[ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner

Hi,

I followed deployment manual from [1] and configured two DCs with single cluster each. During configuration of the UI I noticed that in optimizer result tab there was:

Status: Data refresh failed: undefined

with Martin's help we found that when setting security.mixed_content.block_active_content to false in FF configuration it works and I can see:

Status: Solution received

During the installation of second host network configuration failed and I opened BZ [2]. When I restored network configuration to the host I wanted to provision vms to see optaplanner suggestions but my rhel6 failed to start any vms due to:

Thread-8102::DEBUG::2014-09-17 16:36:16,216::libvirtconnection::143::root::(wrapper) Unknown libvirterror: ecode: 38 edom: 0 level: 2 message: Child quit during startup handshake: Input/output error
Thread-8102::DEBUG::2014-09-17 16:36:16,217::vm::2289::vm.Vm::(_startUnderlyingVm) vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::_ongoingCreations released
Thread-8102::ERROR::2014-09-17 16:36:16,217::vm::2326::vm.Vm::(_startUnderlyingVm) vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::The vm start process failed
Traceback (most recent call last):
  File "/usr/share/vdsm/virt/vm.py", line 2266, in _startUnderlyingVm
    self._run()
  File "/usr/share/vdsm/virt/vm.py", line 3368, in _run
    self._connection.createXML(domxml, flags),
  File "/usr/lib64/python2.6/site-packages/vdsm/libvirtconnection.py", line 111, in wrapper
    ret = f(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 2665, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirtError: Child quit during startup handshake: Input/output error
Thread-8102::DEBUG::2014-09-17 16:36:16,218::vm::2838::vm.Vm::(setDownStatus) vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::Changed state to Down: Child quit during startup handshake: Input/output error (code=1)

Vdsm is not able to start any vms but engine still thinks that host is 'UP'.

Thanks,
Piotr

[1] http://www.ovirt.org/Features/Optaplanner
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1142909

----- Original Message -----
> From: "Piotr Kliczewski" <piotr.kliczewski@gmail.com>
> To: devel@ovirt.org
> Sent: Wednesday, September 17, 2014 5:25:23 PM
> Subject: [ovirt-devel] [ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner
>
> Hi,
>
> I followed deployment manual from [1] and configured two DCs with single cluster each. During configuration of the UI I noticed that in optimizer result tab there was:
>
> Status: Data refresh failed: undefined
>
> with Martin's help we found that when setting
> security.mixed_content.block_active_content

This happens when WebAdmin page is loaded as HTTPS and UI plugin uses "active" content (XHR object, <script> etc.) that loads data as HTTP.

Loading HTTP content in HTTPS page is considered security vulnerability and should be avoided. By default, Firefox blocks mixed "active" content.

More details here: https://support.mozilla.org/en-US/questions/967115

Disabling mixed "active" content in browser is not a proper solution. UI plugin should load its content in a way that is compatible with protocol (i.e. HTTPS) used for enclosing page.

> to false in FF configuration it works and I can see:
>
> Status: Solution received
>
> During the installation of second host network configuration failed and I opened BZ [2]. When I restored network configuration to the host I wanted to provision vms to see optaplanner suggestions but my rhel6 failed to start any vms due to:
> Vdsm is not able to start any vms but engine still thinks that host is 'UP'.
>
> Thanks,
> Piotr
>
> [1] http://www.ovirt.org/Features/Optaplanner
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1142909
> _______________________________________________
> Devel mailing list
> Devel@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel

> Disabling mixed "active" content in browser is not a proper solution. UI plugin should load its content in a way that is compatible with protocol (i.e. HTTPS) used for enclosing page.

It is the only solution when the remote service does not support SSL. We might include SSL in some later version, but not for 3.5.

> Loading HTTP content in HTTPS page is considered security vulnerability and should be avoided. By default, Firefox blocks mixed "active" content.

I noticed and there is nothing I can do about that, but I never saw the rationale for that. Although I can see how M-i-M could compromise https page if handled poorly.

> This happens when WebAdmin page is loaded as HTTPS and UI plugin uses "active" content (XHR object, <script> etc.) that loads data as HTTP.

JSON is hardly active. But again.. I can't change the browser.

--
Martin Sivák
msivak@redhat.com
Red Hat Czech
RHEV-M SLA / Brno, CZ

----- Original Message -----
> From: "Martin Sivak" <msivak@redhat.com>
> To: "Vojtech Szocs" <vszocs@redhat.com>
> Cc: "Piotr Kliczewski" <piotr.kliczewski@gmail.com>, devel@ovirt.org
> Sent: Monday, September 22, 2014 2:04:32 PM
> Subject: Re: [ovirt-devel] [ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner
>
> > Disabling mixed "active" content in browser is not a proper solution. UI plugin should load its content in a way that is compatible with protocol (i.e. HTTPS) used for enclosing page.
>
> It is the only solution when the remote service does not support SSL. We might include SSL in some later version, but not for 3.5.

If you're requesting remote service directly from within HTTPS context, and this remote service doesn't support HTTPS access, you are correct, the only option is to disable mixed active content in the browser.

However, you could also work around this problem via proxy, for example.

> > Loading HTTP content in HTTPS page is considered security vulnerability and should be avoided. By default, Firefox blocks mixed "active" content.
>
> I noticed and there is nothing I can do about that, but I never saw the rationale for that. Although I can see how M-i-M could compromise https page if handled poorly.

I think that [1] explains the rationale behind mixed content, which is divided into two separate categories (active content & display content).

[1] https://developer.mozilla.org/en-US/docs/Security/MixedContent

Sniffers can steal sensitive data sent over HTTP. Man-in-Middle attacker can rewrite HTTP response to gain access to parts of web page (DOM) and ultimately compromise security of whole (HTTPS) page. This is why browsers typically block mixed active content (XMLHttpRequest, <iframe>, <script>, etc.)

> > This happens when WebAdmin page is loaded as HTTPS and UI plugin uses "active" content (XHR object, <script> etc.) that loads data as HTTP.
>
> JSON is hardly active. But again.. I can't change the browser.

Maliciously rewritten JSON can become active, containing functions. When interpreted via eval(), it becomes security issue. This is one of reasons why JSON.parse() was added to ES5 spec, to safely evaluate JSON strings.

> --
> Martin Sivák
> msivak@redhat.com
> Red Hat Czech
> RHEV-M SLA / Brno, CZ
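Added example, not part of the original thread and not oVirt or plugin code: the difference between eval() and JSON.parse() described in the reply above, run on a constructed response body. The field names "status" and "migrations" and both bodies are assumptions made for the illustration.

```javascript
// Added illustration, not code from the thread. The field names "status" and
// "migrations" and both response bodies are constructed for this example.

// What the optimizer service could return over plain HTTP.
const honestBody = '{"status":"Solution received","migrations":[]}';

// The same response after being rewritten in transit: still a valid JavaScript
// expression, but no longer JSON, because one value is now a function call.
const rewrittenBody =
  '{"status":"Solution received",' +
  '"migrations":(function(){globalThis.__rewrittenRan=true;return [];})()}';

// Pre-ES5 habit: hand the response text to the JavaScript interpreter.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// ES5 way: JSON.parse accepts only the JSON grammar, so it never runs code.
// The shape check rejects well-formed JSON the plugin does not expect.
function parseStrict(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: 'not valid JSON' };
  }
  const shapeOk = data !== null && typeof data === 'object' &&
    typeof data.status === 'string' && Array.isArray(data.migrations);
  return shapeOk ? { ok: true, data } : { ok: false, reason: 'unexpected shape' };
}

// Runs both parsers on the rewritten body and reports whether its code ran.
function compare() {
  delete globalThis.__rewrittenRan;
  const strict = parseStrict(rewrittenBody);
  const ranAfterStrict = globalThis.__rewrittenRan === true;
  const evaluated = parseWithEval(rewrittenBody);
  const ranAfterEval = globalThis.__rewrittenRan === true;
  return { strict, ranAfterStrict, evaluated, ranAfterEval };
}

console.log(compare());
```

JSON.parse() stops a rewritten response from running as code, but the values in it can still be read or altered in transit; only loading the data over HTTPS addresses that.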

On 22/09/14 14:04, Martin Sivak wrote:
> It is the only solution when the remote service does not support SSL. We might include SSL in some later version, but not for 3.5.

What is the problem which prevents inclusion of ssl support? Is this "just" work that needs to be done or are there any obstacles/bugs/design flaws which need to get fixed?

--
Regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID no.: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

It is just work that needs to be done.. the ssl certificates should be done properly together with the engine certificates.

Starting https server is easy, but the integration to the whole environment is a bit tricky so it can't be done properly that fast (especially when it is a tech preview feature and we still have blockers).

--
Martin Sivák
msivak@redhat.com
Red Hat Czech
RHEV-M SLA / Brno, CZ