--Sig_/MkLQoiV4wn/4AwG=_qj5J9E Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote: AW> On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote: AW> > Yesterday I had to re-install a host node in my 3.5.6 cluster. After = a fresh AW> > install of CentOS 7.2, attempts to re-install failed, as did removing= and AW> > re-adding the node. Here is a log excerpt from the engine: AW> >=20 AW> > [...] AW> > [org.ovirt.engine.core.vdsbroker.VdsManager] AW> > (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It= will AW> > stay in Connecting state for a grace period of 120 seconds and after = that AW> > an attempt to fence the host will be issued. 2016-04-19 18:22:01,938 = ERROR AW> > [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] AW> > (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime inf= o: AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException: AW> > java.net.NoRouteToHostException: No route to host at AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetw= orkExc AW> > eption(VdsBrokerCommand.java:126) [vdsbroker.jar:] AW> >=20 AW> > Luckily seeing SSL+java in the log tickled my memory about java disab= ling AW> > SSLv3, and google helped me find this workaround: AW> >=20 AW> > - edit /usr/lib/jvm/java/jre/lib/security/java.security AW> > - look for jdk.tls.disabledAlgorithms AW> > - remove SSLv3 from the list AW> > - service ovirt-engine restart AW> >=20 AW> > Google also tells me that this should be an issue for 3.5, and there = is a AW> > vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can'= t find AW> > how to change/set it. Anyone know the secret? AW>=20 AW> Pretty much everything engine related can be configured with AW> engine-config. engine-config -l will give you a list of all the AW> options. engine-config -g <key> will get the current value, AW> engine-config -s <key>=3D<value> will set it. A quick grep indicates th= at AW> you are looking for the VdsmSSLProtocol key. Hmmm.. # engine-config -g VdsmSSLProtocol VdsmSSLProtocol: TLSv1 version: general Looks like it's already set to TLS, making me wonder why I needed to remove= SSLv3. I just put it back and restarted the engine, and it seems to be co= mmunicating with all hosts ok. So maybe it's just some process/code using d= uring install that isn't using this setting... Robert --=20 Senior Software Engineer @ Parsons --Sig_/MkLQoiV4wn/4AwG=_qj5J9E Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEUEARECAAYFAlcXg+wACgkQ7/fVLLY1mngQdwCXdrkTBAZibgHjPnVSklsNKBgc tgCcDxw9HH8ydjtPEXV6Quqk41wSYlA= =U/SD -----END PGP SIGNATURE----- --Sig_/MkLQoiV4wn/4AwG=_qj5J9E--