Sunstone and Filesystems Problems

Hello Guys

It’s me again now with 2 questions, hope there’s no problem. Let’s see:

  1. It seems I am unable to log in into my sunstone GUI. I can see the login page but I cannot authenticate. Whenever I put serveradmin (I changed its password with oneuser passwd and changed the sunstone_auth file to reflect the changes) it fires a warning saying ‘invalid username or password’ both putting the normal and the hash. However, whenever I put oneadmin and put the password hashed it fires this: ‘OpenNebula is not running or there was a server exception’ check the server logs and I will put it down here.
    Wed Apr 15 18:35:07 2015 [E]: User serveradmin could not be authenticated
    Wed Apr 15 18:35:07 2015 [E]: [UserInfo] User couldn’t be authenticated, aborting call.
    Wed Apr 15 18:35:07 2015 [I]: Unauthorized login attempt
    Wed Apr 15 18:35:07 2015 [I]: 172.18.10.8 - - [15/Apr/2015 18:35:07] “POST /login HTTP/1.1” 401 - 0.0033
    Wed Apr 15 18:35:52 2015 [E]: [UserInfo] User couldn’t be authenticated, aborting call.
    Wed Apr 15 18:35:52 2015 [I]: 172.18.10.8 - - [15/Apr/2015 18:35:52] “POST /login HTTP/1.1” 500 - 0.0432
    The first three lines correspond when I use serveradmin either with normal password or hashed one. The last one represents when I use the hashed one for oneadmin. Any ideas? Something that it’s not running that I should run manually?

  2. After playing a little with the CLI with the image of ttylinux and being able to install it and run on my test host I wanted to try a image I created, I executed and it seems my datastore is full. There’s no space available. Is there a way to purge this? Maybe it’s because I created a bunch of images and then deleted them and some are still there? When I execute onedatastore list it seems theres 2 images in the datastore but whenever I put onedatastore show ID it only appears the only image I have in oneimage list

Any help you can provide with this will be a relief and deeply appreciated. I am a newbie to OpenNebula.

Best Regards

Hi Cristobal,

Could you try updating the serveradmin password with the following command:

oneuser passwd --driver server_cipher serveradmin MYPLAINPASS

After that update the sunstone_auth, oneflow_auth and onegate_auth files in your /var/lib/one/.one/ directory.

Restart oned and sunstone-server

Could you try running the onefsck command, it will fix inconsistent values in the database.

Regarding the capacity of the datastore, opennebula uses the following script to determine it (just a df command). Try checking if the directory has unused files, using the oneimage command you can retrieve the source of the image.

Cheers

Hello Daniel:

I tried all of this changing each and even rebooting the machine as a last resort even creating a new user for server purpouses and adding it to the same files in plain text and still seem unable to connect. I have checked the configuration of the sunstone server and accesed to the xml_rpc address and it seems working just fine (it says that POST is the only thing that it understands). Something else that you can tell me to check? Here’s the result of the .log of sunstone server.

Thu Apr 16 11:33:30 2015 [E]: User serveruser could not be authenticated
Thu Apr 16 11:33:30 2015 [E]: [UserInfo] User couldn’t be authenticated, aborting call.
Thu Apr 16 11:33:30 2015 [I]: Unauthorized login attempt
Thu Apr 16 11:33:30 2015 [I]: 172.18.10.8 - - [16/Apr/2015 11:33:30] “POST /login HTTP/1.1” 401 - 0.0061

And the .error

== Sinatra/1.3.2 has taken the stage on 9869 for development with backup from Thin

I couldnt find onefsck, probably in another package beside opennebula and opennebula-sunstone? I do however run onedb fsck which is the one I could dig from the documentation. And here is the only think it found…

First stop OpenNebula. Lock file found: /var/lock/one/one

Seeing this now I remember that the image I was testing stayed in lock more than 24 hours (I’m guessing it run out of space) therefore I executed oneimage delete. And I think that’s why the onedatastore list shows 2 images but when I run oneimage list it only shows one. I have checked the folders and indeed there’s one which consumes all the space in the datastore (which I guess is the one that I deleted and stayed in lock but wasn’t actually deleted from the datastore) Can I safely delete this folder or should I do something specific before and after to make it as clean as possible?

