Hi Mohamed,
I managed to reproduce the issue.  I flipped on debugging and I see:

2018-03-20 11:07:09,492 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 60 - io.netty.common - 4.1.16.Final | [id: 0xfe0d155e, L:/0.0.0.0:6640] READ COMPLETE
2018-03-20 11:07:09,492 | DEBUG | entLoopGroup-5-4 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | New Passive channel created : [id: 0xae5053bf, L:/192.0.2.8:6640 - R:/192.0.2.8:51224]
2018-03-20 11:07:09,593 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
2018-03-20 11:07:09,593 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
2018-03-20 11:07:09,693 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
2018-03-20 11:07:09,693 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
2018-03-20 11:07:09,793 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
2018-03-20 11:07:09,794 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
2018-03-20 11:07:09,894 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
2018-03-20 11:07:09,894 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
2018-03-20 11:07:09,894 | DEBUG | assiveConnServ-5 | OvsdbConnectionService           | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | channel closed [id: 0xae5053bf, L:/192.0.2.8:6640 ! R:/192.0.2.8:51224]

Which looks like it is coming from here:
https://github.com/opendaylight/ovsdb/blob/e6b469e18d5f72402ccb817ce1fb1469dd2a9d6c/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectionService.java#L439

Tim Rozet
Red Hat SDN Team

On Mon, Mar 19, 2018 at 11:53 AM, Mohamed El-Serngawy <[email protected]> wrote:

> Hi Sam
>
> I'm not quite sure what could be causing this issue, suppose there is no
> need to restart.  "getServerContext()"  will be executed every time a
> connection established. Will try to reproduce it today.
>
> thanks
>
>
> On Sun, Mar 18, 2018 at 11:01 AM, Sam Hague <[email protected]> wrote:
>
>> Mohamed,
>>
>> Tim is using the JKS - he pushes all that before connecting the OVS nodes
>> to ODL.
>>
>> Do you know if there are any timing with the JKS when ODL starts compared
>> to when certs are added via rest? ovsdb southbound starts up and has the
>> certificateManager
>> which it uses to start the netty listening on 6640. Then client certs are
>> included to the ODL via rest. Then connections attempted from the ovs nodes
>> but they never connect. Reboot ODL and the connections then work.
>>
>> Could there be something in the reboot which actually gets the client
>> certs applied?
>>
>> Or does the server context change when certs are applied? At startup the
>> ovsdb southbound does certManagerSrv.getServerContext() and opens the
>> listening channel. That same context is used when the incoming connections
>> come in - ovsdb does not do another read of that context.
>>
>> Thanks, Sam
>>
>> On Thu, Mar 15, 2018 at 3:03 PM, Tim Rozet <[email protected]> wrote:
>>
>>> Hi Mohamed,
>>> Right, that is one of the wiki pages I followed.  There are several that
>>> I kind of had to merge the info together to get it to all work.  The read
>>> from the trust store should work.  I tested it manually and we have an
>>> unless here in puppet so we do not re-add the cert:
>>> https://github.com/openstack/puppet-neutron/blob/master/manifests/plugins/ovs/opendaylight.pp#L191
>>>
>>> We create a JKS for the controller keystore.  For the trust store I
>>> believe ODL creates it on boot based on this config:
>>> https://git.opendaylight.org/gerrit/gitweb?p=integration/packaging/puppet-opendaylight.git;a=blob;f=templates/aaa-cert-config.xml.erb;h=d6faa891630cba1c4747f64ea977d07de08c6b65;hb=refs/heads/master
>>>
>>>
>>> Tim Rozet
>>> Red Hat SDN Team
>>>
>>> On Thu, Mar 15, 2018 at 2:41 PM, Mohamed El-Serngawy <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> The logs attached with the bug are not really showing errors, just the
>>>> aaa-cert service waiting for aaa-encryption service, then it starts fine.
>>>>
>>>> Tim,
>>>>
>>>> I assume you followed the link at [0] to configure the ssl. After you
>>>> add the OVS certificate using the REST API, can you just confirm that you
>>>> are able to read the certificate from the trust-store? Are you using MDSAL
>>>> or Java Key Store files?
>>>>
>>>> [0] https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
>>>>
>>>>
>>>>
>>>> On Thu, Mar 15, 2018 at 2:27 PM, Luis Gomez <[email protected]> wrote:
>>>>
>>>>> I do not remember that issue when I tested OF TLS in the past, I will
>>>>> have to retest to confirm.
>>>>>
>>>>> On Mar 15, 2018, at 11:24 AM, Tim Rozet <[email protected]> wrote:
>>>>>
>>>>> Hi Luis,
>>>>> To clarify we are not talking about SSL configuration here.  We indeed
>>>>> configure the file you mentioned along with other config files pax web,
>>>>> ovsdb to only allow SSL/TLS, creating controller and trust stores.  This is
>>>>> all done prior to ODL starting.  The failure here is that ODL allows a REST
>>>>> implementation to add certificates to the trust store for OVS switches
>>>>> (which obviously implies ODL is up and running).  At deploy time, we
>>>>> generate certificates for OVS and then add them via REST to ODL.  At that
>>>>> point ODL should trust the switch and allow connections.  However, OVSDB
>>>>> never seems to read again from the trust store (unless rebooted) and does
>>>>> not allow the switch to connect.
>>>>>
>>>>> Tim Rozet
>>>>> Red Hat SDN Team
>>>>>
>>>>> On Thu, Mar 15, 2018 at 1:55 PM, Luis Gomez <[email protected]> wrote:
>>>>>
>>>>>> AFAIR for ofp you need to modify this config file:
>>>>>>
>>>>>> /etc/opendaylight/datastore/initial/config/default-openflow-connection-config.xml
>>>>>>
>>>>>> which means you have to reboot the controller after.
>>>>>>
>>>>>> BR/Luis
>>>>>>
>>>>>>
>>>>>> On Mar 15, 2018, at 10:42 AM, Sam Hague <[email protected]> wrote:
>>>>>>
>>>>>> Mo, and ofp devs,
>>>>>>
>>>>>> how do you handle openflow connections using ssl? We have the bug
>>>>>> below where ODL is required to be restarted to pick up connections over ssl.
>>>>>>
>>>>>> Is that a design requirement that ODL has to be restarted or is there
>>>>>> a different config that can be used?
>>>>>>
>>>>>> Thanks, Sam
>>>>>>
>>>>>> https://jira.opendaylight.org/browse/OVSDB-449
>>>>>> _______________________________________________
>>>>>> integration-dev mailing list
>>>>>> [email protected]
>>>>>> https://lists.opendaylight.org/mailman/listinfo/integration-dev
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Mohamed ElSerngawy
>>>>
>>>> +1 438 993 2462
>>>>
>>>
>>>
>>
>
>
> --
> Mohamed ElSerngawy
>
> +1 438 993 2462
>
_______________________________________________
openflowplugin-dev mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-dev