Date   

Re: [openflowplugin-users] Issue with Uninstallation of openflowplugin

Michal Rehak -X (mirehak - PANTHEON TECHNOLOGIES@Cisco) <mirehak@...>
 

Hi Vikram,
unfortunately uninstallation of a karaf feature is not supported. Reason is:
By installing config subsystem gets notified when bundles and config xml files are being loaded. Then it wires corresponding instances/modules and eventually waits till all dependencies are loaded and initiated.

By uninstalling the situation is much more difficult as we do not have the definition of what to do if you uninstall feature which is already used by other running feature.. etc. So yes it is probably not that difficult to register config subsystem to uninstall feature event. But covering all the corner cases is the real issue here.


Regards,
Michal






From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Jamo Luhrsen [jluhrsen@...]
Sent: Tuesday, July 07, 2015 01:22
To: Vikram Darsi; openflowjava-users@...; openflowplugin-users@...; openflowplugin-dev@...; openflowjava-dev@...
Subject: Re: [openflowplugin-users] Issue with Uninstallation of openflowplugin

Hi Vikram,
(added the -dev lists as I think those are more read)

I didn't see a reply yet, but I don't think "uninstalling" features is
something we support at this time, nor do I know of any near term plans
to support that.  Someone can correct me if I'm mistaken.

you should be able to semi-gracefully "logout" of the karaf console to
shut down, then restarting should be ok.

hope it helps,
JamO

On 07/03/2015 02:32 AM, Vikram Darsi wrote:
Hi

Followed below steps:

1. Installed Lithium Distribution
2. Installed openflow plugins and dlux using the below command
feature:install odl-openflowplugin-all odl-openflowjava-all odl-dlux-all
   Observation: Openflow ports 6633 and 6653 are up
3. started mininet with the below configuration
 sudo mn --controller=remote,ip=10.1.2.63 --topo tree,5
4. Launched the UI to view the Openflow devices (working fine)


5 Uninstalling openflow plugins with the below command
feature:uninstall odl-openflowjava-all odl-openflowplugin-all
Observation: after few seconds control is back to prompt and when checked for the availability of ports 6633 and 6653, they are still up, waited almost 5 minutes

6. I retried uninstalling the same features
feature:uninstall odl-openflowjava-all odl-openflowplugin-all

got error saying : Error executing command: No installed feature matching odl-openflowjava-all

7. when i run "feature:list -i"

odl-openflowjava-protocol             | 0.6.0-Lithium    | x         | odl-openflowjava-0.6.0-Lithium       | OpenDaylight :: Openflow Java :: Protocol
odl-openflowplugin-southbound         | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: SouthBound    
odl-openflowplugin-flow-services      | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: Flow Services 
odl-openflowplugin-nsf-services       | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: OpenflowPlugin :: NSF :: Services
odl-openflowplugin-nsf-model          | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: OpenflowPlugin :: NSF :: Model   
odl-openflowplugin-flow-services-rest | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: Flow Services :
odl-openflowplugin-flow-services-ui   | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: Flow Services :
odl-openflowplugin-app-config-pusher  | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: app - default c
odl-openflowplugin-app-lldp-speaker   | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: app lldp-speake


it is clear that they are shown as installed


I could not understand this weird behavior , can someone please explain why the ports are still up when we uninstalled the feature, also why karaf is showing that the feature is uninstalled with one command and
shown as installed with the other command.


Thanks
Vikram


This email and attachments may contain privileged or confidential information intended only for the addressee(s) indicated. The sender does not waive any of its rights, privileges or protections respecting this information. If you are not the named addressee, an employee, or agent responsible for sending this message to the named addressee (or this message was received by mistake), you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If received in error, please notify us immediately by e-mail, discard any paper copies and delete all electronic files of the email.

Computer viruses can be transmitted via email. The recipient should check this email and any attachments for viruses. Email transmission cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender accepts no liability for any damage caused by any transmitted viruses or errors or omissions in the contents of this message.

Overture Networks, Inc. 637 Davis Drive, Morrisville, NC USA 27560 www.overturenetworks.com

_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users


Re: [openflowplugin-users] Issue with Uninstallation of openflowplugin

Jamo Luhrsen <jluhrsen@...>
 

Hi Vikram,
(added the -dev lists as I think those are more read)

I didn't see a reply yet, but I don't think "uninstalling" features is
something we support at this time, nor do I know of any near term plans
to support that.  Someone can correct me if I'm mistaken.

you should be able to semi-gracefully "logout" of the karaf console to
shut down, then restarting should be ok.

hope it helps,
JamO

On 07/03/2015 02:32 AM, Vikram Darsi wrote:
Hi

Followed below steps:

1. Installed Lithium Distribution
2. Installed openflow plugins and dlux using the below command
feature:install odl-openflowplugin-all odl-openflowjava-all odl-dlux-all
   Observation: Openflow ports 6633 and 6653 are up
3. started mininet with the below configuration
 sudo mn --controller=remote,ip=10.1.2.63 --topo tree,5
4. Launched the UI to view the Openflow devices (working fine)


5 Uninstalling openflow plugins with the below command
feature:uninstall odl-openflowjava-all odl-openflowplugin-all
Observation: after few seconds control is back to prompt and when checked for the availability of ports 6633 and 6653, they are still up, waited almost 5 minutes

6. I retried uninstalling the same features
feature:uninstall odl-openflowjava-all odl-openflowplugin-all

got error saying : Error executing command: No installed feature matching odl-openflowjava-all

7. when i run "feature:list -i"

odl-openflowjava-protocol             | 0.6.0-Lithium    | x         | odl-openflowjava-0.6.0-Lithium       | OpenDaylight :: Openflow Java :: Protocol
odl-openflowplugin-southbound         | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: SouthBound    
odl-openflowplugin-flow-services      | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: Flow Services 
odl-openflowplugin-nsf-services       | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: OpenflowPlugin :: NSF :: Services
odl-openflowplugin-nsf-model          | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: OpenflowPlugin :: NSF :: Model   
odl-openflowplugin-flow-services-rest | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: Flow Services :
odl-openflowplugin-flow-services-ui   | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: Flow Services :
odl-openflowplugin-app-config-pusher  | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: app - default c
odl-openflowplugin-app-lldp-speaker   | 0.1.0-Lithium    | x         | openflowplugin-0.1.0-Lithium         | OpenDaylight :: Openflow Plugin :: app lldp-speake


it is clear that they are shown as installed


I could not understand this weird behavior , can someone please explain why the ports are still up when we uninstalled the feature, also why karaf is showing that the feature is uninstalled with one command and
shown as installed with the other command.


Thanks
Vikram


This email and attachments may contain privileged or confidential information intended only for the addressee(s) indicated. The sender does not waive any of its rights, privileges or protections respecting this information. If you are not the named addressee, an employee, or agent responsible for sending this message to the named addressee (or this message was received by mistake), you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If received in error, please notify us immediately by e-mail, discard any paper copies and delete all electronic files of the email.

