We rebooted; presumably virtualization is not starting.
root/root01 does not work
Over SSH via the console, admin is available. cust/cust01 is available too
[admin@SPDom0 ~]$ virsh start udom
error: Unknown failure
error: failed to connect to the hypervisor
Any help at all is badly needed!
Log in to Dom0 as admin, then drop into root....
Yes, the certificate has expired.
I can log in as admin, but there is no root (changed/lost)
Is there an option without root / to reset root?
though that's root too....
save the database and reinstall everything
All versions of SP.
This was seen on VSP - 220.127.116.11.3.
Also may happen on VSP R6.4
System Platform: Cannot log into CDOM via SSH nor web, but can log into Dom0 via SSH.
Customer may forget the password for admin and root, or the account is locked after too many failed logins.
The LDAP cert may have expired.
Run the following command to determine whether the LDAP certificates are valid
openssl x509 -text -in /etc/openldap/cacerts/cdom.crt|egrep -i 'Not Before|Not After'
Not Before: Sep 29 11:50:31 2011 GMT
Not After : Sep 26 11:50:31 2021 GMT
It may have been generated on Jan 1, 2002 because that is the default date on an S8300d if shipped from a factory. The LDAP expiry date for 10 years brings the expiry date to Dec 30, 2011. This will break LDAP.
The above describes the scenario where the LDAP cert has expired on VSP; the other scenarios are listed below (please note this applies to VSP R6.0.3 ~ R6.4. For versions < VSP R6.0.3, please raise a ticket to reach the Avaya Backbone Team for support):
Customer may forget the password for admin and root
The account is locked after too many failed logins.
The general handling procedure is given here:
1) Open putty, Login to CDOM or Dom0 as init (here I suppose we log into cdom and suppose customer forgot the admin password)
2) Use ASG tool to get the login password for init.
3) After init login, run su - sroot to switch to sroot (also use ASG tool to get password)
3) Run command pam_tally to check whether the account is locked after too many failed logins (if pam_tally does not exist, please try pam_tally2. Replace pam_tally with pam_tally2 in the step below if you get the warning here).
4) You can use pam_tally --reset to clear all failed login records, then run the command pam_tally to check the result (please note there are 2 '-' before reset)
5) Now, use command ssh dom0.vsp to log into Dom0 as user sroot (or you can use ssh email@example.com; they are the same)
6) Repeat step 3 and 4 to clear the failure login on dom0
7) Run command service ldap status to check whether the ldap process is running OK. If it is dead, please run command service ldap restart to start it. (If the ldap service does not exist, please use slapd to replace ldap. Please note the ldap service is on Dom0, so you must run the command on Dom0)
8) If the cert is expired, please run command ldap_cert_updater to renew the LDAP certificate.
9) Run command passwd admin to reset admin password (after resetting the password you may need to wait 2~5 min for the password to take effect.)
10) Run command passwd root to reset root password
dom0.vsp is equal to the IP address of Dom0. That is defined in hosts file in CDOM.
cdom0.vsp is defined in the hosts file on Dom0, equal to the IP address of cdom
admin account is controlled by the LDAP database and can be used for logging in to the CDOM/DOM0 CLI and the CDOM webpage, so you may need to wait 2~5 min for it to take effect.
root account is the linux local account, so the password takes effect immediately.
An MR has been written to fix this but there are currently 2 workarounds:
1) Reinstall the entire system including System Platform ensuring the correct date is configured during installation
2) The process below is quite complex but will renew the LDAP certificates and will require a maintenance window:
The strategy is this: 1) Bring date to future 2) run ldap_cert_updater 3) Correct the date. Now your certs are in the future. 4) reboot. Let the CheckCdomCertInFuture java process detect this when CDOM boots and fix everything.
1. If NTP is configured, run:
service ntpd stop
2. Shutdown all Virtual Machines (VMs) except for udom. Use "xm list" command to determine which VMs are running:
Name ID Mem VCPUs State Time(s)
Domain-0 0 512 1 r----- 997024.9
cm 2 3584 1 -b---- 927749.0
udom 3 1024 1 -b---- 608046.9
utility_server 4 500 1 -b---- 155303.1
Shutdown these VMs by running the following commands:
xm shutdown cm; xm shutdown utility_server
Rerun "xm list" until the state of the VMs is blank. This indicates that the VMs are successfully shutdown:
Name ID Mem VCPUs State Time(s)
Domain-0 0 512 1 r----- 997059.4
cm 3584 1 0.0
udom 3 1024 1 -b---- 608066.8
utility_server 500 1 0.0
3. Set the date to be in the future on Dom0, you should only need to set it 5 minutes ahead
Sat Jan 1 00:00:00 EST 2022
4. Renew the certificates by running the following command on CDOM:
As root on dom0
[root@dom0 bin]# ssh cdom.vsp
Last login: Mon Oct 23 13:22:53 EDT 2017 on pts/0
Last failed login: Mon Jul 19 09:16:24 EDT 2021 from 127.0.0.1 on ssh:notty
There were 16 failed login attempts since the last successful login.
[root@wasdcdom ~]# /opt/avaya/vsp/bin/ldap_cert_updater
5. Shutdown the udom VM and monitor using the "xm list" command as above until the state is blank:
**WARNING** If the SALGW is configured on CDOM, then shutting down CDOM will kill all connections to the system other than a direct connection via the service port. Check and have contingencies in place before proceeding!
xm shutdown udom
6. This step is only necessary if you are running on a System Platform release earlier than 18.104.22.168.3:
grep "^server " /etc/ntp.conf|tail -1|sed s/"server "/""/ > /etc/ntp/step-tickers
7. Set the date and time back to current:
7a. If NTP is configured, run:
service ntpd start
7b. If NTP is not configured, run the following command:
date 122007312012 (This represents 07:31 on 20th December 2012)
8. Start up all of the VMs again:
xm start udom; xm start cm; xm start utility_server
9. Run the following command to show the current validity dates of the LDAP certs. It will refresh every second and will initially show the certificates as being in the future but will revert back to the current date within 5 minutes
watch -n1 "openssl x509 -text -in /etc/openldap/cacerts/cdom.crt|egrep -i 'Not Before|Not After'"
At this point, you should be able to log in again as normal.
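Added example, not part of the original post or of Avaya's tooling: a small shell check that classifies the certificate from the "Not Before" / "Not After" lines printed by the openssl command above, covering the expired case and the temporary "in the future" case seen right after renewal. It assumes GNU date; the function names and the 30-day warning threshold are assumptions made for this example.

```sh
#!/bin/sh
# Added example: classify an LDAP certificate from the two validity lines that
# the openssl | egrep command on this page prints. Assumes GNU date (-d).

# Constructed sample: the validity lines quoted in the post above.
SAMPLE='            Not Before: Sep 29 11:50:31 2011 GMT
            Not After : Sep 26 11:50:31 2021 GMT'

# to_epoch "Sep 29 11:50:31 2011 GMT" -> seconds since the Unix epoch
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null
}

# cert_state VALIDITY_TEXT NOW_EPOCH [WARN_DAYS]
# Prints one of: valid, expiring-soon, expired, not-yet-valid, unparsable.
cert_state() {
    text=$1; now=$2; warn_days=${3:-30}
    nb=$(printf '%s\n' "$text" | sed -n 's/^ *Not Before *: *//p' | head -n 1)
    na=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: *//p' | head -n 1)
    if [ -z "$nb" ] || [ -z "$na" ]; then echo unparsable; return 0; fi
    nb_s=$(to_epoch "$nb") || { echo unparsable; return 0; }
    na_s=$(to_epoch "$na") || { echo unparsable; return 0; }
    if [ "$now" -lt "$nb_s" ]; then
        echo not-yet-valid    # clock is behind the cert, as right after renewal
    elif [ "$now" -ge "$na_s" ]; then
        echo expired          # the failure mode that breaks LDAP logins
    elif [ $(( (na_s - now) / 86400 )) -lt "$warn_days" ]; then
        echo expiring-soon
    else
        echo valid
    fi
}

# With a certificate path as argument, check that file against the current time.
if [ -n "${1:-}" ]; then
    lines=$(openssl x509 -noout -text -in "$1" | grep -E 'Not (Before|After)')
    echo "$1: $(cert_state "$lines" "$(date -u +%s)")"
fi
```

Run it with the certificate path from the post, /etc/openldap/cacerts/cdom.crt, as the only argument to check the live file.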
Please tell me how to do this. A private message is fine.