Open GoogleCodeExporter opened 9 years ago
Original comment by hel...@google.com
on 17 Jun 2015 at 2:21
[deleted comment]
This workaround breaks connections between nodes and ganeti itself:
# gnt-instance list
Timeout while talking to the master daemon. Jobs might have been submitted and
will continue to run even if the call timed out. Useful commands in this
situation are "gnt-job list", "gnt-job cancel" and "gnt-job watch". Error:
Connect timed out
restarting services/nodes didn't help
Original comment by anatoliy...@gmail.com
on 20 Jun 2015 at 5:10
[deleted comment]
I can confirm that the workaround works, but I didn't need to restart any
daemons.
Original comment by serverha...@gmail.com
on 22 Jun 2015 at 8:30
I tried it on Scientific Linux 7.1 and it failed (as I wrote before).
Maybe I do something wrong:
- Do you generate dhparams.pem on master node only or do you do it on each node
(and as the result server.pem becoming unique on every node)?
- Does it matter where you save dhparams.pem - can it be any directory?
Original comment by anatoliy...@gmail.com
on 22 Jun 2015 at 8:39
[deleted comment]
Because of logjam attack(https://weakdh.org/) - there must be generated dh
params file:
On master node:
openssl dhparam -out dhparams.pem 2048
and then added to server.pem on master node:
cat dhparams.pem >> /var/lib/ganeti/server.pem
And then duplicate it to every node.
Restart was not needed, but i restarted cluster too to confirmation.
Original comment by andrzejd...@gmail.com
on 22 Jun 2015 at 2:10
This is how it looks in logs when new server.pem is on all nodes:
==========================
ganeti-luxid: No voting RPC result from [“node2”,”node1”]
ganeti-wconfd: Error in the RPC HTTP reply from 'Node {nodeName = “node2”,
nodePrimaryIp = “xxxxxx”, nodeSecondaryIp = “xxxxx”,
nodeMasterCandidate = True, nodeOffline = False, nodeDrained = False, nodeGroup
= “yyyyyyy”, nodeMasterCapable = True, nodeVmCapable = True, nodeNdparams =
PartialNDParams {ndpOobProgramP = Nothing, ndpSpindleCountP = Nothing,
ndpExclusiveStorageP = Nothing, ndpOvsP = Nothing, ndpOvsNameP = Nothing,
ndpOvsLinkP = Nothing, ndpSshPortP = Nothing, ndpCpuSpeedP = Nothing},
nodePowered = True, nodeCtime = Tue May 19 14:36:24 CEST 2015, nodeMtime = Tue
May 19 14:36:24 CEST 2015, nodeUuid = “zzzzzzz”, nodeSerial = 1, nodeTags =
fromList []}': CurlLayerError "code: CurlCouldntConnect, explanation: Failed
connect to xxxxxx:1811; Connection refused"
ganeti-luxid: Error in the RPC HTTP reply from 'Node {nodeName = “node2”,
nodePrimaryIp = “xxxxxx”, nodeSecondaryIp = “xxxxxxx”,
nodeMasterCandidate = True, nodeOffline = False, nodeDrained = False, nodeGroup
= “zzzzzzzz”, nodeMasterCapable = True, nodeVmCapable = True, nodeNdparams
= PartialNDParams {ndpOobProgramP = Nothing, ndpSpindleCountP = Nothing,
ndpExclusiveStorageP = Nothing, ndpOvsP = Nothing, ndpOvsNameP = Nothing,
ndpOvsLinkP = Nothing, ndpSshPortP = Nothing, ndpCpuSpeedP = Nothing},
nodePowered = True, nodeCtime = Mon May 18 12:05:29 CEST 2015, nodeMtime = Mon
May 18 12:05:29 CEST 2015, nodeUuid = “zzzzzzzzz”, nodeSerial = 1, nodeTags
= fromList []}': CurlLayerError "code: CurlSSLCACertBadFile, explanation: "
==========================
CurlLayerError "code: CurlSSLCACertBadFile" - I guess something wrong with new
server.pem format.
It looks like:
# grep '\----' server.pem
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
Original comment by anatoliy...@gmail.com
on 23 Jun 2015 at 12:09
Hi!
I have been trying to look into why the workaround does not work for you,
especially because it seems like the correct solution to the problem, and one
we would like to deploy if it does not break people's clusters.
Could you tell me anything about the versions of the following: Ganeti, PycURL,
OpenSSL, and GnuTLS? I will assume the packages are the same as in RHEL.
Cheers,
Riba
Original comment by r...@google.com
on 23 Jun 2015 at 2:15
Hi,
Thanks for the help!
openssl.x86_64 1:1.0.1e-42.el7_1.8
openssl-libs.x86_64 1:1.0.1e-42.el7_1.8
gnutls.x86_64 3.3.8-12.el7
python-pycurl.x86_64 7.19.0-17.el7
# gnt-cluster version
Software version: 2.12.4
Internode protocol: 2120000
Configuration format: 2120000
OS api version: 20
Export interface: 0
VCS version: (ganeti) version v2.12.4
Ganeti packages are from http://jfut.integ.jp/linux/ganeti/7/x86_64/
Original comment by anatoliy...@gmail.com
on 24 Jun 2015 at 9:12
Original issue reported on code.google.com by
lordot...@gmail.com
on 17 Jun 2015 at 11:54