Discussion:
[xcat-user] conserver / rcons errors after upgrade
David D. Johnson
2017-06-22 20:55:02 UTC
Just finished updating xcat front-end node from rhels7.2 to rhels7.3, at the same time
as updating xcat from 2.12.something to 2.13.4. Since then rcons gives me these errors:


[***@mgt5 etc]# rcons node475
console: invalid keyword 'sslauthority' [/root/.consolerc:3]
console: invalid keyword '/root/.xcat/ca.pem' [/root/.consolerc:4]
console: premature token ';' [/root/.consolerc:4]
console: SSLVerifyCallback(): error with certificate at depth: 0
console: SSLVerifyCallback(): issuer = /CN=xCAT CA
console: SSLVerifyCallback(): subject = /CN=mgt5.oscar.ccv.brown.edu
console: SSLVerifyCallback(): error #20: unable to get local issuer certificate
console: SSL negotiation failed
139835810314176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1178:

I tried removing .consolerc, but it keeps getting recreated.

I tried commenting out the lines at the beginning of /etc/conserver.cf,
#_#config * {
#_# sslrequired yes;
#_# sslauthority /etc/xcat/cert/ca.pem;
#_# sslcredentials /etc/xcat/cert/server-cred.pem;
#_#}

but similar results….

[***@mgt5 etc]# rcons node475
console: invalid keyword 'sslauthority' [/root/.consolerc:3]
console: invalid keyword '/root/.xcat/ca.pem' [/root/.consolerc:4]
console: premature token ';' [/root/.consolerc:4]
console: SSL negotiation failed
140447651203008:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:

What did I miss in the upgrade?

Thanks,
— ddj
Dave Johnson
Brown University CIS/CCV
Kilian Cavalotti
2017-06-22 21:37:43 UTC
On Thu, Jun 22, 2017 at 1:55 PM, David D. Johnson
<***@brown.edu> wrote:
> Just finished updating xcat front-end node from rhels7.2 to rhels7.3, at the same time
> as updating xcat from 2.12.something to 2.13.4. Since then rcons gives me these errors:
>
>
> [***@mgt5 etc]# rcons node475
> console: invalid keyword 'sslauthority' [/root/.consolerc:3]

> What did I miss in the upgrade?

Argh, it's partly my fault: I'm the one who requested an upgrade of
the conserver version that ships in xcat-deps:
https://github.com/xcat2/xcat-dep/issues/18

On the other hand, I haven't seen any announcement or notification about
the update. Since it breaks existing configurations, it could have
been a good idea.

Anyway, long story short, the xCAT-provided version of conserver had
10yo local patches to support SSL. Those have made their way upstream
since then, but with some different option names. So what you'll need
to do is replace the "sslauthority" directive by
"sslcacertificatefile" in both /etc/conserver.cf and /root/.consolerc

I guess now that the conserver version in xcat-dep is the same as
upstream, it's not really necessary to ship it in xcat-dep, the
dependency could just be made on the upstream version (which is in
EPEL and SLES). Or is there any reason to keep a xCAT-specific
version?

Cheers,
--
Kilian
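
The rename Kilian describes above, applied as a script with a backup instead of by hand (an added example, not part of any message in this thread and not xCAT's own code). The function names and the `.pre-sslcacert` backup suffix are assumptions; only lines where `sslauthority` is the active first token are rewritten, so commented-out lines are left untouched.

```shell
#!/bin/sh
# Added example: migrate the renamed conserver SSL directive in a config
# file. Function names and the backup suffix are assumptions of this sketch.

OLD_KW='sslauthority'
NEW_KW='sslcacertificatefile'

# Count active (non-comment) lines whose first token is the old keyword.
count_old_keyword() {
    grep -c -E "^[[:space:]]*${OLD_KW}([[:space:]]|\$)" "$1" || true
}

# Rewrite the keyword in place and print the number of lines changed.
# Returns 0 on success (including "nothing to do"), 2 if the file is missing.
migrate_conserver_ssl_keyword() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    n=$(count_old_keyword "$f")
    if [ "$n" -gt 0 ]; then
        cp -p "$f" "$f.pre-sslcacert"
        # Write through the existing file so its mode and ownership are kept.
        sed -e "s/^\([[:space:]]*\)${OLD_KW}\([[:space:]]\)/\1${NEW_KW}\2/" \
            -e "s/^\([[:space:]]*\)${OLD_KW}\$/\1${NEW_KW}/" \
            "$f.pre-sslcacert" > "$f"
    fi
    echo "$n"
}

# Constructed sample modelled on the config block quoted in the thread:
# one commented-out directive and one active directive.
write_sample() {
    cat > "$1" <<'EOF'
#_# sslauthority /etc/xcat/cert/ca.pem;
config * {
  sslrequired yes;
  sslauthority /etc/xcat/cert/ca.pem;
  sslcredentials /etc/xcat/cert/server-cred.pem;
}
EOF
}
```

Run `migrate_conserver_ssl_keyword` against both /etc/conserver.cf and /root/.consolerc, then restart conserver; a second run prints 0 because nothing is left to change.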
Long LA Cheng
2017-06-23 03:26:32 UTC
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Long LA Cheng
2017-06-23 03:46:35 UTC
Er Tao Zhao
2017-06-23 05:00:28 UTC
d***@brown.edu
2017-06-23 14:45:33 UTC
I used Kilian's workaround. It is working fine so far.

-- ddj
Dave Johnson

> On Jun 23, 2017, at 1:00 AM, Er Tao Zhao <***@cn.ibm.com> wrote:
>
> Hi, Dave
>
> Based on Cheng Long's comments, Will you pls work around it with:
> Download 2.13.4 xcat-dep tar ball from https://xcat.org/files/xcat/xcat-dep/2.x_Linux/xcat-dep-2.13.4-linux.tar.bz2
> Extract it and go to the correct sub directory for his OS+arch
> Force to install it with "rpm -U -v -h --force /path/to/conserver-xcat-8.1.16-10.ppc64le.rpm"
> Thx!
> Best Regards,
> -----------------------------------
> Zhao Er Tao
>
> IBM China System and Technology Laboratory, Beijing
> Tel:(86-10)82450485
> Email: ***@cn.ibm.com
> Address: 1/F, 28 Building,ZhongGuanCun Software Park,
> No.8 DongBeiWang West Road, Haidian District,
> Beijing, 100193, P.R.China
>
>
> ----- Original message -----
> From: "Long LA Cheng" <***@cn.ibm.com>
> To: xcat-***@lists.sourceforge.net
> Cc: xcat-***@lists.sourceforge.net
> Subject: Re: [xcat-user] conserver / rcons errors after upgrade
> Date: Fri, Jun 23, 2017 11:48 AM
>
> Hi Kilian,
>
> Thanks for your reply, I explain some historical reasons that we do not use the conserver from upstream directly.
>
> 1. xcat should support some old version systems. From their default repo, it can not get the conserver with the proper version. conserver supports the option of sslcacertificatefile until 8.1.19.
>
> 2. Another reason is that xcat is trying to support some scenario that the management node can not connect to the internet repo directly, the user can copy the repo files and create the repo locally.
>
> Thanks.
> Best Regards
>
> Long Cheng (程龙)
> IBM Systems & Technology Group, Development
> SOFTWARE ENGINEER
> Tel:86-10-82453046
> Email:***@cn.ibm.com
> Address: 3F, Building 28, Zhong Guan Cun Software Park, No.8, Dong Bei Wang West Road, Hai Dian District, Beijing 100193, PRC
> Address: IBM China (Investment) Co., Ltd., China Systems and Technology Lab, 3F, Building 28, Zhongguancun Software Park, No. 8 Dongbeiwang West Road, Haidian District, Beijing, Postal code: 100193
>
>
> ----- Original message -----
> From: Long LA Cheng/China/IBM
> To: xcat-***@lists.sourceforge.net
> Cc: xcat-***@lists.sourceforge.net
> Subject: Re: [xcat-user] conserver / rcons errors after upgrade
> Date: Fri, Jun 23, 2017 11:26 AM
>
> Hi Dave Johnson,
>
> Sorry for the inconvenienceI guess this error is due to the inconsistencies of the xcat-core(2.13.4) and xcat-dep(2.13.5 dev) from online repo.
> As conserver-xcat has been upgrade to the latest version (8.2.1), some configuration option from upstream is different from the old one with patches.
>
> Can you try the steps below to see if it can solve the problem:
>
> sed -i 's/sslauthority/sslcacertificatefile/1' $HOME/.consolerc
> sed -i 's/sslauthority/sslcacertificatefile/1' /etc/conserver.cf
> service conserver restart
>
> Thanks
> Best Regards
>
> Long Cheng (程龙)
> IBM Systems & Technology Group, Development
> SOFTWARE ENGINEER
> Tel:86-10-82453046
> Email:***@cn.ibm.com
> Address: 3F, Building 28, Zhong Guan Cun Software Park, No.8, Dong Bei Wang West Road, Hai Dian District, Beijing 100193, PRC
> Address: IBM China (Investment) Co., Ltd., China Systems and Technology Lab, 3F, Building 28, Zhongguancun Software Park, No. 8 Dongbeiwang West Road, Haidian District, Beijing, Postal code: 100193
>
>
> _______________________________________________
> xCAT-user mailing list
> xCAT-***@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xcat-user