Computer viruses can be transmitted via email. The recipient should check this email and any attachments for viruses. Email transmission cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender accepts no liability for any damage caused by any transmitted viruses or errors or omissions in the contents of this message.

Overture Networks, Inc. 637 Davis Drive, Morrisville, NC USA 27560 www.overturenetworks.com

_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users


Re: NxmNxReg question

Sam Hague
 

Khal,

you can see how they are used in the ovsdb code: ovsdb/utils/mdsal-openflow/... MatchUtils#addNxRegMatch and Actionutils#nxOutputRegAction

Thanks, Sam

----- Original Message -----
From: "Khaldoon Al Zoubi" <khaldoon.alzoubi@...>
To: openflowjava-dev@...
Sent: Tuesday, June 2, 2015 2:52:28 PM
Subject: [openflowjava-dev] NxmNxReg question



Hi,



I need to understand how NxmNxReg0.class, NxmNxReg1.class, etc. are used in
flows actions and matchers. Is there a wiki page, examples or code I can
start with.



Thanks

Khal

_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev


NxmNxReg question

Khaldoon Al Zoubi <khaldoon.alzoubi@...>
 

Hi,

 

I need to understand how NxmNxReg0.class, NxmNxReg1.class, etc. are used in flows actions and matchers. Is there a wiki page, examples or code I can start with.

 

Thanks

Khal


Re: [release] [openflowplugin-dev] [SEEK AGREEMENT ON API FREEZE WAIVER] ConnectionAdapter - PacketIn filtering API change

Michal Rehak -X (mirehak - Pantheon Technologies SRO@Cisco) <mirehak@...>
 

Greetings,
this change has definitely potential to solve packetIn flood issues in ofPlugin. We strongly agree.

Regards,
Michal



From: release-bounces@... [release-bounces@...] on behalf of Michal Polkoráb [michal.polkorab@...]
Sent: Monday, May 18, 2015 09:40
To: release@...
Cc: openflowjava-dev; openflowplugin-dev
Subject: [release] [openflowjava-dev] [openflowplugin-dev] [SEEK AGREEMENT ON API FREEZE WAIVER] ConnectionAdapter - PacketIn filtering API change

Hello,

we are seeking agreement on PacketIn filtering support in openflowjava:
Core Details
  • API Name: ConnectionAdapter
    • Containing repo: openflowjava
    • Path to the API: org/opendaylight/openflowjava/protocol/api/connection/ConnectionAdapter.java
  • RECEIVING PROJECTopenflowplugin
  • API PROVIDERS: openflowjava
  • API IMPLEMENTORSopenflowjava
  • API CONSUMERSopenflowplugin
  • Other IMPACTED PROJECTSnone
  • State: SEEK AGREEMENT

Comments
Description of the API Change and Rationale
In order to improve openflow performance (and stability), we should filter PacketIn messages when facing an overloaded situation.
Feedback from IMPACTED PROJECTS

Notification
  • Filed bug: https://bugs.opendaylight.org/show_bug.cgi?id=3229
  • Sent e-mail: 
Seek Agreement
  • Pushed gerrit: https://git.opendaylight.org/gerrit/#/c/20559/
  • List of PROJECT REPRESENTATIVES: Michal Rehak (openflowplugin)
  • Sent e-mail: 

More details / status:
https://wiki.opendaylight.org/view/Simultaneous_Release:Lithium:API_Freeze_Waiver_Records#ConnectionAdapter_-_PacketIn_filtering_API_Change_Waiver​

Regards,
Michal Polkorab​


MichalPolkoráb

Software Developer


Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907
/ michal.polkorab@...
reception: +421 2 206 65 111
/ www.pantheon.sk

logo


[openflowplugin-dev] [SEEK AGREEMENT ON API FREEZE WAIVER] ConnectionAdapter - PacketIn filtering API change

Michal Polkorab
 

Hello,

we are seeking agreement on PacketIn filtering support in openflowjava:
Core Details
  • API Name: ConnectionAdapter
    • Containing repo: openflowjava
    • Path to the API: org/opendaylight/openflowjava/protocol/api/connection/ConnectionAdapter.java
  • RECEIVING PROJECTopenflowplugin
  • API PROVIDERS: openflowjava
  • API IMPLEMENTORSopenflowjava
  • API CONSUMERSopenflowplugin
  • Other IMPACTED PROJECTSnone
  • State: SEEK AGREEMENT

Comments
Description of the API Change and Rationale
In order to improve openflow performance (and stability), we should filter PacketIn messages when facing an overloaded situation.
Feedback from IMPACTED PROJECTS

Notification
  • Filed bug: https://bugs.opendaylight.org/show_bug.cgi?id=3229
  • Sent e-mail: 
Seek Agreement
  • Pushed gerrit: https://git.opendaylight.org/gerrit/#/c/20559/
  • List of PROJECT REPRESENTATIVES: Michal Rehak (openflowplugin)
  • Sent e-mail: 

More details / status:
https://wiki.opendaylight.org/view/Simultaneous_Release:Lithium:API_Freeze_Waiver_Records#ConnectionAdapter_-_PacketIn_filtering_API_Change_Waiver​

Regards,
Michal Polkorab​


MichalPolkoráb

Software Developer


Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907
/ michal.polkorab@...
reception: +421 2 206 65 111
/ www.pantheon.sk

logo


Re: [openflowplugin-dev] [SEEK AGREEMENT ON API FREEZE WAIVER] ConnectionAdapter API change

Michal Rehak -X (mirehak - Pantheon Technologies SRO@Cisco) <mirehak@...>
 

Greetings,
I strongly agree. This is expected to boost some performance.

Regards,
Michal


From: openflowjava-dev-bounces@... [openflowjava-dev-bounces@...] on behalf of Michal Polkoráb [michal.polkorab@...]
Sent: Thursday, May 14, 2015 15:40
To: release@...
Cc: openflowjava-dev; openflowplugin-dev
Subject: [openflowjava-dev] [openflowplugin-dev] [SEEK AGREEMENT ON API FREEZE WAIVER] ConnectionAdapter API change


​Hello,


we are seeking agreement on the way how messages are being handled in openflowjava:

Core Details

  • API Name: ConnectionAdapter
    • Containing repo: openflowjava
    • Path to the API: org/opendaylight/openflowjava/protocol/api/connection/ConnectionAdapter.java
  • RECEIVING PROJECTopenflowplugin
  • API PROVIDERS: openflowjava
  • API IMPLEMENTORSopenflowjava
  • API CONSUMERSopenflowplugin
  • Other IMPACTED PROJECTSnone
  • State: SEEK AGREEMENT

Comments

Description of the API Change and Rationale

In order to improve openflow performance, ChannelOutboundQueue becomes configurable and handles barrier in different manner.

