VMware migration tool: we need your feedback!

michmoor0725

@julien-f Im new to this so not really sure how to answer that question.

xo-server 5.113.0
xo-web 5.116.1

I can PM my support ID if you need to poke around.

julien-f

@michmoor0725 If you are using an official XOA, I think the best would be to wait for the future patch release (very very soon) and re-test after having upgraded

michmoor0725

@julien-f No worries. I dont mind waiting a bit. I do know a patch was pushed by @florent a few days ago.
Im hoping the patches in the upcoming release fixes the imports. Right now i cant migrate anything. Not critical at this time.

julien-f

@michmoor0725 XO 5.82.1 has just been released in the latest channel with a few bug fixes, please let me know if that helps.

michmoor0725

@julien-f well well well....lol...
You are correct. There is an update and im able to import from VMware. No error messages so far.
Taking about 40 minutes or so but i dont know if thats good or not. I selected a NFS storage thats running on mechanical disks so i suspect thats the bottleneck.

I will keep everyone here up to date if i run into any issues.
Job well done you guys/gals. Job well done

michmoor0725

@julien-f VM has been imported but the problem now is networking.
The VM cannot pick up an IP regardless of what network i place it in. The eth0 interface is down. I bring it up no IP. VM is set for DHCP.
I know the vlans work as thats how ive been building test VMs which are configured with a dhcp scope.

For example, ive built a DMZ Host from XO. No issue.
Ive imported a VM from ESXi and placed it in the DMZ vlan. No IP

I took a pcap from the firewall and sure enough I dont see any DHCP Discover packets at all.

michmoor0725

disregard. I rebooted the VM a few times but the solution was to force a dhcp renew
$sudo dhclient

olivierlambert

Good news then

michmoor0725

@olivierlambert Very very good news. Great job on the import tool.

andyh

I have a legacy host running VMWare 5.1.0, when attempting to execute

xo-cli --register --allowUnauthorized <host> <user>

I receive the following error

✖ Error: write EPROTO C057D8B5357F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:

    at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
  code: 'EPROTO',
  errno: -71,
  syscall: 'write'
}

Would VMWare 5.1.0 be too old to transfer via Import from ?

olivierlambert

Hi,

I'm not sure to understand why are you using XO CLI in the first place? Have you tried from the UI directly?

andyh

@olivierlambert

When I try the import from the UI directly I receive the following in the logs:

write EPROTO C0A77278D27F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:

I am using Xen Orchestra from sources (commit 6fe79)
xo-server 5.116.3
xo-web 5.119.1

olivierlambert

Sounds like very old SSL libs that are not supported anymore?

andyh

@olivierlambert

This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,

Worst case I can look at manually exporting and importing the VMs.

olivierlambert

Let's wait to see if @florent got an idea

florent

@andyh said in VMware migration tool: we need your feedback!:

@olivierlambert

This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,

Worst case I can look at manually exporting and importing the VMs.

I have some work to do on the SSL ( the current implementation of the lib have some serious limit) , I will try to handle this at the same time.

andyh

@florent thanks for the response

florent

@andyh hi

could you tests this branch : https://github.com/vatesfr/xen-orchestra/pull/6859

I rewrote the https handling, and I 'm curious of the behaviour with older host

regards

fbeauchamp opened this pull request in vatesfr/xen-orchestra

closed feat(node-vsphere-soap): security improvements #6859

andyh

@florent Thanks for reaching out

Updated XO from Sources to the commit from the branch.

When I attempt the import from VMware, the process doesn't show an error in the UI and the connect process button looks to spin. However, checking the logs I see the following error (with skip SSL enabled or disabled)

write EPROTO C0F754130E7F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:

florent

@andyh I tried to disable TLS V2, can you pull --rebase and retry ?

if it doesn't work, could you check the tls level of your esxi host ?
https://stackoverflow.com/questions/40557031/command-prompt-to-check-tls-version-required-by-a-host
especially curl -Iiv --tlsv1.1 https://example.com

I have

* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

on my esxi 6 host