oVirt 3.5 and SSLv3

Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh install of CentOS 7.2, attempts to re-install failed, as did removing and re-adding the node. Here is a log excerpt from the engine:

2016-04-19 18:22:01,100 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) Connecting to eclipse.localdomain/10.71.10.249
2016-04-19 18:22:01,116 WARN [org.ovirt.vdsm.jsonrpc.client.utils.retry.Retryable] (SSL Stomp Reactor) Retry failed
2016-04-19 18:22:01,129 ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (DefaultQuartzScheduler_Worker-38) Exception during connection
2016-04-19 18:22:01,208 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand] (DefaultQuartzScheduler_Worker-38) Command GetCapabilitiesVDSCommand(HostName = eclipse, HostId = 37a4a1c2-4906-489e-947c-1ef9fb828bc5, vds=Host[eclipse,37a4a1c2-4906-489e-947c-1ef9fb828bc5]) execution failed. Exception: VDSNetworkException: java.net.NoRouteToHostException: No route to host
2016-04-19 18:22:01,209 WARN [org.ovirt.engine.core.vdsbroker.VdsManager] (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will stay in Connecting state for a grace period of 120 seconds and after that an attempt to fence the host will be issued.
2016-04-19 18:22:01,938 ERROR [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info: org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException: java.net.NoRouteToHostException: No route to host
        at org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:]

Luckily seeing SSL+java in the log tickled my memory about java disabling SSLv3, and google helped me find this workaround:

- edit /usr/lib/jvm/java/jre/lib/security/java.security
- look for jdk.tls.disabledAlgorithms
- remove SSLv3 from the list
- service ovirt-engine restart

Google also tells me that this should be an issue for 3.5, and there is a vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find how to change/set it. Anyone know the secret?

Robert
-- 
Senior Software Engineer @ Parsons

On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
> [...]
>
> Google also tells me that this should be an issue for 3.5, and there is a vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find how to change/set it. Anyone know the secret?
>
> Robert

Pretty much everything engine related can be configured with engine-config. engine-config -l will give you a list of all the options. engine-config -g <key> will get the current value, engine-config -s <key>=<value> will set it. A quick grep indicates that you are looking for the VdsmSSLProtocol key.

On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote:
AW> On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
AW> > [...]
AW> 
AW> Pretty much everything engine related can be configured with
AW> engine-config. engine-config -l will give you a list of all the
AW> options. engine-config -g <key> will get the current value,
AW> engine-config -s <key>=<value> will set it. A quick grep indicates that
AW> you are looking for the VdsmSSLProtocol key.

Hmmm..

# engine-config -g VdsmSSLProtocol
VdsmSSLProtocol: TLSv1 version: general

Looks like it's already set to TLS, making me wonder why I needed to remove SSLv3. I just put it back and restarted the engine, and it seems to be communicating with all hosts ok. So maybe it's just some process/code using during install that isn't using this setting...

Robert
-- 
Senior Software Engineer @ Parsons
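A check an administrator can run after following the workaround above, as an added example that is not from the thread or from oVirt: it reads the effective jdk.tls.disabledAlgorithms value out of a java.security fragment (joining backslash-continued lines, which Java properties files allow) and the protocol out of the engine-config -g VdsmSSLProtocol output quoted above, and reports whether SSLv3 has been put back on the disabled list while the engine still talks TLS to vdsm. The java.security fragments and the helper names (tls_disabled_algorithms, sslv3_disabled, vdsm_ssl_protocol, audit) are constructed for this example; the engine-config line is the one shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or oVirt: audit the two settings the
# thread touches, so the SSLv3 re-enable workaround is not left in place.
# The java.security fragments are constructed; the engine-config line is
# the one quoted in the thread.
SAMPLE_DEFAULT='jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    DH keySize < 768'                       # JVM default, value continued
SAMPLE_WORKAROUND='jdk.tls.disabledAlgorithms=RC4, DH keySize < 768'  # after the workaround
SAMPLE_ENGINE_CONFIG='VdsmSSLProtocol: TLSv1 version: general'

# Print the effective jdk.tls.disabledAlgorithms value, joining lines that
# end in a backslash (the properties-file continuation the JVM accepts).
tls_disabled_algorithms() {
  printf '%s\n' "$1" | awk '
    cont { v = v $0; if (sub(/\\[ \t]*$/, "", v)) next; print v; cont = 0; next }
    /^[ \t]*#/ { next }
    /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v)
      if (sub(/\\[ \t]*$/, "", v)) { cont = 1; next }
      print v
    }'
}

# Succeed only when SSLv3 appears as a whole token in the disabled list.
sslv3_disabled() {
  tls_disabled_algorithms "$1" | grep -qE '(^|[^A-Za-z0-9_])SSLv3([^A-Za-z0-9_]|$)'
}

# Pull the protocol out of engine-config -g output ("Key: value version: ...").
vdsm_ssl_protocol() {
  printf '%s\n' "$1" | sed -n 's/^VdsmSSLProtocol:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# audit JAVA_SECURITY_TEXT ENGINE_CONFIG_OUTPUT -> 0 only when both look right.
audit() {
  status=0
  if sslv3_disabled "$1"; then
    echo "java.security: SSLv3 disabled (ok)"
  else
    echo "java.security: SSLv3 missing from jdk.tls.disabledAlgorithms"; status=1
  fi
  proto=$(vdsm_ssl_protocol "$2")
  case "$proto" in
    TLSv1*) echo "VdsmSSLProtocol: $proto (ok)" ;;
    *)      echo "VdsmSSLProtocol: ${proto:-unset} (expected a TLS version)"; status=1 ;;
  esac
  return "$status"
}
audit "$SAMPLE_WORKAROUND" "$SAMPLE_ENGINE_CONFIG" || echo "audit: findings above"
```

On a real engine host, feed audit the contents of /usr/lib/jvm/java/jre/lib/security/java.security and the output of engine-config -g VdsmSSLProtocol instead of the constructed samples.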

Robert,

Looking at the info you pasted I see: "java.net.NoRouteToHostException: No route to host". It usually means that there is/was something wrong with your network.

Thanks,
Piotr

On Wed, Apr 20, 2016 at 3:28 PM, Robert Story <rstory@tislabs.com> wrote:
> On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote:
> AW> [...]
> AW> Pretty much everything engine related can be configured with
> AW> engine-config. engine-config -l will give you a list of all the
> AW> options. engine-config -g <key> will get the current value,
> AW> engine-config -s <key>=<value> will set it. A quick grep indicates that
> AW> you are looking for the VdsmSSLProtocol key.
>
> Hmmm..
>
> # engine-config -g VdsmSSLProtocol
> VdsmSSLProtocol: TLSv1 version: general
>
> Looks like it's already set to TLS, making me wonder why I needed to remove SSLv3. I just put it back and restarted the engine, and it seems to be communicating with all hosts ok. So maybe it's just some process/code using during install that isn't using this setting...
>
> Robert
> -- 
> Senior Software Engineer @ Parsons
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Sun, 24 Apr 2016 21:37:07 +0200 Piotr wrote:
PK> Looking at the info you pasted I see:
PK> "java.net.NoRouteToHostException: No route to host".
PK> It usually means that there is/was something wrong with your network.

I saw that too, and tried pings first. Those worked fine, and the re-install worked right away after I made the java sslv3 change. I'm going to reinstall and move a host from a different lab. We'll see if I have the same experience with it...

Robert

PK> On Wed, Apr 20, 2016 at 3:28 PM, Robert Story <rstory@tislabs.com> wrote:
PK> > [...]
participants (3)
- Alexander Wels
- Piotr Kliczewski
- Robert Story