VMware migration tool: we need your feedback!

julien-f

@michmoor0725 XO 5.82.1 has just been released in the latest channel with a few bug fixes, please let me know if that helps.

michmoor0725

@julien-f well well well....lol...
You are correct. There is an update and im able to import from VMware. No error messages so far.
Taking about 40 minutes or so but i dont know if thats good or not. I selected a NFS storage thats running on mechanical disks so i suspect thats the bottleneck.

I will keep everyone here up to date if i run into any issues.
Job well done you guys/gals. Job well done

michmoor0725

@julien-f VM has been imported but the problem now is networking.
The VM cannot pick up an IP regardless of what network i place it in. The eth0 interface is down. I bring it up no IP. VM is set for DHCP.
I know the vlans work as thats how ive been building test VMs which are configured with a dhcp scope.

For example, ive built a DMZ Host from XO. No issue.
Ive imported a VM from ESXi and placed it in the DMZ vlan. No IP

I took a pcap from the firewall and sure enough I dont see any DHCP Discover packets at all.

michmoor0725

disregard. I rebooted the VM a few times but the solution was to force a dhcp renew
$sudo dhclient

olivierlambert

Good news then

michmoor0725

@olivierlambert Very very good news. Great job on the import tool.

andyh

I have a legacy host running VMWare 5.1.0, when attempting to execute

xo-cli --register --allowUnauthorized <host> <user>

I receive the following error

✖ Error: write EPROTO C057D8B5357F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:

    at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
  code: 'EPROTO',
  errno: -71,
  syscall: 'write'
}

Would VMWare 5.1.0 be too old to transfer via Import from ?

olivierlambert

Hi,

I'm not sure to understand why are you using XO CLI in the first place? Have you tried from the UI directly?

andyh

@olivierlambert

When I try the import from the UI directly I receive the following in the logs:

write EPROTO C0A77278D27F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:

I am using Xen Orchestra from sources (commit 6fe79)
xo-server 5.116.3
xo-web 5.119.1

olivierlambert

Sounds like very old SSL libs that are not supported anymore?

andyh

@olivierlambert

This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,

Worst case I can look at manually exporting and importing the VMs.

olivierlambert

Let's wait to see if @florent got an idea

florent

@andyh said in VMware migration tool: we need your feedback!:

@olivierlambert

This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,

Worst case I can look at manually exporting and importing the VMs.

I have some work to do on the SSL ( the current implementation of the lib have some serious limit) , I will try to handle this at the same time.

andyh

@florent thanks for the response

florent

@andyh hi

could you tests this branch : https://github.com/vatesfr/xen-orchestra/pull/6859

I rewrote the https handling, and I 'm curious of the behaviour with older host

regards

fbeauchamp opened this pull request in vatesfr/xen-orchestra

closed feat(node-vsphere-soap): security improvements #6859

andyh

@florent Thanks for reaching out

Updated XO from Sources to the commit from the branch.

When I attempt the import from VMware, the process doesn't show an error in the UI and the connect process button looks to spin. However, checking the logs I see the following error (with skip SSL enabled or disabled)

write EPROTO C0F754130E7F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:

florent

@andyh I tried to disable TLS V2, can you pull --rebase and retry ?

if it doesn't work, could you check the tls level of your esxi host ?
https://stackoverflow.com/questions/40557031/command-prompt-to-check-tls-version-required-by-a-host
especially curl -Iiv --tlsv1.1 https://example.com

I have

* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

on my esxi 6 host

andyh

@florent

Thanks for the quick response, the same error looks to persist.

Running the curl command gives

* Trying 192.168.xx.yy:443...
* Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Performing the same check with -tlsv1.0 gives

*   Trying 192.168.xx.yy:443...
* Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Not sure if this helps.

akaylee

Hi!

I am having a similar problem to @andyh
Our VMWare is v5.5, xoa CLI throws:

      "result": {
        "message": "Client network socket disconnected before secure TLS connection was established",
        "name": "Error",
        "stack": "Error: Client network socket disconnected before secure TLS connection was established\n    at Function.AxiosError.from (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/core/AxiosError.js:89:14)\n    at RedirectableRequest.handleRequestError (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/adapters/http.js:591:25)\n    at RedirectableRequest.emit (node:events:527:28)\n    at RedirectableRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n    at ClientRequest.eventHandlers.<computed> (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/follow-redirects/index.js:14:24)\n    at ClientRequest.emit (node:events:527:28)\n    at ClientRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n    at TLSSocket.socketErrorListener (node:_http_client:454:9)\n    at TLSSocket.emit (node:events:527:28)\n    at TLSSocket.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n    at emitErrorNT (node:internal/streams/destroy:157:8)\n    at emitErrorCloseNT (node:internal/streams/destroy:122:3)\n    at processTicksAndRejections (node:internal/process/task_queues:83:21)",

While webUI stucks on "Connect" with no apparent logs present..

When checking tls level of my esxi host:

localhost:~ # openssl s_client -connect www.google.com:443 -tls1
CONNECTED(00000003)

Will there be a support for older versions of ESXi? Or maybe I am doing something wrong. Thanks in advance!

florent

@akaylee we brole rejectUnauthorized ( handling of self signed certificate) During the upgrade of node-vpshere-soap, the fixes are coming and it should also work on 5.5

the first one have been merged and should allow you to list the VM on the host. Does it work ?