On Mon, May 11, 2020 at 12:31 PM Giorgio Biacchi <[email protected]> wrote:
> Hi list, > I've spent a couple of days trying to understand why this was happening... > > For the installation I have a well tested installation server with a > custom kickstart file to setup ssh keys and custom hooks for infiniband > and I'm installing Ovirt Node 4.3.9 via pxe, this is particularly useful > when I have to install a bunch of blades at once.. In the past I had no > issues and all was working like a charm until now when some hardware > failed and I had to replace it. > > As expected I have no issues in the node installation process.. the > troubles begins when I try to add the node, installation fails and in > the UI I have an exclamation mark with the message "Host has no default > route." but I can ping and do ssh to the host from the manager.. the > problem is somewhere else in the communication between the engine and > vdsmd preventing the engine to refresh the host capabilities. > > So from the engine I tried: > > [root@manager ~]# openssl s_client -connect 172.20.22.78:54321 > CONNECTED(00000003) > --- > Certificate chain > 0 s:/CN=cn128.lagrange.di.unimi.it/O=VDSM Certificate > i:/CN=VDSM Certificate Authority > 1 s:/CN=VDSM Certificate Authority > i:/CN=VDSM Certificate Authority > --- > > The host has still the self signed vdsm certificate.. and on the host in > vdsm.log I find: > > 2020-05-11 09:52:25,433+0000 ERROR (Reactor thread) > [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, > address: ::ffff:159.149.129.220 (sslutils:264) > > So I tried to enroll the certificate from the UI and from the events tab > I sow the enrolling was successful but: > > [root@manager ~]# openssl s_client -connect 172.20.22.78:54321 > > 140084336994192:error:140790E5:SSL routines:ssl23_write:ssl handshake > failure:s23_lib.c:177: > CONNECTED(00000003) > --- > no peer certificate available > --- > > there's still some issue with the certificates.. so on the host again: > > [root@cn128 vdsm]# find /etc/pki/vdsm/ -type f -cmin -10| xargs ls -l > -rw-------. 1 root kvm 1424 May 11 09:56 /etc/pki/vdsm/certs/cacert.pem > -rw-------. 1 root kvm 5108 May 11 09:57 /etc/pki/vdsm/certs/vdsmcert.pem > -r--r-----. 1 root kvm 1704 May 11 09:56 /etc/pki/vdsm/keys/vdsmkey.pem > -rw-r--r--. 1 root root 1424 May 11 09:57 > /etc/pki/vdsm/libvirt-spice/ca-cert.pem > -rw-r--r--. 1 root root 5108 May 11 09:57 > /etc/pki/vdsm/libvirt-spice/server-cert.pem > -r--r-----. 1 root root 1704 May 11 09:56 > /etc/pki/vdsm/libvirt-spice/server-key.pem > > It seems that cacert.pem and vdsmcert.pem have wrong permissions.. let's > try to fix it.. > > [root@cn128 vdsm]# chown 36:36 /etc/pki/vdsm/certs/cacert.pem > /etc/pki/vdsm/certs/vdsmcert.pem > > And now: > > [root@manager ~]# openssl s_client -connect 172.20.22.78:54321| less > CONNECTED(00000003) > --- > Certificate chain > 0 s:/O=lagrange.di.unimi.it/CN=172.20.22.78 > i:/C=US/O=lagrange.di.unimi.it/CN=cn305.lagrange.di.unimi.it.35941 > 1 s:/C=US/O=lagrange.di.unimi.it/CN=cn305.lagrange.di.unimi.it.35941 > i:/C=US/O=lagrange.di.unimi.it/CN=cn305.lagrange.di.unimi.it.35941 > --- > > Now I can finally refresh the host capabilities and setup the host > networks.. > > In attachment all the relevant logs, I don't know if I've found some > bug.. this is the first time i had so many troubles adding a new host.. > so I decided to share my experience with the list.. > > Thanks for raising this. On adding the host there is an error about vdsm-hook-nestedvt which I cannot interprete, maybe someone else can do. In vdsm.log I noticed a strange behavior of setupNetworks, can you please share the corresponding supervdsm.log, too? > Cheers > -- > gb > > PGP Key: http://pgp.mit.edu/ > Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34 > _______________________________________________ > Users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/[email protected]/message/6JTU3HB4WCI27WSLGEOSLMPYFU22EX5H/ >
_______________________________________________ Users mailing list -- [email protected] To unsubscribe send an email to [email protected] Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/LK47PGCYENSDO6LV7VRFPRO6UJEH2ASH/
