[ovirt-devel] SSO and the engine

Piotr Kliczewski piotr.kliczewski at gmail.com
Fri Jan 27 15:16:07 UTC 2017


Сергей Скурлаев suggested to me that there is newer version of jdk in
updates-testing.

I had updated java-1.8.0-openjdk to 1:1.8.0.121-1.b14.fc24 and I was
able to add host properly.

On Fri, Jan 27, 2017 at 2:57 PM, Piotr Kliczewski
<piotr.kliczewski at gmail.com> wrote:
> I downgraded jdk and it did not help.
>
> My dnf says when I attempt to install as in the link:
>
> No package nss-3.27.0-1.1.fc25.x86_64 available.
> No package nss-softokn-3.27.0-1.0.fc25.x86_64 available.
> No package nss-softokn-freebl-3.27.0-1.0.fc25.x86_64 available.
> No package nss-sysinit-3.27.0-1.1.fc25.x86_64 available.
> No package nss-tools-3.27.0-1.1.fc25.x86_64 available.
> No package nss-util-3.27.0-1.0.fc25.x86_64 available.
>
> I am not able to downgrade nss due to conflicts with other packages.:
>
>
> On Fri, Jan 27, 2017 at 2:23 PM, Benny Zlotnik <bzlotnik at redhat.com> wrote:
>> You can also try downgrading the nss packages, see:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1415137#c15
>>
>> On Fri, Jan 27, 2017 at 3:18 PM, Piotr Kliczewski
>> <piotr.kliczewski at gmail.com> wrote:
>>>
>>> I was too fast to send the update. I am able to login now but I see
>>> core dump during host add:
>>>
>>> 2017-01-27 14:14:01,906+01 ERROR
>>> [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-58)
>>> [20086bed-e76d-42ef-9ab1-30c8e965374b] Failed to establish session
>>> with host 'fedora': SSH session closed during connection
>>> 'root at 192.168.1.102'
>>> 2017-01-27 14:14:01,907+01 WARN
>>> [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-58)
>>> [20086bed-e76d-42ef-9ab1-30c8e965374b] Validation of action 'AddVds'
>>> failed for user admin at internal-authz. Reasons:
>>> VAR__ACTION__ADD,VAR__TYPE__HOST,$server
>>> 192.168.1.102,VDS_CANNOT_CONNECT_TO_SERVER
>>> #
>>> # A fatal error has been detected by the Java Runtime Environment:
>>> #
>>> #  SIGSEGV (0xb) at pc=0x00007f7c9d773734, pid=20890,
>>> tid=0x00007f7c6c148700
>>> #
>>> # JRE version: OpenJDK Runtime Environment (8.0_111-b16) (build
>>> 1.8.0_111-b16)
>>> # Java VM: OpenJDK 64-Bit Server VM (25.111-b16 mixed mode linux-amd64
>>> compressed oops)
>>> # Problematic frame:
>>> # C  [libc.so.6+0x14a734]  __memcpy_avx_unaligned+0x2c4
>>> #
>>> # Failed to write core dump. Core dumps have been disabled. To enable
>>> core dumping, try "ulimit -c unlimited" before starting Java again
>>> #
>>> # An error report file with more information is saved as:
>>> # /tmp/hs_err_pid20890.log
>>> #
>>> # If you would like to submit a bug report, please visit:
>>> #   http://bugreport.java.com/bugreport/crash.jsp
>>> #
>>> ovirt-engine[20848] ERROR run:554 Error: process terminated with status
>>> code -6
>>>
>>> 2017-01-27 14:14:01,756+01 INFO
>>> [org.apache.sshd.common.util.SecurityUtils] (default task-58)
>>> BouncyCastle not registered, using the default JCE provider
>>> 2017-01-27 14:14:01,870+01 INFO
>>> [org.apache.sshd.client.session.ClientSessionImpl]
>>> (sshd-SshClient[26c9f7da]-nio2-thread-1) Client session created
>>> 2017-01-27 14:14:01,885+01 INFO
>>> [org.apache.sshd.client.session.ClientSessionImpl]
>>> (sshd-SshClient[26c9f7da]-nio2-thread-1) Server version string:
>>> SSH-2.0-OpenSSH_7.2
>>> 2017-01-27 14:14:01,886+01 INFO
>>> [org.apache.sshd.client.session.ClientSessionImpl]
>>> (sshd-SshClient[26c9f7da]-nio2-thread-1) Kex: server->client
>>> aes128-ctr hmac-sha2-256 none
>>> 2017-01-27 14:14:01,886+01 INFO
>>> [org.apache.sshd.client.session.ClientSessionImpl]
>>> (sshd-SshClient[26c9f7da]-nio2-thread-1) Kex: client->server
>>> aes128-ctr hmac-sha2-256 none
>>> 2017-01-27 14:14:01,896+01 WARN
>>> [org.apache.sshd.client.session.ClientSessionImpl]
>>> (sshd-SshClient[26c9f7da]-nio2-thread-1) Exception caught:
>>> java.security.ProviderException: java.lang.NegativeArraySizeException
>>> at
>>> sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:147)
>>> at
>>> java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:703)
>>> [rt.jar:1.8.0_111]
>>> at org.apache.sshd.common.kex.ECDH.getE(ECDH.java:59)
>>> at
>>> org.apache.sshd.client.kex.AbstractDHGClient.init(AbstractDHGClient.java:78)
>>> at
>>> org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:359)
>>> at
>>> org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:295)
>>> at
>>> org.apache.sshd.client.session.ClientSessionImpl.handleMessage(ClientSessionImpl.java:256)
>>> at
>>> org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:731)
>>> at
>>> org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:277)
>>> at
>>> org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:187)
