[one-users] OpenNebula 3.2.1 econe-server and SSL proxy

Ulrich Schwickerath ulrich.schwickerath at cern.ch
Fri Feb 3 04:36:12 PST 2012


Hi, Daniel,

>
> Are you running ruby 1.9 in your server?
No, we are running on SLC6 (compatible with RHEL6)
[root@oneadmin02 ~]# ruby --version
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]

> Try applying this patch and
> installing the nokogiri gem:
> http://dev.opennebula.org/projects/opennebula/repository/revisions/17e3ffc31e20e17285c36de615862b147577d16a
We have
rubygem-nokogiri-1.4.3.1-1.el6.x86_64
installed already. I have taken the patch and restarted oned and
econe-server but this does not seem to help.

Cheers,
Ulrich
>> Cheers,
>> Ulrich
>>
>>
>> On 02/03/2012 12:21 PM, Daniel Molina wrote:
>>> On 3 February 2012 11:57, Daniel Molina <dmolina at opennebula.org> wrote:
>>>> On 3 February 2012 11:30, Ulrich Schwickerath
>>>> <ulrich.schwickerath at cern.ch> wrote:
>>>>> Hi, Daniel,
>>>>>
>>>>> thanks a lot for the help on this. The problem with the ssl proxy was that I
>>>>> was missing an extra / at the end of the ssl_server directive. So one needs
>>>>>
>>>>> :ssl_server: https://cloud.opennebula.org/
>>>>>
>>>>> rather than
>>>>>
>>>>> :ssl_server: https://cloud.opennebula.org
>>>>>
>>>>> else I get authentication errors. However, this is not the end of the story
>>>>> I'm afraid. With this patch in place I can query the system, but it's very
>>>>> very slow. My most important user has some 500 VMs in the system, and a
>>>>> euca-describe-instances
>>>>> times out or gives expat parse errors. If I query the system locally it
>>>>> works fine and is very responsive. This problem is new in 3.2.1, I didn't
>>>>> have this in 3.0 which I was using before. I already checked that I have all
>>>>> rubygems installed which are needed.
>>>> Are you using the same client on both sides? Maybe it is an
>>>> environment problem (EC2_URL)
>>>>
>>>>> Any idea?
>>> Ok, I think the problem is that the euca tools do not support paths. I have
>>> already tested the following configuration and it works:
>>>
>>> :ssl_server: https://devel.cloud.opennebula.org/
>>>
>>> $ euca-describe-instances -U https://devel.cloud.opennebula.org  | wc -l
>>> 151
>>>
>>> $ econe-describe-instances -U https://devel.cloud.opennebula.org/  | wc -l
>>> 151
>>>
>>>
>>> If you use euca with this URL, https://devel.cloud.opennebula.org/, you
>>> will get the previous error/timeout. Also, if you use econe with this
>>> URL, https://devel.cloud.opennebula.org, it will return a path empty
>>> error. I will update the econe tools to set '/' by default.
>>>
>>> Cheers
>>>
>>>>> Thanks!
>>>>> Ulrich
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 02/02/2012 11:40 PM, Daniel Molina wrote:
>>>>>> Hi Ulrich,
>>>>>>
>>>>>> We have added a new patch in order to support custom paths and ports
>>>>>> when setting up an SSL proxy on top of the econe-server. You can see
>>>>>> this patch in the following link:
>>>>>>
>>>>>> http://dev.opennebula.org/issues/985
>>>>>>
>>>>>> This patch has been included in the last release (3.2.1). I recommend
>>>>>> that you upgrade to this version. Also the performance should be
>>>>>> improved since we have included a new authentication cache.
>>>>>>
>>>>>> Currently the econe-server is running in our public cloud with an SSL
>>>>>> proxy, using the following configuration:
>>>>>>
>>>>>> $ cat econe.conf
>>>>>> # Host and port where econe server will run
>>>>>> :server: localhost
>>>>>> :port: 7141
>>>>>>
>>>>>> # SSL proxy that serves the API (set if it is being used)
>>>>>> :ssl_server: https://cloud.opennebula.org/econe
>>>>>>
>>>>>> # Authentication driver for incoming requests
>>>>>> #   ec2, default Access key and Secret key scheme
>>>>>> #   x509, for x509 certificates based authentication
>>>>>> :auth: ec2
>>>>>>
>>>>>> # Authentication driver to communicate with OpenNebula core
>>>>>> #   cipher, for symmetric cipher encryption of tokens
>>>>>> #   x509, for x509 certificate encryption of tokens
>>>>>> :core_auth: cipher
>>>>>>
>>>>>> $ cat apache2.conf
>>>>>> <VirtualHost *:443>
>>>>>>          servername cloud.opennebula.org
>>>>>>          SSLEngine on
>>>>>>          ProxyPass        /econe http://localhost:7141/
>>>>>>          ProxyPassReverse /econe http://localhost:7141/
>>>>>> </VirtualHost>
>>>>>>
>>>>>> If you use a path different from '/' the client must support this
>>>>>> feature, otherwise the authentication will fail. The econe tools
>>>>>> included in the 3.2.1 release support custom paths.
>>>>>>
>>>>>> Also, if you want the proxy to listen on a different port from the
>>>>>> default (443) you can specify it in the ssl_parameter:
>>>>>> :ssl_server: https://cloud.opennebula.org:8082/
>>>>>>
>>>>>> Hope this helps
>>>>>>
>>>>>> On 2 February 2012 22:45, Ulrich Schwickerath
>>>>>> <ulrich.schwickerath at cern.ch> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> did anybody try to set up the ONE 3.2 econe-server with an SSL proxy? The
>>>>>>> instructions on the web on this seem to be a bit out of date.
>>>>>>> I had it working fine with 3.0 but with 3.2 I get authentication errors (the
>>>>>>> ssl proxy setup is unchanged since 3.0). Direct access via http works
>>>>>>> (although slower than before).
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Ulrich
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at lists.opennebula.org
>>>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>>>
>>>>>>
>>>>> --
>>>>> --------------------------------------
>>>>> Dr. Ulrich Schwickerath
>>>>> CERN IT/PES-PS
>>>>> 1211 Geneva 23
>>>>> e-mail: ulrich.schwickerath at cern.ch
>>>>> phone:   +41 22 767 9576
>>>>> mobile:  +41 76 487 5602
>>>>>
>>>>
>>>> --
>>>> Daniel Molina
>>>> Project Engineer
>>>> OpenNebula - The Open Source Toolkit for Data Center Virtualization
>>>> www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
>>>
>>>
>>
>> --
>> --------------------------------------
>> Dr. Ulrich Schwickerath
>> CERN IT/PES-PS
>> 1211 Geneva 23
>> e-mail: ulrich.schwickerath at cern.ch
>> phone:   +41 22 767 9576
>> mobile:  +41 76 487 5602
>>
>
>


-- 
--------------------------------------
Dr. Ulrich Schwickerath
CERN IT/PES-PS
1211 Geneva 23
e-mail: ulrich.schwickerath at cern.ch
phone:   +41 22 767 9576
mobile:  +41 76 487 5602
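
Added example (not part of the original thread and not OpenNebula's code): assuming the ec2 access key / secret key scheme signs requests the way AWS Signature Version 2 does, the host and path are part of the signed string, which is one way an :ssl_server value that differs only by a trailing slash, port or path leads to authentication errors. The helper names, the credentials and the server-side model are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'uri'
require 'cgi'

# Percent-encoding as Signature Version 2 expects (space as %20, '~' literal).
def sigv2_escape(value)
  CGI.escape(value.to_s).gsub('+', '%20').gsub('%7E', '~')
end

# Host (port kept only when non-default) and path of an endpoint URL.
# normalize: true maps an empty path to '/', as a spec-following client does.
def endpoint_parts(url, normalize: false)
  uri  = URI.parse(url)
  host = uri.host.downcase
  host += ":#{uri.port}" unless uri.port == uri.default_port
  path = normalize && uri.path.empty? ? '/' : uri.path
  [host, path]
end

def sigv2_sign(secret, verb, host, path, params)
  query = params.sort.map { |k, v| "#{sigv2_escape(k)}=#{sigv2_escape(v)}" }.join('&')
  to_sign = [verb, host, path, query].join("\n")
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, to_sign))
end

# Constant-time comparison of two signatures.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed model of the server behind the proxy: it only sees localhost:7141,
# so it rebuilds the signed host and path from :ssl_server, taken verbatim.
def server_accepts?(secret, ssl_server, verb, params, client_sig)
  host, path = endpoint_parts(ssl_server)
  secure_equal?(sigv2_sign(secret, verb, host, path, params), client_sig)
end

# Constructed credentials and request parameters (not real values).
SECRET = 'constructed-secret-key'
PARAMS = { 'Action' => 'DescribeInstances', 'AWSAccessKeyId' => 'constructed-user',
           'SignatureMethod' => 'HmacSHA256', 'SignatureVersion' => '2',
           'Timestamp' => '2012-02-03T12:00:00Z' }.freeze

def client_signature(url)
  host, path = endpoint_parts(url, normalize: true)
  sigv2_sign(SECRET, 'GET', host, path, PARAMS)
end
```

Under this model a client pointed at https://cloud.opennebula.org signs the path '/', so only an :ssl_server ending in '/' verifies; a proxy on port 8082 or under /econe verifies only when :ssl_server carries the same port and path.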