Feedback from IMPACTED PROJECTS


Notification

  • Filed bug: https://bugs.opendaylight.org/show_bug.cgi?id=3219
  • Sent e-mail: 

Seek Agreement

  • Pushed gerrit: https://git.opendaylight.org/gerrit/#/c/20080/
  • List of PROJECT REPRESENTATIVES: Michal Rehak (openflowplugin)
  • Sent e-mail: 


More details / status:

https://wiki.opendaylight.org/view/Simultaneous_Release:Lithium:API_Freeze_Waiver_Records#ConnectionAdapter_API_Change_Waiver


Regards,

Michal Polkorab

MichalPolkoráb

Software Developer


Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907
/ michal.polkorab@...
reception: +421 2 206 65 111
/ www.pantheon.sk

logo


[openflowplugin-dev] [SEEK AGREEMENT ON API FREEZE WAIVER] ConnectionAdapter API change

Michal Polkorab
 


​Hello,


we are seeking agreement on the way how messages are being handled in openflowjava:

Core Details

  • API Name: ConnectionAdapter
    • Containing repo: openflowjava
    • Path to the API: org/opendaylight/openflowjava/protocol/api/connection/ConnectionAdapter.java
  • RECEIVING PROJECTopenflowplugin
  • API PROVIDERS: openflowjava
  • API IMPLEMENTORSopenflowjava
  • API CONSUMERSopenflowplugin
  • Other IMPACTED PROJECTSnone
  • State: SEEK AGREEMENT

Comments

Description of the API Change and Rationale

In order to improve openflow performance, ChannelOutboundQueue becomes configurable and handles barrier in different manner.

Feedback from IMPACTED PROJECTS


Notification

  • Filed bug: https://bugs.opendaylight.org/show_bug.cgi?id=3219
  • Sent e-mail: 

Seek Agreement

  • Pushed gerrit: https://git.opendaylight.org/gerrit/#/c/20080/
  • List of PROJECT REPRESENTATIVES: Michal Rehak (openflowplugin)
  • Sent e-mail: 


More details / status:

https://wiki.opendaylight.org/view/Simultaneous_Release:Lithium:API_Freeze_Waiver_Records#ConnectionAdapter_API_Change_Waiver


Regards,

Michal Polkorab

MichalPolkoráb

Software Developer


Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907
/ michal.polkorab@...
reception: +421 2 206 65 111
/ www.pantheon.sk

logo


Re: [integration-dev] [opendaylight-dev] openflow performance regression

Abhijit Kumbhare
 

Luis,

In today's OF Plugin meeting Tony provided the info on this & the fix:

 

[09:08:50] <ttkacik1> whole issue is in droptest itself

[09:09:40] <abhijitkumbhare> Oh - but have there been any changes to droptest?

[09:09:54] <ttkacik1> droptest was using MD-SAL threads even if it is explicitly docuemnted in javadocs for MD-SAL Notifcation APIs to do not any work which may take time

[09:10:48] <abhijitkumbhare> so someone needs to change drop test

[09:10:53] <ttkacik1> patch which dropped performance was announced to mailing lists before: https://lists.opendaylight.org/pipermail/openflowplugin-dev/2015-May/003022.html

[09:11:08] <ttkacik1> even points to patch

[09:11:30] <abhijitkumbhare> OK

[09:11:54] <ttkacik1> which changed bit behavior of notif. broker impl but not API contractz

[09:12:11] <ttkacik1> which showed that droptest was stealing MD-SAL threads to do its work

[09:12:19] <ttkacik1> that is why perf. dropped

[09:12:40] <ttkacik1> now notification broker makes sure none of the listener is invoked from multiple threads at same time

[09:12:51] <abhijitkumbhare> so someone needs to change drop test to work better with the lithium notification broker

[09:13:10] <abhijitkumbhare> right?

[09:13:29] <ttkacik1> and that was implementation specific behaviour on which droptest relies

[09:13:38] <ttkacik1> I pushed initial fix to droptest as of now

[09:14:12] <abhijitkumbhare> OK - good

[09:14:37] <jamoluhrsen> #info https://git.opendaylight.org/gerrit/#/c/19717/ is Tony's drop-test patch

[09:14:39] <ttkacik1> https://git.opendaylight.org/gerrit/#/c/19717/

[09:14:46] <michal_rehak> testing the patch right now

[09:15:21] <abhijitkumbhare> OK

[09:15:22] <michal_rehak> looks like it improves throughput in He-codebase of ofPlugin 3 times

[09:16:03] <michal_rehak> merged


Thanks,

Abhijit


On Wed, May 6, 2015 at 9:20 AM, Luis Gomez <ecelgp@...> wrote:
OK, you are right Tony, looking at the exact patches that went in the distribution that reduced performance:

openflowplugin:

controller:

It seems the openflowplugin patch is more candidate than the other 2 from controller.

BR/Luis


On May 6, 2015, at 8:17 AM, Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco) <ttkacik@...> wrote:

is not even in the code-path of throughput testing, since change was to clustered datastore
And for throughput testing suite is using dropallpacketsrpc on
Which  is based on RPCs and Notifications only.
 
Tony
 
From: openflowjava-dev-bounces@... [mailto:openflowjava-dev-bounces@...] On Behalf Of Luis Gomez
Sent: Wednesday, May 06, 2015 5:01 PM
To: Luhrsen, Jamo
Cc: openflowplugin-dev@...; integration-dev@...; openflowjava-dev@...; Mathieu Lemay
Subject: Re: [openflowjava-dev] [integration-dev] [opendaylight-dev] openflow performance regression
 
Hi Jamo. The patch that reduced the performance is:
 
 
You could not see this clearly in the CI because projects that have branched to stable/lithium like controller or yangtools are not triggering any test in CI.
 
BR/Luis
 
 
 
On May 6, 2015, at 7:07 AM, Luhrsen, Jamo <james.luhrsen@...> wrote:
 
I notified openflowplugin-dev about this yesterday.  I was assuming this might have
been the patch [1]  that reduced the performance, as it was what looked like the
patch that triggered the first test that saw the drop.  But, that was not a commit
from Robert, so now I’m not sure.

also, please see the Lithium re-design performance plots [2], just to be able to
compare.

Thanks,
JamO

[1]  https://git.opendaylight.org/gerrit/#/c/19638/
[2]  https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-lithium-redesign-only-master/plot/


On May 6, 2015, at 6:15 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:

I just heard that from Tony. Sorry for that.