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:173)
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> [rt.jar:1.8.0_111]
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)
>>> at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126) [rt.jar:1.8.0_111]
>>> at sun.nio.ch.Invoker.invokeDirect(Invoker.java:157) [rt.jar:1.8.0_111]
>>> at
>>> sun.nio.ch.UnixAsynchronousSocketChannelImpl.implRead(UnixAsynchronousSocketChannelImpl.java:553)
>>> [rt.jar:1.8.0_111]
>>> at
>>> sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:276)
>>> [rt.jar:1.8.0_111]
>>> at
>>> sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:297)
>>> [rt.jar:1.8.0_111]
>>> at
>>> java.nio.channels.AsynchronousSocketChannel.read(AsynchronousSocketChannel.java:420)
>>> [rt.jar:1.8.0_111]
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:173)
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2Connector$1.onCompleted(Nio2Connector.java:53)
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2Connector$1.onCompleted(Nio2Connector.java:46)
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> [rt.jar:1.8.0_111]
>>> at
>>> org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)
>>> at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126) [rt.jar:1.8.0_111]
>>> at sun.nio.ch.Invoker$2.run(Invoker.java:218) [rt.jar:1.8.0_111]
>>> at
>>> sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
>>> [rt.jar:1.8.0_111]
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> [rt.jar:1.8.0_111]
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> [rt.jar:1.8.0_111]
>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
>>> Caused by: java.lang.NegativeArraySizeException
>>> at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
>>> at
>>> sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)
>>> ... 32 more
>>>
>>> On Fri, Jan 27, 2017 at 1:56 PM, Piotr Kliczewski
>>> <piotr.kliczewski at gmail.com> wrote:
>>> > Thank you Juan, It fixed my issue
>>> >
>>> > I updated java.security and changed:
>>> >
>>> > from
>>> >
>>> > jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
>>> >
>>> > to
>>> >
>>> > jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768, EC, ECDHE, ECDH
>>> >
>>> > Thanks,
>>> > Piotr
>>> >
>>> > On Fri, Jan 27, 2017 at 1:42 PM, Juan Hernández <jhernand at redhat.com>
>>> > wrote:
>>> >> See this Piotr:
>>> >>
>>> >>
>>> >>
>>> >> http://post-office.corp.redhat.com/archives/rhev-devel/2017-January/msg00269.html
>>> >>
>>> >> Benny, may be worth publishing it to the upstream devel list.
>>> >>
>>> >> On 01/27/2017 01:35 PM, Piotr Kliczewski wrote:
>>> >>> All,
>>> >>>
>>> >>> I pulled the latest source from master and rebuilt my engine. Every
>>> >>> time I attempt to login I see:
>>> >>>
>>> >>> 2017-01-27 13:22:51,403+01 INFO
>>> >>> [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default
>>> >>> task-54) [] User admin at internal successfully logged in with scopes:
>>> >>> ovirt-app-admin ovirt-app-api ovirt-app-portal
>>> >>> ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
>>> >>> ovirt-ext=token-info:authz-search
>>> >>> ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
>>> >>> ovirt-ext=token:password-access
>>> >>> #
>>> >>> # A fatal error has been detected by the Java Runtime Environment:
>>> >>> #
>>> >>> #  SIGSEGV (0xb) at pc=0x00007f514eb45734, pid=2519,
>>> >>> tid=0x00007f51119a6700
>>> >>> #
>>> >>> # JRE version: OpenJDK Runtime Environment (8.0_111-b16) (build
>>> >>> 1.8.0_111-b16)
>>> >>> # Java VM: OpenJDK 64-Bit Server VM (25.111-b16 mixed mode linux-amd64
>>> >>> compressed oops)
>>> >>> # Problematic frame:
>>> >>> # C  [libc.so.6+0x14a734]  __memcpy_avx_unaligned+0x2c4
>>> >>> #
>>> >>> # Failed to write core dump. Core dumps have been disabled. To enable
>>> >>> core dumping, try "ulimit -c unlimited" before starting Java again
>>> >>> #
>>> >>> # An error report file with more information is saved as:
>>> >>> # /tmp/hs_err_pid2519.log
>>> >>> #
>>> >>> # If you would like to submit a bug report, please visit:
>>> >>> #   http://bugreport.java.com/bugreport/crash.jsp
>>> >>> #
>>> >>> ovirt-engine[2471] ERROR run:554 Error: process terminated with status
>>> >>> code -6
>>> >>>
>>> >>> I enabled ssl debug to find:
>>> >>>
>>> >>> 2017-01-27 13:22:37,641+01 INFO  [stdout] (default I/O-2) default
>>> >>> I/O-2, fatal error: 80: problem unwrapping net record
>>> >>> 2017-01-27 13:22:37,642+01 INFO  [stdout] (default I/O-2)
>>> >>> java.lang.RuntimeException: java.lang.NegativeArraySizeException
>>> >>> 2017-01-27 13:22:37,642+01 INFO  [stdout] (default I/O-2) %%
>>> >>> Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
