[ovirt-devel] sslStompReactor just created once, may cause engine failed to connect to new node

Piotr Kliczewski piotr.kliczewski at gmail.com
Tue Jan 2 12:53:45 UTC 2018


Hello,

One instance of a reactor was done by design. Can you please provide the steps
showing how you use the code, and explain why you need to change .truststore?

Thanks,
Piotr

On Wed, Dec 27, 2017 at 2:16 AM, pengyixiang <yxpengi386 at 163.com> wrote:

> Hello,
>     If we add a new node, we generate vdsm certs and scp them to the node,
> then we add it to .truststore in [1], so that our engine can connect to
> vdsm.
> So if .truststore is changed, "getSslStompReactor" still uses the old
> .truststore and the connection fails. I made a mistake: the changed certs
> are in .truststore rather than engine.p12.
>
>
> [1]
>     openssl genrsa \
>         -out client/vdsmkey.pem 2048
>
>     openssl req \
>         -new \
>         -out requests/$1.req \
>         -key client/vdsmkey.pem \
>         -subj "${subject}"
>
>     openssl ca \
>             -batch \
>             -config openssl.conf \
>             -extfile cacert2.conf \
>             -extensions v3_ca \
>             -in requests/$1.req \
>             -out certs/$1.cer \
>             -keyfile private/ca.pem \
>             -subj /O=Linx/CN=$1 \
>             -utf8 \
>             -days "3650" \
>             -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
>
>     cp ca.pem client/cacert.pem
>     cp certs/$1.cer client/vdsmcert.pem
>     cp install.sh client
>
>     keytool -import -noprompt -trustcacerts \
>         -alias $1$(date --utc --date "now +1 days" +"%y%m%d%H%M%SZ")$(cat /dev/urandom | head -n 10 | md5sum | head -c 10) \
>         -keypass mypass -file certs/$1.cer -keystore .truststore \
>         -storepass mypass
>
>
>
>
>
>
> At 2017-12-26 16:37:33, "Irit Goihman" <igoihman at redhat.com> wrote:
>
> Hi,
> Can you explain your question?
> Why engine certs are changed?
>
> Thanks,
> Irit
>
> On Mon, Dec 25, 2017 at 3:26 AM, pengyixiang <yxpengi386 at 163.com> wrote:
>
>> Hello, everyone!
>>      I use ScenarioClient to call vdsm-jsonrpc-client, but I find that after
>> my engine has connected to one node and I create a new node, the certs
>> (engine.p12) are changed,
>> but the engine cannot connect to the new node. At last, I found the problem
>> here [1], and I think the rpc's certs for the node are still old, so I tried
>> to change the code to [2],
>> then repeated the test, and it works well. Does oVirt's engine not meet
>> this trouble, and how did you do it? The client is created like this [3].
>>
>>
>>
>>
>> [1]   https://github.com/oVirt/vdsm-jsonrpc-java/blob/078233e60c24f8b8525b3bf5fb1c5ab9f1c4e0f4/client/src/main/java/org/ovirt/vdsm/jsonrpc/client/reactors/ReactorFactory.java#L76
>>
>> [2]
>>
>>     private static Reactor getSslStompReactor(ManagerProvider provider) throws ClientConnectionException {
>> //        if (sslStompReactor != null) {
>> //            return sslStompReactor;
>> //        }
>>         synchronized (ReactorFactory.class) {
>> //            if (sslStompReactor != null) {
>> //                return sslStompReactor;
>> //            }
>>             try {
>>                 sslStompReactor = new SSLStompReactor(provider.getSSLContext());
>>             } catch (IOException | GeneralSecurityException e) {
>>                 throw new ClientConnectionException(e);
>>             }
>>         }
>>         return sslStompReactor;
>>     }
>>
>> [3]
>> public ScenarioClient(String hostname, int port) throws ClientConnectionException {
>>     this.reactor = ReactorFactory.getReactor(ProviderFactory.getProvider(), ReactorType.STOMP);
>>     final ReactorClient client = this.reactor.createClient(hostname, port);
>>     client.setClientPolicy(new DefaultStompConnectionPolicy());
>>     this.worker = ReactorFactory.getWorker(PARALLELISM);
>>     this.jsonClient = this.worker.register(client);
>>     this.jsonClient.setRetryPolicy(new DefaultStompClientPolicy());
>> }
>>
>>
>>
>>
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/devel
>>
>
>
>
> --
>
> IRIT GOIHMAN
>
> SOFTWARE ENGINEER
>
> EMEA VIRTUALIZATION R&D
>
>