--Colin


On Wed, May 6, 2015 at 9:11 AM, Mathieu Lemay <mlemay@...<mailto:mlemay@...>> wrote:
Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:
https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-only-master/plot/

Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...<mailto:dev@...>
https://lists.opendaylight.org/mailman/listinfo/dev




--
[http://www.inocybe.com/wp-content/uploads/2014/09/default-login-image.png]

Mathieu Lemay
President & CEO
Inocybe Technologies
1-888-445-7505<tel:1-888-445-7505>
www.inocybe.com<http://www.inocybe.com/>

_______________________________________________
integration-dev mailing list
integration-dev@...<mailto:integration-dev@...>
https://lists.opendaylight.org/mailman/listinfo/integration-dev

_______________________________________________
integration-dev mailing list
integration-dev@...
https://lists.opendaylight.org/mailman/listinfo/integration-dev


_______________________________________________
integration-dev mailing list
integration-dev@...
https://lists.opendaylight.org/mailman/listinfo/integration-dev



Re: [integration-dev] [opendaylight-dev] openflow performance regression

Luis Gomez <ecelgp@...>
 

OK, you are right Tony, looking at the exact patches that went in the distribution that reduced performance:

openflowplugin:

controller:

It seems the openflowplugin patch is more candidate than the other 2 from controller.

BR/Luis


On May 6, 2015, at 8:17 AM, Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco) <ttkacik@...> wrote:

is not even in the code-path of throughput testing, since change was to clustered datastore
And for throughput testing suite is using dropallpacketsrpc on
Which  is based on RPCs and Notifications only.
 
Tony
 
From: openflowjava-dev-bounces@... [mailto:openflowjava-dev-bounces@...] On Behalf Of Luis Gomez
Sent: Wednesday, May 06, 2015 5:01 PM
To: Luhrsen, Jamo
Cc: openflowplugin-dev@...; integration-dev@...; openflowjava-dev@...; Mathieu Lemay
Subject: Re: [openflowjava-dev] [integration-dev] [opendaylight-dev] openflow performance regression
 
Hi Jamo. The patch that reduced the performance is:
 
 
You could not see this clearly in the CI because projects that have branched to stable/lithium like controller or yangtools are not triggering any test in CI.
 
BR/Luis
 
 
 
On May 6, 2015, at 7:07 AM, Luhrsen, Jamo <james.luhrsen@...> wrote:
 
I notified openflowplugin-dev about this yesterday.  I was assuming this might have
been the patch [1]  that reduced the performance, as it was what looked like the
patch that triggered the first test that saw the drop.  But, that was not a commit
from Robert, so now I’m not sure.

also, please see the Lithium re-design performance plots [2], just to be able to
compare.

Thanks,
JamO

[1]  https://git.opendaylight.org/gerrit/#/c/19638/
[2]  https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-lithium-redesign-only-master/plot/


On May 6, 2015, at 6:15 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:

I just heard that from Tony. Sorry for that.

--Colin


On Wed, May 6, 2015 at 9:11 AM, Mathieu Lemay <mlemay@...<mailto:mlemay@...>> wrote:
Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:
https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-only-master/plot/

Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...<mailto:dev@...>
https://lists.opendaylight.org/mailman/listinfo/dev




--
[http://www.inocybe.com/wp-content/uploads/2014/09/default-login-image.png]

Mathieu Lemay
President & CEO
Inocybe Technologies
1-888-445-7505<tel:1-888-445-7505>
www.inocybe.com<http://www.inocybe.com/>

_______________________________________________
integration-dev mailing list
integration-dev@...<mailto:integration-dev@...>
https://lists.opendaylight.org/mailman/listinfo/integration-dev

_______________________________________________
integration-dev mailing list
integration-dev@...
https://lists.opendaylight.org/mailman/listinfo/integration-dev


Re: [integration-dev] [opendaylight-dev] openflow performance regression

Tony Tkacik
 

The patch https://git.opendaylight.org/gerrit/#/c/19258/

is not even in the code-path of throughput testing, since change was to clustered datastore

And for throughput testing suite is using dropallpacketsrpc on

Which  is based on RPCs and Notifications only.

 

Tony

 

From: openflowjava-dev-bounces@... [mailto:openflowjava-dev-bounces@...] On Behalf Of Luis Gomez
Sent: Wednesday, May 06, 2015 5:01 PM
To: Luhrsen, Jamo
Cc: openflowplugin-dev@...; integration-dev@...; openflowjava-dev@...; Mathieu Lemay
Subject: Re: [openflowjava-dev] [integration-dev] [opendaylight-dev] openflow performance regression

 

Hi Jamo. The patch that reduced the performance is:

 

 

You could not see this clearly in the CI because projects that have branched to stable/lithium like controller or yangtools are not triggering any test in CI.

 

BR/Luis

 

 

 

On May 6, 2015, at 7:07 AM, Luhrsen, Jamo <james.luhrsen@...> wrote:

 

I notified openflowplugin-dev about this yesterday.  I was assuming this might have
been the patch [1]  that reduced the performance, as it was what looked like the
patch that triggered the first test that saw the drop.  But, that was not a commit
from Robert, so now I’m not sure.

also, please see the Lithium re-design performance plots [2], just to be able to
compare.

Thanks,
JamO

[1]  https://git.opendaylight.org/gerrit/#/c/19638/
[2]  https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-lithium-redesign-only-master/plot/


On May 6, 2015, at 6:15 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:

I just heard that from Tony. Sorry for that.

--Colin


On Wed, May 6, 2015 at 9:11 AM, Mathieu Lemay <mlemay@...<mailto:mlemay@...>> wrote:
Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:
https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-only-master/plot/

Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...<mailto:dev@...>
https://lists.opendaylight.org/mailman/listinfo/dev




--
[http://www.inocybe.com/wp-content/uploads/2014/09/default-login-image.png]

Mathieu Lemay
President & CEO
Inocybe Technologies
1-888-445-7505<tel:1-888-445-7505>
www.inocybe.com<http://www.inocybe.com/>

_______________________________________________
integration-dev mailing list
integration-dev@...<mailto:integration-dev@...>
https://lists.opendaylight.org/mailman/listinfo/integration-dev

_______________________________________________
integration-dev mailing list
integration-dev@...
https://lists.opendaylight.org/mailman/listinfo/integration-dev

 


Re: [integration-dev] [opendaylight-dev] openflow performance regression

Luis Gomez <ecelgp@...>
 

Hi Jamo. The patch that reduced the performance is:


You could not see this clearly in the CI because projects that have branched to stable/lithium like controller or yangtools are not triggering any test in CI.

BR/Luis



On May 6, 2015, at 7:07 AM, Luhrsen, Jamo <james.luhrsen@...> wrote:

I notified openflowplugin-dev about this yesterday.  I was assuming this might have
been the patch [1]  that reduced the performance, as it was what looked like the
patch that triggered the first test that saw the drop.  But, that was not a commit
from Robert, so now I’m not sure.

also, please see the Lithium re-design performance plots [2], just to be able to
compare.

Thanks,
JamO

[1]  https://git.opendaylight.org/gerrit/#/c/19638/
[2]  https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-lithium-redesign-only-master/plot/


On May 6, 2015, at 6:15 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:

I just heard that from Tony. Sorry for that.

