Re: [ovirt-users] oVirt 3.5 and SSLv3

2016-04-25 Thread Robert Story
On Sun, 24 Apr 2016 21:37:07 +0200 Piotr wrote:
PK> Looking at the info you pasted I see:
PK> "java.net.NoRouteToHostException: No route to host".
PK> It usually means that there is/was something wrong with your network.

I saw that too, and tried pings first. Those worked fine, and the
re-install worked right away after I made the java sslv3 change.

I'm going to reinstall and move a host from a different lab. We'll see if I
have the same experience with it...

Robert

PK> On Wed, Apr 20, 2016 at 3:28 PM, Robert Story wrote:
PK> > On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote:
PK> > AW> On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
PK> > AW> > Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh
PK> > AW> > install of CentOS 7.2, attempts to re-install failed, as did removing and
PK> > AW> > re-adding the node. Here is a log excerpt from the engine:
PK> > AW> >
PK> > AW> > [...]
PK> > AW> > [org.ovirt.engine.core.vdsbroker.VdsManager]
PK> > AW> > (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will
PK> > AW> > stay in Connecting state for a grace period of 120 seconds and after that
PK> > AW> > an attempt to fence the host will be issued. 2016-04-19 18:22:01,938 ERROR
PK> > AW> > [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
PK> > AW> > (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info:
PK> > AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException:
PK> > AW> > java.net.NoRouteToHostException: No route to host at
PK> > AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:]
PK> > AW> >
PK> > AW> > Luckily seeing SSL+java in the log tickled my memory about java disabling
PK> > AW> > SSLv3, and google helped me find this workaround:
PK> > AW> >
PK> > AW> >  - edit /usr/lib/jvm/java/jre/lib/security/java.security
PK> > AW> >  - look for jdk.tls.disabledAlgorithms
PK> > AW> >  - remove SSLv3 from the list
PK> > AW> >  - service ovirt-engine restart
PK> > AW> >
PK> > AW> > Google also tells me that this should be an issue for 3.5, and there is a
PK> > AW> > vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find
PK> > AW> > how to change/set it. Anyone know the secret?
PK> > AW>
PK> > AW> Pretty much everything engine related can be configured with
PK> > AW> engine-config. engine-config -l will give you a list of all the
PK> > AW> options. engine-config -g  will get the current value,
PK> > AW> engine-config -s = will set it. A quick grep indicates that
PK> > AW> you are looking for the VdsmSSLProtocol key.
PK> >
PK> > Hmmm..
PK> >
PK> >   # engine-config -g VdsmSSLProtocol
PK> >   VdsmSSLProtocol: TLSv1 version: general
PK> >
PK> > Looks like it's already set to TLS, making me wonder why I needed to remove
PK> > SSLv3.  I just put it back and restarted the engine, and it seems to be
PK> > communicating with all hosts ok. So maybe it's just some process/code using
PK> > during install that isn't using this setting...


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 3.5 and SSLv3

2016-04-24 Thread Piotr Kliczewski
Robert,

Looking at the info you pasted I see:
"java.net.NoRouteToHostException: No route to host".
It usually means that there is/was something wrong with your network.

Thanks,
Piotr

On Wed, Apr 20, 2016 at 3:28 PM, Robert Story wrote:
> On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote:
> AW> On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
> AW> > Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh
> AW> > install of CentOS 7.2, attempts to re-install failed, as did removing and
> AW> > re-adding the node. Here is a log excerpt from the engine:
> AW> >
> AW> > [...]
> AW> > [org.ovirt.engine.core.vdsbroker.VdsManager]
> AW> > (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will
> AW> > stay in Connecting state for a grace period of 120 seconds and after that
> AW> > an attempt to fence the host will be issued. 2016-04-19 18:22:01,938 ERROR
> AW> > [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
> AW> > (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info:
> AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException:
> AW> > java.net.NoRouteToHostException: No route to host at
> AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:]
> AW> >
> AW> > Luckily seeing SSL+java in the log tickled my memory about java disabling
> AW> > SSLv3, and google helped me find this workaround:
> AW> >
> AW> >  - edit /usr/lib/jvm/java/jre/lib/security/java.security
> AW> >  - look for jdk.tls.disabledAlgorithms
> AW> >  - remove SSLv3 from the list
> AW> >  - service ovirt-engine restart
> AW> >
> AW> > Google also tells me that this should be an issue for 3.5, and there is a
> AW> > vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find
> AW> > how to change/set it. Anyone know the secret?
> AW>
> AW> Pretty much everything engine related can be configured with
> AW> engine-config. engine-config -l will give you a list of all the
> AW> options. engine-config -g  will get the current value,
> AW> engine-config -s = will set it. A quick grep indicates that
> AW> you are looking for the VdsmSSLProtocol key.
>
> Hmmm..
>
>   # engine-config -g VdsmSSLProtocol
>   VdsmSSLProtocol: TLSv1 version: general
>
> Looks like it's already set to TLS, making me wonder why I needed to remove
> SSLv3.  I just put it back and restarted the engine, and it seems to be
> communicating with all hosts ok. So maybe it's just some process/code using
> during install that isn't using this setting...
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
>


