[one-users] OpenNebula 3.2.1 econe-server and SSL proxy

Ulrich Schwickerath ulrich.schwickerath at cern.ch
Fri Feb 3 09:23:49 PST 2012 

Hi, all,

here's an update on this problem. After the upgrade to 3.2.1 our 
econe-server is very slow to give back a list of all running VMs.
Our SSL proxy was configured with a time out of 2min which is reached if 
a user has O(300-400) VMs in the system. Increasing this timeout in 
apache did help. The root cause is though why econe-server is so slow. 
Local queries with onevm list are very fast as they should be.


$ time onevm list | wc -l
442

real    0m1.782s
user    0m1.433s
sys     0m0.257s

$ time euca-describe-instances | wc -l
442

real    2m47.010s
user    0m0.324s
sys     0m0.046s


Can anybody reproduce this problem ?

Cheers,
Ulrich



On 02/03/2012 01:36 PM, Ulrich Schwickerath wrote:
> Hi, Daniel,
>
>>
>> Are you running ruby 1.9 in your server?
> No, we are running on SLC6 (compatible to RHEL6)
> [root at oneadmin02 ~]# ruby --version
> ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
>
>> Try applying this patch and
>> installing the nokogiri gem:
>> http://dev.opennebula.org/projects/opennebula/repository/revisions/17e3ffc31e20e17285c36de615862b147577d16a 
>>
> we have
> rubygem-nokogiri-1.4.3.1-1.el6.x86_64
> installed already. I have taken the patch and restarted oned and 
> econe-server but this does not seem to help.
>
> Cheers,
> Ulrich
>>> Cheers,
>>> Ulrich
>>>
>>>
>>> On 02/03/2012 12:21 PM, Daniel Molina wrote:
>>>> On 3 February 2012 11:57, Daniel Molina<dmolina at opennebula.org>    
>>>> wrote:
>>>>> On 3 February 2012 11:30, Ulrich Schwickerath
>>>>> <ulrich.schwickerath at cern.ch>    wrote:
>>>>>> Hi, Daniel,
>>>>>>
>>>>>> thanks a lot for the help on this. The problem with the ssl proxy 
>>>>>> was
>>>>>> that I
>>>>>> was missing an extra / at the end of the ssl_server directive. So 
>>>>>> one
>>>>>> needs
>>>>>>
>>>>>> :ssl_server: https://cloud.opennebula.org/
>>>>>>
>>>>>> rather than
>>>>>>
>>>>>> :ssl_server: https://cloud.opennebula.org
>>>>>>
>>>>>> else I get authentication errors. However, this is not the end of 
>>>>>> the
>>>>>> story
>>>>>> I'm afraid. With this patch in place I can query the system, but 
>>>>>> it's
>>>>>> very
>>>>>> very slow. My most important user has some 500 VMs in the system, 
>>>>>> and a
>>>>>> euca-describe-instances
>>>>>> times out or gives expat parse errors. If I query the system 
>>>>>> locally it
>>>>>> works fine and is very responsive. This problem is new in 3.2.1, I
>>>>>> didn't
>>>>>> have this in 3.0 which I was using before. I already checked that 
>>>>>> I have
>>>>>> all
>>>>>> rubygems installed which are needed.
>>>>> Are you using the same client in both sides? Maybe It is an
>>>>> environment problem (EC2_URL)
>>>>>
>>>>>> Any idea?
>>>> Ok, I think the problem is euca tools does not support paths. I have
>>>> already tested the following configuration and it works:
>>>>
>>>> :ssl_server: https://devel.cloud.opennebula.org/
>>>>
>>>> $ euca-describe-instances -U https://devel.cloud.opennebula.org  | 
>>>> wc -l
>>>> 151
>>>>
>>>> $ econe-describe-instances -U https://devel.cloud.opennebula.org/  
>>>> | wc -l
>>>> 151
>>>>
>>>>
>>>> If you use euca with this url; https://devel.cloud.opennebula.org/ you
>>>> will get the previous error/timeout. Also if you use econe with this
>>>> url; https://devel.cloud.opennebula.org it will return a path empty
>>>> error. I will update the econe tools to set '/' by default
>>>>
>>>> Cheers
>>>>
>>>>>> Thanks!
>>>>>> Ulrich
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 02/02/2012 11:40 PM, Daniel Molina wrote:
>>>>>>> Hi Ulrich,
>>>>>>>
>>>>>>> We have added a new patch in order to support custom paths and 