--Colin


On Wed, May 6, 2015 at 9:11 AM, Mathieu Lemay <mlemay@...<mailto:mlemay@...>> wrote:
Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:
https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-only-master/plot/

Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...<mailto:dev@...>
https://lists.opendaylight.org/mailman/listinfo/dev




--
[http://www.inocybe.com/wp-content/uploads/2014/09/default-login-image.png]

Mathieu Lemay
President & CEO
Inocybe Technologies
1-888-445-7505<tel:1-888-445-7505>
www.inocybe.com<http://www.inocybe.com/>

_______________________________________________
integration-dev mailing list
integration-dev@...<mailto:integration-dev@...>
https://lists.opendaylight.org/mailman/listinfo/integration-dev

_______________________________________________
integration-dev mailing list
integration-dev@...
https://lists.opendaylight.org/mailman/listinfo/integration-dev


Re: [integration-dev] [opendaylight-dev] openflow performance regression

Abhijit Kumbhare
 

Let's discuss this in the OpenFlow plugin IRC bug scrub meeting at 9 am Pacific today.

On Wed, May 6, 2015 at 7:07 AM, Luhrsen, Jamo <james.luhrsen@...> wrote:
I notified openflowplugin-dev about this yesterday.  I was assuming this might have
been the patch [1]  that reduced the performance, as it was what looked like the
patch that triggered the first test that saw the drop.  But, that was not a commit
from Robert, so now I’m not sure.

also, please see the Lithium re-design performance plots [2], just to be able to
compare.

Thanks,
JamO

[1]  https://git.opendaylight.org/gerrit/#/c/19638/
[2]  https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-lithium-redesign-only-master/plot/


On May 6, 2015, at 6:15 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:

I just heard that from Tony. Sorry for that.

--Colin


On Wed, May 6, 2015 at 9:11 AM, Mathieu Lemay <mlemay@...<mailto:mlemay@...>> wrote:
Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:
https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-only-master/plot/

Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...<mailto:dev@...>
https://lists.opendaylight.org/mailman/listinfo/dev




--
[http://www.inocybe.com/wp-content/uploads/2014/09/default-login-image.png]

Mathieu Lemay
President & CEO
Inocybe Technologies
1-888-445-7505<tel:1-888-445-7505>
www.inocybe.com<http://www.inocybe.com/>

_______________________________________________
integration-dev mailing list
integration-dev@...<mailto:integration-dev@...>
https://lists.opendaylight.org/mailman/listinfo/integration-dev

_______________________________________________
integration-dev mailing list
integration-dev@...
https://lists.opendaylight.org/mailman/listinfo/integration-dev


Re: [integration-dev] [opendaylight-dev] openflow performance regression

Luhrsen, Jamo <james.luhrsen@...>
 

I notified openflowplugin-dev about this yesterday. I was assuming this might have
been the patch [1] that reduced the performance, as it was what looked like the
patch that triggered the first test that saw the drop. But, that was not a commit
from Robert, so now I’m not sure.

also, please see the Lithium re-design performance plots [2], just to be able to
compare.

Thanks,
JamO

[1] https://git.opendaylight.org/gerrit/#/c/19638/
[2] https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-lithium-redesign-only-master/plot/

On May 6, 2015, at 6:15 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:

I just heard that from Tony. Sorry for that.

--Colin


On Wed, May 6, 2015 at 9:11 AM, Mathieu Lemay <mlemay@...<mailto:mlemay@...>> wrote:
Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...<mailto:colin@...>> wrote:
https://jenkins.opendaylight.org/releng/view/openflowplugin/job/openflowplugin-csit-1node-cds-cbench-performance-only-master/plot/

Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...<mailto:dev@...>
https://lists.opendaylight.org/mailman/listinfo/dev




--
[http://www.inocybe.com/wp-content/uploads/2014/09/default-login-image.png]

Mathieu Lemay
President & CEO
Inocybe Technologies
1-888-445-7505<tel:1-888-445-7505>
www.inocybe.com<http://www.inocybe.com/>

_______________________________________________
integration-dev mailing list
integration-dev@...<mailto:integration-dev@...>
https://lists.opendaylight.org/mailman/listinfo/integration-dev


Re: [opendaylight-dev] openflow performance regression

Colin Dixon
 

I just heard that from Tony. Sorry for that.

--Colin


On Wed, May 6, 2015 at 9:11 AM, Mathieu Lemay <mlemay@...> wrote:
Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...> wrote:
Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...
https://lists.opendaylight.org/mailman/listinfo/dev




--


Mathieu Lemay
President & CEO
Inocybe Technologies 
1-888-445-7505 


Re: [opendaylight-dev] openflow performance regression

Mathieu Lemay <mlemay@...>
 

Yes I think Robert sent out an e-mail on re-enabling notifications...

Cheers
Mathieu

On Wed, May 6, 2015 at 9:06 AM, Colin Dixon <colin@...> wrote:
Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


_______________________________________________
dev mailing list
dev@...
https://lists.opendaylight.org/mailman/listinfo/dev




--


Mathieu Lemay
President & CEO
Inocybe Technologies 
1-888-445-7505 


openflow performance regression

Colin Dixon
 

Sometime around 19 hours ago it looks like our performance went off a cliff from ~100k flows per second to ~20k flows per second...

--Colin


Queue usage

Anton Ivanov
 

Hi all,

I was going through the source and I noted something.

We continuously declare queues as blocking while never using the fact that they can block. We effectively use blocking queues as non-blocking.

First of all, am I missing something here? If not - we can improve on what we have at present by either using blocking or using some standard coding paterns for non-blocking.

The improvement is not great ~ 3%, but IMHO it is still being limited somewhere else so it may be more (if we manage to find where the big performance wall is which masks most attempts at performance improvement):

Example:

/exports/src/ODL-instructions/openflowjava/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/connection/ChannelOutboundQueue.java

This enqueues by default, instantiates a flush thread if there is something enqueued and lets the thread lapse after that. There are two ways of improving on it:

1. Do not enqueue at all if the channel is writeable and the queue is empty - immediate 3% improvement in latency right there. This is the fast/slow or cut-through/queue pattern which is quite common across the packet processing world. Nearly everyone uses it and it works.

2. Do not try to synchronize the flusher and do not let it lapse. If the flush thread has been launched, we can use Queue.take() inside the flusher which will block and wait for an element to become available (hopefully in a reasonably efficient manner - I have not looked at the java implementation). I need to get my head around on how to organize the cooperation of netty write() in blocking so that we do not check channel.writeable() unless it is necessary, but that is also doable. The end result will use less locking, less synchronization and most importantly less invocations of execute() - so it should be more efficient than the current implementation.

A.

P.S.

IMHO there are other places (in the plugin itself) which can benefit from similar improvements. None of these by itself is a lot (a few percent each), however I hope that as we look through them we will finally find the culprit for the overall slowliness.

