<div dir="ltr"><div><div><div><div><div><div>I started to investigate the issue [1] and it seems like there is an issue in the Lago setup we use.<br><br></div>During the handshake we have a step to verify whether the client certificate was issued for a specific host (no such functionality in the m2crypto code base).<br></div>It works fine when using either IP addresses or FQDNs but in this particular setup we use mixed.<br><br></div>When I added logging I saw that in the engine certificate we use the 'engine' name, which is not resolvable on the host side, and the check fails.<br></div>I posted a patch [2] which fixes the IPv4-mapped addresses issue but we need to fix the setup issue.<br><br></div>Thanks,<br></div>Piotr<br><div><div><br>[1] <a href="http://jenkins.ovirt.org/job/ovirt-system-tests_manual/326/">http://jenkins.ovirt.org/job/ovirt-system-tests_manual/326/</a><br>[2] <a href="https://gerrit.ovirt.org/#/c/76197/">https://gerrit.ovirt.org/#/c/76197/</a><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 27, 2017 at 3:39 PM, Piotr Kliczewski <span dir="ltr">&lt;<a href="mailto:pkliczew@redhat.com" target="_blank">pkliczew@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Thu, Apr 27, 2017 at 3:13 PM, Evgheni Dereveanchin <span dir="ltr">&lt;<a href="mailto:ederevea@redhat.com" target="_blank">ederevea@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span style="font-size:12.8px">Test failed: 002_bootstrap/</span><span style="color:rgb(0,0,0)">add_host<wbr>s</span><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Link to suspected patches:</span></div><div><span style="font-size:12.8px"> <a href="https://gerrit.ovirt.org/76107" 
target="_blank">https://gerrit.ovirt.org/7610<wbr>7</a> - ssl: change default library</span><br><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Link to job:</span></div><div><span style="font-size:12.8px"> <a href="http://jenkins.ovirt.org/job/test-repo_ovirt_experimental_master/6491/" target="_blank">http://jenkins.ovirt.org/job/<wbr>test-repo_ovirt_experimental_m<wbr>aster/6491/</a></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">VDSM log:</span></div><div><span style="font-size:12.8px"> <a href="http://jenkins.ovirt.org/job/test-repo_ovirt_experimental_master/6491/artifact/exported-artifacts/basic-suit-master-el7/test_logs/basic-suite-master/post-002_bootstrap.py/lago-basic-suite-master-host0/_var_log/vdsm/vdsm.log" target="_blank">http://jenkins.ovirt.org/job/<wbr>test-repo_ovirt_experimental_m<wbr>aster/6491/artifact/exported-a<wbr>rtifacts/basic-suit-master-el7<wbr>/test_logs/basic-suite-master/<wbr>post-002_bootstrap.py/lago-<wbr>basic-suite-master-host0/_var_<wbr>log/vdsm/vdsm.log</a></span><br clear="all"><div><br></div><div><div style="font-size:12.8px"><span style="font-size:12.8px">Error snippet from VDSM log, this repeats on each connection attempt from Engine side:</span></div><div style="font-size:12.8px"><span style="font-size:12.8px"><br></span></div><div style="font-size:12.8px"><span style="font-size:12.8px">&lt;error&gt;</span></div></div><div style="font-size:12.8px"><span style="font-size:12.8px"><br></span></div><div style="font-size:12.8px"><span style="font-size:12.8px"><div style="font-size:12.8px"><div style="font-size:12.8px">2017-04-27 06:39:27,768-0400 INFO (Reactor thread) [ProtocolDetector.AcceptorImpl<wbr>] Accepted connection from ::ffff:<a href="http://192.168.201.3:49530" target="_blank">192.168.201.3:49530</a> (protocoldetector:74)</div><div style="font-size:12.8px">2017-04-27 06:39:27,898-0400 ERROR (Reactor thread) [vds.dispatcher] 
uncaptured python exception, closing channel &lt;yajsonrpc.betterAsyncore.Disp<wbr>atcher connected ('::ffff:192.168.201.3', 49530, 0, 0) at 0x1cc3b00&gt; (&lt;class 'socket.error'&gt;:Address family not supported by protocol [/usr/lib64/python2.7/asyncore<wbr>.py|readwrite|110] [/usr/lib64/python2.7/asyncore<wbr>.py|handle_write_event|468] [/usr/lib/python2.7/site-packa<wbr>ges/yajsonrpc/betterAsyncore.<wbr>py|handle_write|70] [/usr/lib/python2.7/site-packa<wbr>ges/yajsonrpc/betterAsyncore.<wbr>py|_delegate_call|149] [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|handle_<wbr>write|213] [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|_handle_<wbr>io|223] [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|_verify_<wbr>host|237] [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|compare_<wbr>names|249]) (betterAsyncore:160)</div></div><div><br></div></span></div><div><span style="font-size:12.8px">&lt;/error&gt;</span><span class="m_-7013957557062814923gmail-HOEnZb"><font color="#888888"><br></font></span></div></div></div></div></blockquote><div><br></div></span><div>This means that what we have in the certificate does not match the source address we get. I suspect that we issue the certificate for 192.168.201.3 but when we get <span style="font-size:12.8px">::ffff:192.168.201.3.<br></span></div><div><span style="font-size:12.8px">The change was verified in the env when ipv4 is used. 
I pushed a revert [1] for now so we can work on fixing the issue.<br><br>[1] <a href="https://gerrit.ovirt.org/#/c/76160" target="_blank">https://gerrit.ovirt.org/#/c/<wbr>76160</a><span class="HOEnZb"><font color="#888888"><br></font></span></span></div><span class="HOEnZb"><font color="#888888"><div><span style="font-size:12.8px"><a href="http://192.168.201.3:49530" target="_blank"></a></span></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><span class="m_-7013957557062814923gmail-HOEnZb"><font color="#888888"></font></span></div><span class="m_-7013957557062814923gmail-HOEnZb"><font color="#888888">-- <br><div class="m_-7013957557062814923gmail-m_1030527822276251082gmail_signature"><div dir="ltr"><div style="font-size:small">Regards,</div><div style="font-size:small">Evgheni Dereveanchin</div></div></div>
</font></span></div></div></div>
</blockquote></font></span></div><br></div></div>
</blockquote></div><br></div>
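The host check discussed in this thread, as an added Python 3 example that is not VDSM's sslutils code or the patch in [2]: it unwraps an IPv4-mapped peer address before comparing it with the certificate name, and fails closed when the name does not resolve. The function names, the resolver table and the name engine.example.test are assumptions made for illustration.

```python
import ipaddress
import socket


def normalize_address(text):
    """Parse an IP literal; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4.

    Raises ValueError when `text` is not an IP literal (i.e. it is a name).
    """
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def system_resolve(name):
    """Resolve a name to address strings; raises socket.gaierror on failure."""
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


def cert_name_matches_peer(cert_name, peer_addr, resolve=system_resolve):
    """True only if the certificate name denotes the connecting peer address."""
    peer = normalize_address(peer_addr)
    try:
        # Certificate issued for an IP literal: compare normalized addresses.
        return normalize_address(cert_name) == peer
    except ValueError:
        pass
    try:
        # Certificate issued for a name: compare every address it resolves to.
        candidates = resolve(cert_name)
    except OSError:
        return False  # unresolvable name: reject the peer instead of raising
    return any(normalize_address(a) == peer for a in candidates)


# Constructed resolver table standing in for DNS, so the example runs offline.
CONSTRUCTED_HOSTS = {"engine.example.test": ["192.168.201.3"]}


def constructed_resolve(name):
    """Hypothetical resolver: looks names up in CONSTRUCTED_HOSTS only."""
    try:
        return CONSTRUCTED_HOSTS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "name not known: " + name)


PEER = "::ffff:192.168.201.3"  # source address as reported in the VDSM log
```

With the constructed table, a certificate name of 'engine' is rejected because it does not resolve, while the IP literal and the resolvable name both match the mapped peer address.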