Hi, all,
here's an update on this problem. After the upgrade to 3.2.1 our
econe-server is very slow to give back a list of all running VMs.
Our SSL proxy was configured with a time out of 2min which is reached if
a user has O(300-400) VMs in the system. Increasing this timeout in
apache did help. The root cause is though why econe-server is so slow.
Local queries with onevm list are very fast as they should be.
$ time onevm list | wc -l
442
real 0m1.782s
user 0m1.433s
sys 0m0.257s
$ time euca-describe-instances | wc -l
442
real 2m47.010s
user 0m0.324s
sys 0m0.046s
Can anybody reproduce this problem ?
Cheers,
Ulrich
On 02/03/2012 01:36 PM, Ulrich Schwickerath wrote:
Hi, Daniel,
Are you running ruby 1.9 in your server?
No, we are running on SLC6 (compatible to RHEL6)
[root@oneadmin02 ~]# ruby --version
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
Try applying this patch and
installing the nokogiri gem:
http://dev.opennebula.org/projects/opennebula/repository/revisions/17e3ffc31e20e17285c36de615862b147577d16a
we have
rubygem-nokogiri-1.4.3.1-1.el6.x86_64
installed already. I have taken the patch and restarted oned and
econe-server but this does not seem to help.
Cheers,
Ulrich
Cheers,
Ulrich
On 02/03/2012 12:21 PM, Daniel Molina wrote:
On 3 February 2012 11:57, Daniel Molina<[email protected]>
wrote:
On 3 February 2012 11:30, Ulrich Schwickerath
<[email protected]> wrote:
Hi, Daniel,
thanks a lot for the help on this. The problem with the ssl proxy
was
that I
was missing an extra / at the end of the ssl_server directive. So
one
needs
:ssl_server: https://cloud.opennebula.org/
rather than
:ssl_server: https://cloud.opennebula.org
else I get authentication errors. However, this is not the end of
the
story
I'm afraid. With this patch in place I can query the system, but
it's
very
very slow. My most important user has some 500 VMs in the system,
and a
euca-describe-instances
times out or gives expat parse errors. If I query the system
locally it
works fine and is very responsive. This problem is new in 3.2.1, I
didn't
have this in 3.0 which I was using before. I already checked that
I have
all
rubygems installed which are needed.
Are you using the same client in both sides? Maybe It is an
environment problem (EC2_URL)
Any idea?
Ok, I think the problem is euca tools does not support paths. I have
already tested the following configuration and it works:
:ssl_server: https://devel.cloud.opennebula.org/
$ euca-describe-instances -U https://devel.cloud.opennebula.org |
wc -l
151
$ econe-describe-instances -U https://devel.cloud.opennebula.org/
| wc -l
151
If you use euca with this url; https://devel.cloud.opennebula.org/ you
will get the previous error/timeout. Also if you use econe with this
url; https://devel.cloud.opennebula.org it will return a path empty
error. I will update the econe tools to set '/' by default
Cheers
Thanks!
Ulrich
On 02/02/2012 11:40 PM, Daniel Molina wrote:
Hi Ulrich,
We have added a new patch in order to support custom paths and
ports
when setting up an SSL proxy on top of the econe-server. You can
see
this patch in the following link:
http://dev.opennebula.org/issues/985
This patch has been included in the last release (3.2.1). I
recommend
you to upgrade to this version. Also the performance should be
improved since we have included a new authentication cache.
Currently the econe-server is running in our public cloud with
an SSL
proxy, using the following configuration:
$ cat econe.conf
# Host and port where econe server will run
:server: localhost
:port: 7141
# SSL proxy that serves the API (set if is being used)
:ssl_server: https://cloud.opennebula.org/econe
# Authentication driver for incomming requests
# ec2, default Acess key and Secret key scheme
# x509, for x509 certificates based authentication
:auth: ec2
# Authentication driver to communicate with OpenNebula core
# cipher, for symmetric cipher encryption of tokens
# x509, for x509 certificate encryption of tokens
:core_auth: cipher
$ cat apache2.conf
<VirtualHost *:443>
servername cloud.opennebula.org
SSLEngine on
ProxyPass /econe http://localhost:7141/
ProxyPassReverse /econe http://localhost:7141/
</VirtualHost>
If you use a path different from '/' the client must support this
feature, otherwise the authentication will fail. The econe tools
included in the 3.2.1 release support custom paths.
Also if you want the proxy to listen in a different port from the
default (443) you can specify it in the ssl_parameter:
:ssl_server: https://cloud.opennebula.org:8082/
Hope this helps
On 2 February 2012 22:45, Ulrich Schwickerath
<[email protected]> wrote:
Hi,
did anybody try to setup the ONE 3.2 econe-server with an SSL
proxy ?
The
instructions on the web on this seem to be a bit out of date.
I had it working fine with 3.0 but with 3.2 I get authentication
errors
(the
ssl proxy setup is unchanged sinde 3.0). Direct access via http
works
(although slower than before).
Cheers,
Ulrich
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
--
--------------------------------------
Dr. Ulrich Schwickerath
CERN IT/PES-PS
1211 Geneva 23
e-mail: [email protected]
phone: +41 22 767 9576
mobile: +41 76 487 5602
--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula
--
--------------------------------------
Dr. Ulrich Schwickerath
CERN IT/PES-PS
1211 Geneva 23
e-mail: [email protected]
phone: +41 22 767 9576
mobile: +41 76 487 5602
--
--------------------------------------
Dr. Ulrich Schwickerath
CERN IT/PES-PS
1211 Geneva 23
e-mail: [email protected]
phone: +41 22 767 9576
mobile: +41 76 487 5602
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