A.


Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Michal Polkorab
 

Those are great news! Now you can test whatever you want.

Thank you for your patience Ashok.
Michal

________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 26 April 2015 13:09
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal. It worked now after installing odl-l2switch-all.

-
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 5:09 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

It is l2switch project that installs all needed flow rules onto all connected switches. So you should start the l2switch project (for example odl-l2switch-all), wait till it starts and then connect your devices. After a short while it should install needed flows and then you can try pingall command - which should succeed now.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 15:25
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I am not able to use my device now and it is not pinging between two hosts h1 and h2 :(. My task is to establish a TLS connection between controller and switch and do ping tests between the hosts. But I am not able to do it now. Will there be any other problem ?

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 4:16 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

one reason that comes to my mind might be that your device doesn't support version bitmap (which is added in OF v1.3) or it might be a problem related to the reconnect that occurs. But I guess you can use your device as you wish since you don't see more warn / error logs.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 15:11
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I checked now with port 8181. Now I got the response as shown below. It showed the node id's and so the device is in controller datastore. But still we are getting OFPBRC_BAD_TYPE error reply. Will there be any other reason ?


Part of Response:

<node>
<id>openflow:1</id>
<node-connector>
<id>openflow:1:LOCAL</id>
<flow-capable-node-connector-statistics
xmlns="urn:opendaylight:port:statistics">
<transmit-errors>0</transmit-errors>
<bytes>
<received>648</received>
<transmitted>1196</transmitted>
</bytes>


Thanks
Ashok
________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 3:44 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

We need to update the wiki page: please use the http://<controller-ip>:8181/restconf/operational/opendaylight-inventory:nodes/ (just change the port from 8080 to 8181) and make sure one of the next features is installed on you karaf container: odl-restconf, odl-restconf-noauth, odl-restconf-all.

But I believe that it works - otherwise you wouldn't see the device in the ODL GUI.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 14:34
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I tried checking whether the device is in controller store but through the restconf I didnt get any response as attached snapshot. But in the controller gui I am able to find that my switch (openflow:1) is connected to controller (Attached the snapshot).


Additionally I am getting below exception in karaf. Could you check whether this exception is related to my error?. Will there be any other reason for these OFPBRC_BAD_TYPE error reply so that I could check that also?


ERROR:

opendaylight-user@root>Exception in thread "Thread-44" java.util.concurrent.RejectedExecutionException: Task org.opendaylight.openflowplugin.openflow.md.core.HandshakeStepWrapper@596c1ed3 rejected from org.opendaylight.openflowplugin.openflow.md.core.ThreadPoolLoggingExecutor@495bdc82[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]
at java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2048)
at java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:821)
at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1372)
at org.opendaylight.openflowplugin.openflow.md.core.ConnectionConductorImpl.onConnectionReady(ConnectionConductorImpl.java:419)
at org.opendaylight.openflowjava.protocol.impl.connection.ConnectionAdapterImpl$3.run(ConnectionAdapterImpl.java:467)
at java.lang.Thread.run(Thread.java:745)


Thanks
Ashok

______________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 2:17 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I must repeat myself - it looks that your setup works (although I still don't get why there is 2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message log in your virtual switch).

The best idea would be to test if the device is in controller datastore. Please follow the step from this wiki page: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin::End_to_End_Inventory (using GET http method).
If you see something like <node> in the reply, controller communicates with your device.

Regards,
Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 23 April 2015 18:16
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for checking my issue. I have attached full karaf logs that is generated while trying TLS connection between switch and controller.

Could you please check these logs are sufficient ?

If not, could you please tell the commands for collecting karaf logs in verbose mode, so that I could collect logs using that command and send you for deeper analysis.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Thursday, April 23, 2015 5:48 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

based on your logs - it looks like your setup works. Let me explain:

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
- signals that you successfully managed to configure controller (openflowjava) with TLS configuration, but you connected device which doesn't support TLS (or with no TLS set).

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection.
- device is being disconnected because it doesn't support TLS (and it must when TLS is enabled)

2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633
2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
- device reconnects

2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
- device successfully sent hello message to the controller and it was successfully decoded

2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features
2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features
- signals further communication - it looks like you connected device in OF v1.0 mode and that's why it doesn't support meter and group features

2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message
- looks like the device successfully connected but for some unknown reason it can't process Hello message sent from controller


Do you see any other logs (in controller console) after those you sent ?

Regards,
Michal Polkorab
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 23 April 2015 15:22
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am getting following error while establishing a TLS connection between controller and openvswitch. Open switch throws error as "OFPBRC_BAD_TYPE error reply to OFPT_HELLO message" whereas controller throws error as "Not an TLS record exception - please verify TLS configuration" though I followed all configuration steps as mentioned in the Wiki link. https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Could anyone help me in resolving this issue?

Note: I have openvswitch and opendaylight controller in same machine and so I am trying to connect ssl:127.0.0.1:6633 from switch.


Error at openvswitch:

2015-04-23T12:28:06.539Z|00920|bridge|INFO|bridge s1: added interface s1 on port 65534
2015-04-23T12:28:06.539Z|00921|bridge|INFO|bridge s1: using datapath ID 0000f644e1d6d148
2015-04-23T12:28:06.539Z|00922|connmgr|INFO|s1: added service controller "punix:/var/run/openvswitch/s1.mgmt"
2015-04-23T12:28:06.544Z|00923|bridge|INFO|bridge s1: using datapath ID 0000000000000001
2015-04-23T12:28:06.554Z|00924|bridge|INFO|bridge s1: added interface s1-eth1 on port 1
2015-04-23T12:28:06.559Z|00925|bridge|INFO|bridge s1: added interface s1-eth2 on port 2
2015-04-23T12:28:06.563Z|00926|connmgr|INFO|s1: added primary controller "tcp:127.0.0.1:6633"
2015-04-23T12:28:06.563Z|00927|rconn|INFO|s1<->tcp:127.0.0.1:6633: connecting...
2015-04-23T12:28:06.568Z|00928|rconn|INFO|s1<->tcp:127.0.0.1:6633: connection failed (Connection reset by peer)
2015-04-23T12:28:06.572Z|00929|connmgr|INFO|s1: added primary controller "ssl:127.0.0.1:6633"
2015-04-23T12:28:06.572Z|00930|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-23T12:28:06.572Z|00931|connmgr|INFO|s1: removed primary controller "tcp:127.0.0.1:6633"
2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message


Error at controller:


2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55745 --> :6633
2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,388 | WARN | entLoopGroup-8-5 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found
2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55746 --> :6633
2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection.
2015-04-23 15:28:06,568 | WARN | entLoopGroup-8-6 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found
2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633
2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features
2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features


Thanks
Ashok
________________________________________
From: Rajendran Ashok
Sent: Wednesday, April 22, 2015 8:27 PM
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I tried the same by updating java.security file but still I am getting below SSL error while connecting to controller through TLS. Could you send me your config file so that I could check mine ?


