matthewcosgrove / deploy-tools-vm

Packer deployment of a Tools VM on vcenter

Packer built vCenter VM dies on curl calls to GitHub over https #1

Open matthewcosgrove opened 4 years ago

matthewcosgrove commented 4 years ago

First discovered on installing fzf then also on bucc deploy. Debugged the fzf install script and narrowed it down to it hanging on this line https://github.com/junegunn/fzf/blob/305896fcb3b76c5ea94401f6cce74f0f287e8f21/install#L119 which is something like curl -v --output my.tgz -L https://github.com/junegunn/fzf-bin/releases/download/0.23.1/fzf-0.23.1-linux_amd64.tgz

It hangs at this point

* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://github-production-release-asset-2e65be.s3.amazonaws.com/28746931/4eb53400-0b66-11eb-9fcc-1b7fbe08c321?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20201012%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201012T182007Z&X-Amz-Expires=300&X-Amz-Signature=453cfe2845942cc88f107bc9d5e822e1dafc57dc302071905a1b0d391dcd0ceb&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=28746931&response-content-disposition=attachment%3B%20filename%3Dfzf-0.23.1-linux_amd64.tgz&response-content-type=application%2Foctet-stream'
*   Trying 52.216.136.172...
* TCP_NODELAY set
* Connected to github-production-release-asset-2e65be.s3.amazonaws.com (52.216.136.172) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [91 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2900 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]

With curl version:

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

To reproduce the same issue, just run

./init/packer_build_infra_template.py
./init/clone_from_template.py

then log in to the VM and run openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -msg

Output of govc about (as this is likely to be a VMware Tools version or vSphere version issue)

Name:         VMware vCenter Server
Vendor:       VMware, Inc.
Version:      6.5.0
Build:        5973321
OS type:      linux-x64
API type:     VirtualCenter
API version:  6.5
Product ID:   vpx
UUID:         6ca19098-c0f4-4b0e-9ae7-90f1334c1b03

which corresponds to

vCenter Server 6.5 Update 1 | 2017-07-27 | 5973321

in https://kb.vmware.com/s/article/2143838

This results in the VM losing its IP and being unreachable. A reboot does fix it.
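The reproduction steps above end with an openssl s_client call that, on the affected vCenter 6.5 guest, takes the VM's network down with it. The helper below is an added example, not code from the deploy-tools-vm repository or from the issue author: it runs the same probe under a hard deadline so a stalled handshake cannot wedge the session, records the guest's IPv4 address before and after, and pulls the last handshake message out of a curl -v trace and the build number out of govc about output so the two can be pasted into a report. It assumes a Linux guest with coreutils timeout, iproute2 and awk; the target host defaults to the S3 release-asset host quoted in the issue and can be overridden with the HOST environment variable.

```shell
#!/bin/sh
# Added diagnostic helper (not part of deploy-tools-vm). Reproduces the TLS
# probe from the issue with a timeout and checks whether the guest kept its IP.

HOST="${HOST:-github-production-release-asset-2e65be.s3.amazonaws.com}"
TIMEOUT_SECS="${TIMEOUT_SECS:-20}"   # assumed: coreutils `timeout` is installed

# Print the last "TLS handshake" line from a curl -v trace read on stdin,
# without the leading "* " and trailing ":", e.g.
# "TLSv1.2 (OUT), TLS handshake, Finished (20)". Empty if none seen.
last_handshake_step() {
    awk '/TLS handshake/ { line = $0 }
         END { sub(/^\* /, "", line); sub(/:$/, "", line); print line }'
}

# Print the Build number from `govc about` output read on stdin.
govc_build() {
    awk '/^Build:/ { print $2 }'
}

# First global IPv4 address of the guest (assumed: iproute2 `ip`); empty if
# the guest has lost its address, which is the failure described in the issue.
current_ip() {
    ip -4 -o addr show scope global 2>/dev/null | awk '{ print $4; exit }'
}

# Run the openssl probe from the issue with a deadline, writing its output to
# the file given as $1. Returns 124 when the deadline is hit (timeout's code).
probe_tls() {
    timeout "$TIMEOUT_SECS" openssl s_client -connect "$HOST:443" -msg \
        </dev/null >"$1" 2>&1
}

main() {
    log=$(mktemp)
    before=$(current_ip)
    echo "IPv4 before probe: ${before:-<none>}"

    probe_tls "$log"
    status=$?
    after=$(current_ip)

    echo "probe exit status: $status (124 = timed out after ${TIMEOUT_SECS}s)"
    echo "IPv4 after probe:  ${after:-<none>}"
    if [ "$before" != "$after" ]; then
        echo "WARNING: guest address changed during the probe (network lost?)"
    fi
    echo "last handshake message seen: $(last_handshake_step <"$log")"
    echo "probe output kept in $log"
}

# Only run the live probe when invoked with an argument (e.g. `./probe.sh run`),
# so the parsing helpers can be sourced or tested without touching the network.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `./probe.sh run` on a freshly cloned guest before and after changing the vCenter or VMware Tools version; a status of 124 together with an empty "after" address reproduces the symptom in the issue, while a status of 0 with the address unchanged indicates the environment is not affected.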

matthewcosgrove commented 4 years ago

The issue does not appear on vCenter 7

$ govc about
Name:         VMware vCenter Server
Vendor:       VMware, Inc.
Version:      7.0.0
Build:        16749670
OS type:      linux-x64
API type:     VirtualCenter
API version:  7.0.0.0
Product ID:   vpx
UUID:         877c8776-f2c7-4486-80ce-379a8ee2e982

which corresponds to

vCenter Server 7.0.0d | 2020-08-25 | 16749653 | 16749670

from https://kb.vmware.com/s/article/2143838