>>>>>>> ports
>>>>>>> when setting up an SSL proxy on top of the econe-server. You can 
>>>>>>> see
>>>>>>> this patch in the following link:
>>>>>>>
>>>>>>> http://dev.opennebula.org/issues/985
>>>>>>>
>>>>>>> This patch has been included in the last release (3.2.1). I 
>>>>>>> recommend
>>>>>>> you to upgrade to this version. Also the performance should be
>>>>>>> improved since we have included a new authentication cache.
>>>>>>>
>>>>>>> Currently the econe-server is running in our public cloud with 
>>>>>>> an SSL
>>>>>>> proxy, using the following configuration:
>>>>>>>
>>>>>>> $ cat econe.conf
>>>>>>> # Host and port where econe server will run
>>>>>>> :server: localhost
>>>>>>> :port: 7141
>>>>>>>
>>>>>>> # SSL proxy that serves the API (set if is being used)
>>>>>>> :ssl_server: https://cloud.opennebula.org/econe
>>>>>>>
>>>>>>> # Authentication driver for incomming requests
>>>>>>> #   ec2, default Acess key and Secret key scheme
>>>>>>> #   x509, for x509 certificates based authentication
>>>>>>> :auth: ec2
>>>>>>>
>>>>>>> # Authentication driver to communicate with OpenNebula core
>>>>>>> #   cipher, for symmetric cipher encryption of tokens
>>>>>>> #   x509, for x509 certificate encryption of tokens
>>>>>>> :core_auth: cipher
>>>>>>>
>>>>>>> $ cat apache2.conf
>>>>>>> <VirtualHost *:443>
>>>>>>>          servername cloud.opennebula.org
>>>>>>>          SSLEngine on
>>>>>>>          ProxyPass        /econe http://localhost:7141/
>>>>>>>          ProxyPassReverse /econe http://localhost:7141/
>>>>>>> </VirtualHost>
>>>>>>>
>>>>>>> If you use a path different from '/' the client must support this
>>>>>>> feature, otherwise the authentication will fail. The econe tools
>>>>>>> included in the 3.2.1 release support custom paths.
>>>>>>>
>>>>>>> Also if you want the proxy to listen in a different port from the
>>>>>>> default (443) you can specify it in the ssl_parameter:
>>>>>>> :ssl_server: https://cloud.opennebula.org:8082/
>>>>>>>
>>>>>>> Hope this helps
>>>>>>>
>>>>>>> On 2 February 2012 22:45, Ulrich Schwickerath
>>>>>>> <ulrich.schwickerath at cern.ch>      wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> did anybody try to setup the ONE 3.2 econe-server with an SSL 
>>>>>>>> proxy ?
>>>>>>>> The
>>>>>>>> instructions on the web on this seem to be a bit out of date.
>>>>>>>> I had it working fine with 3.0 but with 3.2 I get authentication
>>>>>>>> errors
>>>>>>>> (the
>>>>>>>> ssl proxy setup is unchanged sinde 3.0). Direct access via http 
>>>>>>>> works
>>>>>>>> (although slower than before).
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Ulrich
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at lists.opennebula.org
>>>>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>>>>
>>>>>>>
>>>>>> -- 
>>>>>> --------------------------------------
>>>>>> Dr. Ulrich Schwickerath
>>>>>> CERN IT/PES-PS
>>>>>> 1211 Geneva 23
>>>>>> e-mail: ulrich.schwickerath at cern.ch
>>>>>> phone:   +41 22 767 9576
>>>>>> mobile:  +41 76 487 5602
>>>>>>
>>>>>
>>>>> -- 
>>>>> Daniel Molina
>>>>> Project Engineer
>>>>> OpenNebula - The Open Source Toolkit for Data Center Virtualization
>>>>> www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
>>>>
>>>>
>>>
>>> -- 
>>> --------------------------------------
>>> Dr. Ulrich Schwickerath
>>> CERN IT/PES-PS
>>> 1211 Geneva 23
>>> e-mail: ulrich.schwickerath at cern.ch
>>> phone:   +41 22 767 9576
>>> mobile:  +41 76 487 5602
>>>
>>
>>
>
>


-- 
--------------------------------------
Dr. Ulrich Schwickerath
CERN IT/PES-PS
1211 Geneva 23
e-mail: ulrich.schwickerath at cern.ch
phone:   +41 22 767 9576
mobile:  +41 76 487 5602

More information about the Users mailing list