XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login
    1. Home
    2. psafont
    • Profile
    • Following 0
    • Followers 0
    • Topics 0
    • Posts 5
    • Best 3
    • Controversial 0
    • Groups 1

    psafont

    @psafont

    XAPI Vizier 🐪

    8
    Reputation
    11
    Profile views
    5
    Posts
    0
    Followers
    0
    Following
    Joined Last Online
    Website github.com/psafont Location Xenserver

    psafont Unfollow Follow
    XAPI Vizier 🐪

    Best posts made by psafont

    • RE: XCP-ng 8.3 beta 🚀

      @stormi said in XCP-ng 8.3 beta 🚀:

      @psafont Will a 8.2 to 8.3 upgrade (through the installation ISO) leave TLS verification disabled, or will it enable it by default?

      It's not enabled by default, enabling it by default is not possible with the current update procedure where the pool coordinator is updated before the other pool member because these do not expose the new certificates to xmlrpc clients before upgrading, breaking communications.

      In other words: must we expect any user who upgrades from 8.2 or lower and then later wants to add a new host to the pool to see this error (and likely ask for help, even if we document it properly - and we would of course)?

      Yes

      posted in News
      psafontP
      psafont
    • RE: XCP-ng 8.3 public alpha 🚀

      @olivierlambert Snapshot is in essence a VDI clone, I don't see any checks being done before the filtering for ignored VDIs is done. And that is done pretty early on, not sure why there are operations affecting virtual block devices from ignored VDIs: https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/xapi_vm_clone.ml#L416

      posted in News
      psafontP
      psafont
    • RE: XCP-ng 8.3 public alpha 🚀

      @cocoon
      The best thing we can do here is inspect the actual certificate:
      Please run openssl x509 -text -noout -in /etc/xensource/xapi-ssl.pem

      xenserver has generated host certificates with 2048-bit RSA keys for years, these should be able to be loaded by stunnel (through openssl) just fine.

      If the key is smaller that this then the fix is easy: generate a new certificate for that host: xe host-refresh-server-certificate host uuid=<>
      Be mindful that clients that trusted the previous certificate will need to trust the new one in order for the TLS connections to be established

      posted in News
      psafontP
      psafont

    Latest posts made by psafont

    • RE: XCP-ng 8.3 beta 🚀

      @stormi said in XCP-ng 8.3 beta 🚀:

      @psafont Will a 8.2 to 8.3 upgrade (through the installation ISO) leave TLS verification disabled, or will it enable it by default?

      It's not enabled by default, enabling it by default is not possible with the current update procedure where the pool coordinator is updated before the other pool member because these do not expose the new certificates to xmlrpc clients before upgrading, breaking communications.

      In other words: must we expect any user who upgrades from 8.2 or lower and then later wants to add a new host to the pool to see this error (and likely ask for help, even if we document it properly - and we would of course)?

      Yes

      posted in News
      psafontP
      psafont
    • RE: XCP-ng 8.3 beta 🚀

      @gsrfan01 The error happens because the joining host has TLS certificate checking enabled for pool connections while the joined host don't.

      This mismatch happens because on fresh installs TLS certificate checking is enabled, while for updates from previous versions is not.

      To enable TLS certificate checking in a pool simply running xe pool-enable-tls-verification.

      The emergency command is not needed in this case, it's useful to re-enable certificate checking in a single host after is has been disabled using the emergency disable

      posted in News
      psafontP
      psafont
    • RE: XCP-ng 8.3 public alpha 🚀

      @olivierlambert Snapshot is in essence a VDI clone, I don't see any checks being done before the filtering for ignored VDIs is done. And that is done pretty early on, not sure why there are operations affecting virtual block devices from ignored VDIs: https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/xapi_vm_clone.ml#L416

      posted in News
      psafontP
      psafont
    • RE: xe command "hangs on start" when max / open files is high

      There's ongoing effort to avoid opening file descriptors, to avoid this situation. I'll consult whether the current patches avoid this situation in template-export / vm-import

      https://github.com/xapi-project/xen-api/pull/4877

      snwoods opened this pull request in xapi-project/xen-api

      open CP-32622: avoid using select and instead use epoll #4877

      posted in Compute
      psafontP
      psafont
    • RE: XCP-ng 8.3 public alpha 🚀

      @cocoon
      The best thing we can do here is inspect the actual certificate:
      Please run openssl x509 -text -noout -in /etc/xensource/xapi-ssl.pem

      xenserver has generated host certificates with 2048-bit RSA keys for years, these should be able to be loaded by stunnel (through openssl) just fine.

      If the key is smaller that this then the fix is easy: generate a new certificate for that host: xe host-refresh-server-certificate host uuid=<>
      Be mindful that clients that trusted the previous certificate will need to trust the new one in order for the TLS connections to be established

      posted in News
      psafontP
      psafont