Project

General

Profile

Actions

tickets #67684

closed

openqa.opensuse.org is not reachable on port 80 anymore (was Remote workers fail to register to openQA server (o3))

Added by ggardet_arm almost 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Servers hosted in NBG
Target version:
-
Start date:
2020-06-03
Due date:
2020-06-26
% Done:

100%

Estimated time:

Description

The error log is:

Jun 03 13:26:15 ip-172-25-5-39 worker[17214]: [info] CACHE: caching is enabled, setting up /var/lib/openqa/cache/openqa.opensuse.org                                                                                                         Jun 03 13:26:15 ip-172-25-5-39 worker[17214]: [info] Project dir for host http://openqa.opensuse.org is /var/lib/openqa/share                                                                                                                Jun 03 13:26:15 ip-172-25-5-39 worker[17214]: [info] Registering with openQA http://openqa.opensuse.org                                                                                                                                      Jun 03 13:26:16 ip-172-25-5-39 worker[17214]: [error] Failed to register at http://openqa.opensuse.org: host did not return a worker ID - ignoring server                                                                                    Jun 03 13:26:16 ip-172-25-5-39 worker[17214]: [error] Stopping because registration with all configured web UI hosts failed 
Actions #1

Updated by ggardet_arm almost 4 years ago

  • Subject changed from Remote workers fail to register to openQA server to Remote workers fail to register to openQA server (o3)
Actions #2

Updated by okurz almost 4 years ago

  • Status changed from New to Feedback
  • Assignee set to okurz

I assume you tried to register against o3 and the worker was not assigned an id. checking logs. sorry, have not found anything. Can you try to register this worker against another webui please? How did you start the worker?

Actions #3

Updated by ggardet_arm almost 4 years ago

The problem is o3 is not reachable on port 80 anymore.
Using httpS instead of http in /etc/openqa/workers.ini fixed it.

Actions #4

Updated by ggardet_arm almost 4 years ago

  • Tracker changed from action to tickets
  • Project changed from openQA Infrastructure to openSUSE admin
  • Subject changed from Remote workers fail to register to openQA server (o3) to openqa.opensuse.org is not reachable on port 80 anymore (was Remote workers fail to register to openQA server (o3))
  • Status changed from Feedback to New
  • Assignee deleted (okurz)
Actions #5

Updated by lrupp almost 4 years ago

  • Category set to Servers hosted in NBG
  • Status changed from New to Feedback
  • Assignee set to ggardet_arm

I changed the haproxy config now to not redirect http traffic to https for openqa.opensuse.org. Can you please check if this fixes your problem?

On a side note: to me it is unclear why openQA workers require to use unencrypted, unsecured traffic to connect to their openQA master. Especially if the connection is established via the Internet? This seems to be a serious security problem to me. But I have to admit that I have no idea of the current requirements of openQA, so I assume such a connection is needed for tests?

If this plain http connection is indeed needed to control a worker or to send back important feedback to the master server via the internet, I would better raise this with our security team, to make sure we do not allow attackers to manipulate results, sniff credentials or anything like that.

Actions #6

Updated by okurz almost 4 years ago

@ggardet_arm lrupp has a good argument. So despite the recent change being a "regression" as in that the old way of http would not work I think https – if all works – should be preferred and I do not have problems to prevent unencrypted http for access to openqa.opensuse.org. So if you can crosscheck that https works fine for you then we could kindly ask lrupp to allow https-only again.

Actions #7

Updated by ggardet_arm almost 4 years ago

okurz wrote:

@ggardet_arm lrupp has a good argument. So despite the recent change being a "regression" as in that the old way of http would not work I think https – if all works – should be preferred and I do not have problems to prevent unencrypted http for access to openqa.opensuse.org. So if you can crosscheck that https works fine for you then we could kindly ask lrupp to allow https-only again.

I agree httpS should be preferred and I confirm it is working properly with httpS.

Actions #8

Updated by lrupp almost 4 years ago

  • Due date set to 2020-06-26
  • Status changed from Feedback to In Progress
  • Assignee changed from ggardet_arm to lrupp
  • % Done changed from 0 to 50

ggardet_arm wrote:

I agree httpS should be preferred and I confirm it is working properly with httpS.

Thanks for the confirmation.

As result, I will switch off plain http around end of June (26 of June), if there is no veto from your side.

Regards,
Lars

Actions #9

Updated by lrupp almost 4 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 50 to 100

lrupp wrote:

As result, I will switch off plain http around end of June (26 of June), if there is no veto from your side.

Done. Closing ticket.

Actions

Also available in: Atom PDF