[RHEL-24163] Inconsistent crypto config reload with kronosnet-1.28

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-9.5
Affects Version/s: rhel-8.10, rhel-9.4
Component/s: corosync
Labels:
- fixed_upstream

Fixed in Build:
corosync-3.1.8-2.el9
Regression:
None
Severity:
None
Commit Hashes:
ce03c68394517ea8782a03968e2507a1096e9efe

Pool Team:

rhel-sst-high-availability
Sub-System Group:

ssg_filesystems_storage_and_HA

Dev Target Milestone:
12
Internal Target Milestone:
19
Story Points:
4
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Git Pull Request:
https://github.com/corosync/corosync/pull/742
Preliminary Testing:
Pass
Testable Builds:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=61357316
Errata Link:
https://errata.engineering.redhat.com/advisory/135529
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

With the fix [1] for RHEL-13109 landing in kronosnet-1.28, when the corosync crypto configuration is changed to a combination that cannot be applied by the reload command due to FIPS being enabled (ie. changing cipher or hash algorithm to a non-FIPS one), corosync will be reporting incorrect (the desired new, but not applied) crypto configuration in the totem.crypto_* keys in the cmap (as viewable using the corosync-cmapctl totem.crypto command), while the old crypto config is still in effect.

The inability for new crypto config to be successfully used for cluster comms is correctly reported in syslog and corosync.log, but only on the first reload attempt. Afterwards, corosync believes that the current and desired crypto configs match (which is not true) and reload becomes a no-op (and thus does not log the knet crypto errors again).

This misconfiguration only becomes apparent when fully (re)starting corosync, as it will refuse to start due to knet being unable to use the requested crypto algorithms.

Trying to go from no encryption to failing-to-apply crypto config still results in the other node(s) getting fenced. While this, thankfully, makes a potentially fatal crypto misconfiguration easier to spot, it suggests the fix for RHEL-13109 was incomplete. I'll report this in a separate issue for the kronosnet component.

Ideally (and I'm aware this would be a huge undertaking), the cluster stack should be able to spot and report any mismatch between the active and stored-on-disk configuration, eg. by showing a prominent warning in the pcs status output, the PCSD Web UI, and in the Red Hat Insights portal.

[1] https://github.com/kronosnet/kronosnet/pull/412

Please provide the package NVR for which bug is seen:

RHEL 8.10: kronosnet-1.28-1.el8 + corosync-3.1.8-1.el8
RHEL 9.4: kronosnet-1.28-1.el9 + corosync-3.1.8-1.el9

How reproducible:

