Team - Security

Posts

  • RE: xcp-ng update to latest june patch - error - requires: perl-interpreter

    @AlexanderK you could try to install perl-interpreter manually maybe?

    I happened to have a test host at hand that hasn't been updated since December, and the yum update went fine. The perl interpreter was not installed before, and yum update did install it on its own as a dependency for openssl 3.

    Maybe others will have ideas as to why this would happen in your case.

  • RE: Adding new host to pool fails - Stunnel SSL certificate verification failure

    @Bryanvh No problem 🙂

    The issue you encountered wasn't very clear. Therefore, I've proposed a change to the XAPI to make the error more explicit (this will likely be implemented in future XAPI releases).

    So instead of SSL Certification failure the message will be: POOL_JOINING_MASTER_CERTIFICATE_NOT_IN_POOL_BUNDLE.

    Thank you very much for your patience and for bringing this issue to our attention.

    References:
    https://github.com/xapi-project/xen-api/pull/7112

  • RE: MTU change

    @Andrew I did suspect that would be sufficient, but we need to think at feature level, and as mentioned there is no such thing we could do "quickly" for Linux and other OSes. I anyway did a brain dump of my investigation before posting my previous message and we do now have an entry in the roadmap for it, which was not the case previously.

  • RE: MTU change

    Unfortunately, that's not trivial.

    Currently in Windows, the PV driver reads that info inheritance from the network setting at startup and applies it; it would not allow live modification.

    On the other hand, the Linux driver does not do that, therefore it would not be at feature parity. So it would likely be possible to have a "quick and dirty" implementation that works only at boot and only on Windows, that would help your case indeed, but that's not a great product feature 😅

    We will discuss that internally and see what can be added to the roadmap and to which depth we want to dig that hole as well, as this can go pretty far; we'll need to split that into smaller steps to be able to deliver something in a timely fashion.

  • RE: Adding new host to pool fails - Stunnel SSL certificate verification failure

    @Bryanvh Looking at the code, I saw that an exchange was taking place via this certificate.

    So when you told me that the master certificate was missing, I tried to put myself in the same situation as you (by removing the certificate) and trying to join the pool.
    Having encountered the same error as you, I determined that running these commands fixed the problem.

    Indeed, I think the upgrade from 8.2 to 8.3 is the cause. To be more precise, a change occurred in the XAPI during the certificate exchange in version 8.2, and I think it's possible that your 8.2 host wasn't up to date when it upgraded to 8.3 (I'm not sure).

    In any case, I'm glad your problem is solved.

  • RE: Adding new host to pool fails - Stunnel SSL certificate verification failure

    @Bryanvh I think I've managed to reproduce the issue. The fact that the master's certificate is missing from /etc/stunnel/certs-pool/ seems to be the problem.

    On the master, run xe host-refresh-server-certificate host=$(hostname) and then xe pool-certificate-sync.

    Then, if you run ls -l /etc/stunnel/certs-pool, you should see a certificate with the same name as your master's UUID. It should end with .pem. If it ends with .new.pem, I recommend copying the certificate, removing the .new (which can apparently cause problems).

    You should then be able to join the pool from your host.

    I hope this worked. Please let me know if it works.
    Respectfully,
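
Added example, not part of the original post and not XCP-ng's own tooling: a shell check for the state described in the post above (master certificate present, present only as .new.pem, or missing from the pool bundle directory), plus the copy step the post recommends. The function names are hypothetical, the UUID is supplied by the operator, and the default directory is the one named in the post.

```shell
#!/bin/sh
# Added example: inspect the stunnel pool bundle for the master's certificate.
# Function names are hypothetical; the directory default comes from the post.

CERT_DIR_DEFAULT=/etc/stunnel/certs-pool

# pool_cert_state UUID [DIR]
# Prints one of: ok | new-only | missing | no-dir
pool_cert_state() {
    _uuid=$1
    _dir=${2:-$CERT_DIR_DEFAULT}
    if [ -z "$_uuid" ]; then
        echo "usage: pool_cert_state UUID [DIR]" >&2
        return 2
    fi
    if [ ! -d "$_dir" ]; then
        echo no-dir        # bundle directory itself is absent
    elif [ -s "$_dir/$_uuid.pem" ]; then
        echo ok            # non-empty <uuid>.pem, the expected state
    elif [ -s "$_dir/$_uuid.new.pem" ]; then
        echo new-only      # only <uuid>.new.pem exists
    else
        echo missing       # the state reported in the thread
    fi
}

# promote_new_cert UUID [DIR]
# Copies <uuid>.new.pem to <uuid>.pem, keeping the original file and its
# mode, and refuses to act unless the state is exactly "new-only", so an
# existing <uuid>.pem is never overwritten.
promote_new_cert() {
    _p_uuid=$1
    _p_dir=${2:-$CERT_DIR_DEFAULT}
    [ "$(pool_cert_state "$_p_uuid" "$_p_dir")" = new-only ] || return 1
    cp -p "$_p_dir/$_p_uuid.new.pem" "$_p_dir/$_p_uuid.pem"
}

# When run as a script with arguments, print the state:
#   sh check-pool-cert.sh <master-uuid> [dir]
if [ $# -ge 1 ]; then
    pool_cert_state "$@"
fi
```

A result of missing or no-dir on the master is the case where the post's two xe commands apply; new-only is the case where the copy applies.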