On Sun, Aug 7, 2022 at 6:34 AM P F <[email protected]> wrote:
>
> I'm unable to recreate the original problem.
>
> The good news is, the process moves past the engine_setup now.
> The ovirt-engine server actually starts, and is exposed on 
> https://<ovirthost>:6900/ovirt-engine
>
> The bad news is, when I try to access the engine Web UI at that URL, I get a 
> '500 Internal Server Error'.
> I don't see any obvious errors in the log files in /var/log/ovirt-engine

Can you check/share all of /var/log/ovirt-engine and /var/log/httpd?

>
> I'm able to access the URL https://<ovirthost>:6900/ovirt-engine
> However, as soon as I click the "Administration Portal" link on the main 
> page, I see the '500 Internal Server Error'
>
> I do notice the following error in /var/log/httpd/ssl_error_log:
>
> [Sat Aug 06 18:45:32.106641 2022] [auth_openidc:error] [pid 1648:tid 139896547178240] [client 192.168.222.3:58098] oidc_authenticate_user: the URL hostname (ovirt-engine.internal.net) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (ovirt-node04.internal.net): the "state" and "session" cookies will not be shared between the two!, referer: https://ovirt-node04.internal.net:6900/ovirt-engine/

I am not an expert on how this should work. Adding Martin. In any
case, this sounds like a bug to me, even though not sure it's
possible/easy to fix - would you like to create one?

>
> The error above would suggest that it will not be possible to access the 
> engine Web UI which is temporarily exposed on port 6900.

Seems so.

> How has this ever been possible in the past?

Most likely this is a result of enabling keycloak integration. Perhaps
you can try again and answer 'No' to 'Configure Keycloak integration
on the engine'. If this works, it might be the simplest way for now -
you can enable keycloak integration later if you want.

> What do I need to do in order to access the engine Web UI, since I need to 
> configure the host's network to include several VLANs necessary to complete 
> the restore of the engine DB?

I am just guessing here, not knowing anything about openidc. Perhaps
it does not like being accessed as a different hostname and/or port.

The engine does not like this either, but we "convince" it:

[1] https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hosted_engine_setup/tasks/bootstrap_local_vm/04_engine_final_tasks.yml#L30

  - name: Allow the webadmin UI to be accessed over the first host
    block:
      - name: Saving original value
        ansible.builtin.replace:
          path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
          regexp: '^(SSO_ALTERNATE_ENGINE_FQDNS=.*)'
          replace: '#\1 # pre hosted-engine-setup'
      - name: Adding new SSO_ALTERNATE_ENGINE_FQDNS line
        ansible.builtin.lineinfile:
          path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
          line: 'SSO_ALTERNATE_ENGINE_FQDNS="{{ he_host_address }}" # hosted-engine-setup'

But this isn't mandatory, it's just a convenience we added at some point.

Instead, you can do something similar to what we do to allow access on
port 6900:

[2] https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hosted_engine_setup/tasks/bootstrap_local_vm/05_add_host.yml#L12

  - name: Open a port on firewalld
    ansible.builtin.command: firewall-cmd --zone=public --add-port {{ he_webui_forward_port }}/tcp
    changed_when: true
  - name: Expose engine VM webui over a local port via ssh port forwarding
    ansible.builtin.command: >-
      sshpass -e ssh -tt -o ServerAliveInterval=5 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -g -L
      {{ he_webui_forward_port }}:{{ he_fqdn }}:443 {{ he_fqdn }}
    environment:
      "{{ he_cmd_lang | combine( { 'SSHPASS': he_appliance_password } ) }}"
    changed_when: true
    async: 86400
    poll: 0
    register: sshpf

But instead of opening the port on firewalld from the host, do the
entire tunnelling from your laptop (or where you run the web browser):

1. Add the engine VM's name to your /etc/hosts, to the line of '127.0.0.1'

2. Find the (temporary, local) IP address of the engine VM, in your
case that's '192.168.222.3'

3. Create an ssh tunnel - something like:

# ssh -L443:192.168.222.3:443 [email protected]

Then you can access the engine (and keycloak) web UI via the "real" FQDN:

https://ovirt-engine.internal.net/ovirt-engine/

Good luck and best regards,
--
Didi
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/[email protected]/message/FOSD7O2OTNYB56BTWMSU6EBQ3WZJ3D3Y/