always

Steps to reproduce

[root@virt-123 ~]# corosync-cmapctl totem.crypto
totem.crypto_cipher (str) = aes256
totem.crypto_hash (str) = sha256
[root@virt-123 ~]# pcs cluster config update crypto cipher=aes192 hash=md5 model=openssl
Sending updated corosync.conf to nodes...
virt-123: Succeeded
virt-124: Succeeded
virt-123: Corosync configuration reloaded
[root@virt-123 ~]# tail /var/log/cluster/corosync.log 
Feb 05 17:44:33 [54306] virt-123 corosync info    [TOTEM ] Configuring link 0
Feb 05 17:44:33 [54306] virt-123 corosync info    [TOTEM ] Configured link number 0: local addr: 10.37.166.250, port=5405
Feb 05 17:44:33 [54306] virt-123 corosync error   [TOTEM ] knet_handle_crypto_set_config (index 2) failed: -2
Feb 05 17:44:33 [54306] virt-123 corosync info    [TOTEM ] kronosnet crypto reconfigured on index 2: openssl/aes192/md5
Feb 05 17:44:33 [54306] virt-123 corosync info    [KNET  ] common: crypto_openssl.so has been loaded from /usr/lib64/kronosnet/crypto_openssl.so
Feb 05 17:44:33 [54306] virt-123 corosync error   [KNET  ] opensslcrypto: Unable to set openssl context parameters: error:0308010C:digital envelope routines::unsupported
Feb 05 17:44:33 [54306] virt-123 corosync error   [KNET  ] crypto: Test of crypt operation failed - unsupported crypto module parameters
Feb 05 17:44:33 [54306] virt-123 corosync info    [KNET  ] pmtud: MTU manually set to: 0
Feb 05 17:44:33 [54306] virt-123 corosync error   [TOTEM ] knet_handle_crypto_use_config 2 failed: Invalid argument
Feb 05 17:44:33 [54306] virt-123 corosync error   [TOTEM ] knet_handle_crypto_set_config to clear index 1 failed: Device or resource busy
[root@virt-123 ~]# corosync-cmapctl totem.crypto
totem.crypto_cipher (str) = aes192
totem.crypto_hash (str) = md5
totem.crypto_model (str) = openssl
[root@virt-123 ~]# corosync-cfgtool -R
Reloading corosync.conf...
Done
[root@virt-123 ~]# echo $?
0
[root@virt-123 ~]# tail /var/log/cluster/corosync.log
[...]
Feb 05 17:44:45 [54306] virt-123 corosync notice  [CFG   ] Config reload requested by node 1
Feb 05 17:44:45 [54306] virt-123 corosync info    [TOTEM ] Configuring link 0
