[ovirt-users] oVirt 3.5 and SSLv3

Piotr Kliczewski piotr.kliczewski at gmail.com
Sun Apr 24 19:37:07 UTC 2016


Robert,

Looking at the info you pasted I see:
"java.net.NoRouteToHostException: No route to host".
It usually mean that there is/was something wrong with your network.

Thanks,
Piotr

On Wed, Apr 20, 2016 at 3:28 PM, Robert Story <rstory at tislabs.com> wrote:
> On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote:
> AW> On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
> AW> > Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh
> AW> > install of CentOS 7.2, attempts to re-install failed, as did removing and
> AW> > re-adding the node. Here is a log excerpt from the engine:
> AW> >
> AW> > [...]
> AW> > [org.ovirt.engine.core.vdsbroker.VdsManager]
> AW> > (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will
> AW> > stay in Connecting state for a grace period of 120 seconds and after that
> AW> > an attempt to fence the host will be issued. 2016-04-19 18:22:01,938 ERROR
> AW> > [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
> AW> > (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info:
> AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException:
> AW> > java.net.NoRouteToHostException: No route to host at
> AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkExc
> AW> > eption(VdsBrokerCommand.java:126) [vdsbroker.jar:]
> AW> >
> AW> > Luckily seeing SSL+java in the log tickled my memory about java disabling
> AW> > SSLv3, and google helped me find this workaround:
> AW> >
> AW> >  - edit /usr/lib/jvm/java/jre/lib/security/java.security
> AW> >  - look for jdk.tls.disabledAlgorithms
> AW> >  - remove SSLv3 from the list
> AW> >  - service ovirt-engine restart
> AW> >
> AW> > Google also tells me that this should be an issue for 3.5, and there is a
> AW> > vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find
> AW> > how to change/set it. Anyone know the secret?
> AW>
> AW> Pretty much everything engine related can be configured with
> AW> engine-config. engine-config -l will give you a list of all the
> AW> options. engine-config -g <key> will get the current value,
> AW> engine-config -s <key>=<value> will set it. A quick grep indicates that
> AW> you are looking for the VdsmSSLProtocol key.
>
> Hmmm..
>
>   # engine-config -g VdsmSSLProtocol
>   VdsmSSLProtocol: TLSv1 version: general
>
> Looks like it's already set to TLS, making me wonder why I needed to remove SSLv3.  I just put it back and restarted the engine, and it seems to be communicating with all hosts ok. So maybe it's just some process/code using during install that isn't using this setting...
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>



More information about the Users mailing list