Log with error:

2015-04-21T21:55:54.703Z|00231|rconn|INFO|s1<->ssl:127.0.0.1:6633: waiting 4 seconds before reconnect
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close


Note: I have openvswitch and opendaylight controller in same machine and so I am trying to connect ssl:127.0.0.1:6633 from switch.


Steps followed by me:


Step 1:

I commented this line in java.security file in controller host.

"security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

Step 2:

In my mininet host, that is openvswitch , I executed below commands. Then I got following six files, ctl-cert.pem, ctl-privkey.pem, ctl-req.pem, sc-cert.pem, sc-privkey.pem, sc-req.pem

sudo ovs-pki req+sign sc switch
sudo ovs-pki req+sign ctl controller

step 3:

Then I prepared the keystore with below commands

sudo openssl pkcs12 -export -in ctl-cert.pem -inkey ctl-privkey.pem \
-out ctl.p12 -name odlserver \
-CAfile /var/lib/openvswitch/pki/controllerca/cacert.pem -caname root -chain

step 4:

Then using these 2 files, created ctl.jks and truststore.jks with below commands respectively

keytool -importkeystore \
-deststorepass opendaylight -destkeypass opendaylight -destkeystore ctl.jks \
-srckeystore ctl.p12 -srcstoretype PKCS12 -srcstorepass opendaylight \
-alias odlserver

keytool -importcert -file sc-cert.pem -keystore truststore.jks -storepass opendaylight


step 5:

Then copied these 2 files - ctl.jks and truststore.jks in the below path and modified config file - 42-openflowplugin.xml as below

etc/opendaylight/karaf/ssl


42-openflowplugin.xml:


<name>openflow-switch-connection-provider-default-impl</name>
<port>6633</port>
<!-- Possible transport-protocol options: TCP, TLS, UDP -->
<transport-protocol>TLS</transport-protocol>
<switch-idle-timeout>15000</switch-idle-timeout>
<tls>
<keystore>ssl/ctl.jks</keystore>
<keystore-type>JKS</keystore-type>
<keystore-path-type>PATH</keystore-path-type>
<keystore-password>opendaylight</keystore-password>
<truststore>ssl/truststore.jks</truststore>
<truststore-type>JKS</truststore-type>
<truststore-path-type>PATH</truststore-path-type>
<truststore-password>opendaylight</truststore-password>
<certificate-password>opendaylight</certificate-password>
</tls>
<!-- Exemplary thread model configuration. Uncomment <threads> tag below to adjust default thread model -->
<!-- <threads>
<boss-threads>2</boss-threads>
<worker-threads>8</worker-threads>
</threads> -->
</module>
<!-- default OF-switch-connection-provider (port 6653) -->
<module>
<type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
<name>openflow-switch-connection-provider-legacy-impl</name>
<port>6653</port>
<!-- Possible transport-protocol options: TCP, TLS, UDP -->
<transport-protocol>TLS</transport-protocol>
<switch-idle-timeout>15000</switch-idle-timeout>
<tls>
<keystore>ssl/ctl.jks</keystore>
<keystore-type>JKS</keystore-type>
<keystore-path-type>PATH</keystore-path-type>
<keystore-password>opendaylight</keystore-password>
<truststore>ssl/truststore.jks</truststore>
<truststore-type>JKS</truststore-type>
<truststore-path-type>PATH</truststore-path-type>
<truststore-password>opendaylight</truststore-password>
<certificate-password>opendaylight</certificate-password>
</tls>


step 6:

Executed below command to configure openvswitch

sudo ovs-vsctl set-ssl \
/etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem \
/var/lib/openvswitch/pki/controllerca/cacert.pem

step 7:

started mininet by executing the file ssl_switch_tests.py. I wrote below contents inside the file.

'ovs-vsctl set-controller s1 ssl:127.0.0.1:6633


After following all these steps, I got the mentioned SSL error. I have attached ovs-vswitchd.log also. Could you please help me if I am missing any steps or using wrong config file. It would be helpful for me as I am stuck in this step for long time.


Thanks
Ashok



________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 5:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I went through the tutorial and it works fine (for me). But I hit the CKR_DOMAIN_PARAMS_INVALID exception as mentioned here: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support#CKR_DOMAIN_PARAMS_INVALID_exception

So I updated the java.security according to comments and all works fine.
If you don't see the CKR_DOMAIN_PARAMS_INVALID exception please try using "log:set DEBUG org.opendaylight.openflowjava" and report back what you found.

Regards,
Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 13:19
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I created my own keys. I used this TLS version - OpenSSL 1.0.1

rajenda3@ws-32:/var/lib/openvswitch/pki/controllerca$ openssl version
OpenSSL 1.0.1 14 Mar 2012


Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 1:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

what keys do you use ? Exemplary keys (from openflowjava) or you created your own keys ? What TLS version do you use ?

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 09:59
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am trying to enable TLS connection between opendaylight controller and the switch. I followed the steps given in below link. But when I tried to establish connection now, it is showing error saying certificate verification failed and wrong version number as shown below in ovs-vswitchd.log. I checked the certificate and it has the validity. Could you please check why I am facing this error ?


link:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support


Error:
Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note:
My controller address : 192.168.56.101 which is a virtual box machine and my switch is in my local machine

Attached full ovs-vswitchd.log along this mail.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, March 31, 2015 5:07 PM
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

if you clone openflowjava repository (git clone ssh://<username>@git.opendaylight.org:29418/openflowjava or git clone https://git.opendaylight.org/gerrit/openflowjava), then you will be able to get exemplary TLS keys (located in openflowjava/openflow-protocol-impl/src/main/resources).

Regards,
Michal Polkorab
________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) <mirehak@...>
Sent: 31 March 2015 15:12
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: Re: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

fw to openflowjava-ml

________________________________________
From: Rajendran Ashok [ashok.rajendran@...]
Sent: Tuesday, March 31, 2015 00:54
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for the reply. I was following the same link for enabling TLS. In this link, it has mentioned to find the files exemplary-*.pem in this path openflowjava/openflow-protocol-impl/src/main/resources. But I am not able to find that files in that path.

Is there any steps to generate this file or am I missing any configuration ? Please help on this

EXCERPT FROM WIKI LINK:

Exemplary configuration

There is already exemplary code in configuration/initial/42-openflowplugin.xml file and also exemplary keys stored in openflowjava (src/main/resources). This exemplary code is commented, so the default is to use unsecured communication.