Feb 05 17:44:45 [54306] virt-123 corosync info    [TOTEM ] Configured link number 0: local addr: 10.37.166.250, port=5405
Feb 05 17:44:45 [54306] virt-123 corosync info    [KNET  ] pmtud: MTU manually set to: 0
[root@virt-123 ~]# pcs cluster stop --all --wait
virt-123: Stopping Cluster (pacemaker)...
virt-124: Stopping Cluster (pacemaker)...
virt-123: Stopping Cluster (corosync)...
virt-124: Stopping Cluster (corosync)...
[root@virt-123 ~]# pcs cluster start
Starting Cluster...
Error: Unable to start corosync: Job for corosync.service failed because the control process exited with error code.
See "systemctl status corosync.service" and "journalctl -xeu corosync.service" for details.
[root@virt-123 ~]# journalctl -u corosync
Feb 05 17:45:07 virt-123 systemd[1]: Starting Corosync Cluster Engine...
Feb 05 17:45:07 virt-123 corosync[60606]:   [MAIN  ] Corosync Cluster Engine 3.1.8 starting up
Feb 05 17:45:07 virt-123 corosync[60606]:   [MAIN  ] Corosync built-in features: dbus systemd xmlconf vqsim nozzle snmp pie relro bindnow
Feb 05 17:45:07 virt-123 corosync[60606]:   [TOTEM ] Initializing transport (Kronosnet).
Feb 05 17:45:07 virt-123 corosync[60606]:   [TOTEM ] knet_handle_crypto_set_config (index 1) failed: -2
Feb 05 17:45:07 virt-123 corosync[60606]:   [KNET  ] pmtud: MTU manually set to: 0
Feb 05 17:45:07 virt-123 corosync[60606]:   [KNET  ] common: crypto_openssl.so has been loaded from /usr/lib64/kronosnet/crypto_openssl.so
Feb 05 17:45:07 virt-123 corosync[60606]:   [KNET  ] opensslcrypto: Unable to set openssl context parameters: error:0308010C:digital envelope routines::unsupported
Feb 05 17:45:07 virt-123 corosync[60606]:   [KNET  ] crypto: Test of crypt operation failed - unsupported crypto module parameters
Feb 05 17:45:07 virt-123 corosync[60606]:   [MAIN  ] Can't initialize TOTEM layer
Feb 05 17:45:07 virt-123 corosync[60606]:   [MAIN  ] Corosync Cluster Engine exiting with status 15 at main.c:1608.
Feb 05 17:45:07 virt-123 systemd[1]: corosync.service: Main process exited, code=exited, status=15/n/a
Feb 05 17:45:07 virt-123 systemd[1]: corosync.service: Failed with result 'exit-code'.
Feb 05 17:45:07 virt-123 systemd[1]: Failed to start Corosync Cluster Engine.

