--Sig_/MkLQoiV4wn/4AwG=_qj5J9E
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote:
AW> On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
AW> > Yesterday I had to re-install a host node in my 3.5.6 cluster. After =
a fresh
AW> > install of CentOS 7.2, attempts to re-install failed, as did removing=
and
AW> > re-adding the node. Here is a log excerpt from the engine:
AW> >=20
AW> > [...]
AW> > [org.ovirt.engine.core.vdsbroker.VdsManager]
AW> > (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It=
will
AW> > stay in Connecting state for a grace period of 120 seconds and after =
that
AW> > an attempt to fence the host will be issued. 2016-04-19 18:22:01,938 =
ERROR
AW> > [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
AW> > (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime inf=
o:
AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException:
AW> > java.net.NoRouteToHostException: No route to host at
AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetw=
orkExc
AW> > eption(VdsBrokerCommand.java:126) [vdsbroker.jar:]
AW> >=20
AW> > Luckily seeing SSL+java in the log tickled my memory about java disab=
ling
AW> > SSLv3, and google helped me find this workaround:
AW> >=20
AW> > - edit /usr/lib/jvm/java/jre/lib/security/java.security
AW> > - look for jdk.tls.disabledAlgorithms
AW> > - remove SSLv3 from the list
AW> > - service ovirt-engine restart
AW> >=20
AW> > Google also tells me that this should be an issue for 3.5, and there =
is a
AW> > vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can'=
t find
AW> > how to change/set it. Anyone know the secret?
AW>=20
AW> Pretty much everything engine related can be configured with
AW> engine-config. engine-config -l will give you a list of all the
AW> options. engine-config -g <key> will get the current value,
AW> engine-config -s <key>=3D<value> will set it. A quick grep indicates
th=
at
AW> you are looking for the VdsmSSLProtocol key.
Hmmm..
# engine-config -g VdsmSSLProtocol
VdsmSSLProtocol: TLSv1 version: general
Looks like it's already set to TLS, making me wonder why I needed to remove=
SSLv3. I just put it back and restarted the engine, and it seems to be co=
mmunicating with all hosts ok. So maybe it's just some process/code using d=
uring install that isn't using this setting...
Robert
--=20
Senior Software Engineer @ Parsons
--Sig_/MkLQoiV4wn/4AwG=_qj5J9E
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEUEARECAAYFAlcXg+wACgkQ7/fVLLY1mngQdwCXdrkTBAZibgHjPnVSklsNKBgc
tgCcDxw9HH8ydjtPEXV6Quqk41wSYlA=
=U/SD
-----END PGP SIGNATURE-----
--Sig_/MkLQoiV4wn/4AwG=_qj5J9E--