>>> >>> 2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
>>> >>> I/O-2, SEND TLSv1.2 ALERT:  fatal, description = internal_error
>>> >>> 2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
>>> >>> I/O-2, WRITE: TLSv1.2 Alert, length = 2
>>> >>> 2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
>>> >>> I/O-2, called closeInbound()
>>> >>> 2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
>>> >>> I/O-2, fatal: engine already closed.  Rethrowing
>>> >>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>>> >>> close_notify: possible truncation attack?
>>> >>> 2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
>>> >>> I/O-2, called closeOutbound()
>>> >>> 2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
>>> >>> I/O-2, closeOutboundInternal()
>>> >>> 2017-01-27 13:22:37,644+01 INFO  [stdout] (default task-1) default
>>> >>> task-1, received EOFException: error
>>> >>> 2017-01-27 13:22:37,644+01 INFO  [stdout] (default task-1) default
>>> >>> task-1, handling exception: javax.net.ssl.SSLHandshakeException:
>>> >>> Remote host closed connection during handshake
>>> >>> 2017-01-27 13:22:37,645+01 INFO  [stdout] (default task-1) default
>>> >>> task-1, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
>>> >>> 2017-01-27 13:22:37,645+01 INFO  [stdout] (default task-1) default
>>> >>> task-1, WRITE: TLSv1.2 Alert, length = 2
>>> >>> 2017-01-27 13:22:37,645+01 INFO  [stdout] (default task-1) [Raw
>>> >>> write]: length = 7
>>> >>> 2017-01-27 13:22:37,647+01 INFO  [stdout] (default task-1) 0000: 15 03
>>> >>> 03 00 02 02 28                               ......(
>>> >>> 2017-01-27 13:22:37,647+01 INFO  [stdout] (default task-1) default
>>> >>> task-1, called closeSocket()
>>> >>> 2017-01-27 13:22:37,644+01 ERROR [org.xnio.nio] (default I/O-2)
>>> >>> XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1 at 6d665208
>>> >>> failed with an exception: java.lang.RuntimeException:
>>> >>> java.lang.NegativeArraySizeException
>>> >>> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at
>>> >>> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at
>>> >>> sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>> >>> [rt.jar:1.8.0_111]
>>> >>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:742)
>>> >>> at
>>> >>> io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:639)
>>> >>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>> >>> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1035)
>>> >>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
>>> >>> [xnio-nio-3.4.0.Final.jar:3.4.0.Final]
>>> >>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
>>> >>> [xnio-nio-3.4.0.Final.jar:3.4.0.Final]
>>> >>> Caused by: java.security.ProviderException:
>>> >>> java.lang.NegativeArraySizeException
>>> >>> at
>>> >>> sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:147)
>>> >>> at
>>> >>> java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:703)
>>> >>> [rt.jar:1.8.0_111]
>>> >>> at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:64)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at
>>> >>> sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1432)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at
>>> >>> sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1219)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at
>>> >>> sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1023)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at
>>> >>> sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at
>>> >>> sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at java.security.AccessController.doPrivileged(Native Method)
>>> >>> [rt.jar:1.8.0_111]
>>> >>> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
>>> >>> [jsse.jar:1.8.0_111]
>>> >>> at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1023)
>>> >>> at
>>> >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> >>> [rt.jar:1.8.0_111]
>>> >>> at
>>> >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> >>> [rt.jar:1.8.0_111]
>>> >>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
>>> >>> Caused by: java.lang.NegativeArraySizeException
>>> >>> at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
>>> >>> at
>>> >>> sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)
>>> >>> ... 16 more
>>> >>>
>>> >>> Are we aware of the issue? Is there any workaround?
>>> >>>
>>> >>> I am using fedora 24 with all recent updates applied.
>>> >>>
>>> >>> Thanks,
>>> >>> Piotr
>>> >>>
>>> >>>
>>> >>>
>>> >>> _______________________________________________
>>> >>> Devel mailing list
>>> >>> Devel at ovirt.org
>>> >>> http://lists.ovirt.org/mailman/listinfo/devel
>>> >>>
>>> >>
>>
>>


More information about the Devel mailing list