Hi Everyone, I have updated my nodes to the latest vdsm. After updating when i try to run "vdsClient -s localhost glusterVolumeStatsInfoGet volumeName=<vol_name>" i see the following output displayed. Traceback (most recent call last): File "/usr/share/vdsm/vdsClient.py", line 2839, in <module> code, message = commands[command][0](commandArgs) File "/usr/share/vdsm/vdsClientGluster.py", line 430, in do_glusterVolumeStatsInfoGet status = self.s.glusterVolumeStatsInfoGet(volumeName) File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__ return self.__send(self.__name, args) File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request verbose=self.__verbose File "/usr/lib64/python2.6/xmlrpclib.py", line 1237, in request errcode, errmsg, headers = h.getreply() File "/usr/lib64/python2.6/httplib.py", line 1064, in getreply response = self._conn.getresponse() File "/usr/lib64/python2.6/httplib.py", line 990, in getresponse response.begin() File "/usr/lib64/python2.6/httplib.py", line 391, in begin version, status, reason = self._read_status() File "/usr/lib64/python2.6/httplib.py", line 349, in _read_status line = self.fp.readline() File "/usr/lib64/python2.6/socket.py", line 433, in readline data = recv(1) File "/usr/lib64/python2.6/ssl.py", line 215, in recv return self.read(buflen) File "/usr/lib64/python2.6/ssl.py", line 136, in read return self._sslobj.read(len) SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version Can some one help me to resolve this issue. Version of vdsm: vdsm-python-4.17.0-616.git7548f81.el6.noarch vdsm-4.17.0-616.git7548f81.el6.x86_64 vdsm-cli-4.17.0-616.git7548f81.el6.noarch vdsm-yajsonrpc-4.17.0-616.git7548f81.el6.noarch vdsm-xmlrpc-4.17.0-616.git7548f81.el6.noarch vdsm-gluster-4.17.0-616.git7548f81.el6.noarch vdsm-infra-4.17.0-616.git7548f81.el6.noarch vdsm-jsonrpc-4.17.0-616.git7548f81.el6.noarch Thanks kasturi.
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: users@ovirt.org Sent: Tuesday, April 7, 2015 3:15:12 PM Subject: [ovirt-users] Issue with vdsm on EL6 nodes
<snip>
SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Can some one help me to resolve this issue.
your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3. please upgrade engine to latest z-stream, it should be resolved.
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: users@ovirt.org Sent: Tuesday, April 7, 2015 3:15:12 PM Subject: [ovirt-users] Issue with vdsm on EL6 nodes
<snip>
SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved.
Hi Alon, I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch. engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) Thanks kasturi.
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: users@ovirt.org Sent: Tuesday, April 7, 2015 3:15:12 PM Subject: [ovirt-users] Issue with vdsm on EL6 nodes
<snip>
SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved.
Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row)
hmmm.... and you say you get this when you use vdsClient, so maybe it tries to connect using sslv3. is engine working proberly?
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: users@ovirt.org Sent: Tuesday, April 7, 2015 3:15:12 PM Subject: [ovirt-users] Issue with vdsm on EL6 nodes
<snip>
SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:39:58 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: users@ovirt.org Sent: Tuesday, April 7, 2015 3:15:12 PM Subject: [ovirt-users] Issue with vdsm on EL6 nodes
<snip>
SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
compare openssl version. yaniv, please fix the vdsClient to use TLSv1
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:39:58 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: users@ovirt.org Sent: Tuesday, April 7, 2015 3:15:12 PM Subject: [ovirt-users] Issue with vdsm on EL6 nodes
<snip>
SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
compare openssl version.
yaniv, please fix the vdsClient to use TLSv1
should it use v1 always (forcefully)? we can do that, but currently it chooses the highest version both parties are able to use -- Yaniv Bronhaim.
----- Original Message -----
From: "ybronhei" <ybronhei@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "knarra" <knarra@redhat.com>, users@ovirt.org, "Dima Kuznetsov" <dkuznets@redhat.com> Sent: Sunday, April 12, 2015 12:17:03 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:39:58 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message ----- > From: "knarra" <knarra@redhat.com> > To: users@ovirt.org > Sent: Tuesday, April 7, 2015 3:15:12 PM > Subject: [ovirt-users] Issue with vdsm on EL6 nodes > <snip>
> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL > routines:SSL3_READ_BYTES:tlsv1 alert protocol version > > Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it
----- Original Message ----- tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
compare openssl version.
yaniv, please fix the vdsClient to use TLSv1
should it use v1 always (forcefully)? we can do that, but currently it chooses the highest version both parties are able to use
it looks like it uses SSLv3 per this report.
On 04/12/2015 12:17 PM, ybronhei wrote:
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:39:58 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message ----- > From: "knarra" <knarra@redhat.com> > To: users@ovirt.org > Sent: Tuesday, April 7, 2015 3:15:12 PM > Subject: [ovirt-users] Issue with vdsm on EL6 nodes > <snip>
> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL > routines:SSL3_READ_BYTES:tlsv1 alert protocol version > > Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
compare openssl version.
yaniv, please fix the vdsClient to use TLSv1
should it use v1 always (forcefully)? we can do that, but currently it chooses the highest version both parties are able to use
Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when using ssl.PROTOCOL_SSLv23 (the highest version both sides support) - ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore current 3.6 code works as expected in el7\fedora>20. If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only do we want that? if so we need bug for 3.5 -- Yaniv Bronhaim.
----- Original Message -----
From: "ybronhei" <ybronhei@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com>, "Dan Kenigsberg" <danken@redhat.com> Cc: users@ovirt.org, "Oved Ourfalli" <oourfali@redhat.com>, devel@ovirt.org Sent: Sunday, April 12, 2015 1:56:18 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/12/2015 12:17 PM, ybronhei wrote:
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:39:58 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote: > ----- Original Message ----- >> From: "knarra" <knarra@redhat.com> >> To: users@ovirt.org >> Sent: Tuesday, April 7, 2015 3:15:12 PM >> Subject: [ovirt-users] Issue with vdsm on EL6 nodes >> > <snip> > >> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL >> routines:SSL3_READ_BYTES:tlsv1 alert protocol version >> >> Can some one help me to resolve this issue. > your openssl is patched to disable ssv3, and engine is trying to > communicate using sslv3. > > please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
compare openssl version.
yaniv, please fix the vdsClient to use TLSv1
should it use v1 always (forcefully)? we can do that, but currently it chooses the highest version both parties are able to use
Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -
ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore current 3.6 code works as expected in el7\fedora>20.
If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only
do we want that? if so we need bug for 3.5
as far as I understand the ssl.PROTOCOL_SSLv23 will also use TLSv1, the problem is at client side not at server side. Alon
participants (3)
-
Alon Bar-Lev -
knarra -
ybronhei