Bug 1558652

Summary: [Deployment][TLS] Enabling TLS does not explicitly disable HTTP which may cause NB REST failures in ODL
Product: Red Hat OpenStack
Reporter: Tim Rozet <trozet>
Component: puppet-opendaylight
Assignee: Tim Rozet <trozet>
Status: CLOSED ERRATA
QA Contact: Itzik Brown <itbrown>
Severity: high
Docs Contact:
Priority: urgent
Version: 13.0 (Queens)
CC: aadam, jjoyce, jschluet, mkolesni, slinaber, tvignaud
Target Milestone: beta
Keywords: Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Whiteboard: odl_deployment, odl_tls
Fixed In Version: puppet-opendaylight-7.0.0-0.20180216174117
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment: N/A
Last Closed: 2018-06-27 13:48:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1488826

Description Tim Rozet 2018-03-20 16:58:02 UTC
Description of problem:
The HTTP port is configured to be the same as the HTTPS port (8081) and HTTPS is enabled. Previously this behavior would result in HTTPS only being enabled. However, with changes to Oxygen this is no longer the case. Now exceptions are thrown because Pax thinks there is a conflict with both HTTP and HTTPS enabled on the same port, and the Jetty NB never comes up.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Deploy ODL TLS container deployment
2. Deployment will fail at step 4 in compute, while 'Waiting for Netvirt to come up'
3. Go to a control/compute node and curl the internal_api ODL IP check URL like: curl -k --head -u admin:admin https://192.0.2.10:8081/restconf/operational/network-topology:network-topology/topology/netvirt:1

Actual results:
503 service error returned

Expected results:
Should return a web page response 200 OK.

Additional info:

Comment 1 Tim Rozet 2018-03-20 17:00:30 UTC
According to Pax documentation, setting the http port to a negative number should disable http. I tried this out and it doesn't work. Jetty complains that it is an invalid value. The solution is to explicitly disable http in the pax config file via:
org.apache.felix.http.enable = false
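
A pre-deployment check for the state this bug describes, as an added example that is not part of the original report or of puppet-opendaylight: it parses a Pax Web properties file and flags TLS enabled without HTTP explicitly disabled. The `org.osgi.service.http.*` key names and the sample configs are assumptions (constructed here); only `org.apache.felix.http.enable` is taken from Comment 1.

```python
# Added example: audit a Pax Web .cfg for the condition described in this bug.
SECURE_ENABLED = "org.osgi.service.http.secure.enabled"  # assumed Pax Web key
HTTP_PORT = "org.osgi.service.http.port"                 # assumed Pax Web key
HTTPS_PORT = "org.osgi.service.http.port.secure"         # assumed Pax Web key
HTTP_DISABLE_KEY = "org.apache.felix.http.enable"        # key quoted in Comment 1


def parse_cfg(text):
    """Parse Java-properties style 'key = value' lines; later entries win."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # skip blanks and comments
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    p = parse_cfg(text)
    if p.get(SECURE_ENABLED, "false").lower() != "true":
        return ["HTTPS is not enabled"]
    findings = []
    # Only an explicit 'false' counts; relying on port overlap is the bug.
    if p.get(HTTP_DISABLE_KEY, "").lower() != "false":
        findings.append("HTTP is not explicitly disabled")
        if HTTP_PORT in p and p[HTTP_PORT] == p.get(HTTPS_PORT):
            findings.append("HTTP and HTTPS share port " + p[HTTP_PORT])
    if p.get(HTTP_PORT, "").startswith("-"):
        findings.append("negative HTTP port (reported invalid in Comment 1)")
    return findings


# Constructed sample inputs (not taken from a real deployment).
BROKEN = """\
org.osgi.service.http.port = 8081
org.osgi.service.http.port.secure = 8081
org.osgi.service.http.secure.enabled = true
"""
FIXED = BROKEN + "org.apache.felix.http.enable = false\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(cfg) or "OK")
```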

Comment 7 Itzik Brown 2018-04-26 09:45:51 UTC
Checked with:
puppet-opendaylight-8.1.0-0.20180321182556.45c4db7.el7ost.noarch

Comment 9 errata-xmlrpc 2018-06-27 13:48:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086