RE: Ansible Role - Install XO from source - Now available

@wezke said in Ansible Role - Install XO from source - Now available:

@probain

Thank you for sharing your ansible role, ill have a look at it

It's far, far from perfect. So there might be a few rough edges that I solved manually. But I welcome feedback.

For completeness sake. Confirming that the fix also works in my second lab as well.

@florent said in Snapshots are no longer being pruned? Commit 58f02:

@probain thanks for signaling this, we just merged a fix, that fix it on our labs
can you test it on your side ?
https://github.com/vatesfr/xen-orchestra/pull/9202

I can confirm that it solves the issue in my primary lab. Tomorrow I will be able to re-validate at my second lab as well.
Thank you for such a quick fix!

I can now reliably recreate the behavior between the commits mentioned above.
As I expected, the problems with finding a "known good" was due to user error

@AlexD2006

Thanks for your input.

So I believe I've managed to find which commit breaks my snapshot-pruning.

If I use the commit: 8a390057b648205b7ae2c6ccc2a0bc78dc624e08 - Then the pruning works.

However, if I go to the next one: 05c6f87a1212e81c51e63f6a585b9e97a3c1bfb2- Pruning breaks and snapshots are no longer being deleted as retention says they should.

I can consistently and reliably re-create the different scenarios in my first lab. This doesn't explain why I'm seing inconsistent results in my other lab. But that might be user error, that I have to double check tomorrow!

Perhaps you could try to see if you see the same behaviour between the commits?

It might be that my known good, isn't that good at all.

I can replicate the problem in my second lab as well. But it is being affected even with commits older than a101e.
I'm still trying to find and provide better/useful information.

Trying to pin down a "known good" at the moment.

Update:
~~Found one: a101e

I'll try to step through the commits, to find where it breaks.~~

Update 2: a101e might not be a "known good".

Running XO from source - Commit 58f02 on a fully update XCP-NG 8.3
Since Friday (error might have come silently from earlier), snapshots are no longer being pruned. After week-end, when I got a possibility to look at what was/is happening. I had 109 snapshots for each VM. The retention is 4.

• I've tried to delete the old schedule and re-create it.
• I've tried to delete the backup-job, and re-create it.
• I've tried adjusting the retetion

None of the above have had any discernable affect.

Is there something else I can do or provide, to maybe hammer out this? Since I belive it to be a bug. I would very much want to do my part in finding the solution.

Thanks!

I've mentioned it on the forums once or twice. And after @wezke explicitly asked for it. I decided to take the time to finally go ahead and publish an Ansible-role for installing XO from source.

Benefits from using any of the many installation-scripts:

Scripts are often quite big. Making them hard to validate and scrutinize for security reasons.

Ansible (imho) is easier to read and see what it does.

If you are orchestrating your environment through Ansible already, this should drop in semi-nicely

This follows the official steps from the Xen-Orchestra docs, except for ONE main thing. This does not run the xo-server as root. In the hopes that it should raise security just a tiny bit more.

Note and Disclaimer!
Do your own validation of the source. Do NOT take my word for how this works. And use it at your own risk.
Now, with all disclaimers out of the way. Feel free to use as you'd like. I hope the community takes kindly to this.

https://github.com/cloudrootab/ansible_role_xoce

PS: This is ported from my private role. But should work. See the disclaimer above!
PPS: This is a re-post from a now deleted forum-post, where I mistakenly placed the topic in XCP-NG/Installation.

@wezke
I'll try to get some time later on and make a cloned & public version release of my role. No promises about timeframe, as I am absolutely swamped right now.

@MajorP93

Well yes and no.

A script is harder to verify for maliciousness. I'm not saying that this script is bad. Rather that I have a paranoid standard practice that I start from.

Ansible has several benefits as well. That I value above using specialized scripts.

The beauty is that everyone can use and do whatever solution they like the best.

@pierrebrunet
For Google Workspace:
Yes it is in the "Service Provider details"-section: See screenshot for example

Edit: Removed doubled screenshot

@pierrebrunet
I'm jumping in here as well. Reporting that the PR fixes it for Google Workspace as well!
However, the checkbox in GW is called "Signed response".
No further adjustments of the plugin itself was needed.

@marcoi
I do this constantly by using either ctrl+mouse click, or middle mouse click.

I treat XO as almost ephemeral. And extensive regularly take scheduled backups of its config. Both locally and off-site.
For XO itself, I use community edition. But I've got an entire ansible-role I've built that sets it up within minutes on any configured computer. Mainly because I don't like/trust scripts that are from some random people on the internet. And also, my approach is as close to doing a step-by-step according to docs, as you can get.

I've been thinking about sharing the ansible-role. But unsure how much interest there is for such things.

But for XOA there isn't a need for such a thing. And still, with the extremely easy restore config from backup-file possibility. I wouldn't really do something crazy and overly complicated either.

@florent said in Backblaze as Remote error Unsupported header 'x-amz-checksum-mode' received for this API call.:

,
requestChecksumCalculation: "WHEN_REQUIRED",
responseChecksumValidation: "WHEN_REQUIRED"

I (previously as @jr-m4) just tried the patch you suggested. And I can confirm that this does indeed make the backup complete successfully!
Great work finding a solution that quicklly!

@dsmteam
Unfortunately this is the limit of what I know regarding SAML. The Google Workspace variant, was cobbled together after many hours of experimenting.

I wish you the best of luck. And if you do find a solution, please consider adding to the docs as well. As this is an area where we desperately need more comprehensive docs (as you're experiencing).

@dsmteam
Make sure to enter a newline at the end of the certificate field.

The SAML docs online are lacking. But I've written these instructions for Google Workspace SAML. Maybe this could help? And feel free to add to the docs if you happen to find a solution.
https://docs.xen-orchestra.com/users#google-workspace---saml-supportgooglecom

@JamfoFL

@Danp responded to similar/same issue here:
https://xcp-ng.org/forum/post/89858

@R2rho
Faulty gear always sucks. But who would've guessed that two separate systems would produce the same problems. That is highly unlikely, but never impossible.

Good luck with the RMA

Well, unfortunately I got nothin... Extremely weird indeed