[one-users] OpenNebula 3.2.1 econe-server and SSL proxy

Daniel Molina dmolina at opennebula.org
Fri Feb 3 04:16:52 PST 2012


On 3 February 2012 13:08, Ulrich Schwickerath
<ulrich.schwickerath at cern.ch> wrote:
> Hi, Daniel,
>
> the problem I'm facing is a bit different from what you describe. For
> example, I have one user who has one VM only. For him the setup works:
>
> [uschwick at lxadm11 private]$ time euca-describe-instances | wc -l
> 2
>
> real    0m0.614s
> user    0m0.136s
> sys     0m0.042s
>
> If I switch to my other user with hundreds of VMs I run into the described
> timeout problems.
>
> $ time euca-describe-instances
>
> Warning: failed to parse error message from AWS: <unknown>:1:49: syntax
> error
> Traceback (most recent call last):
>  File "/usr/bin/euca-describe-instances", line 127, in <module>
>    main()
>  File "/usr/bin/euca-describe-instances", line 121, in main
>    euca.display_error_and_exit('%s' % ex)
>  File "/usr/lib/python2.6/site-packages/euca2ools/__init__.py", line 1436,
> in display_error_and_exit
>    dom = minidom.parseString(msg)
>  File "/usr/lib64/python2.6/xml/dom/minidom.py", line 1928, in parseString
>    return expatbuilder.parseString(string)
>  File "/usr/lib64/python2.6/xml/dom/expatbuilder.py", line 940, in
> parseString
>    return builder.parseString(string)
>  File "/usr/lib64/python2.6/xml/dom/expatbuilder.py", line 223, in
> parseString
>    parser.Parse(string, True)
> xml.parsers.expat.ExpatError: syntax error: line 1, column 49
>
> real    2m0.365s
> user    0m0.122s
> sys     0m0.046s
>
> same test with econe gives:
>
> [uschwick at oneadmin02 private]$ econe-describe-instances
> econe-describe-instances: execution expired
>
> This looks to me like a performance issue.

Are you running ruby 1.9 in your server? Try applying this patch and
installing the nokogiri gem:
http://dev.opennebula.org/projects/opennebula/repository/revisions/17e3ffc31e20e17285c36de615862b147577d16a

>
> Cheers,
> Ulrich
>
>
> On 02/03/2012 12:21 PM, Daniel Molina wrote:
>>
>> On 3 February 2012 11:57, Daniel Molina<dmolina at opennebula.org>  wrote:
>>>
>>> On 3 February 2012 11:30, Ulrich Schwickerath
>>> <ulrich.schwickerath at cern.ch>  wrote:
>>>>
>>>> Hi, Daniel,
>>>>
>>>> thanks a lot for the help on this. The problem with the ssl proxy was
>>>> that I
>>>> was missing an extra / at the end of the ssl_server directive. So one
>>>> needs
>>>>
>>>> :ssl_server: https://cloud.opennebula.org/
>>>>
>>>> rather than
>>>>
>>>> :ssl_server: https://cloud.opennebula.org
>>>>
>>>> else I get authentication errors. However, this is not the end of the
>>>> story
>>>> I'm afraid. With this patch in place I can query the system, but it's
>>>> very
>>>> very slow. My most important user has some 500 VMs in the system, and a
>>>> euca-describe-instances
>>>> times out or gives expat parse errors. If I query the system locally it
>>>> works fine and is very responsive. This problem is new in 3.2.1, I
>>>> didn't
>>>> have this in 3.0 which I was using before. I already checked that I have
>>>> all
>>>> rubygems installed which are needed.
>>>
>>> Are you using the same client on both sides? Maybe it is an
>>> environment problem (EC2_URL)
>>>
>>>> Any idea?
>>
>> Ok, I think the problem is that the euca tools do not support paths. I have
>> already tested the following configuration and it works:
>>
>> :ssl_server: https://devel.cloud.opennebula.org/
>>
>> $ euca-describe-instances -U https://devel.cloud.opennebula.org  | wc -l
>> 151
>>
>> $ econe-describe-instances -U https://devel.cloud.opennebula.org/  | wc -l
>> 151
>>
>>
>> If you use euca with this URL: https://devel.cloud.opennebula.org/ you
>> will get the previous error/timeout. Also, if you use econe with this
>> URL: https://devel.cloud.opennebula.org it will return a path empty
>> error. I will update the econe tools to set '/' by default.
>>
>> Cheers
>>
>>>> Thanks!
>>>> Ulrich
>>>>
>>>>
>>>>
>>>>
>>>> On 02/02/2012 11:40 PM, Daniel Molina wrote:
>>>>>
>>>>> Hi Ulrich,
>>>>>
>>>>> We have added a new patch in order to support custom paths and ports
>>>>> when setting up an SSL proxy on top of the econe-server. You can see
>>>>> this patch in the following link:
>>>>>
>>>>> http://dev.opennebula.org/issues/985
>>>>>
>>>>> This patch has been included in the last release (3.2.1). I recommend
>>>>> that you upgrade to this version. Also the performance should be
>>>>> improved since we have included a new authentication cache.
>>>>>
>>>>> Currently the econe-server is running in our public cloud with an SSL
>>>>> proxy, using the following configuration:
>>>>>
>>>>> $ cat econe.conf
>>>>> # Host and port where econe server will run
>>>>> :server: localhost
>>>>> :port: 7141
>>>>>
>>>>> # SSL proxy that serves the API (set if is being used)
>>>>> :ssl_server: https://cloud.opennebula.org/econe
>>>>>
>>>>> # Authentication driver for incomming requests
>>>>> #   ec2, default Acess key and Secret key scheme
>>>>> #   x509, for x509 certificates based authentication
>>>>> :auth: ec2
>>>>>
>>>>> # Authentication driver to communicate with OpenNebula core
>>>>> #   cipher, for symmetric cipher encryption of tokens
>>>>> #   x509, for x509 certificate encryption of tokens
>>>>> :core_auth: cipher
>>>>>
>>>>> $ cat apache2.conf
>>>>> <VirtualHost *:443>
>>>>>         servername cloud.opennebula.org
>>>>>         SSLEngine on
>>>>>         ProxyPass        /econe http://localhost:7141/
>>>>>         ProxyPassReverse /econe http://localhost:7141/
>>>>> </VirtualHost>
>>>>>
>>>>> If you use a path different from '/' the client must support this
>>>>> feature, otherwise the authentication will fail. The econe tools
>>>>> included in the 3.2.1 release support custom paths.
>>>>>
>>>>> Also, if you want the proxy to listen on a different port from the
>>>>> default (443) you can specify it in the ssl_parameter:
>>>>> :ssl_server: https://cloud.opennebula.org:8082/
>>>>>
>>>>> Hope this helps
>>>>>
>>>>> On 2 February 2012 22:45, Ulrich Schwickerath
>>>>> <ulrich.schwickerath at cern.ch>    wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> did anybody try to set up the ONE 3.2 econe-server with an SSL proxy?
>>>>>> The
>>>>>> instructions on the web on this seem to be a bit out of date.
>>>>>> I had it working fine with 3.0 but with 3.2 I get authentication
>>>>>> errors
>>>>>> (the
>>>>>> ssl proxy setup is unchanged since 3.0). Direct access via http works
>>>>>> (although slower than before).
>>>>>>
>>>>>> Cheers,
>>>>>> Ulrich
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> --------------------------------------
>>>> Dr. Ulrich Schwickerath
>>>> CERN IT/PES-PS
>>>> 1211 Geneva 23
>>>> e-mail: ulrich.schwickerath at cern.ch
>>>> phone:   +41 22 767 9576
>>>> mobile:  +41 76 487 5602
>>>>
>>>
>>>
>>> --
>>> Daniel Molina
>>> Project Engineer
>>> OpenNebula - The Open Source Toolkit for Data Center Virtualization
>>> www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
>>
>>
>>
>
>
> --
> --------------------------------------
> Dr. Ulrich Schwickerath
> CERN IT/PES-PS
> 1211 Geneva 23
> e-mail: ulrich.schwickerath at cern.ch
> phone:   +41 22 767 9576
> mobile:  +41 76 487 5602
>



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
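
Added example, not part of the original message and not OpenNebula's own code: it shows in Ruby why the ssl_server value has to match the URL the client signs, trailing slash, path and port included. It assumes the ec2 auth driver checks an AWS Signature Version 2 style HMAC, in which host, port and path are part of the signed string; the secret, request parameters and helper names are constructed for illustration.

```ruby
require 'openssl'
require 'uri'

# RFC 3986 percent-encoding, as Signature Version 2 requires for keys and values.
def sigv2_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-_.~]/) do |char|
    char.bytes.map { |b| format('%%%02X', b) }.join
  end
end

# Host (with any non-default port) and path exactly as the endpoint URL gives them.
# The path is not normalised, so "" and "/" are different signed values.
def signed_host_and_path(endpoint)
  uri = URI.parse(endpoint)
  host = uri.host.downcase
  host += ":#{uri.port}" unless uri.port == uri.default_port
  [host, uri.path]
end

# Signature Version 2: HMAC-SHA256 over verb, host, path and the sorted query.
def sigv2_signature(secret, verb, endpoint, params)
  host, path = signed_host_and_path(endpoint)
  query = params.sort.map { |k, v| "#{sigv2_escape(k)}=#{sigv2_escape(v)}" }.join('&')
  string_to_sign = [verb, host, path, query].join("\n")
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, string_to_sign)].pack('m0')
end

# Behind the proxy the server only sees localhost:7141, so it has to rebuild the
# signed string from its configured ssl_server value (assumed behaviour).
def proxy_auth_ok?(secret, ssl_server, client_url, params)
  presented = sigv2_signature(secret, 'GET', client_url, params)
  expected  = sigv2_signature(secret, 'GET', ssl_server, params)
  OpenSSL.secure_compare(expected, presented)
end

# Constructed sample request and secret, not taken from the thread.
SAMPLE_SECRET = 'constructed-secret-key'
SAMPLE_PARAMS = {
  'Action' => 'DescribeInstances', 'AWSAccessKeyId' => 'exampleuser',
  'SignatureMethod' => 'HmacSHA256', 'SignatureVersion' => '2',
  'Timestamp' => '2012-02-03T12:00:00Z', 'Version' => '2010-08-31'
}.freeze

if __FILE__ == $PROGRAM_NAME
  server = 'https://cloud.opennebula.org/'
  ['https://cloud.opennebula.org/', 'https://cloud.opennebula.org',
   'https://cloud.opennebula.org/econe', 'https://cloud.opennebula.org:8082/'].each do |url|
    puts format('%-38s %s', url, proxy_auth_ok?(SAMPLE_SECRET, server, url, SAMPLE_PARAMS) ? 'accepted' : 'rejected')
  end
end
```

Under that assumption only the first URL is accepted, so the check when authentication fails behind the proxy is whether the host, port and path in ssl_server are exactly what the client signs (EC2_URL or -U).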


