#opendaylight #help Update archetype based project from AL SR4 to Phosphorus latest


Zsolt Krenak
 

Hi Everyone,

I'm trying to bump our ODL version from Aluminium SR4 to Phosphorus latest due to the log4j vulnerability. Our repo is based on the generated archetype repo. I bumped all parent and dependency versions I could find in poms to the following:

odlparent 9.0.9
controller 4.0.7
netconf 2.0.11
mdsal 8.0.8

I fixed the compilation errors in our plugin and odl compiles fine. On the other hand when karaf is started the following exception happens:

Apache Karaf starting up. Press Enter to open the shell now...
 99% [=======================================================================>]org.apache.karaf.features.internal.util.MultiException: Error restarting bundles:
        Exception in org.ops4j.pax.web.extender.war.internal.Activator.start() of bundle org.ops4j.pax.web.pax-web-extender-war.
        at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:1049)
        at org.apache.karaf.features.internal.service.FeaturesServiceImpl.doProvision(FeaturesServiceImpl.java:1069)
        at org.apache.karaf.features.internal.service.FeaturesServiceImpl.lambda$doProvisionInThread$13(FeaturesServiceImpl.java:1004)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)
        Suppressed: org.osgi.framework.BundleException: Exception in org.ops4j.pax.web.extender.war.internal.Activator.start() of bundle org.ops4j.pax.web.pax-web-extender-war.
                at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:835)
                at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:763)
                at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:1028)
                at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:371)
                at org.eclipse.osgi.container.Module.doStart(Module.java:605)
                at org.eclipse.osgi.container.Module.start(Module.java:468)
                at org.eclipse.osgi.internal.framework.EquinoxBundle.start(EquinoxBundle.java:445)
                at org.eclipse.osgi.internal.framework.EquinoxBundle.start(EquinoxBundle.java:464)
                at org.apache.karaf.features.internal.service.BundleInstallSupportImpl.startBundle(BundleInstallSupportImpl.java:165)
                at org.apache.karaf.features.internal.service.FeaturesServiceImpl.startBundle(FeaturesServiceImpl.java:1160)
                at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:1041)
                ... 6 more
        Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.ops4j.pax.web.extender.war.internal.DefaultWebAppDependencyManager
                at org.ops4j.pax.web.extender.war.internal.Activator.doStart(Activator.java:53)
                at org.ops4j.pax.web.extender.war.internal.extender.AbstractExtender.start(AbstractExtender.java:117)
                at org.eclipse.osgi.internal.framework.BundleContextImpl$2.run(BundleContextImpl.java:814)
                at org.eclipse.osgi.internal.framework.BundleContextImpl$2.run(BundleContextImpl.java:1)
                at java.base/java.security.AccessController.doPrivileged(Native Method)
                at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:806)
                ... 16 more


The bundle diag:

opendaylight-user@root>bundle:diag
org.opendaylight.aaa.aaa-shiro (200)
------------------------------------
Status: GracePeriod
Blueprint
1/4/22, 9:52 AM
Missing dependencies:
(objectClass=org.opendaylight.aaa.web.WebServer) (objectClass=org.osgi.service.http.HttpService)
Declarative Services
org.opendaylight.aaa.authenticator.ODLAuthenticator (22)
org.opendaylight.aaa.shiro.idm.OSGIIdmLightProxy (23)

ODL :: aaa :: web-osgi-impl (204)
---------------------------------
Status: Waiting
Declarative Services
org.opendaylight.aaa.web.osgi.PaxWebServer (24)
  missing references: global

MD SAL Restconf Connector (308)
-------------------------------
Status: GracePeriod
Blueprint
1/4/22, 9:52 AM
Missing dependencies:
(objectClass=org.opendaylight.aaa.web.WebContextSecurer) (objectClass=org.opendaylight.aaa.web.WebServer)
Declarative Services

MD SAL Restconf Connector (309)
-------------------------------
Status: GracePeriod
Blueprint
1/4/22, 9:52 AM
Missing dependencies:
(objectClass=org.opendaylight.aaa.web.WebServer) (objectClass=org.opendaylight.aaa.web.WebContextSecurer)
Declarative Services

MD SAL Rest Api Doc Generator (311)
-----------------------------------
Status: GracePeriod
Blueprint
1/4/22, 9:52 AM
Missing dependencies:
(objectClass=org.opendaylight.aaa.web.WebServer) (objectClass=org.opendaylight.aaa.web.WebContextSecurer)
Declarative Services


I also cloned the archetypes project and bumped the versions there to have a reference. When I run mvn clean install, the Opendaylight Rest single feature test dies for the exact same reason. Probably something is missing because this is a big jump in versions, could someone give me a hint what is missing or what changed since Aluminium that could cause this problem? Thanks in advance!

