[one-users] OpenNebula 3.2.1 econe-server and SSL proxy

Daniel Molina dmolina at opennebula.org
Fri Feb 3 03:21:22 PST 2012 

On 3 February 2012 11:57, Daniel Molina <dmolina at opennebula.org> wrote:
> On 3 February 2012 11:30, Ulrich Schwickerath
> <ulrich.schwickerath at cern.ch> wrote:
>> Hi, Daniel,
>>
>> thanks a lot for the help on this. The problem with the ssl proxy was that I
>> was missing an extra / at the end of the ssl_server directive. So one needs
>>
>> :ssl_server: https://cloud.opennebula.org/
>>
>> rather than
>>
>> :ssl_server: https://cloud.opennebula.org
>>
>> else I get authentication errors. However, this is not the end of the story
>> I'm afraid. With this patch in place I can query the system, but it's very
>> very slow. My most important user has some 500 VMs in the system, and a
>> euca-describe-instances
>> times out or gives expat parse errors. If I query the system locally it
>> works fine and is very responsive. This problem is new in 3.2.1, I didn't
>> have this in 3.0 which I was using before. I already checked that I have all
>> rubygems installed which are needed.
>
> Are you using the same client in both sides? Maybe It is an
> environment problem (EC2_URL)
>
>>
>> Any idea?

Ok, I think the problem is euca tools does not support paths. I have
already tested the following configuration and it works:

:ssl_server: https://devel.cloud.opennebula.org/

$ euca-describe-instances -U https://devel.cloud.opennebula.org  | wc -l
151

$ econe-describe-instances -U https://devel.cloud.opennebula.org/  | wc -l
151


If you use euca with this url; https://devel.cloud.opennebula.org/ you
will get the previous error/timeout. Also if you use econe with this
url; https://devel.cloud.opennebula.org it will return a path empty
error. I will update the econe tools to set '/' by default

Cheers

>>
>> Thanks!
>> Ulrich
>>
>>
>>
>>
>> On 02/02/2012 11:40 PM, Daniel Molina wrote:
>>>
>>> Hi Ulrich,
>>>
>>> We have added a new patch in order to support custom paths and ports
>>> when setting up an SSL proxy on top of the econe-server. You can see
>>> this patch in the following link:
>>>
>>> http://dev.opennebula.org/issues/985
>>>
>>> This patch has been included in the last release (3.2.1). I recommend
>>> you to upgrade to this version. Also the performance should be
>>> improved since we have included a new authentication cache.
>>>
>>> Currently the econe-server is running in our public cloud with an SSL
>>> proxy, using the following configuration:
>>>
>>> $ cat econe.conf
>>> # Host and port where econe server will run
>>> :server: localhost
>>> :port: 7141
>>>
>>> # SSL proxy that serves the API (set if is being used)
>>> :ssl_server: https://cloud.opennebula.org/econe
>>>
>>> # Authentication driver for incomming requests
>>> #   ec2, default Acess key and Secret key scheme
>>> #   x509, for x509 certificates based authentication
>>> :auth: ec2
>>>
>>> # Authentication driver to communicate with OpenNebula core
>>> #   cipher, for symmetric cipher encryption of tokens
>>> #   x509, for x509 certificate encryption of tokens
>>> :core_auth: cipher
>>>
>>> $ cat apache2.conf
>>> <VirtualHost *:443>
>>>         servername cloud.opennebula.org
>>>         SSLEngine on
>>>         ProxyPass        /econe http://localhost:7141/
>>>         ProxyPassReverse /econe http://localhost:7141/
>>> </VirtualHost>
>>>
>>> If you use a path different from '/' the client must support this
>>> feature, otherwise the authentication will fail. The econe tools
>>> included in the 3.2.1 release support custom paths.
>>>
>>> Also if you want the proxy to listen in a different port from the
>>> default (443) you can specify it in the ssl_parameter:
>>> :ssl_server: https://cloud.opennebula.org:8082/
>>>
>>> Hope this helps
>>>
>>> On 2 February 2012 22:45, Ulrich Schwickerath
>>> <ulrich.schwickerath at cern.ch>  wrote:
>>>>
>>>> Hi,
>>>>
>>>> did anybody try to setup the ONE 3.2 econe-server with an SSL proxy ? The
>>>> instructions on the web on this seem to be a bit out of date.
>>>> I had it working fine with 3.0 but with 3.2 I get authentication errors
>>>> (the
>>>> ssl proxy setup is unchanged sinde 3.0). Direct access via http works
>>>> (although slower than before).
>>>>
>>>> Cheers,
>>>> Ulrich
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>>
>>
>>
>> --
>> --------------------------------------
>> Dr. Ulrich Schwickerath
>> CERN IT/PES-PS
>> 1211 Geneva 23
>> e-mail: ulrich.schwickerath at cern.ch
>> phone:   +41 22 767 9576
>> mobile:  +41 76 487 5602
>>
>
>
>
> --
> Daniel Molina
> Project Engineer
> OpenNebula - The Open Source Toolkit for Data Center Virtualization
> www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula

More information about the Users mailing list