You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Rene Moser <ma...@renemoser.net> on 2018/05/22 15:39:29 UTC
4.11.1 install feedback
Hi
I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue
where I can still not login with admin after upgrade. I immediately get
a "session expired" in the UI. I remember an issue related to roles but
can not find the "workaround" and thought it were fixed for 4.11.1.
Any help is appreciated.
René
Re: 4.11.1 install feedback
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Rene,
About your login issue - if command.properties is not present in CloudStack's classpath for example, usually at /etc/cloudstack/management or somewhere in /usr/share/cloudstack-management/ path. The CloudStack upgrade logic has been simplified wrt dynamic roles and will automatically switch your env to use dynamic roles if commands.properties is missing:
https://github.com/apache/cloudstack/blob/4.11/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java#L65
I'm not sure exactly how the upgrade was tested - can you check either at your API logs why the login is failing and if the API is allowed for the login user/account from cloud.role_permission (select * from role_permissions where role_id=1; for admin user account).
You may also want to check for browser cache i.e. attempt using the UI in incognito mode. Are you able to reproduce failure by using cloudmonkey with login credentials (not apikey/secretkey)?
About the VR issue - a manual reboot should not be necessary after first provisioning, I would see that as a bug and perhaps a blocker. What we can do is look at your env, see systemd process chains (see what's blocking and causing blocking or failures?) and share our findings (or fix/PR) with the community.
After the VR is up, from vCenter client can you see where it is stuck and if it is able to start ssh. You can check for cloud-postinit service (systemctl status cloud-postinit). In the past I found and fixed an issue where it got stuck due to dependency issues around apache2 (killing or performing systemctl stop apache2 also fixed the issue, in my fix I made it stop+start without blocking the cloud-postinit process).
- Rohit
<https://cloudstack.apache.org>
________________________________
From: Rene Moser <ma...@renemoser.net>
Sent: Wednesday, May 23, 2018 1:48:47 PM
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback
Hi again
Regarding router: the router looks more stable (rohit lab version).
However, we still need to manually reboot it after first provisioning,
otherwise the management server does not get access by ssh.
Having a lot of fw rules and many VMs in an advanced network, still
takes a "hell of a time" to get the VR fully configured.
This is on VMware 6.5, I think, there is no automated testing for this
env right?
Regards
René
rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
Re: 4.11.1 install feedback
Posted by Rohit Yadav <ro...@shapeblue.com>.
Rene, for testing purposes I've updated my temporarily files at:
http://lab.yadav.cloud/testing/4.11.1-pre-rc1/ (packages from latest 4.11)
http://lab.yadav.cloud/systemvmtemplates/4.11/
I'll stop using the above, we'll eventually share a different URL/location to share test artifacts for testing purposes.
- Rohit
________________________________
From: Rene Moser <ma...@renemoser.net>
Sent: Wednesday, May 23, 2018 1:48:47 PM
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback
Hi again
Regarding router: the router looks more stable (rohit lab version).
However, we still need to manually reboot it after first provisioning,
otherwise the management server does not get access by ssh.
Having a lot of fw rules and many VMs in an advanced network, still
takes a "hell of a time" to get the VR fully configured.
This is on VMware 6.5, I think, there is no automated testing for this
env right?
Regards
René
rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
Re: 4.11.1 install feedback
Posted by Rene Moser <ma...@renemoser.net>.
Hi again
Regarding router: the router looks more stable (rohit lab version).
However, we still need to manually reboot it after first provisioning,
otherwise the management server does not get access by ssh.
Having a lot of fw rules and many VMs in an advanced network, still
takes a "hell of a time" to get the VR fully configured.
This is on VMware 6.5, I think, there is no automated testing for this
env right?
Regards
René
Re: 4.11.1 install feedback
Posted by Khosrow Moossavi <km...@cloudops.com>.
On the same topic, different circumstances, I faced the exact same issue as
well. Mine was
changing cloudstack to use server-ssl.xml rather than server-nossl.xml,
then this issue
happened when reverted back to nossl.
I haven't had the chance to investigate further though.
On Tue, May 22, 2018 at 12:56 PM Rene Moser <ma...@renemoser.net> wrote:
>
>
> On 05/22/2018 06:36 PM, Dag Sonstebo wrote:
> > You may want to try a update cloud.configuration set value='true' where
> name='dynamic.apichecker.enabled' and see if that lets you login.