 

Br,

Zsolt


Robert Varga
 

On 04/01/2022 10:17, Zsolt Krenak wrote:
> Hi Everyone,

Hey Zsolt,

> I'm trying to bump our ODL version from Aluminium SR4 to Phosphorus latest due to the log4j vulnerability. Our repo is based on the generated archetype repo. I bumped all parent and dependency versions I could find in poms to the following:
> odlparent 9.0.9
> controller 4.0.7
> netconf 2.0.11
> mdsal 8.0.8
> I fixed the compilation errors in our plugin and odl compiles fine. On the other hand when karaf is started the following exception happens:
> Apache Karaf starting up. Press Enter to open the shell now...
>  99% [=======================================================================>]org.apache.karaf.features.internal.util.MultiException: Error restarting bundles:
>         Exception in org.ops4j.pax.web.extender.war.internal.Activator.start() of bundle org.ops4j.pax.web.pax-web-extender-war.

[snip]

> I also cloned the archetypes project and bumped the versions there to have a reference. When I run mvn clean install, the Opendaylight Rest single feature test dies for the exact same reason. Probably something is missing because this is a big jump in versions, could someone give me a hint what is missing or what changed since Aluminium that could cause this problem? Thanks in advance!

It seems *something* is off, but you do not mention the AAA version. Can you perhaps post full karaf.log, so I can see what bundles are being installed?

Regards,
Robert


Zsolt Krenak
 

Hi Robert,

 

Sorry, if this is a duplicate, I sent this in the morning, but I cannot see it sent so I send it again. 

 

So, the AAA version is the latest released: 0.14.7 which is most probably the problem, as this version is still referencing odlparent 9.0.8 and mdsal 8.0.7. If we downgrade to the released versions of Phosphorus SR1 based on these versions (Platform versions — integration/distribution master documentation (opendaylight.org)) then everything seems to work. So I figure the problem is that the log4j fix is not yet released "officially". Right now went for SR1 which was probably the harder part and now wait for a new release that contains log4j fix (probably SR2?). Is there maybe a timeline for this? Thanks in advance.

Br,

Zsolt


Robert Varga
 

On 11/01/2022 11:12, Zsolt Krenak wrote:
> Hi Robert,

Hello Zsolt, everyone,

> Sorry, if this is a duplicate, I sent this in the morning, but I cannot see it sent so I send it again.
> So, the AAA version is the latest released: 0.14.7 which is most probably the problem, as this version is still referencing odlparent 9.0.8 and mdsal 8.0.7. If we downgrade to the released versions of Phosphorus SR1 based on these versions (Platform versions — integration/distribution master documentation (opendaylight.org) <https://docs.opendaylight.org/projects/integration-distribution/en/stable/platform-versions.html>) then everything seems to work. So I figure the problem is that the log4j fix is not yet released "officially". Right now went for SR1 which was probably the harder part and now wait for a new release that contains log4j fix (probably SR2?). Is there maybe a timeline for this? Thanks in advance.

Right. As per our community support, Phosphorus SR2 will have Log4Shell resolved in the timelines documented in the release plan (sorry, I don't have the link readily available, I am sure Daniel, CCd, does).

As per our governance, a number of MRI projects have releases unaffected by Log4Shell available, but those are not completely integrated. If memory serves right, we are now blocked by CONTROLLER-2025, which we want to have fixed in Phosphorus SR2 as well.

Regards,
Robert


Daniel de la Rosa
 



On Wed, Jan 19, 2022 at 5:30 PM Robert Varga <nite@...> wrote:
> On 11/01/2022 11:12, Zsolt Krenak wrote:
> > Hi Robert,
>
> Hello Zsolt, everyone,
>
> > Sorry, if this is a duplicate, I sent this in the morning, but I cannot
> > see it sent so I send it again.
> >
> > So, the AAA version is the latest released: 0.14.7 which is most
> > probably the problem, as this version is still referencing odlparent
> > 9.0.8 and mdsal 8.0.7. If we downgrade to the released versions of
> > Phosphorus SR1 based on these versions (Platform versions —
> > integration/distribution master documentation (opendaylight.org)
> > <https://docs.opendaylight.org/projects/integration-distribution/en/stable/platform-versions.html>)
> > then everything seems to work. So I figure the problem is that the log4j
> > fix is not yet released "officially". Right now went for SR1 which was
> > probably the harder part and now wait for a new release that contains
> > log4j fix (probably SR2?). Is there maybe a timeline for this? Thanks in
> > advance.
>
> Right. As per our community support, Phosphorus SR2 will have Log4Shell
> resolved in the timelines documented in the release plan (sorry, I don't
> have the link readily available, I am sure Daniel, CCd, does).

Here is the current release schedule

> As per our governance, a number of MRI projects have releases unaffected
> by Log4Shell available, but those are not completely integrated. If
> memory serves right, we are now blocked by CONTROLLER-2025, which we
> want to have fixed in Phosphorus SR2 as well.
>
> Regards,
> Robert