1. 19 Oct, 2010 1 commit
  2. 15 Oct, 2010 2 commits
    • Apollon Oikonomopoulos's avatar
      http.client: Disable SSL session ID cache · 4ba4fe14
      Apollon Oikonomopoulos authored
      This patch disables the SSL session ID cache for all cURL operations.
      This is needed because http.HttpBase's PyOpenSSL implementation does not
      currently set a context using SSL_set_session_id_context(3SSL), cURL
      tries to re-use the session ID and, according to
       If the session id context is not set on an SSL/TLS server and client
       certificates are used, stored sessions will not be reused but a fatal
       error will be flagged and the handshake will fail.
      Ideally, session caching should be either controlled, or disabled in
      HttpBase, however PyOpenSSL does not seem to implement
      SSL_CTX_set_session_cache_mode nor SSL_CTX_set_session_id_context which
      are used for these purposes (it seems that only M2Crypto's SSL module
      supports these).
      Signed-off-by: default avatarApollon Oikonomopoulos <apollon@noc.grnet.gr>
      Signed-off-by: default avatarMichael Hanselmann <hansmi@google.com>
      Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
    • Iustin Pop's avatar
      Crude workaround for pylint breakage · f1763373
      Iustin Pop authored
      The way we currently call pylint, the exact order it inspect modules in
      lib/http/ depends on the filesystem order. This is not good, and if
      lib/http/server.py is loaded before lib/http/__init__.py, it will throw
      a "R0921:763:HttpMessageReader: Abstract class not referenced" (as that
      class is used in server.py).
      For the short-term fix, we just add server.py after "ganeti", so that
      it gets parsed (again?) and pylint sees the usage of the class.
      Signed-off-by: default avatarIustin Pop <iustin@google.com>
      Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
  3. 14 Oct, 2010 2 commits
  4. 13 Oct, 2010 3 commits
  5. 12 Oct, 2010 2 commits
    • Apollon Oikonomopoulos's avatar
      Set list of trusted SSL CAs for client to verify · 2d93a6a7
      Apollon Oikonomopoulos authored
      As per SSL_CTX_set_client_CA_list(3SSL), set the list of acceptable CAs
      advertised to SSL clients to include the server's own certificate. This
      evidently fixes the pycurl/gnutls RPC client.
      During the TLS Handshake, when client verification is requested, the
      Server sends a CertificateRequest message which states that the client
      should send a valid certificate as a response. The CertificateRequest
      message contains a section called "certificate_authorities", which,
      according to the standard, is a list of the Distinguished Names (DNs) of
      acceptable certification authorities. The client uses this list to send
      a certificate signed by one of the acceptable CAs.
      Under OpenSSL's server implementation, this list must be set manually
      using some appropriate call, otherwise the list is empty. TLS 1.0[1]
      does not state whether the list may be left blank, whereas TLS 1.1[2]
      and 1.2[3] state that in case the list is blank, then the client *may*
      send any certificate of a valid type (valid types are specified
      elsewhere in the handshake).
      OpenSSL clients seem to obey the behaviour specified in TLS 1.1+,
      whereas at least curl+GnuTLS does not send any certificates if the list
      is empty (which is not wrong per the spec, but also evidently not
      [1] http://tools.ietf.org/html/rfc2246
      [2] http://tools.ietf.org/html/rfc4346
      [3] http://tools.ietf.org/html/rfc5246
      Signed-off-by: default avatarApollon Oikonomopoulos <apollon@noc.grnet.gr>
      Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
      Reviewed-by: default avatarGuido Trotter <ultrotter@google.com>
    • Guido Trotter's avatar
      Require aclocal 1.11.1 or above for autogen.sh · dbc4dda7
      Guido Trotter authored
      1.11.1 is the version in squeeze and lucid, and we know it works. We
      also know that 1.10.1 in hardy and lenny doesn't, nor do 1.10 in etch
      and 1.9.6 in dapper. We haven't tested any other version.
      With older versions python.m4 is buggy, and results in the package being
      built not working on python 2.6 (which uses dist-packages rather than
      site-packages as a module directory).
      The autogen.sh interpreter is changed to bash, as we need to use the [[
      builtin to compare versions with "<". [ doesn't have that functionality,
      and we can't of course rely on dpkg, which won't be installed on all
      Signed-off-by: default avatarGuido Trotter <ultrotter@google.com>
      Reviewed-by: default avatarIustin Pop <iustin@google.com>
  6. 11 Oct, 2010 1 commit
    • Iustin Pop's avatar
      RPC: disable curl's Expect header · 8e29563f
      Iustin Pop authored
      This patch solves the very slow (~8-9 seconds) gnt-instance modify
      behaviour. Well, it solves in general the slow RPC behaviour, but it was
      most visible in that LU.
      It seems that curl's behaviour with regard to file uploads (via PUT) and
      the 'Expect' header are interacting badly with our http server.
      First, our http server doesn't properly handle this header. According to
      RFC 2616:
        Requirements for HTTP/1.1 origin servers: Upon receiving a request
        which includes an Expect request-header field with the "100-continue"
        expectation, an origin server MUST either respond with 100 (Continue)
        status and continue to read from the input stream, or respond with a
        final status code.
      Our server doesn't do this, and hence it triggers this behaviour in curl
      (from the curl FAQ):
        4.16 My HTTP POST or PUT requests are slow!
        libcurl makes all POST and PUT requests (except for POST requests with a
        very tiny request body) use the "Expect: 100-continue" header. This header
        allows the server to deny the operation early so that libcurl can bail out
        already before having to send any data. This is useful in authentication
        cases and others.
        However, many servers don't implement the Expect: stuff properly and if the
        server doesn't respond (positively) within 1 second libcurl will continue
        and send off the data anyway.
        You can disable libcurl's use of the Expect: header the same way you disable
        any header, using -H / CURLOPT_HTTPHEADER, or by forcing it to use HTTP 1.0.
      This behaviour was detected by watching the captured traffic (in non-SSL
      mode), where between the initial HTTP headers (ending with the Expect
      one), there was a ~1-2 second pause until curl was sending the body.
      Properly RTFM-ing would have saved ~1 day of digging around, but hey…
      Signed-off-by: default avatarIustin Pop <iustin@google.com>
      Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
  7. 08 Oct, 2010 2 commits
  8. 07 Oct, 2010 2 commits
  9. 06 Oct, 2010 1 commit
    • Iustin Pop's avatar
      QA: Fix instance move tests · 677e16eb
      Iustin Pop authored
      The instance move tests were moving the instance from node pair (A,_) to
      (B, A), and left it there. This patch makes sure that the first step
      moves the instance to (B,A) but the second one back to (A,B), so that
      the instance is left on the same primary node.
      The original secondary node is lost though, if I read the code
      Signed-off-by: default avatarIustin Pop <iustin@google.com>
      Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
  10. 05 Oct, 2010 11 commits
  11. 04 Oct, 2010 5 commits
  12. 30 Sep, 2010 8 commits