Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1577373 - Ambari not working due by recent changes in jdk security policies (TLSv1 disabled) (legacy image building process)
Summary: Ambari not working due by recent changes in jdk security policies (TLSv1 disa...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: sahara-image-elements
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: z2
: 13.0 (Queens)
Assignee: Telles Nobrega
QA Contact: Luigi Toscano
URL:
Whiteboard:
Depends On:
Blocks: 1590381 1590386
TreeView+ depends on / blocked
 
Reported: 2018-05-11 20:21 UTC by Luigi Toscano
Modified: 2018-07-25 16:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
: 1590381 1590386 (view as bug list)
Environment:
Last Closed: 2018-07-25 16:43:42 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack Storyboard 2002012 0 None None None 2018-05-11 20:21:13 UTC
Red Hat Bugzilla 1577372 0 urgent CLOSED Ambari not working due by recent changes in jdk security policies (TLSv1 disabled) 2021-02-22 00:41:40 UTC

Internal Links: 1577372

Description Luigi Toscano 2018-05-11 20:21:13 UTC
+++ This bug was initially created as a clone of Bug #1577372 +++

Description of problem:


Apparently a very recent change in jdk policies disabled TLSv1, which is used by default by Ambari agents to communicate with the Ambari server.
This means that the Ambari plugins is not working anymore. Recent change because it was working until (at least) the end of April 2018, and one of the document describing the issue was published on May 3th.

After some digging, its seems that this issue is fixed or at least can be workarounded only from Ambari 2.4.3.0 or >=2.5. More details in this ticket: https://issues.apache.org/jira/browse/AMBARI-17666

This is the relevant commit: https://github.com/apache/ambari/commit/b9de1383cd714ccc132e84abb80e8760d75a573e

The important document from Hortonworks describing the issue is: https://community.hortonworks.com/articles/188269/javapython-updates-and-ambari-agent-tls-settings.html

In addition to the patch, the agents should be configured to use a newer version of TLS. This means changing /etc/ambari-agent/conf/ambari-agent.ini on the images and adding a new key in the [security] section:

[security]
force_https_protocol=PROTOCOL_TLSv1_2

This means the the Ambari images can be fixed only upgrading to 2.4.3.0; that means sahara-image-pack can be used without problems; sahara-image-elements defaults to older versions for older versions of HDP for historical reasons, even if 2.4 could be used too even for HDP 2.4 and HDP 2.3, but it may require more time.


Version-Release number of selected component (if applicable):
All versions of Sahara.

** Please note the suggested method for building images on RH-OSP13 will be sahara-image-pack, not sahara-image-builder. This means that this bug is less important than the one filed for sahara-image-pack, rhbz#1577372 **.

Comment 7 Telles Nobrega 2018-07-25 16:43:42 UTC
After testing using sahara-image-elements to generate Ambari images for versions 2.3 and 2.4 using ambari 2.2.0.0 and 2.2.1.0 respectively we identified that problem described in this bug did not affect those versions of plugin.

The testing was done by Luigi Toscano on his environemnt and also by myself on mine and our outputs matched and so we decided to close this as NOTABUG.


Note You need to log in before you can comment on or make changes to this bug.