socat tls version issue


Randy Bush

Oct 24, 2016, 7:17:09 AM
to Ganeti Users
# gnt-instance move -n vm0 someguest.hard.knocks.edu
Instance someguest.hard.knocks.edu will be moved. This requires a shutdown of
the instance. Continue?
y/[n]/?: y
Mon Oct 24 11:11:46 2016 - INFO: Shutting down instance someguest.hard.knocks.edu on source node vm2.hard.knocks.edu
Mon Oct 24 11:12:08 2016 Exporting disk/0 from vm2.hard.knocks.edu to vm0.hard.knocks.edu
Mon Oct 24 11:12:11 2016 - WARNING: import 'import-disk0-2016-10-24_11_12_08-CY9nWw' on vm0.hard.knocks.edu failed: Exited with status 1
Mon Oct 24 11:12:11 2016 disk/0 failed to receive data: Exited with status 1 (recent output: socat: E openssl-method="TLSv1": method unknown or not provided by library\n0+0 records in\n0+0 records out\n0 bytes copied, 0.00527276 s, 0.0 kB/s)
Mon Oct 24 11:12:11 2016 - WARNING: Some disks failed to copy, aborting
Failure: command execution error:
Errors during disk copy: Failed to transfer instance data

the source of the move is a debian 8 running 2.15. the destination of
the move is an ubuntu xenial 16.04 running 2.15, which is just not gonna
like deprecated crypto.

suggestions?

randy

Jean-François Maeyhieux

Oct 24, 2016, 8:47:36 AM
to ganeti

This problem is well known and there are 2 independent solutions:

- Downgrading to socat 1.7.2

or

- Apply the following patch to .../ganeti/impexpd/__init__.py
It's only a one character change. "TLSv1" => "TLS1"

---------------------------------------------------------------------------------
- diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py
index f40db31..6c49b93 100644
--- a/lib/impexpd/__init__.py
+++ b/lib/impexpd/__init__.py
@@ -88,7 +88,7 @@ BUFSIZE = 1024 * 1024

 # Common options for socat
 SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
-SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
+SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLS1",
                       "cipher=%s" % constants.OPENSSL_CIPHERS]
---------------------------------------------------------------------------------
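Review bot: the replacement on the SOCAT_OPENSSL_OPTS line is still a hard-coded literal that pins a single protocol version, now spelled "method=TLS1", and nothing in the hunk records why the spelling changed. The error in the original report shows that the accepted method name depends on the socat build, and the source and destination nodes there run different distributions, so confirm that socat on every node accepts "TLS1" before rolling this out, and add a comment naming the socat behaviour that rejects "TLSv1". It would be cleaner to keep the method in a constant next to constants.OPENSSL_CIPHERS than to edit this literal again the next time socat renames or drops a method.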

Foysal Kayum

Jul 3, 2017, 2:04:27 AM
to ganeti
I have encountered the same problem, but unfortunately the workaround is not working. I have changed the "method=TLSv1" to "method=TLS1" in __init__.py.
But still it fails to move the instance.

Foysal Kayum

Jul 3, 2017, 2:16:14 AM
to ganeti
After changing the "in __init__.py" With the following error...

Mon Jul  3 12:07:59 2017  - INFO: Shutting down instance testvm2 on source node node2.c2.desh.net
Mon Jul  3 12:10:06 2017 Exporting disk/0 from node2.c2.desh.net to node1.c2.desh.net
Mon Jul  3 12:10:09 2017 disk/0 is now listening, starting export
Mon Jul  3 12:10:10 2017  - WARNING: import 'import-disk0-2017-07-03_12_10_06-OPdyT2' on node1.c2.desh.net failed: Exited with status 1
Mon Jul  3 12:10:10 2017 disk/0 failed to receive data: Exited with status 1 (recent output: 0+0 records in\n0+0 records out\n0 bytes copied, 4.50237 s, 0.0 kB/s)
Mon Jul  3 12:10:10 2017  - WARNING: Aborting export 'export-disk0-2017-07-03_12_10_10-N9yEYx' on 1b5d7965-cd15-4a30-a785-1d96d018b125
Mon Jul  3 12:10:14 2017  - WARNING: export 'export-disk0-2017-07-03_12_10_10-N9yEYx' on node2.c2.desh.net failed: Exited with status 1
Mon Jul  3 12:10:14 2017 disk/0 failed to send data: Exited with status 1 (recent output: socat: E certificate is valid but its commonName does not match hostname\ndd: dd: error writing 'standard output': Broken pipe\ndd: 0 bytes copied, 0.024983 s, 0.0 kB/s\ndd: error writing 'standard output': Broken pipe\n2+0 records in\n1+0 records out\n1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0299893 s, 35.0 MB/s)
Mon Jul  3 12:10:14 2017  - WARNING: Some disks failed to copy, aborting
Failure: command execution error:
Errors during disk copy: Failed to transfer instance data


tco...@gmail.com

Oct 23, 2017, 7:54:23 AM
to ganeti
Hi,

The workaround mentioned worked for me only when moving instances from one cluster to another. However, it hasn't worked with gnt-instance move for us either.

The only solution I have found for now is to disable the verify. In the same file:

-SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLS1",
+SOCAT_OPENSSL_OPTS = ["verify=0", "method=TLS1",
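Review bot: "verify=0" on the SOCAT_OPENSSL_OPTS line turns off peer certificate verification for every import and export, so the disk stream is still encrypted but the node on the other end is no longer authenticated. The failure reported earlier in the thread is "certificate is valid but its commonName does not match hostname", which points at the certificate rather than at socat; correct the name mismatch and keep "verify=1". If this has to go in as a stopgap, mark it temporary in a comment and revert it once the certificates are fixed.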

I don't like that solution but I need to move some "plain" instances.

Regards,

Dani

candlerb

Oct 24, 2017, 8:01:43 AM
to ganeti
> certificate is valid but its commonName does not match hostname

Error is pretty clear there.  Did you rename the node?  You might need to renew-crypto.
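
The two failures in this thread can be told apart from the job log alone, and the second one only shows its cause on the export side. The following is an added example, not part of any post here and not Ganeti code: a Python triage over the failure lines quoted above (the third is trimmed), where the function name, cause labels and hints are this example's own and the hints paraphrase the replies.

```python
import re

# Failure lines copied (third one trimmed) from the two job logs in this thread.
# The "\n" sequences are literal backslash-n, exactly as Ganeti prints them.
SAMPLE_LOG = r"""
Mon Oct 24 11:12:11 2016 disk/0 failed to receive data: Exited with status 1 (recent output: socat: E openssl-method="TLSv1": method unknown or not provided by library\n0+0 records in\n0+0 records out\n0 bytes copied, 0.00527276 s, 0.0 kB/s)
Mon Jul  3 12:10:10 2017 disk/0 failed to receive data: Exited with status 1 (recent output: 0+0 records in\n0+0 records out\n0 bytes copied, 4.50237 s, 0.0 kB/s)
Mon Jul  3 12:10:14 2017 disk/0 failed to send data: Exited with status 1 (recent output: socat: E certificate is valid but its commonName does not match hostname\ndd: dd: error writing 'standard output': Broken pipe\n2+0 records in\n1+0 records out)
"""

FAIL_RE = re.compile(r"(disk/\d+) failed to (receive|send) data: .*?"
                     r"\(recent output: (.*)\)\s*$")
SOCAT_ERR_RE = re.compile(r"socat: E (.*)")

# (pattern in the socat error, cause label, what the thread suggests)
CAUSES = [
    (re.compile(r'openssl-method="[^"]+": method unknown'), "tls-method-name",
     'socat rejects the method name: patch "TLSv1" to "TLS1" or downgrade socat'),
    (re.compile(r"commonName does not match hostname"), "cert-name-mismatch",
     "peer certificate name is wrong: check for a node rename, renew-crypto"),
]

def triage(log_text):
    """Return one finding per failed disk transfer line in a job log."""
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        disk, direction, recent = m.groups()
        cause, hint, detail = "no-socat-error", "read the peer side's failure line", ""
        for chunk in recent.split("\\n"):      # split on the literal "\n"
            err = SOCAT_ERR_RE.search(chunk)
            if not err:
                continue
            detail = err.group(1)
            for pattern, label, advice in CAUSES:
                if pattern.search(detail):
                    cause, hint = label, advice
        findings.append({"disk": disk,
                         "side": "import" if direction == "receive" else "export",
                         "cause": cause, "hint": hint, "detail": detail})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['disk']} {f['side']:6} {f['cause']:18} {f['hint']}")
```

In the 2017 log the import side reports no socat error at all; the commonName mismatch appears only in the export side's line, which is why both lines need to be read before changing "verify".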


Randy Bush

Oct 25, 2017, 11:22:45 AM
to tco...@gmail.com, ganeti
> The workaround mentioned worked for me only when moving instances from one
> cluster to another. However, it hasn't worked with gnt-instance move for us
> either.
>
> The only solution I have found for now is to disable the verify. In the
> same file:
>
> -SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLS1",
> +SOCAT_OPENSSL_OPTS = ["verify=0", "method=TLS1",

luckily, i only have this problem at 1.5 times the period of the
solution falling out of what's left of my memory. shame it is still in
the code base.

randy