Expected results

Better error reporting on reload when changing crypto configuration fails:

corosync-cfgtool -R should log an error to stderr and exit non-zero when updated crypto config fails to apply (currently exits 0 with no errors or warnings, admin has to independently notice the errors in syslog/corosync.log)
the above also means the higher-level pcs cluster config update command is unable to notice the error
repeated reload attempts of the same un-applicable crypto config should continue logging knet crypto errors instead of appearing as a success

Actual results

Corosync is lying to the cluster admin about which crypto algorithms are in use.

links to

RHBA-2024:135529 corosync update

Errata Tool added a comment - 2024/11/12 9:07 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (corosync bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2024:9217

Errata Tool added a comment - 2024/11/12 9:07 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (corosync bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2024:9217

Patrik Hagara added a comment - 2024/07/04 2:05 PM

successfully tested in compose RHEL-9.5.0-20240703.4

marking verified

[root@virt-505:~]$ fips-mode-setup --check
FIPS mode is enabled.


[root@virt-505:~]$ update-crypto-policies --show
FIPS


[root@virt-505:~]$ update-crypto-policies --is-applied
The configured policy is applied


[root@virt-505:~]$ update-crypto-policies --check
The configured policy matches the generated policy


[root@virt-505:~]$ rpm -q corosync
corosync-3.1.8-2.el9.x86_64


[root@virt-505:~]$ corosync-cmapctl totem.crypto
totem.crypto_cipher (str) = aes256
totem.crypto_hash (str) = sha256


[root@virt-505:~]$ corosync-cmapctl config.reload_error_message


[root@virt-505:~]$ pcs cluster config update crypto cipher=aes192 hash=md5 model=openssl
Sending updated corosync.conf to nodes...
virt-505: Succeeded
virt-509: Succeeded
Warning: virt-505: Unable to reload corosync configuration: Unable to reload corosync configuration: Done

ERROR from reload: Failed to set knet crypto - see syslog for more information

Errors in appying config, corosync.conf might not match the running system
Warning: virt-509: Unable to reload corosync configuration: Unable to reload corosync configuration: Done

ERROR from reload: Failed to set knet crypto - see syslog for more information

Errors in appying config, corosync.conf might not match the running system
Error: Unable to perform operation on any available node/host, therefore it is not possible to continue
Error: Errors have occurred, therefore pcs is unable to continue


[root@virt-505:~]$ echo $?
1


[root@virt-505:~]$ tail -20 /var/log/cluster/corosync.log
Jul 04 15:59:44 [5978] virt-505 corosync notice  [QUORUM] Members[2]: 1 2
Jul 04 15:59:44 [5978] virt-505 corosync notice  [MAIN  ] Completed service synchronization, ready to provide service.
Jul 04 15:59:44 [5978] virt-505 corosync info    [KNET  ] pmtud: PMTUD link change for host: 2 link: 0 from 469 to 1397
Jul 04 15:59:44 [5978] virt-505 corosync info    [KNET  ] pmtud: Global data MTU changed to: 1397
Jul 04 16:01:14 [5978] virt-505 corosync notice  [CFG   ] Config reload requested by node 1
Jul 04 16:01:14 [5978] virt-505 corosync info    [TOTEM ] Configuring link 0
Jul 04 16:01:14 [5978] virt-505 corosync info    [TOTEM ] Configured link number 0: local addr: 10.37.165.153, port=5405
Jul 04 16:01:14 [5978] virt-505 corosync error   [TOTEM ] knet_handle_crypto_set_config (index 2) failed: -2
Jul 04 16:01:14 [5978] virt-505 corosync info    [KNET  ] common: crypto_openssl.so has been loaded from /usr/lib64/kronosnet/crypto_openssl.so
Jul 04 16:01:14 [5978] virt-505 corosync error   [KNET  ] opensslcrypto: Unable to set openssl context parameters: error:0308010C:digital envelope routines::unsupported
Jul 04 16:01:14 [5978] virt-505 corosync error   [KNET  ] crypto: Test of crypt operation failed - unsupported crypto module parameters
Jul 04 16:01:14 [5978] virt-505 corosync info    [KNET  ] pmtud: MTU manually set to: 0
Jul 04 16:01:14 [5978] virt-505 corosync error   [TOTEM ] knet_handle_crypto_use_config 2 failed: Invalid argument
Jul 04 16:01:14 [5978] virt-505 corosync error   [TOTEM ] knet_handle_crypto_set_config to clear index 1 failed: Device or resource busy
Jul 04 16:01:17 [5978] virt-505 corosync notice  [CFG   ] Config reload requested by node 2
Jul 04 16:01:17 [5978] virt-505 corosync info    [TOTEM ] Configuring link 0
Jul 04 16:01:17 [5978] virt-505 corosync info    [TOTEM ] Configured link number 0: local addr: 10.37.165.153, port=5405
Jul 04 16:01:17 [5978] virt-505 corosync error   [TOTEM ] knet_handle_crypto_set_config (index 1) failed: Device or resource busy
Jul 04 16:01:17 [5978] virt-505 corosync info    [KNET  ] pmtud: MTU manually set to: 0
Jul 04 16:01:17 [5978] virt-505 corosync info    [KNET  ] pmtud: Global data MTU changed to: 1397


[root@virt-505:~]$ corosync-cmapctl totem.crypto
totem.crypto_cipher (str) = aes256
totem.crypto_hash (str) = sha256
totem.crypto_model (str) = nss


[root@virt-505:~]$ corosync-cmapctl config.reload_error_message
config.reload_error_message (str) = Failed to set knet crypto

Patrik Hagara added a comment - 2024/07/04 2:05 PM successfully tested in compose RHEL-9.5.0-20240703.4 marking verified [root@virt-505:~]$ fips-mode-setup --check FIPS mode is enabled. [root@virt-505:~]$ update-crypto-policies --show FIPS [root@virt-505:~]$ update-crypto-policies --is-applied The configured policy is applied [root@virt-505:~]$ update-crypto-policies --check The configured policy matches the generated policy [root@virt-505:~]$ rpm -q corosync corosync-3.1.8-2.el9.x86_64 [root@virt-505:~]$ corosync-cmapctl totem.crypto totem.crypto_cipher (str) = aes256 totem.crypto_hash (str) = sha256 [root@virt-505:~]$ corosync-cmapctl config.reload_error_message [root@virt-505:~]$ pcs cluster config update crypto cipher=aes192 hash=md5 model=openssl Sending updated corosync.conf to nodes... virt-505: Succeeded virt-509: Succeeded Warning: virt-505: Unable to reload corosync configuration: Unable to reload corosync configuration: Done ERROR from reload: Failed to set knet crypto - see syslog for more information Errors in appying config, corosync.conf might not match the running system Warning: virt-509: Unable to reload corosync configuration: Unable to reload corosync configuration: Done ERROR from reload: Failed to set knet crypto - see syslog for more information Errors in appying config, corosync.conf might not match the running system Error: Unable to perform operation on any available node/host, therefore it is not possible to continue Error: Errors have occurred, therefore pcs is unable to continue [root@virt-505:~]$ echo $? 1 [root@virt-505:~]$ tail -20 / var /log/cluster/corosync.log Jul 04 15:59:44 [5978] virt-505 corosync notice [QUORUM] Members[2]: 1 2 Jul 04 15:59:44 [5978] virt-505 corosync notice [MAIN ] Completed service synchronization, ready to provide service. Jul 04 15:59:44 [5978] virt-505 corosync info [KNET ] pmtud: PMTUD link change for host: 2 link: 0 from 469 to 1397 Jul 04 15:59:44 [5978] virt-505 corosync info [KNET ] pmtud: Global data MTU changed to: 1397 Jul 04 16:01:14 [5978] virt-505 corosync notice [CFG ] Config reload requested by node 1 Jul 04 16:01:14 [5978] virt-505 corosync info [TOTEM ] Configuring link 0 Jul 04 16:01:14 [5978] virt-505 corosync info [TOTEM ] Configured link number 0: local addr: 10.37.165.153, port=5405 Jul 04 16:01:14 [5978] virt-505 corosync error [TOTEM ] knet_handle_crypto_set_config (index 2) failed: -2 Jul 04 16:01:14 [5978] virt-505 corosync info [KNET ] common: crypto_openssl.so has been loaded from /usr/lib64/kronosnet/crypto_openssl.so Jul 04 16:01:14 [5978] virt-505 corosync error [KNET ] opensslcrypto: Unable to set openssl context parameters: error:0308010C:digital envelope routines::unsupported Jul 04 16:01:14 [5978] virt-505 corosync error [KNET ] crypto: Test of crypt operation failed - unsupported crypto module parameters Jul 04 16:01:14 [5978] virt-505 corosync info [KNET ] pmtud: MTU manually set to: 0 Jul 04 16:01:14 [5978] virt-505 corosync error [TOTEM ] knet_handle_crypto_use_config 2 failed: Invalid argument Jul 04 16:01:14 [5978] virt-505 corosync error [TOTEM ] knet_handle_crypto_set_config to clear index 1 failed: Device or resource busy Jul 04 16:01:17 [5978] virt-505 corosync notice [CFG ] Config reload requested by node 2 Jul 04 16:01:17 [5978] virt-505 corosync info [TOTEM ] Configuring link 0 Jul 04 16:01:17 [5978] virt-505 corosync info [TOTEM ] Configured link number 0: local addr: 10.37.165.153, port=5405 Jul 04 16:01:17 [5978] virt-505 corosync error [TOTEM ] knet_handle_crypto_set_config (index 1) failed: Device or resource busy Jul 04 16:01:17 [5978] virt-505 corosync info [KNET ] pmtud: MTU manually set to: 0 Jul 04 16:01:17 [5978] virt-505 corosync info [KNET ] pmtud: Global data MTU changed to: 1397 [root@virt-505:~]$ corosync-cmapctl totem.crypto totem.crypto_cipher (str) = aes256 totem.crypto_hash (str) = sha256 totem.crypto_model (str) = nss [root@virt-505:~]$ corosync-cmapctl config.reload_error_message config.reload_error_message (str) = Failed to set knet crypto

