On Fri, 1 Feb 2019 22:35:00 +0200
Dan Kenigsberg <dan...@redhat.com> wrote:

> On Fri, Feb 1, 2019 at 10:18 PM Dominik Holler <dhol...@redhat.com>
> wrote:
> >
> > On Fri, 1 Feb 2019 14:37:10 +0100
> > Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
> >
> > > Hello,
> > > at this moment (about two days ago) I have updated only engine
> > > (external, not self hosted) from 4.2.7.5 to 4.2.8.2
> > >
> > > As soon as I'm starting for the first time a VM with an ovn based
> > > nic I get what below in ovirt-provider-ovn.log
> > >
> > > In admin gui, if I try for example to start via "run once" I get:
> > > "
> > > Error while executing action Run VM once: Failed to communicate
> > > with the external provider, see log for additional details.
> > > "
> > > Any clue?
> >
> > The ovirt-provider-ovn fails during checking the credentials at
> > engine's sso because of a networking problem.
> 
> That would be odd - after all we're using the loopback interface
> From: ::ffff:127.0.0.1:49582 Request: GET /v2.0/ports
> but please try the url.
> 

Communication from Engine to ovirt-provider-ovn via OpenStack API looks
good. The problem seems to be in the communication from
ovirt-provider-ovn to engine's sso.
The hostname to resolve seems to be 'engine-host'.

> >
> > Can you please check if the url of the config value
> > ovirt-host in
> > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> > can be reached from engine's host?
> > If this does not explain the problem, can you please increase the
> > logging of the ovirt-provider-ovn by
> > sudo sed -i.$(date +%F-%H-%M) 's/INFO/DEBUG/gi' /etc/ovirt-provider-ovn/logger.conf
> > systemctl restart ovirt-provider-ovn
> > and share a new detailed error in ovirt-provider-ovn.log? Thanks.
> 
> Dominik, could it possibly be related to our hardening TLS ciphers?
> If it is, setting (an insecure) ssl-ciphers-string=DEFAULT in
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf would
> help.
> 


I do not expect this, because this setting should be applied only to
OpenStack API related communication, which looks good here.

> >
> >
> >
> > > Thanks,
> > > Gianluca
> > >
> > > 2019-01-29 17:23:20,554 root Starting server
> > > 2019-01-29 17:23:20,554 root Version: 1.2.18-1
> > > 2019-01-29 17:23:20,555 root Build date: 20190114151850
> > > 2019-01-29 17:23:20,555 root Githash: dae4c1d
> > > 2019-01-29 18:04:15,575 root Starting server
> > > 2019-01-29 18:04:15,576 root Version: 1.2.18-1
> > > 2019-01-29 18:04:15,576 root Build date: 20190114151850
> > > 2019-01-29 18:04:15,576 root Githash: dae4c1d
> > > 2019-02-01 14:26:58,316 root From: ::ffff:127.0.0.1:49582 Request: GET /v2.0/ports
> > > 2019-02-01 14:26:58,317 root HTTPSConnectionPool(host='engine-host', port=443): Max retries exceeded with url: /ovirt-engine/sso/oauth/token-info (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fe806166b90>: Failed to establish a new connection: [Errno -2] Name or service not known',))
> > > Traceback (most recent call last):
> > >   File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 134, in _handle_request
> > >     method, path_parts, content
> > >   File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request
> > >     return self.call_response_handler(handler, content, parameters)
> > >   File "/usr/share/ovirt-provider-ovn/handlers/neutron.py", line 33, in call_response_handler
> > >     TOKEN_HTTP_HEADER_FIELD_NAME, '')):
> > >   File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31, in validate_token
> > >     return auth.core.plugin.validate_token(token)
> > >   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py", line 36, in validate_token
> > >     return self._is_user_name(token, _admin_user_name())
> > >   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py", line 47, in _is_user_name
> > >     timeout=AuthorizationByUserName._timeout())
> > >   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 131, in get_token_info
> > >     timeout=timeout
> > >   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper
> > >     response = func(*args, **kwargs)
> > >   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper
> > >     raise BadGateway(e)
> > > BadGateway: HTTPSConnectionPool(host='engine-host', port=443): Max retries exceeded with url: /ovirt-engine/sso/oauth/token-info (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fe806166b90>: Failed to establish a new connection: [Errno -2] Name or service not known',))
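
The diagnosis in this thread (inbound OpenStack API request fine, outbound call to the engine's SSO failing on name resolution) can be checked mechanically; the following is an added example, not part of the thread or of ovirt-provider-ovn. It reads the ovirt-host value from the provider config, extracts failed outbound calls from the log, and tests whether the name resolves. The config section name and URL in the sample are assumptions; only the key name ovirt-host and the log records come from the thread.

```python
import configparser
import re
import socket
from urllib.parse import urlsplit

# Constructed config; only the key name ovirt-host is from the thread,
# the section name and URL are assumptions.
SAMPLE_CONF = "[OVIRT]\novirt-host=https://engine-host:443\n"

# The two log records quoted in the thread, unwrapped to one line each.
SAMPLE_LOG = """\
2019-02-01 14:26:58,316 root From: ::ffff:127.0.0.1:49582 Request: GET /v2.0/ports
2019-02-01 14:26:58,317 root HTTPSConnectionPool(host='engine-host', port=443): Max retries exceeded with url: /ovirt-engine/sso/oauth/token-info (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fe806166b90>: Failed to establish a new connection: [Errno -2] Name or service not known',))
"""

POOL_RE = re.compile(r"HTTPSConnectionPool\(host='([^']+)', port=(\d+)\)"
                     r".*?url: (\S+).*?\[Errno (-?\d+)\]")
# Linux error numbers as they appear in the log text.
CAUSES = {-2: "dns-resolution-failed", 111: "connection-refused",
          113: "no-route-to-host"}


def ovirt_host(conf_text):
    """Return (hostname, port) of the ovirt-host URL, whatever its section."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    for section in parser.sections():
        if parser.has_option(section, "ovirt-host"):
            url = urlsplit(parser.get(section, "ovirt-host"))
            return url.hostname, url.port or 443
    raise KeyError("ovirt-host is not set")


def outbound_failures(log_text):
    """Failed provider -> SSO calls; inbound 'From: ... Request:' lines never match."""
    return [(m.group(1), int(m.group(2)), m.group(3),
             CAUSES.get(int(m.group(4)), "errno " + m.group(4)))
            for m in POOL_RE.finditer(log_text)]


def resolves(host, port, resolver=socket.getaddrinfo):
    """True if the name resolves on this machine; resolver is injectable for tests."""
    try:
        return bool(resolver(host, port, proto=socket.IPPROTO_TCP))
    except socket.gaierror:
        return False
```

On the provider's host, pass the contents of the real config and log files instead of the samples; a host that appears in `outbound_failures` with `dns-resolution-failed` and for which `resolves` returns False confirms the resolver problem rather than a TLS cipher mismatch.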