Nux, We had the same issue on an internal instance. It turned out to be an issue with java-1.7.0-openjdk.x86_64 1:1.7.0.85-2.6.1.3.el6_7 Downgrading it to java-1.7.0-openjdk.x86_64 1:1.7.0.85-2.6.1.3.el6_6 fixed.
Java version number is same in both the rpms. only the last digit is different. I don’t understand that format but el6_6 worked fine. ~Rajani On 31-Aug-2015, at 5:50 pm, Nux! <n...@li.nux.ro<mailto:n...@li.nux.ro>> wrote: Thanks Milamber, I'll have to set up a test env for this and follow your advice. I'll get back with any findings. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro<http://www.nux.ro> ----- Original Message ----- From: "Milamber" <milam...@apache.org> To: dev@cloudstack.apache.org Sent: Monday, 31 August, 2015 13:13:10 Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size Hello, Perhaps an issue on SSL/TLS requirement. Check difference of the file below (now and after the update) JAVA_HOME/jre/lib/security/java.security Particularly the keys: jdk.certpath.disabledAlgorithms and jdk.tls.legacyAlgorithms Also, check the keystore contains the ssl keys with the keytool command (from the updated packages). Can you read-it, check the key size, etc. ==== Some reference: http://www.oracle.com/technetwork/java/javase/6u17-141447.html 6861062 java classes_security Disable MD2 in certificate chain validation http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html Default x.509 Certificates Have Longer Key Length Starting from 7u40, the use of x.509 certificates with RSA keys less than 1024 bits in length is restricted. This restriction is applied via the Java Security property, jdk.certpath.disabledAlgorithms. The default value of jdk.certpath.disabledAlgorithms is now as follows: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 In order to avoid the compatibility issue, users who use X.509 certificates with RSA keys less than 1024 bits, are recommended to update their certificates with stronger keys. As a workaround, at their own risk, users can adjust the key size to permit smaller key sizes through the security property jdk.certpath.disabledAlgorithms. ===== On 31/08/2015 12:11, Nux! wrote: Rajani, Yes, you read right. The rpm changelog shows: Tue Jul 28 2015 Andrew Hughes <gnu.and...@redhat.com> - 1:1.6.0.36-1.13.8.1 - Update tarball to fix TCK regression (PR2565) - Resolves: rhbz#1235150 * Wed Jul 22 2015 Andrew Hughes <gnu.and...@redhat.com> - 1:1.6.0.36-1.13.8.0 - Update to IcedTea 1.13.8 - Update no_pr2125.patch to work against new version. - Resolves: rhbz#1235150 Nothing dramatic, though I do not have permission to read those bugzilla entries. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro ----- Original Message ----- From: "Rajani Karuturi" <raj...@apache.org> To: dev@cloudstack.apache.org Sent: Monday, 31 August, 2015 11:59:04 Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size If I am reading it right, java 1.7 has no version change and 1.6 is changed from 1.6.0.35 to 16.0.36 which caused the failure Interestingly, I do not see release notes for 1.6.0_36 http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html ~Rajani On Mon, Aug 31, 2015 at 4:09 PM, Nux! <n...@li.nux.ro> wrote: Rajani, Sure: Downgrade java-1.6.0-openjdk-1:1.6.0.35-1.13.7.1.el6_6.x86_64 @base Downgraded 1:1.6.0.36-1.13.8.1.el6_7.x86_64 @updates Downgrade java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el6_6.x86_64 @updates Downgraded 1:1.7.0.85-2.6.1.3.el6_7.x86_64 @updates Downgrade java-1.7.0-openjdk-devel-1:1.7.0.85-2.6.1.3.el6_6.x86_64 @updates Downgraded 1:1.7.0.85-2.6.1.3.el6_7.x86_64 @updates The differences seem trivial and there's always the risk it may not have been the java change at all doing this, but I do not know what else could have triggered it. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro ----- Original Message ----- From: "Rajani Karuturi" <raj...@apache.org> To: dev@cloudstack.apache.org Sent: Monday, 31 August, 2015 11:21:45 Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size Hi Lucian, Can you share the point release numbers of java before and after the upgrade? (May be that would help us find the issue.) ~Rajani On Mon, Aug 31, 2015 at 3:42 PM, Nux! <n...@li.nux.ro> wrote: A downgrade of both java-1.6.0-openjdk and java-1.7.0-openjdk followed by a reboot of the management server seems to have fixed it, but it's not a solution I like very much. Anyone has any clues as to what causes that error? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro ----- Original Message ----- From: "Nux!" <n...@li.nux.ro> To: "dev" <dev@cloudstack.apache.org> Sent: Monday, 31 August, 2015 10:58:16 Subject: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size Hi, Has anyone seen this before and can translate to English? The logs don't say much, it's obviously SSL related somehow. The agent says: java.io.IOException: SSL: Fail to init SSL! java.io.IOException: Connection closed with -1 on reading size. at com.cloud.utils.nio.NioClient.init(NioClient.java:87) at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111) at java.lang.Thread.run(Thread.java:745) 2015-08-31 10:27:56,315 INFO [utils.nio.NioClient] (Agent-Selector:null) Connecting to 192.168.168.2:8250 2015-08-31 10:28:06,333 ERROR [utils.nio.NioConnection] (Agent-Selector:null) Unable to initialize the threads. java.io.IOException: SSL: Fail to init SSL! java.io.IOException: Connection closed with -1 on reading size. at com.cloud.utils.nio.NioClient.init(NioClient.java:87) at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111) at java.lang.Thread.run(Thread.java:745) openssl s_client -connect 192.168.168.2:8250 just hangs with "CONNECTED(00000003)" This happened after a java openjdk (1.6.0 and 1.7.0) and httpd updates from CentOs6. Obviously the hypervisors are in disconnected state and no VM operation is possible etc. Thoughts? -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro
