[opencontrail-dev] contrail control node failed to connect to IF-MAP because of SSLv3 issue

Tue, 18 Aug 2015 18:45:07 -0700

Sorry for the cross-post, but it seems get more attention here. i do need any suggestion. 

Hi,
I am installing the contrail 2.20 for ubuntu 14.04.2 in a single host(10.0.0.1).
I have encountered lot of issue related to the ssl, like the installation process of fab setup_all list below:
# python /opt/contrail/utils/provision_vrouter.py --host_name cfgm01 --host_ip 10.0.0.1 --api_server_ip 10.0.0.1 --oper add --admin_user admin --admin_password 1qazXSW2 --admin_tenant_name admin --openstack_ip 10.0.0.1 

No handlers could be found for logger "vnc_api.vnc_api"
2015-08-16 11:08:58:283625: [[email protected]] out: Traceback (most recent call last): 2015-08-16 11:11:58:847926: [[email protected]] out: File "/opt/contrail/utils/provision_vrouter.py", line 186, in <module> 
2015-08-16 11:11:58:848787: [[email protected]] out: main()
2015-08-16 11:11:58:849162: [[email protected]] out: File "/opt/contrail/utils/provision_vrouter.py", line 182, in main 2015-08-16 11:11:58:849548: [[email protected]] out: VrouterProvisioner(args_str) 2015-08-16 11:11:58:849948: [[email protected]] out: File "/opt/contrail/utils/provision_vrouter.py", line 42, in __init__ 2015-08-16 11:11:58:850286: [[email protected]] out: fq_name=['default-global-system-config']) 2015-08-16 11:11:58:850667: [[email protected]] out: File "/usr/lib/python2.7/dist-packages/vnc_api/gen/vnc_api_client_gen.py", line 1771, in global_system_config_read 2015-08-16 11:11:58:851042: [[email protected]] out: (args_ok, result) = self._read_args_to_id('global-system-config', fq_name, fq_name_str, id, ifmap_id) 2015-08-16 11:11:58:851486: [[email protected]] out: File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 352, in _read_args_to_id 2015-08-16 11:11:58:852505: [[email protected]] out: return (True, self.fq_name_to_id(obj_type, fq_name)) 2015-08-16 11:11:58:852891: [[email protected]] out: File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 459, in fq_name_to_id 2015-08-16 11:11:58:853293: [[email protected]] out: uri = self._action_uri['name-to-id'] 2015-08-16 11:11:58:853690: [[email protected]] out: File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 60, in __getitem__ 
2015-08-16 11:11:58:854077: [[email protected]] out: retry_on_error=False)
2015-08-16 11:11:58:854488: [[email protected]] out: File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 422, in _request 2015-08-16 11:11:58:854957: [[email protected]] out: raise ServiceUnavailableError('Service Unavailable Timeout %d' % status) 2015-08-16 11:11:58:855467: [[email protected]] out: cfgm_common.exceptions.ServiceUnavailableError: Service unavailable time out due to: Service Unavailable Timeout 503 
2015-08-16 11:11:58:855756: [[email protected]] out:
2015-08-16 11:11:58:865541: [[email protected]] out: Fatal error: local() encountered an error (return code 1) while executing 'python /opt/contrail/utils/provision_vrouter.py --host_name cfgm01 --host_ip 10.0.0.1 --api_server_ip 10.0.0.1 --oper add --admin_user admin --admin_password 1qazXSW2 --admin_tenant_name admin --openstack_ip 10.0.0.1' 
2015-08-16 11:11:58:865878: [[email protected]] out:
2015-08-16 11:11:58:866119: [[email protected]] out: Aborting.
2015-08-16 11:11:58:866263: [[email protected]] out:
2015-08-16 11:11:58:930372:
I solved this issue by reference the patch of https://review.opencontrail.org/#/c/12816/2/ifmap-python-patch1.diff 

Also comment out of the line

# jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

in /etc/java-7-openjdk/security/java.security

and

#jdk.tls.disabledAlgorithms=SSLv3

in /etc/java-6-openjdk/security/java.security
After finished the fab setup_all, all work well except the control node connect to IF-MAP. 

root@cfgm01:~# contrail-status
== Contrail vRouter ==
supervisor-vrouter: active
contrail-vrouter-agent active
contrail-vrouter-nodemgr active

== Contrail Control ==
supervisor-control: active
contrail-control initializing (Number of connections:4, Expected:5)
contrail-control-nodemgr active
contrail-dns active
contrail-named active

== Contrail Analytics ==
supervisor-analytics: active
contrail-analytics-api active
contrail-analytics-nodemgr active
contrail-collector active
contrail-query-engine active
contrail-snmp-collector active
contrail-topology active

== Contrail Config ==
supervisor-config: active
contrail-api:0 active
contrail-config-nodemgr active
contrail-device-manager active
contrail-discovery:0 active
contrail-schema active
contrail-svc-monitor active
ifmap active

== Contrail Web UI ==
supervisor-webui: active
contrail-webui active
contrail-webui-middleware active

== Contrail Database ==
supervisor-database: active
contrail-database active
contrail-database-nodemgr active

== Contrail Support Services ==
supervisor-support-service: active
rabbitmq-server active

root@cfgm01:~#

root@cfgm01:~# tail -f /var/log/contrail/contrail-control.log
2015-08-18 Tue 23:20:22:167.519 CST cfgm01 [Thread 140258279159552, Pid 20845]: IFMapStateMachine [SYS_WARN]: IFMapPeerConnError: sslv3 alert handshake failure SsrcConnect SsrcSslHandshake ifsm::EvConnectSuccess controller/src/ifmap/client/ifmap_state_machine.cc 915 

root@cfgm01:~# tail -f /var/log/contrail/ifmap-server.log
2015-08-18 23:26:27,795 [pool-1-thread-1] DEBUG - EventProcessor: No session found for 10.0.0.1:47281:23076 2015-08-18 23:26:29,017 [pool-5-thread-1] DEBUG - ChannelAcceptor: New connection from 10.0.0.1:47297 on port 8443 2015-08-18 23:26:29,024 [pool-6-thread-14] ERROR - ChannelThread: Receiving request failed 2015-08-18 23:26:29,024 [pool-6-thread-14] ERROR - ChannelThread: SSLHandshakeException: Client doesn't know about our certificate (?) 2015-08-18 23:26:29,024 [pool-6-thread-14] ERROR - ChannelThread: Setting channel 10.0.0.1:47297:23077 into state 'BROKEN' 2015-08-18 23:26:29,024 [pool-1-thread-4] DEBUG - EventProcessor: Processing BadChannelEvent on 10.0.0.1:47297:23077 2015-08-18 23:26:29,025 [pool-1-thread-4] DEBUG - EventProcessor: No session found for 10.0.0.1:47297:23077
I have been stuck here for a long time, could anyone provide any clue to have any progress? 

cheers,
Ethern

--
======================================
Ethern Lin <ethern at ascc.net>
System Analyst, Network Division
Department of Information Technology Services
ACADEMIA SINICA
AS Number: 9264
Phone: +886-2-66149953
TANet VoIP: 93909953
Fax: +886-2-66146444
======================================


_______________________________________________
Dev mailing list
[email protected]
http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org

Reply via email to