<div dir="auto">It was never there. When we use the ssl module we perform a client certificate check which is not available in our m2crypto code. The check fails because the name we use in the certificate is not resolvable in OST.</div><div class="gmail_extra"><br><div class="gmail_quote">30 Apr 2017 12:09 "Yaniv Kaul" <<a href="mailto:ykaul@redhat.com">ykaul@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 30, 2017 at 1:03 PM, Piotr Kliczewski <span dir="ltr"><<a href="mailto:piotr.kliczewski@gmail.com" target="_blank">piotr.kliczewski@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">When can we have it fixed? I checked a few minutes ago and the problem<br>
is still there.<br></blockquote><div><br></div><div><a href="https://gerrit.ovirt.org/#/c/76225/" target="_blank">https://gerrit.ovirt.org/#/c/<wbr>76225/</a> should cover this.</div><div><br></div><div>What I wonder is what caused this in the first place. The SSL change?</div><div>Y.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Thanks,<br>
Piotr<br>
<div class="m_2598716830295936737gmail-HOEnZb"><div class="m_2598716830295936737gmail-h5"><br>
On Sat, Apr 29, 2017 at 11:18 AM, Piotr Kliczewski <<a href="mailto:pkliczew@redhat.com" target="_blank">pkliczew@redhat.com</a>> wrote:<br>
> Nadav,<br>
><br>
> Yes, vdsm is not able to resolve 'engine' which is used in engine's<br>
> certificate.<br>
><br>
> Thanks,<br>
> Piotr<br>
><br>
> 29 Apr 2017 00:37 "Nadav Goldin" <<a href="mailto:ngoldin@redhat.com" target="_blank">ngoldin@redhat.com</a>> wrote:<br>
><br>
> Hi Piotr,<br>
> Can you clarify what you noticed is not resolvable - the 'engine' FQDN<br>
> from host0?<br>
><br>
> Thanks,<br>
> Nadav.<br>
><br>
><br>
> On Fri, Apr 28, 2017 at 4:15 PM, Piotr Kliczewski <<a href="mailto:pkliczew@redhat.com" target="_blank">pkliczew@redhat.com</a>><br>
> wrote:<br>
>> I started to investigate the issue [1] and it seems like there is an issue<br>
>> in Lago setup we use.<br>
>><br>
>> During the handshake we have a step to verify whether the client certificate was<br>
>> issued for a specific host (no such functionality in the m2crypto code base).<br>
>> It works fine when using either IP addresses or FQDNs but in this<br>
>> particular<br>
>> setup we use mixed.<br>
>><br>
>> When I added logging I saw that in the engine certificate we use the 'engine' name<br>
>> which is not resolvable on the host side and the check fails.<br>
>> I posted a patch [2] which fixes the IPv4-mapped addresses issue but we need<br>
>> to<br>
>> fix the setup issue.<br>
>><br>
>> Thanks,<br>
>> Piotr<br>
>><br>
>> [1] <a href="http://jenkins.ovirt.org/job/ovirt-system-tests_manual/326/" rel="noreferrer" target="_blank">http://jenkins.ovirt.org/job/o<wbr>virt-system-tests_manual/326/</a><br>
>> [2] <a href="https://gerrit.ovirt.org/#/c/76197/" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/#/c/7<wbr>6197/</a><br>
>><br>
>> On Thu, Apr 27, 2017 at 3:39 PM, Piotr Kliczewski <<a href="mailto:pkliczew@redhat.com" target="_blank">pkliczew@redhat.com</a>><br>
>> wrote:<br>
>>><br>
>>><br>
>>><br>
>>> On Thu, Apr 27, 2017 at 3:13 PM, Evgheni Dereveanchin<br>
>>> <<a href="mailto:ederevea@redhat.com" target="_blank">ederevea@redhat.com</a>> wrote:<br>
>>>><br>
>>>> Test failed: 002_bootstrap/add_hosts<br>
>>>><br>
>>>> Link to suspected patches:<br>
>>>> <a href="https://gerrit.ovirt.org/76107" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/76107</a> - ssl: change default library<br>
>>>><br>
>>>> Link to job:<br>
>>>> <a href="http://jenkins.ovirt.org/job/test-repo_ovirt_experimental_master/6491/" rel="noreferrer" target="_blank">http://jenkins.ovirt.org/job/t<wbr>est-repo_ovirt_experimental_ma<wbr>ster/6491/</a><br>
>>>><br>
>>>> VDSM log:<br>
>>>><br>
>>>><br>
>>>> <a href="http://jenkins.ovirt.org/job/test-repo_ovirt_experimental_master/6491/artifact/exported-artifacts/basic-suit-master-el7/test_logs/basic-suite-master/post-002_bootstrap.py/lago-basic-suite-master-host0/_var_log/vdsm/vdsm.log" rel="noreferrer" target="_blank">http://jenkins.ovirt.org/job/t<wbr>est-repo_ovirt_experimental_ma<wbr>ster/6491/artifact/exported-ar<wbr>tifacts/basic-suit-master-el7/<wbr>test_logs/basic-suite-master/<wbr>post-002_bootstrap.py/lago-<wbr>basic-suite-master-host0/_var_<wbr>log/vdsm/vdsm.log</a><br>
>>>><br>
>>>> Error snippet from VDSM log, this repeats on each connection attempt<br>
>>>> from<br>
>>>> Engine side:<br>
>>>><br>
>>>> <error><br>
>>>><br>
>>>> 2017-04-27 06:39:27,768-0400 INFO (Reactor thread)<br>
>>>> [ProtocolDetector.AcceptorImpl<wbr>] Accepted connection from<br>
>>>> ::ffff:<a href="http://192.168.201.3:49530" rel="noreferrer" target="_blank">192.168.201.3:49530</a> (protocoldetector:74)<br>
>>>> 2017-04-27 06:39:27,898-0400 ERROR (Reactor thread) [vds.dispatcher]<br>
>>>> uncaptured python exception, closing channel<br>
>>>> <yajsonrpc.betterAsyncore.Disp<wbr>atcher connected ('::ffff:192.168.201.3',<br>
>>>> 49530, 0, 0) at 0x1cc3b00> (<class 'socket.error'>:Address family not<br>
>>>> supported by protocol [/usr/lib64/python2.7/asyncore<wbr>.py|readwrite|110]<br>
>>>> [/usr/lib64/python2.7/asyncore<wbr>.py|handle_write_event|468]<br>
>>>><br>
>>>> [/usr/lib/python2.7/site-packa<wbr>ges/yajsonrpc/betterAsyncore.<wbr>py|handle_write|70]<br>
>>>><br>
>>>> [/usr/lib/python2.7/site-packa<wbr>ges/yajsonrpc/betterAsyncore.<wbr>py|_delegate_call|149]<br>
>>>> [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|handle_<wbr>write|213]<br>
>>>> [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|_handle_<wbr>io|223]<br>
>>>> [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|_verify_<wbr>host|237]<br>
>>>> [/usr/lib/python2.7/site-packa<wbr>ges/vdsm/sslutils.py|compare_<wbr>names|249])<br>
>>>> (betterAsyncore:160)<br>
>>>><br>
>>>> </error><br>
>>><br>
>>><br>
>>> This means that what we have in the certificate does not match the source<br>
>>> address we get. I suspect that we issue the certificate for 192.168.201.3<br>
>>> but then we get ::ffff:192.168.201.3.<br>
>>> The change was verified in an env where IPv4 is used. I pushed a revert<br>
>>> [1] for now so we can work on fixing the issue.<br>
>>><br>
>>> [1] <a href="https://gerrit.ovirt.org/#/c/76160" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/#/c/7<wbr>6160</a><br>
>>><br>
>>>><br>
>>>> --<br>
>>>> Regards,<br>
>>>> Evgheni Dereveanchin<br>
>>><br>
>>><br>
>><br>
>><br>
>> ______________________________<wbr>_________________<br>
>> Devel mailing list<br>
>> <a href="mailto:Devel@ovirt.org" target="_blank">Devel@ovirt.org</a><br>
>> <a href="http://lists.ovirt.org/mailman/listinfo/devel" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/devel</a><br>
><br>
><br>
><br>
</div></div></blockquote></div><br></div></div>
</blockquote></div></div>
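<div>The two failure modes discussed in this thread (a peer address arriving as the IPv4-mapped form ::ffff:192.168.201.3, and a certificate name such as 'engine' that the host cannot resolve) can be shown with a small peer-versus-certificate check. This is an added example, not vdsm's sslutils code; the function names, the injected resolver and the name engine.example.test are assumptions made for illustration.</div>

```python
import ipaddress
import socket


def normalize_peer(addr):
    """Parse an address string, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def system_resolver(name):
    """Resolve a name to a set of addresses; empty set if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # Drop any IPv6 scope id ("%eth0") before parsing.
    return {normalize_peer(info[4][0].split("%")[0]) for info in infos}


def peer_matches_cert(peer_addr, cert_names, resolver=system_resolver):
    """True only if a certificate name is, or resolves to, the peer address.

    Fails closed: an unresolvable name never matches.
    """
    peer = normalize_peer(peer_addr)
    for name in cert_names:
        try:
            # The certificate entry is itself an IP address literal.
            if normalize_peer(name) == peer:
                return True
            continue
        except ValueError:
            pass  # Not an address literal, treat it as a host name.
        if peer in resolver(name):
            return True
    return False


# Constructed sample data: only the fully qualified name resolves,
# mirroring a host that cannot resolve the bare name 'engine'.
HOSTS = {"engine.example.test": {ipaddress.ip_address("192.168.201.3")}}


def fake_resolver(name):
    """Offline stand-in for DNS, used so the example runs without a network."""
    return HOSTS.get(name, set())
```
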