Re: [ovirt-users] oVirt 3.5 and SSLv3

2016-04-20 Thread Robert Story
On Wed, 20 Apr 2016 08:52:49 -0400 Alexander wrote:
AW> On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
AW> > Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh
AW> > install of CentOS 7.2, attempts to re-install failed, as did removing and
AW> > re-adding the node. Here is a log excerpt from the engine:
AW> >
AW> > [...]
AW> > [org.ovirt.engine.core.vdsbroker.VdsManager]
AW> > (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will
AW> > stay in Connecting state for a grace period of 120 seconds and after that
AW> > an attempt to fence the host will be issued. 2016-04-19 18:22:01,938 ERROR
AW> > [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
AW> > (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info:
AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException:
AW> > java.net.NoRouteToHostException: No route to host at
AW> > org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:]
AW> >
AW> > Luckily seeing SSL+java in the log tickled my memory about java disabling
AW> > SSLv3, and google helped me find this workaround:
AW> >
AW> >  - edit /usr/lib/jvm/java/jre/lib/security/java.security
AW> >  - look for jdk.tls.disabledAlgorithms
AW> >  - remove SSLv3 from the list
AW> >  - service ovirt-engine restart
AW> >
AW> > Google also tells me that this should be an issue for 3.5, and there is a
AW> > vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find
AW> > how to change/set it. Anyone know the secret?
AW> 
AW> Pretty much everything engine related can be configured with
AW> engine-config. engine-config -l will give you a list of all the
AW> options. engine-config -g  will get the current value,
AW> engine-config -s = will set it. A quick grep indicates that
AW> you are looking for the VdsmSSLProtocol key.

Hmmm..

  # engine-config -g VdsmSSLProtocol
  VdsmSSLProtocol: TLSv1 version: general

Looks like it's already set to TLS, making me wonder why I needed to remove 
SSLv3.  I just put it back and restarted the engine, and it seems to be 
communicating with all hosts ok. So maybe it's just some process/code using 
during install that isn't using this setting...


Robert

-- 
Senior Software Engineer @ Parsons




Re: [ovirt-users] oVirt 3.5 and SSLv3

2016-04-20 Thread Alexander Wels
On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
> Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh
> install of CentOS 7.2, attempts to re-install failed, as did removing and
> re-adding the node. Here is a log excerpt from the engine:
> 
> 
> 2016-04-19 18:22:01,100 INFO  [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) Connecting to eclipse.localdomain/10.71.10.249
> 2016-04-19 18:22:01,116 WARN  [org.ovirt.vdsm.jsonrpc.client.utils.retry.Retryable] (SSL Stomp Reactor) Retry failed
> 2016-04-19 18:22:01,129 ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (DefaultQuartzScheduler_Worker-38) Exception during connection
> 2016-04-19 18:22:01,208 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand] (DefaultQuartzScheduler_Worker-38) Command GetCapabilitiesVDSCommand(HostName = eclipse, HostId = 37a4a1c2-4906-489e-947c-1ef9fb828bc5, vds=Host[eclipse,37a4a1c2-4906-489e-947c-1ef9fb828bc5]) execution failed. Exception: VDSNetworkException: java.net.NoRouteToHostException: No route to host
> 2016-04-19 18:22:01,209 WARN  [org.ovirt.engine.core.vdsbroker.VdsManager] (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will stay in Connecting state for a grace period of 120 seconds and after that an attempt to fence the host will be issued.
> 2016-04-19 18:22:01,938 ERROR [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info: org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException: java.net.NoRouteToHostException: No route to host
>     at org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:]
> 
> 
> Luckily seeing SSL+java in the log tickled my memory about java disabling
> SSLv3, and google helped me find this workaround:
> 
>  - edit /usr/lib/jvm/java/jre/lib/security/java.security
>  - look for jdk.tls.disabledAlgorithms
>  - remove SSLv3 from the list
>  - service ovirt-engine restart
> 
> Google also tells me that this should be an issue for 3.5, and there is a
> vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find
> how to change/set it. Anyone know the secret?
> 

Pretty much everything engine related can be configured with engine-config.
engine-config -l will give you a list of all the options. engine-config -g
will get the current value, engine-config -s = will set it. A quick
grep indicates that you are looking for the VdsmSSLProtocol key.

> 
> Robert



[ovirt-users] oVirt 3.5 and SSLv3

2016-04-20 Thread Robert Story
Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh 
install of CentOS 7.2, attempts to re-install failed, as did removing and 
re-adding the node. Here is a log excerpt from the engine:


2016-04-19 18:22:01,100 INFO  [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) Connecting to eclipse.localdomain/10.71.10.249
2016-04-19 18:22:01,116 WARN  [org.ovirt.vdsm.jsonrpc.client.utils.retry.Retryable] (SSL Stomp Reactor) Retry failed
2016-04-19 18:22:01,129 ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (DefaultQuartzScheduler_Worker-38) Exception during connection
2016-04-19 18:22:01,208 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand] (DefaultQuartzScheduler_Worker-38) Command GetCapabilitiesVDSCommand(HostName = eclipse, HostId = 37a4a1c2-4906-489e-947c-1ef9fb828bc5, vds=Host[eclipse,37a4a1c2-4906-489e-947c-1ef9fb828bc5]) execution failed. Exception: VDSNetworkException: java.net.NoRouteToHostException: No route to host
2016-04-19 18:22:01,209 WARN  [org.ovirt.engine.core.vdsbroker.VdsManager] (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will stay in Connecting state for a grace period of 120 seconds and after that an attempt to fence the host will be issued.
2016-04-19 18:22:01,938 ERROR [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info: org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException: java.net.NoRouteToHostException: No route to host
    at org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:]


Luckily seeing SSL+java in the log tickled my memory about java disabling 
SSLv3, and google helped me find this workaround:

 - edit /usr/lib/jvm/java/jre/lib/security/java.security
 - look for jdk.tls.disabledAlgorithms
 - remove SSLv3 from the list
 - service ovirt-engine restart

Google also tells me that this should be an issue for 3.5, and there is a
vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find
how to change/set it. Anyone know the secret?


Robert

-- 
Senior Software Engineer @ Parsons

