tickets #67684
closed
openqa.opensuse.org is not reachable on port 80 anymore (was Remote workers fail to register to openQA server (o3))
Added by ggardet_arm almost 4 years ago.
Updated almost 4 years ago.
Category:
Servers hosted in NBG
Description
The error log is:
Jun 03 13:26:15 ip-172-25-5-39 worker[17214]: [info] CACHE: caching is enabled, setting up /var/lib/openqa/cache/openqa.opensuse.org Jun 03 13:26:15 ip-172-25-5-39 worker[17214]: [info] Project dir for host http://openqa.opensuse.org is /var/lib/openqa/share Jun 03 13:26:15 ip-172-25-5-39 worker[17214]: [info] Registering with openQA http://openqa.opensuse.org Jun 03 13:26:16 ip-172-25-5-39 worker[17214]: [error] Failed to register at http://openqa.opensuse.org: host did not return a worker ID - ignoring server Jun 03 13:26:16 ip-172-25-5-39 worker[17214]: [error] Stopping because registration with all configured web UI hosts failed
- Subject changed from Remote workers fail to register to openQA server to Remote workers fail to register to openQA server (o3)
- Status changed from New to Feedback
- Assignee set to okurz
I assume you tried to register against o3 and the worker was not assigned an id. checking logs. sorry, have not found anything. Can you try to register this worker against another webui please? How did you start the worker?
The problem is o3 is not reachable on port 80 anymore.
Using httpS instead of http in /etc/openqa/workers.ini
fixed it.
- Tracker changed from action to tickets
- Project changed from openQA Infrastructure to openSUSE admin
- Subject changed from Remote workers fail to register to openQA server (o3) to openqa.opensuse.org is not reachable on port 80 anymore (was Remote workers fail to register to openQA server (o3))
- Status changed from Feedback to New
- Assignee deleted (
okurz)
- Category set to Servers hosted in NBG
- Status changed from New to Feedback
- Assignee set to ggardet_arm
I changed the haproxy config now to not redirect http traffic to https for openqa.opensuse.org. Can you please check if this fixes your problem?
On a side note: to me it is unclear why openQA workers require to use unencrypted, unsecured traffic to connect to their openQA master. Especially if the connection is established via the Internet? This seems to be a serious security problem to me. But I have to admit that I have no idea of the current requirements of openQA, so I assume such a connection is needed for tests?
If this plain http connection is indeed needed to control a worker or to send back important feedback to the master server via the internet, I would better raise this with our security team, to make sure we do not allow attackers to manipulate results, sniff credentials or anything like that.
@ggardet_arm lrupp has a good argument. So despite the recent change being a "regression" as in that the old way of http would not work I think https – if all works – should be preferred and I do not have problems to prevent unencrypted http for access to openqa.opensuse.org. So if you can crosscheck that https works fine for you then we could kindly ask lrupp to allow https-only again.
okurz wrote:
@ggardet_arm lrupp has a good argument. So despite the recent change being a "regression" as in that the old way of http would not work I think https – if all works – should be preferred and I do not have problems to prevent unencrypted http for access to openqa.opensuse.org. So if you can crosscheck that https works fine for you then we could kindly ask lrupp to allow https-only again.
I agree httpS should be preferred and I confirm it is working properly with httpS.
- Due date set to 2020-06-26
- Status changed from Feedback to In Progress
- Assignee changed from ggardet_arm to lrupp
- % Done changed from 0 to 50
ggardet_arm wrote:
I agree httpS should be preferred and I confirm it is working properly with httpS.
Thanks for the confirmation.
As result, I will switch off plain http around end of June (26 of June), if there is no veto from your side.
Regards,
Lars
- Status changed from In Progress to Closed
- % Done changed from 50 to 100
lrupp wrote:
As result, I will switch off plain http around end of June (26 of June), if there is no veto from your side.
Done. Closing ticket.
Also available in: Atom
PDF