Patrik Hagara added a comment - 2024/07/03 11:49 AM

[root@virt-297:~]$ rpm -q corosync
corosync-3.1.8-2.el9.x86_64


[root@virt-297:~]$ corosync-cmapctl totem.crypto
totem.crypto_cipher (str) = aes256
totem.crypto_hash (str) = sha256


[root@virt-297:~]$ pcs cluster config update crypto cipher=aes192 hash=md5 model=openssl
Sending updated corosync.conf to nodes...
virt-298: Succeeded
virt-297: Succeeded
Warning: virt-297: Unable to reload corosync configuration: Unable to reload corosync configuration: Done

ERROR from reload: Failed to set knet crypto - see syslog for more information

Errors in appying config, corosync.conf might not match the running system
Warning: virt-298: Unable to reload corosync configuration: Unable to reload corosync configuration: Done

ERROR from reload: Failed to set knet crypto - see syslog for more information

Errors in appying config, corosync.conf might not match the running system
Error: Unable to perform operation on any available node/host, therefore it is not possible to continue
Error: Errors have occurred, therefore pcs is unable to continue


[root@virt-297:~]$ echo $?
1


[root@virt-297:~]$ tail -20 /var/log/cluster/corosync.log
Jul 03 13:39:07 [36788] virt-297 corosync notice  [QUORUM] Members[2]: 1 2
Jul 03 13:39:07 [36788] virt-297 corosync notice  [MAIN  ] Completed service synchronization, ready to provide service.
Jul 03 13:39:07 [36788] virt-297 corosync info    [KNET  ] pmtud: PMTUD link change for host: 2 link: 0 from 469 to 1397
Jul 03 13:39:07 [36788] virt-297 corosync info    [KNET  ] pmtud: Global data MTU changed to: 1397
Jul 03 13:42:00 [36788] virt-297 corosync notice  [CFG   ] Config reload requested by node 1
Jul 03 13:42:00 [36788] virt-297 corosync info    [TOTEM ] Configuring link 0
Jul 03 13:42:00 [36788] virt-297 corosync info    [TOTEM ] Configured link number 0: local addr: 10.37.167.168, port=5405
Jul 03 13:42:00 [36788] virt-297 corosync error   [TOTEM ] knet_handle_crypto_set_config (index 2) failed: -2
Jul 03 13:42:00 [36788] virt-297 corosync info    [KNET  ] common: crypto_openssl.so has been loaded from /usr/lib64/kronosnet/crypto_openssl.so
Jul 03 13:42:00 [36788] virt-297 corosync error   [KNET  ] opensslcrypto: Unable to set openssl context parameters: error:0308010C:digital envelope routines::unsupported
Jul 03 13:42:00 [36788] virt-297 corosync error   [KNET  ] crypto: Test of crypt operation failed - unsupported crypto module parameters
Jul 03 13:42:00 [36788] virt-297 corosync info    [KNET  ] pmtud: MTU manually set to: 0
Jul 03 13:42:00 [36788] virt-297 corosync error   [TOTEM ] knet_handle_crypto_use_config 2 failed: Invalid argument
Jul 03 13:42:00 [36788] virt-297 corosync error   [TOTEM ] knet_handle_crypto_set_config to clear index 1 failed: Device or resource busy
Jul 03 13:42:02 [36788] virt-297 corosync notice  [CFG   ] Config reload requested by node 2
Jul 03 13:42:02 [36788] virt-297 corosync info    [TOTEM ] Configuring link 0
Jul 03 13:42:02 [36788] virt-297 corosync info    [TOTEM ] Configured link number 0: local addr: 10.37.167.168, port=5405
Jul 03 13:42:02 [36788] virt-297 corosync error   [TOTEM ] knet_handle_crypto_set_config (index 1) failed: Device or resource busy
Jul 03 13:42:02 [36788] virt-297 corosync info    [KNET  ] pmtud: MTU manually set to: 0
Jul 03 13:42:02 [36788] virt-297 corosync info    [KNET  ] pmtud: Global data MTU changed to: 1397


[root@virt-297:~]$ corosync-cmapctl totem.crypto
totem.crypto_cipher (str) = aes256
totem.crypto_hash (str) = sha256
totem.crypto_model (str) = nss


[root@virt-297:~]$ corosync-cmapctl config.reload_error_message
config.reload_error_message (str) = Failed to set knet crypto