Thank you so much for all the help provided so far.

What driver is using serveruser? Are you using the plain password in sunstone_auth? Could you check that sunstone server is indeed stopped (ps …)?

Yes, the command is onedb fsck sorry. You have to stop oned before running this command since it will modify the database

If this image (the id is the name of the folder) does not exist anymore in opennebula, you ca safely delete it.

Thanks Daniel for the fast reply!!

No problems found by this… so…

Deleted and now space is vastly free in the datastore, though it uses more space than intended by the image of tiny linux. Any idea why is this?

Sorry, I created this same user with the cipher as you showed for the serveradmin. Yes, I am using plain one in the sunstone_auth. I checked that the sunstone server was stopped, and indeed it stops, when it runs it shows:

oneadmin 23428 16.0 5.5 198512 57124 pts/0 Sl 12:36 0:00 ruby /usr/lib/one/sunstone/sunstone-server.rb

It’s not imperative that I get access to the GUI since I have been using the CLI since the beggining (but it will be nice to be able to do so since some things in the documentation seem more easy in the GUI than in the CLI).
Thanks in advance! Regards

Updating:

I keep seeing this pooping up in oned.log

Fri Apr 17 15:49:46 2015 [Z0][AuM][D]: Message received: LOG I 27 Command execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate serveradmin e59c18f64a4d3596d6bf332a65e79cf411fd9d9a ****

Fri Apr 17 15:49:46 2015 [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate serveradmin e59c18f64a4d3596d6bf332a65e79cf411fd9d9a ****
Fri Apr 17 15:49:46 2015 [Z0][AuM][D]: Message received: LOG E 27 bad decrypt

Fri Apr 17 15:49:46 2015 [Z0][AuM][I]: bad decrypt
Fri Apr 17 15:49:46 2015 [Z0][AuM][D]: Message received: LOG I 27 ExitCode: 255

Fri Apr 17 15:49:46 2015 [Z0][AuM][I]: ExitCode: 255
Fri Apr 17 15:49:46 2015 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 27 bad decrypt

Fri Apr 17 15:49:46 2015 [Z0][AuM][E]: Auth Error: bad decrypt
Fri Apr 17 15:49:46 2015 [Z0][ReM][D]: Req:8720 UID:-1 DocumentPoolInfo invoked , -2, -1, -1, 100
Fri Apr 17 15:49:46 2015 [Z0][ReM][E]: Req:8720 UID:- DocumentPoolInfo result FAILURE [DocumentPoolInfo] User couldn’t be authenticated, aborting call.

I’m not sure why is this happening as sunstone is currently stopped and I check the one_auth file and there’s no serveradmin there (should it?) Is this helpful in any way to solve the problem?

Thanks in advance!

This error is coming from OneFlow requests. It looks like the password stored in oneflow_auth is not correct, OneFlow also uses a “serveradmin” user to interact with oned

Cheers

Hello Daniel:

So after a lot of trouble, I managed to enter my sunstone GUI by changing the authorization from OpenNebula to Sunstone.
I changed it by reverse engineering your sandbox and discovered you guys have that authorization method of sunstone instead of opennebula. However I’m still missing why is that I couldn’t use it like that.
Also, I can only enter Sunstone with the oneadmin user and not with the serveradmin as you claim in your documentation.
Thanks for all the help, hope you can make it clearer for me

Regards

The serveradmin is not able to interact with sunstone/cli. This is a user that allows other components to authenticate on behave of other users. For example if you are using x509 certificates in sunstone, Apache will authenticate the user and then Sunstone will send a signed token using the serverdamin user telling OpenNebula that the user is already authenticated and authorized.

Setting the opennebula auth instead of the sunstone one you are forcing two authentication steps, the one done by sunstone with the Basic Auth header and a second one by the OpenNebula driver defined for that user.

Using the opennebula auth should not fail, I don’t what could be the problem. But you can use both methods, we set the opennebula method by default for deployments using and ldap authentication in previous releases the default method was sunstone.

Hope this helps