1317372 – [RHEVH7.2] Virt-who can't work at vdsm mode as "SSLError: sslv3 alert handshake failure"

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1317372 - [RHEVH7.2] Virt-who can't work at vdsm mode as "SSLError: sslv3 alert handshake failure"

Summary: [RHEVH7.2] Virt-who can't work at vdsm mode as "SSLError: sslv3 alert handsha...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	virt-who
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	All
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Radek Novacek
QA Contact:	Eko
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1172230 1203710 1254282 1337819
TreeView+	depends on / blocked

Reported:	2016-03-14 06:54 UTC by Liushihui
Modified:	2020-01-17 15:41 UTC (History)
CC List:	13 users (show)
Fixed In Version:	virt-who-0.17-1.el7
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	1337819 (view as bug list)
Environment:
Last Closed:	2016-11-04 05:08:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2328601	0	None	None	None	2016-05-18 18:07:12 UTC
Red Hat Product Errata	RHBA-2016:2387	0	normal	SHIPPED_LIVE	virt-who bug fix and enhancement update	2016-11-03 13:53:39 UTC

Description Liushihui 2016-03-14 06:54:02 UTC

Description of problem:
When virt-who run in rhevh7.2, configure virt-who run at vdsm mode, virt-who failed to get host/guest mapping info from VDSM as "SSLError: sslv3 alert handshake failure"

Version-Release number of selected component (if applicable):
Rhev-hypervisor7-7.2-20160302.1
virt-who-0.14-9.el7.noarch
vdsm-4.17.23-0.el7ev.noarch
subscription-manager-1.10.14-10.el7.x86_64
python-rhsm-1.13.2-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install Rhev-hypervisor7-7.2-20160302.1, Register it to satellite6.1
2. Start vdsm service and configure virt-who run at vdsm mode
[root@localhost admin]# cat /etc/sysconfig/virt-who  | grep -v ^# | grep -v ^$
VIRTWHO_DEBUG=1
VIRTWHO_INTERVAL=5
VIRTWHO_VDSM=1
[root@localhost admin]# service virt-who restart
Redirecting to /bin/systemctl restart  virt-who.service
3. Check virt-who's log
2016-03-14 05:46:55,833 ERROR: Virt backend 'env/cmdline' fails with exception:
Traceback (most recent call last):
  File "/usr/share/virt-who/virt/virt.py", line 301, in run
    self._run()
  File "/usr/share/virt-who/virt/virt.py", line 332, in _run
    report = self._get_report()
  File "/usr/share/virt-who/virt/virt.py", line 276, in _get_report
    return DomainListReport(self.config, self.listDomains())
  File "/usr/share/virt-who/virt/vdsm/vdsm.py", line 123, in listDomains
    response = self.server.list(True)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/site-packages/M2Crypto/m2xmlrpclib.py", line 49, in request
    h.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 797, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
    sock.connect((self.host, self.port))
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure
4. Check vdsmd service's status
[root@localhost admin]# service vdsmd status
Redirecting to /bin/systemctl status  vdsmd.service
● vdsmd.service - Virtual Desktop Server Manager
   Loaded: loaded (/usr/lib/systemd/system/vdsmd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2016-03-11 07:38:31 UTC; 2 days ago
 Main PID: 17315 (vdsm)
   CGroup: /system.slice/vdsmd.service
           ├─17315 /usr/bin/python /usr/share/vdsm/vdsm
           └─17459 /usr/libexec/ioprocess --read-pipe-fd 54 --write-pipe-fd 53 --max-threads 10 --max-queued-requests 10

Mar 14 06:45:49 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:45:54 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:45:59 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:46:05 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:46:10 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:46:15 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:46:20 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:46:25 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:46:30 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number
Mar 14 06:46:35 localhost vdsm[17315]: vdsm ProtocolDetector.SSLHandshakeDispatcher ERROR Error during handshake: wrong version number


Actual results:
Virt-who can't get host/guest mapping info in vdsm mode Meanwhile, when start virt-who service, virt-who failed to communicate with vdsm.

Expected results:
Virt-who can get host/guest mapping info successfully.it also shouldn't show any error when virt-who communicate with vdsm.

Additional info:

Comment 2 Radek Novacek 2016-03-15 08:43:17 UTC

virt-who tries to use SSLv3 which is now disabled. This issue is now addressed upstream: https://github.com/virt-who/virt-who/commit/b5673a4121d30887464723bc65574d494b82756a

Comment 4 Radek Novacek 2016-05-03 06:17:32 UTC

It will be fixed in RHEL-7.3. virt-who will be rebased to latest upstream version that contains fix for this issue.

Comment 5 Eko 2016-05-12 04:23:12 UTC

This bug can be reproduced in rhev-hypervisor7-ng-3.6-20160506.0 build

----------log-------------------
# virt-who --vdsm -d -o
2016-05-11 22:26:31,567 INFO: Using configuration "env/cmdline" ("vdsm" mode)
2016-05-11 22:26:31,654 ERROR: Virt backend 'env/cmdline' fails with exception:
Traceback (most recent call last):
  File "/usr/share/virt-who/virt/virt.py", line 301, in run
    self._run()
  File "/usr/share/virt-who/virt/virt.py", line 332, in _run
    report = self._get_report()
  File "/usr/share/virt-who/virt/virt.py", line 276, in _get_report
    return DomainListReport(self.config, self.listDomains())
  File "/usr/share/virt-who/virt/vdsm/vdsm.py", line 123, in listDomains
    response = self.server.list(True)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/site-packages/M2Crypto/m2xmlrpclib.py", line 49, in request
    h.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 797, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
    sock.connect((self.host, self.port))
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure

Comment 6 Radek Novacek 2016-05-12 06:53:07 UTC

Mithun, if the customer wants the fix earlier than in 7.3, feel free to propose this bug for z-stream fix.

Comment 7 Radek Novacek 2016-05-12 06:55:34 UTC

Since this bug is blocker for RHEV 3.6 and RHEV 4.0, how can we deliver the fix? This bug is not approved for fixing in RHEL-7.2 (yet?). Is there some process to fix it only for RHEV?

Comment 10 Radek Novacek 2016-05-17 13:01:22 UTC

Fixed in virt-who-0.17-1.el7.

Comment 16 Eko 2016-06-13 04:54:27 UTC

Verified with virt-who-0.14-9.el7_2.1,

# rpm -Uvh virt-who-0.14-9.el7_2.1.noarch.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:virt-who-0.14-9.el7_2.1          ################################# [ 50%]
Cleaning up / removing...
   2:virt-who-0.14-9.el7              ################################# [100%]

# virt-who --vdsm -d
2016-06-13 00:51:07,516 INFO: Using configuration "env/cmdline" ("vdsm" mode)
2016-06-13 00:51:07,516 DEBUG: Starting infinite loop with 3600 seconds interval
2016-06-13 00:51:07,609 DEBUG: Authenticating with certificate: /etc/pki/consumer/cert.pem
2016-06-13 00:51:07,828 INFO: Sending domain info: []
2016-06-13 00:51:09,411 INFO: virt-who guest list update successful
^C2016-06-13 00:51:13,683 DEBUG: virt-who shut down started

Comment 18 errata-xmlrpc 2016-11-04 05:08:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2387.html

Note You need to log in before you can comment on or make changes to this bug.