Bug 1558652 - [Deployment][TLS] Enabling TLS does not explicitly disable HTTP which may cause NB REST failures in ODL
Summary: [Deployment][TLS] Enabling TLS does not explicitly disable HTTP which may cau...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-opendaylight
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: beta
: 13.0 (Queens)
Assignee: Tim Rozet
QA Contact: Itzik Brown
URL:
Whiteboard: odl_deployment, odl_tls
Depends On:
Blocks: 1488826
TreeView+ depends on / blocked
 
Reported: 2018-03-20 16:58 UTC by Tim Rozet
Modified: 2018-10-18 07:22 UTC (History)
6 users (show)

Fixed In Version: puppet-opendaylight-7.0.0-0.20180216174117
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
N/A
Last Closed: 2018-06-27 13:48:15 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenDaylight Bug INTPAK-152 None None None 2018-03-20 17:14:29 UTC
OpenDaylight gerrit 69699 None None None 2018-03-20 17:51:23 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:48:48 UTC

Description Tim Rozet 2018-03-20 16:58:02 UTC
Description of problem:
The HTTP port is configured to be the same as the HTTPS port (8081) and HTTPS is enabled.  Previously this behavior would result in HTTPS only being enabled.  However, with changes to Oyxgen this is no longer the case.  Now exceptions are thrown because Pax thinks there is a conflict with both HTTP and HTTPs enabled on the same port and jetty NB never comes up.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Deploy ODL TLS container deployment
2. Deployment will fail at step 4 in compute, while 'Waiting for Netvirt to come up'
3. Go to a control/compute node and curl the internal_api ODL IP check URL like: curl -k   --head -u admin:admin https://192.0.2.10:8081/restconf/operational/network-topology:network-topology/topology/netvirt:1

Actual results:
503 service error returned

Expected results:
Should return a web page response 200 OK.

Additional info:

Comment 1 Tim Rozet 2018-03-20 17:00:30 UTC
According to Pax documentation setting the http port to a negative number should disable http.  I tried this out and it doesn't work.  Jetty complains that it is an invalid value.  The solution is to explicitly disable http in the pax config file via:
org.apache.felix.http.enable = false

Comment 7 Itzik Brown 2018-04-26 09:45:51 UTC
Checked with:
puppet-opendaylight-8.1.0-0.20180321182556.45c4db7.el7ost.noarch

Comment 9 errata-xmlrpc 2018-06-27 13:48:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086


Note You need to log in before you can comment on or make changes to this bug.