Azure / WALinuxAgent

Microsoft Azure Linux Guest Agent
http://azure.microsoft.com/
Apache License 2.0

WARNING httplib is not built with ssl support on CoreOS 1122.2.0 (Stable) #440

Closed drbolsen closed 7 years ago

drbolsen commented 8 years ago

Hi there,

We provisioned a new CoreOS cluster on Azure recently. Everything seems to be working fine; however, we got a number of annoying warnings in the system journal and /var/log/waagent.log:

Sep 21 03:45:14 launchr-core-1 python[1047]: 2016/09/20 17:45:14.425435 WARNING httplib is not built with ssl support
Sep 21 03:45:39 launchr-core-1 python[1047]: 2016/09/20 17:45:39.481580 WARNING httplib is not built with ssl support
Sep 21 03:45:39 launchr-core-1 python[1047]: 2016/09/20 17:45:39.543637 WARNING httplib is not built with ssl support
Sep 21 03:46:04 launchr-core-1 python[1047]: 2016/09/20 17:46:04.609393 WARNING httplib is not built with ssl support
Sep 21 03:46:04 launchr-core-1 python[1047]: 2016/09/20 17:46:04.643984 WARNING httplib is not built with ssl support
Sep 21 03:46:30 launchr-core-1 python[1047]: 2016/09/20 17:46:30.739320 WARNING httplib is not built with ssl support
Sep 21 03:46:30 launchr-core-1 python[1047]: 2016/09/20 17:46:30.778208 WARNING httplib is not built with ssl support
Sep 21 03:46:55 launchr-core-1 python[1047]: 2016/09/20 17:46:55.845610 WARNING httplib is not built with ssl support
Sep 21 03:46:55 launchr-core-1 python[1047]: 2016/09/20 17:46:55.882486 WARNING httplib is not built with ssl support

No other issues or error messages have been observed so far, but we are worried that SSL is not enabled for some reason.

Agent version:

WALinuxAgent-2.1.3 running on coreos 1122.2.0
Python: 2.7.6

jinhyunr commented 8 years ago

Can we get the full log? Also, I recommend upgrading Agent to 2.2.0, which is the latest. You can refer to this page on how to do so. https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-update-agent/

drbolsen commented 8 years ago

Although CoreOS seems to be supported by Microsoft Azure, it is not possible to upgrade the agent, at least not the way it is described at the provided URL. My further digging into the issue indicates that it is related to OpenSSL.

The remaining part of the log won't reveal anything useful, as it is the only error message associated with this issue. Furthermore, we found that this issue causes problems with loading agent extensions, e.g. command execution, due to lack of SSL.

drbolsen commented 8 years ago

Just to be more precise about the issue: Python must be built with SSL support in order to be able to handle WALinuxAgent secure connections. Currently CoreOS (Stable channel) is shipped with Python compiled without SSL, which is a bit of a surprise considering it is an Azure-supported Linux distro.

matti commented 8 years ago

Any workarounds? Can I disable the SSL from the agent?

brendandixon commented 8 years ago

@drbolsen @matti Are you seeing errors besides these log messages? The agent emits the messages above when it detects that Python was not built with SSL, but it then falls back to use standard HTTP. That is, it should work despite the (noisy) messages above.
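A way to check for the condition discussed in this thread (added example, not code from WALinuxAgent or from any commenter): `python_has_ssl()` tests whether the running interpreter can open HTTPS connections, and `downgraded_hosts()` counts the warning per host in journal lines of the format shown in the report. The function names, the host `example-core-2` and the non-matching line are constructed for illustration.

```python
import re
from collections import defaultdict

try:                        # Python 3
    import http.client as httplib
except ImportError:         # Python 2, as on the CoreOS image in the report
    import httplib


def python_has_ssl():
    """Return True when this interpreter can make HTTPS connections."""
    try:
        import ssl  # noqa: F401  fails when Python was built without OpenSSL
    except ImportError:
        return False
    # The standard library defines HTTPSConnection only when ssl imported.
    return hasattr(httplib, "HTTPSConnection")


# Journal format as shown in the report:
# "<Mon DD HH:MM:SS> <host> python[<pid>]: <agent timestamp> WARNING <message>"
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) python\[\d+\]: "
    r"(?P<ts>\d{4}/\d\d/\d\d [\d:.]+) "
    r"WARNING httplib is not built with ssl support\s*$")


def downgraded_hosts(lines):
    """Map host -> (warning count, first agent timestamp, last agent timestamp)."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            seen[m.group("host")].append(m.group("ts"))
    # Agent timestamps are fixed-width, so string order is chronological order.
    return {h: (len(ts), min(ts), max(ts)) for h, ts in seen.items()}


# Constructed sample: two lines copied from the report, one invented host,
# and one unrelated line that must not match.
SAMPLE = [
    "Sep 21 03:45:14 launchr-core-1 python[1047]: 2016/09/20 17:45:14.425435 WARNING httplib is not built with ssl support",
    "Sep 21 03:46:55 launchr-core-1 python[1047]: 2016/09/20 17:46:55.882486 WARNING httplib is not built with ssl support",
    "Sep 21 03:47:01 example-core-2 python[2210]: 2016/09/20 17:47:01.000001 WARNING httplib is not built with ssl support",
    "Sep 21 03:47:02 example-core-2 systemd[1]: constructed unrelated line",
]

if __name__ == "__main__":
    print("interpreter has SSL:", python_has_ssl())
    for host, (count, first, last) in sorted(downgraded_hosts(SAMPLE).items()):
        print(host, count, first, last)
```

Run `python_has_ssl()` with the same interpreter the agent uses; a system Python with SSL elsewhere on the host says nothing about the agent's own.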

drbolsen commented 7 years ago

@brendandixon, the error does not affect CoreOS per se; as you mentioned, it indeed falls back to HTTP and spams the logs. However, Azure features that are dependent on the Azure agent, e.g. remote command execution or password reset via Azure, won't work. Even if they did, I would not trust running a password reset via an unprotected channel.

hglkrijger commented 7 years ago

@drbolsen - running extensions should work, is this not your experience? I agree that something like a password reset or running a production system is not advisable without a secure channel. However, that support is something which needs to be added to the CoreOS image, rather than the agent. We just submitted a small change to reduce the verbosity of logging in this scenario, so the logs will not be spammed, but other than that I do not see any agent changes to be made. If you are having issues running extensions, please let us know, and we can reopen this issue.

RAPYx commented 7 years ago

Hi, any update on this issue? We tried to block all outbound traffic except 443, but with this problem this flow switched to HTTP and it is blocked...

hglkrijger commented 7 years ago

@RAPYx, what is blocked exactly?

RAPYx commented 7 years ago

Our firewall rules are set as below:

Src: LAN Dest:<> Port: 443 ALLOW
Src: LAN Dest:WAN Port: * DENY

where <> is on the internet.

With this issue, waagent switches to port 80 and it is blocked.

hglkrijger commented 7 years ago

@RAPYx, which version of the agent? Support for running behind an NSG or firewall is only present in later versions of the agent. Also, this is not related to the issue above.