Bug 1473295 - vdsm with python/ssl ssl_implementation cannot connect to engine
Status: CLOSED CURRENTRELEASE
Product: vdsm
Classification: oVirt
Component: General
4.19.23
Unspecified Unspecified
unspecified Severity high
: ovirt-4.1.5
: 4.19.27
Assigned To: Piotr Kliczewski
Jiri Belka
: Regression
Depends On:
Blocks: 1412552
Reported: 2017-07-20 08:31 EDT by Jiri Belka
Modified: 2017-08-23 04:03 EDT
Fixed In Version: 4.19.25
Last Closed: 2017-08-23 04:03:34 EDT
Type: Bug
oVirt Team: Infra
rule-engine: ovirt‑4.1+
rule-engine: blocker+


External Trackers
| Tracker | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| oVirt gerrit | 79668 | master | MERGED | ssl: handle handshake errors | 2017-08-08 03:34 EDT |
| oVirt gerrit | 79669 | ovirt-4.1 | MERGED | ssl: handle handshake errors | 2017-07-27 07:54 EDT |
| oVirt gerrit | 79670 | ovirt-4.1 | MERGED | ssl: add flag to enable client certificate | 2017-07-27 07:55 EDT |
| oVirt gerrit | 79671 | ovirt-4.1 | MERGED | ssl: client cert check for IPv4 mapped addresses | 2017-07-27 07:55 EDT |
| oVirt gerrit | 80373 | ovirt-4.1 | MERGED | ssl: handle handshake errors | 2017-08-08 07:18 EDT |

Description Jiri Belka 2017-07-20 08:31:26 EDT
Description of problem:

'ssl_implementation = ssl' in vdsm.conf causes vdsm not to be able to connect to engine. Please note this is not the default value (default is m2crypto).

~~~
2017-07-20 14:16:14,483+0200 ERROR (Reactor thread) [vds.dispatcher] uncaptured python exception, closing channel <yajsonrpc.betterAsyncore.Dispatcher connected ('::ffff:10.34.63.75', 40334, 0, 0) at 0x3777ef0> (<class 'socket.error'>:Address family not supported by protocol [/usr/lib64/python2.7/asyncore.py|readwrite|110] [/usr/lib64/python2.7/asyncore.py|handle_write_event|468] [/usr/lib/python2.7/site-packages/yajsonrpc/betterAsyncore.py|handle_write|70] [/usr/lib/python2.7/site-packages/yajsonrpc/betterAsyncore.py|_delegate_call|143] [/usr/lib/python2.7/site-packages/vdsm/sslutils.py|handle_write|223] [/usr/lib/python2.7/site-packages/vdsm/sslutils.py|_handle_io|233] [/usr/lib/python2.7/site-packages/vdsm/sslutils.py|_verify_host|247] [/usr/lib/python2.7/site-packages/vdsm/sslutils.py|compare_names|259]) (betterAsyncore:154)
...
2017-07-20 14:18:54,284+0200 ERROR (Reactor thread) [vds.dispatcher] uncaptured python exception, closing channel <yajsonrpc.betterAsyncore.Dispatcher ('::1', 42670, 0, 0) at 0x3782b90> (<class 'ssl.SSLError'>:[SSL: PEER_DID_NOT_RETURN_A_CERTIFICATE] peer did not return a certificate (_ssl.c:579) [/usr/lib64/python2.7/asyncore.py|readwrite|108] [/usr/lib64/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/site-packages/yajsonrpc/betterAsyncore.py|handle_read|67] [/usr/lib/python2.7/site-packages/yajsonrpc/betterAsyncore.py|_delegate_call|143] [/usr/lib/python2.7/site-packages/vdsm/sslutils.py|handle_read|220] [/usr/lib/python2.7/site-packages/vdsm/sslutils.py|_handle_io|230] [/usr/lib/python2.7/site-packages/vdsm/sslutils.py|_handshake|263] [/usr/lib64/python2.7/ssl.py|do_handshake|833]) (betterAsyncore:154)
~~~


Version-Release number of selected component (if applicable):
redhat-release-server-7.3-7.el7.x86_64
openssl-1.0.1e-60.el7_3.1.x86_64
python-2.7.5-48.el7.x86_64
vdsm-4.19.23-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install el 7.3 and change vdsm.conf to 'ssl' for 'ssl_implementation'

Actual results:
vdsm cannot connect to engine

Expected results:
should work

Additional info:
Comment 2 Jiri Belka 2017-07-20 08:40:29 EDT
Same on EL 7.4. 3.6 vdsm was working fine, though.
Comment 3 Oved Ourfali 2017-07-21 06:12:48 EDT
Reducing severity as default configuration works.
Comment 4 Red Hat Bugzilla Rules Engine 2017-07-21 06:12:53 EDT
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 5 rhev-integ 2017-07-28 08:16:13 EDT
INFO: Bug status wasn't changed from MODIFIED to ON_QA due to the following reason:

[Open patch attached]

For more info please contact: infra@ovirt.org
Comment 6 Martin Perina 2017-08-02 03:41:04 EDT
Moving back to post, as master patch is still not merged while 4.1 patch was merged by mistake
Comment 7 Jiri Belka 2017-08-11 02:33:59 EDT
ok, vdsm-4.19.26-1.el7ev.x86_64

active and Up in engine (ovirt-engine-4.1.5.2-0.1.el7.noarch)

~~~
# grep ^ssl_implementation /etc/vdsm/vdsm.conf
ssl_implementation = ssl
# systemctl is-active vdsmd
active
~~~
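
Added example, not part of the bug thread and not vdsm's own code: the first traceback in the description shows the peer arriving as the IPv4-mapped IPv6 address '::ffff:10.34.63.75' and a socket.error escaping compare_names into the reactor. The Python 3 code below shows one way to do such a peer-versus-certificate-name check, unwrapping mapped addresses and failing closed on errors; the function names, the injectable resolver and engine.example.test are assumptions made for the example.

```python
import ipaddress
import socket


def normalize_peer_addr(addr):
    """Canonical text form of an IP literal, unwrapping IPv4-mapped IPv6.

    '::ffff:10.34.63.75' -> '10.34.63.75'. Raises ValueError for non-literals.
    """
    ip = ipaddress.ip_address(addr.split('%', 1)[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def resolve_all(name):
    """Every IPv4 and IPv6 address the name resolves to, canonicalised."""
    infos = socket.getaddrinfo(name, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return {normalize_peer_addr(info[4][0]) for info in infos}


def peer_matches_cert_name(peer_addr, cert_name, resolver=resolve_all):
    """True only if the connecting address is one the certificate name maps to.

    Fails closed: an unparsable peer address or a resolver error counts as
    'no match', so the caller can drop the connection instead of letting an
    exception propagate out of the I/O handler.
    """
    try:
        return normalize_peer_addr(peer_addr) in resolver(cert_name)
    except (ValueError, OSError):  # socket.gaierror is a subclass of OSError
        return False


# Constructed sample data: the host name and its address table are made up;
# the peer address used in the checks is the one from the traceback.
FAKE_DNS = {"engine.example.test": {"10.34.63.75"}}


def fake_resolver(name):
    """Offline stand-in for resolve_all (hypothetical helper)."""
    if name not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FAKE_DNS[name]


if __name__ == "__main__":
    print(peer_matches_cert_name("::ffff:10.34.63.75", "engine.example.test",
                                 fake_resolver))
```
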
