[Solved] VMware host_auth_error

fine
providers

#1

Hello experts,

I’m trying to add VMware as provider to my MIQ Fine-4 appliance. vCenter 6.0 is running on Windows and I have 2 ESX 6.0 hosts.

First I tried to add vCenter as infrastructure provider: credential validation was successful, but no hosts are discovered.

Then I tried to add an ESX server as infrastructure host: credential validation was successful again, but in evm.log I can see this:

MIQ(Host#authentication_check_no_validation) type: [:default] for [5] [szerver] Validation failed: error, Web Services authenticatio n is not supported for hosts of this type. MIQ(MiqQueue.put) Message id: [19988], id: [], Zone: [Matrix], Role: [], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [MiqEvent.raise_evm_event], Timeout: [600], Priority: [100], State: [ready], Deliver On: [], Data: [], Args: [["Host", 5], "host_auth_error", {}] <AutomationEngine> MiqAeEvent.build_evm_event >> event=<"host_auth_error"> inputs=<{"MiqEvent::miq_event"=>38, :miq_event_id=>38, "EventStream::event_stream"=>38, :event_stream_id=>38}> MIQ(MiqPriorityWorker::Runner#get_message_via_drb) Message id: [19990], MiqWorker id: [4], Zone: [Matrix], Role: [automate], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [MiqAeEngine.deliver], Timeout: [3600], Priority: [20], State: [dequeue], Deliver On: [], Data: [], Args: [{:object_type=>"Host", :object_id=>5, :attrs=>{:event_type=>"host_auth_error", "MiqEvent::miq_event"=>38, :miq_event_id=>38, "EventStream::event_stream"=>38, :event_stream_id=>38}, :instance_name=>"Event", :user_id=>1, :miq_group_id=>1, :tenant_id=>1, :automate_message=>nil}], Dequeued in: [5.051034748] seconds

How can I debug further this issue?

Thanks
Krisztián


#2

Hi, @xian

Please do a search on smartstate keyword, you will find many old threads that show debugging efforts/steps.
Like this one.

I am still fighting to understand the whole process enabling smartstate for VMWare provider. I have two Fine-4 miq appliances, production one is not working and POC oneis working. Still trying to figure out what steps I missed on the production one.


#3

grepping for ‘VmScan#process_abort’ in evm.log will usually give you a hint as to what might be going wrong, but in general for SSA to a VMware provider I’d check:

  • That the SmartProxy and SmartState Analysis roles are enabled on an appliance in the same zone as the VMware provider.
  • That the SmartProxy Affinity is set correctly for the hosts that are running the VMs that you want to scan (Configuration -> Settings -> pick the zone -> SmartProxy Affinity tab).
  • That the VDDK is installed on the SmartProxy appliance (this is a really good description: http://www.tigeriq.co/sddk-on-vsphere-6/). There have been some problems with various versions of the VDDK but I’m running with 6.0.2 and it seems to be working fine.
  • Make sure you have configured root account credentials in ManageIQ for each ESXi host and verified them or set scan_via_host to be false in Configuration -> Advanced.
  • That your SmartProxy appliance can connect to each ESXi host on port 902 (i.e. there are no firewalls blocking this)
  • That the VM that you’re scanning is on the list of “supported” operating systems / file systems (https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html-single/support_matrix/#smart_state_analysis_support)

Hope this helps,
pemcg


#4

@pemcg, Thanks for the reply.

  • I jumped the gun to use 6.5 VDDK(latest is not always better) and it only work with ESXi 6.5 hosts. Once I downgraded to to 6.0.2, I found it can do SSA on ESXi 6.x and 5.5.x on fine-4 test miq.

  • scan_via_host really need to be set to false ? It is set to true and still be able to do SSA.

  • The toggle of scan_via_host, does it need a reboot ?

#5

You need scan_via_host to be false if you’re unable to enter the root credentials for the ESXi hosts in ManageIQ, otherwise you’d get the error:

“No eligible proxies for VM :[[XXX] xxx/xxx.vmx] - [Provide credentials for this VM’s Host to perform SmartState Analysis]”

Setting scan_via_host to false tells the SmartProxy to use an authentication token provided by the vCenter to authenticate to the hosts rather than try to login to the hosts themselves.

The setting is under :coresident_miqproxy so I would imagine (but I’m guessing) that you’d just need to disable and re-enable the SmartProxy role for this to take effect.

pemcg


#6

Currently SSA is working on a VM so I set scan_via_host to false and toggle the smartproxy role and click Save to have scan_via_host new false value in effect. SSA still works as shown below.

I am still confused the real impact of scan_via_host value on SSA.


#7

Now I confirm scan_via_host need to be set to false. Looks like the value was set to true but I didn’t disable/re-enable the smart-proxy role to reload the value change. I am getting expected error message now with scan_via_host set to true.

Appreciate @pemcg taking the time to answer my confusion.


#8

@xian, sorry to hijack your email thread. Is your problem resolved ?


#9

Thank you guys for the hints - I can check on Monday only but will come back with my findings.


#10

Xian

It sounds like the account that you’re using to authenticate with the vCenter doesn’t have enough permissions to see the ESXi hosts. Is this an admin account?

pemcg


#11

I made a stupid mistake: I have put the VMware provider into an empty zone with no appliance in it. @pemcg gave the idea to verify, with the first item of his checklist. I re-added the the provider to a different zone and hosts were discovered, also VMs on the hosts. VM provisioning works.

I have not configured SmartProxy, SmartState Analysis roles yet (the latter is on by default) and affinity either. For the (basic) functionality above apparently SmartState Proxy is not needed. A have not installed VDDK yet either. I plan to do so but I want to understand the function of these components before enabling all bells and whistles.

Thanks again.