
Bug 1780745

Summary: [ovs2.11] SSL connection drops are constantly logged in ovsdb-server-nb.log
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Timothy Redaelli <tredaelli>
Component: openvswitch2.11 Assignee: Timothy Redaelli <tredaelli>
Status: CLOSED ERRATA QA Contact: Jianlin Shi <jishi>
Severity: medium Docs Contact:
Priority: high    
Version: FDP 19.D CC: amuller, atragler, ctrautma, dholler, fleitner, jhsiao, jishi, kfida, klaas, lmartins, mduarted, mkalfon, mmartinv, mmichels, obockows, pchavva, qding, ralongi, rhodain, schandle, sirao, twilson
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openvswitch2.11-2.11.0-34.el7fdn Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1563574
: 1780747 (view as bug list) Environment:
Last Closed: 2020-01-21 06:34:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 2 Jianlin Shi 2019-12-18 06:45:33 UTC
reproduced on python-openvswitch2.11-2.11.0-26.el7fdp.x86_64:

[root@hp-dl380pg8-12 bz1780745]# cat ovsdb_ssl_test.py 
from __future__ import print_function
import sys

from ovs import jsonrpc
from ovs import stream
from ovs.unixctl import client

# Endpoint under test: an SSL stream to the loopback address, port 6641.
URI = 'ssl:127.0.0.1:6641'

# PEM files for the client identity and for the controller CA.
PRIV = '/etc/openvswitch/nbctl-privkey.pem'
CERT = '/etc/openvswitch/nbctl-cert.pem'
CACERT = '/var/lib/openvswitch/pki/controllerca/cacert.pem'

# The key, certificate and CA are set on the Stream class itself, before
# any stream is opened further down in this script.
stream.Stream.ssl_set_private_key_file(PRIV)
stream.Stream.ssl_set_certificate_file(CERT)
stream.Stream.ssl_set_ca_cert_file(CACERT)


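class SSLClient(client.UnixctlClient):
    """UnixctlClient subclass that connects through an OVS stream URI.

    The only addition over the base class is create(), which opens the
    stream named by a URI (for example ``ssl:HOST:PORT``) and wraps it in a
    jsonrpc.Connection.
    """

    @classmethod
    def create(cls, uri):
        """Open a blocking stream to ``uri`` and build a client on top of it.

        Returns ``(0, client)`` on success and ``(error, None)`` when the
        stream could not be opened.
        """
        error, _stream = stream.Stream.open_block(
                stream.Stream.open(uri))
        if error:
            # Log the URI that failed. The earlier message formatted an
            # undefined name (``path``), so a failed connection raised
            # NameError instead of reporting the real error code.
            client.vlog.warn("failed to connect to %s" % uri)
            return error, None
        return 0, cls(jsonrpc.Connection(_stream))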
                                                                                                      
                                                                                                      
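# create() returns (error, None) when the connection fails; check it so the
# script reports the failure instead of calling transact() on None.
error, c = SSLClient.create(URI)
if error:
    sys.exit("failed to connect to %s (error %s)" % (URI, error))

try:
    # One echo round trip over the SSL connection; the reply is printed.
    print(c.transact("echo", ["hello world"]))
finally:
    # Always close the client, even if the request raised.
    c.close()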

[root@hp-dl380pg8-12 bz1780745]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-regression-bz1771854_replicate_old_schema-1.0-2.noarch
ovn2.11-central-2.11.1-24.el7fdp.x86_64
python-openvswitch2.11-2.11.0-26.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-common-1.0-6.noarch
ovn2.11-2.11.1-24.el7fdp.x86_64
ovn2.11-host-2.11.1-24.el7fdp.x86_64
openvswitch2.11-2.11.0-26.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch


[root@hp-dl380pg8-12 bz1780745]# bash -x setup.sh                                                     
+ systemctl start ovn-northd
+ ovs-pki init --force
Creating controllerca...
Creating switchca...
+ pushd /etc/openvswitch                                                                              
/etc/openvswitch ~/bz1780745                                                                          
+ ovs-pki req+sign northdb controller
northdb-req.pem Wed Dec 18 01:37:55 EST 2019                                                          
        fingerprint d8106d3e6f36bca78bc1f1b83e54dbdeab19f9c8
+ ovs-pki req+sign nbctl controller
nbctl-req.pem   Wed Dec 18 01:37:55 EST 2019                                                          
        fingerprint 017f74c3c16bcea8b9e3859393f4178aec5451e3                                          
+ popd
~/bz1780745
+ chown -R openvswitch /etc/openvswitch
+ chown -R openvswitch /var/lib/openvswitch                                                           
+ ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
+ ovn-nbctl set-connection pssl:6641                                                                  
+ python ovsdb_ssl_test.py
(0, None, "[u'hello world']")
+ tail -n 10 /var/log/messages
Dec 18 01:37:55 hp-dl380pg8-12 ovsdb-server: ovs|00001|vlog|INFO|opened log file /var/log/openvswitch/ovsdb-server-sb.log
Dec 18 01:37:55 hp-dl380pg8-12 ovsdb-server: ovs|00002|ovsdb_server|INFO|ovsdb-server (Open vSwitch) 2.11.0
Dec 18 01:37:55 hp-dl380pg8-12 ovn-sbctl: ovs|00001|sbctl|INFO|Called as ovn-sbctl init               
Dec 18 01:37:55 hp-dl380pg8-12 ovn-ctl: Starting ovn-northd [  OK  ]
Dec 18 01:37:55 hp-dl380pg8-12 systemd: Started OVN northd management daemon.                         
Dec 18 01:37:55 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
Dec 18 01:37:56 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-connection pssl:6641
Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00003|stream_ssl|WARN|SSL_read: unexpected SSL connection close
Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00004|jsonrpc|WARN|ssl:127.0.0.1:43304: receive error: Protocol error
Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00005|reconnect|WARN|ssl:127.0.0.1:43304: connection dropped (Protocol error)

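<=== SSL error messages: ovsdb-server logs the three WARN lines above (stream_ssl, jsonrpc, reconnect) even though the echo request returned successfully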

Verified on python-openvswitch2.11-2.11.0-35.el7fdp.x86_64:

[root@hp-dl380pg8-12 bz1780745]# bash -x setup.sh                                                     
+ systemctl start ovn-northd
+ ovs-pki init --force
Creating controllerca...
Creating switchca...
+ pushd /etc/openvswitch
/etc/openvswitch ~/bz1780745
+ ovs-pki req+sign northdb controller                                                                 
northdb-req.pem Wed Dec 18 01:43:12 EST 2019                                                          
        fingerprint 4689c819e32ead9ab7d9c49b6eca5de2dd3d7fbc                                          
+ ovs-pki req+sign nbctl controller
nbctl-req.pem   Wed Dec 18 01:43:12 EST 2019
        fingerprint ed2579d3e94022cad51347f568da97bf6a1b8065                                          
+ popd
~/bz1780745
+ chown -R openvswitch /etc/openvswitch                                                               
+ chown -R openvswitch /var/lib/openvswitch                                                           
+ ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
+ ovn-nbctl set-connection pssl:6641
+ python ovsdb_ssl_test.py
(0, None, "[u'hello world']")                                                                         
+ tail -n 10 /var/log/messages
Dec 18 01:43:12 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl init               
Dec 18 01:43:12 hp-dl380pg8-12 ovn-ctl: /var/lib/openvswitch/ovnsb_db.db does not exist ... (warning).
Dec 18 01:43:12 hp-dl380pg8-12 ovn-ctl: Creating empty database /var/lib/openvswitch/ovnsb_db.db [  OK  ]
Dec 18 01:43:12 hp-dl380pg8-12 ovsdb-server: ovs|00001|vlog|INFO|opened log file /var/log/openvswitch/ovsdb-server-sb.log
Dec 18 01:43:12 hp-dl380pg8-12 ovsdb-server: ovs|00002|ovsdb_server|INFO|ovsdb-server (Open vSwitch) 2.11.0
Dec 18 01:43:12 hp-dl380pg8-12 ovn-sbctl: ovs|00001|sbctl|INFO|Called as ovn-sbctl init               
Dec 18 01:43:12 hp-dl380pg8-12 ovn-ctl: Starting ovn-northd [  OK  ]
Dec 18 01:43:12 hp-dl380pg8-12 systemd: Started OVN northd management daemon.
Dec 18 01:43:12 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
Dec 18 01:43:12 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-connection pssl:6641

<==== no SSL error messages from ovsdb-server after the same test

[root@hp-dl380pg8-12 bz1780745]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-regression-bz1771854_replicate_old_schema-1.0-2.noarch       
ovn2.11-central-2.11.1-24.el7fdp.x86_64                                                               
python-openvswitch2.11-2.11.0-35.el7fdp.x86_64                                                        
kernel-kernel-networking-openvswitch-ovn-common-1.0-6.noarch                                          
ovn2.11-2.11.1-24.el7fdp.x86_64                                                                       
ovn2.11-host-2.11.1-24.el7fdp.x86_64                                                                  
openvswitch2.11-2.11.0-35.el7fdp.x86_64                                                               
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch

Comment 4 errata-xmlrpc 2020-01-21 06:34:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:0166