[ovirt-users] oVirt 3.5 and SSLv3

--Sig_/5hzIpMGnpyZJ8h0tE1_0JkE Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fres= h install of CentOS 7.2, attempts to re-install failed, as did removing and= re-adding the node. Here is a log excerpt from the engine: 2016-04-19 18:22:01,100 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.React= orClient] (SSL Stomp Reactor) Connecting to eclipse.localdomain/10.71.10.249 2016-04-19 18:22:01,116 WARN [org.ovirt.vdsm.jsonrpc.client.utils.retry.Re= tryable] (SSL Stomp Reactor) Retry failed 2016-04-19 18:22:01,129 ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.React= orClient] (DefaultQuartzScheduler_Worker-38) Exception during connection 2016-04-19 18:22:01,208 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.Ge= tCapabilitiesVDSCommand] (DefaultQuartzScheduler_Worker-38) Command GetCapa= bilitiesVDSCommand(HostName =3D eclipse, HostId =3D 37a4a1c2-4906-489e-947c= -1ef9fb828bc5, vds=3DHost[eclipse,37a4a1c2-4906-489e-947c-1ef9fb828bc5]) ex= ecution failed. Exception: VDSNetworkException: java.net.NoRouteToHostExcep= tion: No route to host 2016-04-19 18:22:01,209 WARN [org.ovirt.engine.core.vdsbroker.VdsManager] = (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will = stay in Connecting state for a grace period of 120 seconds and after that a= n attempt to fence the host will be issued. 2016-04-19 18:22:01,938 ERROR [org.ovirt.engine.core.vdsbroker.VdsUpdateRun= TimeInfo] (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime= info: org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException: java.= net.NoRouteToHostException: No route to host at org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.creat= eNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:] Luckily seeing SSL+java in the log tickled my memory about java disabling S= SLv3, and google helped me find this workaround: - edit /usr/lib/jvm/java/jre/lib/security/java.security - look for jdk.tls.disabledAlgorithms - remove SSLv3 from the list - service ovirt-engine restart Google also tells me that this should be an issue for 3.5, and there is a vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find how to change/set it. Anyone know the secret? Robert --=20 Senior Software Engineer @ Parsons --Sig_/5hzIpMGnpyZJ8h0tE1_0JkE Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature --Sig_/5hzIpMGnpyZJ8h0tE1_0JkE--