Bug 1780745 - [ovs2.11] SSL connections drops are constantly logged in ovsdb-server-nb.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch2.11
Version: FDP 19.D
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: ---
Assignee: Timothy Redaelli
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-06 19:21 UTC by Timothy Redaelli
Modified: 2020-01-21 06:34 UTC (History)

Fixed In Version: openvswitch2.11-2.11.0-34.el7fdn
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1563574
: 1780747 (view as bug list)
Environment:
Last Closed: 2020-01-21 06:34:13 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0166 0 None None None 2020-01-21 06:34:38 UTC

Comment 2 Jianlin Shi 2019-12-18 06:45:33 UTC
reproduced on python-openvswitch2.11-2.11.0-26.el7fdp.x86_64:

[root@hp-dl380pg8-12 bz1780745]# cat ovsdb_ssl_test.py 
from __future__ import print_function
import sys

from ovs import jsonrpc
from ovs import stream
from ovs.unixctl import client

URI='ssl:127.0.0.1:6641'
PRIV='/etc/openvswitch/nbctl-privkey.pem'
CERT='/etc/openvswitch/nbctl-cert.pem'
CACERT='/var/lib/openvswitch/pki/controllerca/cacert.pem'
stream.Stream.ssl_set_private_key_file(PRIV)
stream.Stream.ssl_set_certificate_file(CERT)
stream.Stream.ssl_set_ca_cert_file(CACERT)


class SSLClient(client.UnixctlClient):
    @classmethod
    def create(cls, uri):
        error, _stream = stream.Stream.open_block(
                stream.Stream.open(uri))
        if error:
            client.vlog.warn("failed to connect to %s" % uri)
            return error, None
        return 0, cls(jsonrpc.Connection(_stream))


_, c = SSLClient.create(URI)
print(c.transact("echo", ["hello world"]))
c.close()

[root@hp-dl380pg8-12 bz1780745]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-regression-bz1771854_replicate_old_schema-1.0-2.noarch
ovn2.11-central-2.11.1-24.el7fdp.x86_64
python-openvswitch2.11-2.11.0-26.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-common-1.0-6.noarch
ovn2.11-2.11.1-24.el7fdp.x86_64
ovn2.11-host-2.11.1-24.el7fdp.x86_64
openvswitch2.11-2.11.0-26.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch


[root@hp-dl380pg8-12 bz1780745]# bash -x setup.sh                                                     
+ systemctl start ovn-northd
+ ovs-pki init --force
Creating controllerca...
Creating switchca...
+ pushd /etc/openvswitch                                                                              
/etc/openvswitch ~/bz1780745                                                                          
+ ovs-pki req+sign northdb controller
northdb-req.pem Wed Dec 18 01:37:55 EST 2019                                                          
        fingerprint d8106d3e6f36bca78bc1f1b83e54dbdeab19f9c8
+ ovs-pki req+sign nbctl controller
nbctl-req.pem   Wed Dec 18 01:37:55 EST 2019                                                          
        fingerprint 017f74c3c16bcea8b9e3859393f4178aec5451e3                                          
+ popd
~/bz1780745
+ chown -R openvswitch /etc/openvswitch
+ chown -R openvswitch /var/lib/openvswitch                                                           
+ ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
+ ovn-nbctl set-connection pssl:6641                                                                  
+ python ovsdb_ssl_test.py
(0, None, "[u'hello world']")
+ tail -n 10 /var/log/messages
Dec 18 01:37:55 hp-dl380pg8-12 ovsdb-server: ovs|00001|vlog|INFO|opened log file /var/log/openvswitch/ovsdb-server-sb.log
Dec 18 01:37:55 hp-dl380pg8-12 ovsdb-server: ovs|00002|ovsdb_server|INFO|ovsdb-server (Open vSwitch) 2.11.0
Dec 18 01:37:55 hp-dl380pg8-12 ovn-sbctl: ovs|00001|sbctl|INFO|Called as ovn-sbctl init               
Dec 18 01:37:55 hp-dl380pg8-12 ovn-ctl: Starting ovn-northd [  OK  ]
Dec 18 01:37:55 hp-dl380pg8-12 systemd: Started OVN northd management daemon.                         
Dec 18 01:37:55 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
Dec 18 01:37:56 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-connection pssl:6641
Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00003|stream_ssl|WARN|SSL_read: unexpected SSL connection close
Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00004|jsonrpc|WARN|ssl:127.0.0.1:43304: receive error: Protocol error
Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00005|reconnect|WARN|ssl:127.0.0.1:43304: connection dropped (Protocol error)

<=== ssl error message

Verified on python-openvswitch2.11-2.11.0-35.el7fdp.x86_64:

[root@hp-dl380pg8-12 bz1780745]# bash -x setup.sh                                                     
+ systemctl start ovn-northd
+ ovs-pki init --force
Creating controllerca...
Creating switchca...
+ pushd /etc/openvswitch
/etc/openvswitch ~/bz1780745
+ ovs-pki req+sign northdb controller                                                                 
northdb-req.pem Wed Dec 18 01:43:12 EST 2019                                                          
        fingerprint 4689c819e32ead9ab7d9c49b6eca5de2dd3d7fbc                                          
+ ovs-pki req+sign nbctl controller
nbctl-req.pem   Wed Dec 18 01:43:12 EST 2019
        fingerprint ed2579d3e94022cad51347f568da97bf6a1b8065                                          
+ popd
~/bz1780745
+ chown -R openvswitch /etc/openvswitch                                                               
+ chown -R openvswitch /var/lib/openvswitch                                                           
+ ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
+ ovn-nbctl set-connection pssl:6641
+ python ovsdb_ssl_test.py
(0, None, "[u'hello world']")                                                                         
+ tail -n 10 /var/log/messages
Dec 18 01:43:12 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl init               
Dec 18 01:43:12 hp-dl380pg8-12 ovn-ctl: /var/lib/openvswitch/ovnsb_db.db does not exist ... (warning).
Dec 18 01:43:12 hp-dl380pg8-12 ovn-ctl: Creating empty database /var/lib/openvswitch/ovnsb_db.db [  OK  ]
Dec 18 01:43:12 hp-dl380pg8-12 ovsdb-server: ovs|00001|vlog|INFO|opened log file /var/log/openvswitch/ovsdb-server-sb.log
Dec 18 01:43:12 hp-dl380pg8-12 ovsdb-server: ovs|00002|ovsdb_server|INFO|ovsdb-server (Open vSwitch) 2.11.0
Dec 18 01:43:12 hp-dl380pg8-12 ovn-sbctl: ovs|00001|sbctl|INFO|Called as ovn-sbctl init               
Dec 18 01:43:12 hp-dl380pg8-12 ovn-ctl: Starting ovn-northd [  OK  ]
Dec 18 01:43:12 hp-dl380pg8-12 systemd: Started OVN northd management daemon.
Dec 18 01:43:12 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem /etc/openvswitch/northdb-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
Dec 18 01:43:12 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-connection pssl:6641

<==== no error message

[root@hp-dl380pg8-12 bz1780745]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-regression-bz1771854_replicate_old_schema-1.0-2.noarch       
ovn2.11-central-2.11.1-24.el7fdp.x86_64                                                               
python-openvswitch2.11-2.11.0-35.el7fdp.x86_64                                                        
kernel-kernel-networking-openvswitch-ovn-common-1.0-6.noarch                                          
ovn2.11-2.11.1-24.el7fdp.x86_64                                                                       
ovn2.11-host-2.11.1-24.el7fdp.x86_64                                                                  
openvswitch2.11-2.11.0-35.el7fdp.x86_64                                                               
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch
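
An added example, not part of the comment above or of the Open vSwitch code base: a Python 3 checker that scans syslog lines for the warning sequence seen in the reproduction and reports each dropped SSL peer. The sample logs are copied from the tail output in Comment 2; the function names, and the pairing of a stream_ssl warning with the next reconnect drop from the same program, are assumptions of this example.

```python
import re

# Syslog prefix followed by an OVS vlog record: ovs|<seq>|<module>|<level>|<message>
VLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<prog>[\w.-]+): "
    r"ovs\|(?P<seq>\d+)\|(?P<module>\w+)\|(?P<level>[A-Z]+)\|(?P<msg>.*)$")
DROP_RE = re.compile(
    r"^(?P<peer>ssl:\S+:\d+): connection dropped \((?P<reason>[^)]*)\)")
UNCLEAN_CLOSE = "SSL_read: unexpected SSL connection close"

# Copied from the /var/log/messages tails in Comment 2 (2.11.0-26 and 2.11.0-35 runs).
BEFORE_FIX = [
    "Dec 18 01:37:56 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-connection pssl:6641",
    "Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00003|stream_ssl|WARN|SSL_read: unexpected SSL connection close",
    "Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00004|jsonrpc|WARN|ssl:127.0.0.1:43304: receive error: Protocol error",
    "Dec 18 01:37:56 hp-dl380pg8-12 ovsdb-server: ovs|00005|reconnect|WARN|ssl:127.0.0.1:43304: connection dropped (Protocol error)",
]
AFTER_FIX = [
    "Dec 18 01:43:12 hp-dl380pg8-12 ovn-ctl: Starting ovn-northd [  OK  ]",
    "Dec 18 01:43:12 hp-dl380pg8-12 ovn-nbctl: ovs|00001|nbctl|INFO|Called as ovn-nbctl set-connection pssl:6641",
]


def parse_vlog(line):
    """Split one syslog line into vlog fields; None if it is not a vlog record."""
    m = VLOG_RE.match(line.rstrip())
    return m.groupdict() if m else None


def find_ssl_drops(lines):
    """Return one dict per dropped SSL peer found in the given log lines."""
    drops, unclean = [], set()  # unclean: programs with an unmatched stream_ssl warning
    for line in lines:
        rec = parse_vlog(line)
        if rec is None or rec["level"] != "WARN":
            continue
        if rec["module"] == "stream_ssl" and UNCLEAN_CLOSE in rec["msg"]:
            unclean.add(rec["prog"])
        elif rec["module"] == "reconnect":
            m = DROP_RE.match(rec["msg"])
            if m:
                # Assumption: the drop belongs to the latest unclean close from the same program.
                drops.append({"ts": rec["ts"], "prog": rec["prog"], "peer": m["peer"],
                              "reason": m["reason"], "unclean_close": rec["prog"] in unclean})
                unclean.discard(rec["prog"])
    return drops


if __name__ == "__main__":
    for name, log in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(name, find_ssl_drops(log))
```
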

Comment 4 errata-xmlrpc 2020-01-21 06:34:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:0166