>
> Thanks updated to entry, restarted management service, didn't help.
>
> Below you find the screen shot of firebug, you can see that login is
> successful but with quotaIsEnabled we get a 401.
>
> https://ibb.co/mZQ4ao
>
>
>
Re: 4.11.1 install feedback
Posted by Rene Moser <ma...@renemoser.net>.
On 05/22/2018 06:36 PM, Dag Sonstebo wrote:
> You may want to try a update cloud.configuration set value='true' where name='dynamic.apichecker.enabled' and see if that lets you login.
Thanks updated to entry, restarted management service, didn't help.
Below you find the screen shot of firebug, you can see that login is
successful but with quotaIsEnabled we get a 401.
https://ibb.co/mZQ4ao
Re: 4.11.1 install feedback
Posted by Dag Sonstebo <Da...@shapeblue.com>.
You may want to try a update cloud.configuration set value='true' where name='dynamic.apichecker.enabled' and see if that lets you login.
Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue
On 22/05/2018, 17:25, "Rene Moser" <ma...@renemoser.net> wrote:
On 05/22/2018 06:08 PM, Dag Sonstebo wrote:
> Rene – did you set dynamic.apichecker.enabled to true?
I checked, it is false.
Dag.Sonstebo@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
Re: 4.11.1 install feedback
Posted by Dag Sonstebo <Da...@shapeblue.com>.
Rene – did you set dynamic.apichecker.enabled to true?
Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue
On 22/05/2018, 16:48, "Rene Moser" <ma...@renemoser.net> wrote:
appending some logs
2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START===
10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END===
10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START===
10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END===
10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START===
10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given
command 'quotaIsEnabled' either does not exist, is not available for
user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END===
10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START===
10.184.2.226 -- GET command=listZones&response=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer]
(qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired
session, missing signature, or missing apiKey -- ignoring request.
Signature: null, apiKey: null
On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
>
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue
> where I can still not login with admin after upgrade. I immediately get
> a "session expired" in the UI. I remember an issue related to roles but
> can not find the "workaround" and thought it were fixed for 4.11.1.
>
> Any help is appreciated.
>
> René
>
Dag.Sonstebo@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
Re: 4.11.1 install feedback
Posted by Rene Moser <ma...@renemoser.net>.
On 05/22/2018 06:08 PM, Paul Angus wrote:
> Had you 'upgraded' to dynamic roles in your 4.9 environment Rene?
right, it was for 4.9. Yes, did that.
the "session expired" issue seems only related to UI. api keys still work.
RE: 4.11.1 install feedback
Posted by Paul Angus <pa...@shapeblue.com>.
Had you 'upgraded' to dynamic roles in your 4.9 environment Rene?
Kind regards,
Paul Angus
paul.angus@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
-----Original Message-----
From: Rene Moser <ma...@renemoser.net>
Sent: 22 May 2018 16:48
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback
appending some logs
2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START===
10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END===
10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START===
10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END===
10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START===
10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given command 'quotaIsEnabled' either does not exist, is not available for user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END===
10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START===
10.184.2.226 -- GET command=listZones&response=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer]
(qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired session, missing signature, or missing apiKey -- ignoring request.
Signature: null, apiKey: null
On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
>
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the
> issue where I can still not login with admin after upgrade. I
> immediately get a "session expired" in the UI. I remember an issue
> related to roles but can not find the "workaround" and thought it were fixed for 4.11.1.
>
> Any help is appreciated.
>
> René
>
Re: 4.11.1 install feedback
Posted by Rene Moser <ma...@renemoser.net>.
appending some logs
2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START===
10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END===
10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START===
10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END===
10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START===
10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given
command 'quotaIsEnabled' either does not exist, is not available for
user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END===
10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START===
10.184.2.226 -- GET command=listZones&response=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer]
(qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired
session, missing signature, or missing apiKey -- ignoring request.
Signature: null, apiKey: null
On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
>
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue
> where I can still not login with admin after upgrade. I immediately get
> a "session expired" in the UI. I remember an issue related to roles but
> can not find the "workaround" and thought it were fixed for 4.11.1.
>
> Any help is appreciated.
>
> René
>