Patrik Hagara added a comment - 2024/07/03 11:49 AM [root@virt-297:~]$ rpm -q corosync corosync-3.1.8-2.el9.x86_64 [root@virt-297:~]$ corosync-cmapctl totem.crypto totem.crypto_cipher (str) = aes256 totem.crypto_hash (str) = sha256 [root@virt-297:~]$ pcs cluster config update crypto cipher=aes192 hash=md5 model=openssl Sending updated corosync.conf to nodes... virt-298: Succeeded virt-297: Succeeded Warning: virt-297: Unable to reload corosync configuration: Unable to reload corosync configuration: Done ERROR from reload: Failed to set knet crypto - see syslog for more information Errors in appying config, corosync.conf might not match the running system Warning: virt-298: Unable to reload corosync configuration: Unable to reload corosync configuration: Done ERROR from reload: Failed to set knet crypto - see syslog for more information Errors in appying config, corosync.conf might not match the running system Error: Unable to perform operation on any available node/host, therefore it is not possible to continue Error: Errors have occurred, therefore pcs is unable to continue [root@virt-297:~]$ echo $? 1 [root@virt-297:~]$ tail -20 / var /log/cluster/corosync.log Jul 03 13:39:07 [36788] virt-297 corosync notice [QUORUM] Members[2]: 1 2 Jul 03 13:39:07 [36788] virt-297 corosync notice [MAIN ] Completed service synchronization, ready to provide service. Jul 03 13:39:07 [36788] virt-297 corosync info [KNET ] pmtud: PMTUD link change for host: 2 link: 0 from 469 to 1397 Jul 03 13:39:07 [36788] virt-297 corosync info [KNET ] pmtud: Global data MTU changed to: 1397 Jul 03 13:42:00 [36788] virt-297 corosync notice [CFG ] Config reload requested by node 1 Jul 03 13:42:00 [36788] virt-297 corosync info [TOTEM ] Configuring link 0 Jul 03 13:42:00 [36788] virt-297 corosync info [TOTEM ] Configured link number 0: local addr: 10.37.167.168, port=5405 Jul 03 13:42:00 [36788] virt-297 corosync error [TOTEM ] knet_handle_crypto_set_config (index 2) failed: -2 Jul 03 13:42:00 [36788] virt-297 corosync info [KNET ] common: crypto_openssl.so has been loaded from /usr/lib64/kronosnet/crypto_openssl.so Jul 03 13:42:00 [36788] virt-297 corosync error [KNET ] opensslcrypto: Unable to set openssl context parameters: error:0308010C:digital envelope routines::unsupported Jul 03 13:42:00 [36788] virt-297 corosync error [KNET ] crypto: Test of crypt operation failed - unsupported crypto module parameters Jul 03 13:42:00 [36788] virt-297 corosync info [KNET ] pmtud: MTU manually set to: 0 Jul 03 13:42:00 [36788] virt-297 corosync error [TOTEM ] knet_handle_crypto_use_config 2 failed: Invalid argument Jul 03 13:42:00 [36788] virt-297 corosync error [TOTEM ] knet_handle_crypto_set_config to clear index 1 failed: Device or resource busy Jul 03 13:42:02 [36788] virt-297 corosync notice [CFG ] Config reload requested by node 2 Jul 03 13:42:02 [36788] virt-297 corosync info [TOTEM ] Configuring link 0 Jul 03 13:42:02 [36788] virt-297 corosync info [TOTEM ] Configured link number 0: local addr: 10.37.167.168, port=5405 Jul 03 13:42:02 [36788] virt-297 corosync error [TOTEM ] knet_handle_crypto_set_config (index 1) failed: Device or resource busy Jul 03 13:42:02 [36788] virt-297 corosync info [KNET ] pmtud: MTU manually set to: 0 Jul 03 13:42:02 [36788] virt-297 corosync info [KNET ] pmtud: Global data MTU changed to: 1397 [root@virt-297:~]$ corosync-cmapctl totem.crypto totem.crypto_cipher (str) = aes256 totem.crypto_hash (str) = sha256 totem.crypto_model (str) = nss [root@virt-297:~]$ corosync-cmapctl config.reload_error_message config.reload_error_message (str) = Failed to set knet crypto

Jan Friesse added a comment - 2024/05/20 2:19 PM

Upstream patch https://github.com/corosync/corosync/commit/ce03c68394517ea8782a03968e2507a1096e9efe

Jan Friesse added a comment - 2024/05/20 2:19 PM Upstream patch https://github.com/corosync/corosync/commit/ce03c68394517ea8782a03968e2507a1096e9efe

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Errata Tool added a comment - 2024/11/12 9:07 AM

Expand comment: Errata Tool added a comment - 2024/11/12 9:07 AM

Collapse comment: Patrik Hagara added a comment - 2024/07/04 2:05 PM

Expand comment: Patrik Hagara added a comment - 2024/07/04 2:05 PM

Collapse comment: Patrik Hagara added a comment - 2024/07/03 11:49 AM

Expand comment: Patrik Hagara added a comment - 2024/07/03 11:49 AM

Collapse comment: Jan Friesse added a comment - 2024/05/20 2:19 PM

Expand comment: Jan Friesse added a comment - 2024/05/20 2:19 PM

People

Dates