If you want to try TLS secured communication with your device, you need to do following steps:

* make sure that <transport-protocol> is set with TLS
* uncomment code in <tls> tags
* find exemplary-* files in openflowjava repository - under openflow-protocol-impl/src/main/resources
* copy exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem files into your device
* configure your device with provided keys (in case of openvswitch please see "Configure openvswitch SSL" part below)
* start communication

Thanks
Ashok


________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) [mirehak@...]
Sent: Monday, March 30, 2015 6:10 PM
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,
you might find this wiki useful:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Regards,
Michal

________________________________________
From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Rajendran Ashok [ashok.rajendran@...]
Sent: Monday, March 30, 2015 16:46
To: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi,

Thanks for your reply. I am able find 42-openflowplugin.xml file in the directory mentioned by you.

But now I am looking for these three files, exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem to transfer it to my mininet host. But I am not able to find it in the path mentioned in that wiki page - openflowjava/openflow-protocol-impl/src/main/resources

Where can I find these files ? Could you also mention where can I find the updated Wiki page for Helium with Karaf so that I can follow it ( As u mentioned in below mail that this wiki page is not updated for helium karaf )

Thanks
Ashok



________________________________________
From: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) [vrpolak@...]
Sent: Tuesday, March 24, 2015 5:08 PM
To: Rajendran Ashok
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok.

Helium is based on Karaf, but the wiki page
was written before that change was made.

42-openflowplugin.xml under the directory configuration/initial/
The new directory is etc/opendaylight/karaf/
but the file only appears after karaf is started
and an openflow feature is installed.

When you have your version of 42-openflowplugin.xml ready,
you can place it into etc/opendaylight/karaf/
before karaf starts, and your values will be used
instead of those from the default file.

Vratko.

-----Original Message-----
From: openflowplugin-users-bounces@... [mailto:openflowplugin-users-bounces@...] On Behalf Of Rajendran Ashok
Sent: Tuesday, March 24, 2015 3:23 PM
To: openflowplugin-users@...
Subject: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Hi All,

I am working on opendaylight controller for my assignment. I would like to enable TLS connection in my opendaylight controller and mininet switch. I followed the steps given in below link. But I am stuck at one point where I am not able to find the xml file - 42-openflowplugin.xml under the directory configuration/initial/. Is there any configuration to be done to get this file or do I need to create this file ? Could you please help me on this issue.

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Note: I downloaded opendaylight controller code from git in stable/Helium branch and built it using maven as mentioned in Wiki.

Thanks
Ashok
_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users
_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users
_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]


Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Rajendran Ashok <ashok.rajendran@...>
 

Thanks Michal. It worked now after installing odl-l2switch-all.

-
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 5:09 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

It is l2switch project that installs all needed flow rules onto all connected switches. So you should start the l2switch project (for example odl-l2switch-all), wait till it starts and then connect your devices. After a short while it should install needed flows and then you can try pingall command - which should succeed now.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 15:25
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I am not able to use my device now and it is not pinging between two hosts h1 and h2 :(. My task is to establish a TLS connection between controller and switch and do ping tests between the hosts. But I am not able to do it now. Will there be any other problem ?

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 4:16 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

one reason that comes to my mind might be that your device doesn't support version bitmap (which is added in OF v1.3) or it might be a problem related to the reconnect that occurs. But I guess you can use your device as you wish since you don't see more warn / error logs.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 15:11
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I checked now with port 8181. Now I got the response as shown below. It showed the node id's and so the device is in controller datastore. But still we are getting OFPBRC_BAD_TYPE error reply. Will there be any other reason ?


Part of Response:

<node>
<id>openflow:1</id>
<node-connector>
<id>openflow:1:LOCAL</id>
<flow-capable-node-connector-statistics
xmlns="urn:opendaylight:port:statistics">
<transmit-errors>0</transmit-errors>
<bytes>
<received>648</received>
<transmitted>1196</transmitted>
</bytes>


Thanks
Ashok
________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 3:44 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

We need to update the wiki page: please use the http://<controller-ip>:8181/restconf/operational/opendaylight-inventory:nodes/ (just change the port from 8080 to 8181) and make sure one of the next features is installed on you karaf container: odl-restconf, odl-restconf-noauth, odl-restconf-all.

But I believe that it works - otherwise you wouldn't see the device in the ODL GUI.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 14:34
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I tried checking whether the device is in controller store but through the restconf I didnt get any response as attached snapshot. But in the controller gui I am able to find that my switch (openflow:1) is connected to controller (Attached the snapshot).


Additionally I am getting below exception in karaf. Could you check whether this exception is related to my error?. Will there be any other reason for these OFPBRC_BAD_TYPE error reply so that I could check that also?


ERROR:

opendaylight-user@root>Exception in thread "Thread-44" java.util.concurrent.RejectedExecutionException: Task org.opendaylight.openflowplugin.openflow.md.core.HandshakeStepWrapper@596c1ed3 rejected from org.opendaylight.openflowplugin.openflow.md.core.ThreadPoolLoggingExecutor@495bdc82[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]
at java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2048)
at java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:821)
at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1372)
at org.opendaylight.openflowplugin.openflow.md.core.ConnectionConductorImpl.onConnectionReady(ConnectionConductorImpl.java:419)
at org.opendaylight.openflowjava.protocol.impl.connection.ConnectionAdapterImpl$3.run(ConnectionAdapterImpl.java:467)
at java.lang.Thread.run(Thread.java:745)


Thanks
Ashok

______________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 2:17 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I must repeat myself - it looks that your setup works (although I still don't get why there is 2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message log in your virtual switch).

The best idea would be to test if the device is in controller datastore. Please follow the step from this wiki page: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin::End_to_End_Inventory (using GET http method).
If you see something like <node> in the reply, controller communicates with your device.

Regards,
Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 23 April 2015 18:16
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for checking my issue. I have attached full karaf logs that is generated while trying TLS connection between switch and controller.

Could you please check these logs are sufficient ?

If not, could you please tell the commands for collecting karaf logs in verbose mode, so that I could collect logs using that command and send you for deeper analysis.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Thursday, April 23, 2015 5:48 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

based on your logs - it looks like your setup works. Let me explain:

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
- signals that you successfully managed to configure controller (openflowjava) with TLS configuration, but you connected device which doesn't support TLS (or with no TLS set).

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection.
- device is being disconnected because it doesn't support TLS (and it must when TLS is enabled)

2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633
2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
- device reconnects

2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
- device successfully sent hello message to the controller and it was successfully decoded

2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features
2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features
- signals further communication - it looks like you connected device in OF v1.0 mode and that's why it doesn't support meter and group features

2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message
- looks like the device successfully connected but for some unknown reason it can't process Hello message sent from controller


Do you see any other logs (in controller console) after those you sent ?

Regards,
Michal Polkorab
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 23 April 2015 15:22
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am getting following error while establishing a TLS connection between controller and openvswitch. Open switch throws error as "OFPBRC_BAD_TYPE error reply to OFPT_HELLO message" whereas controller throws error as "Not an TLS record exception - please verify TLS configuration" though I followed all configuration steps as mentioned in the Wiki link. https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Could anyone help me in resolving this issue?

Note: I have openvswitch and opendaylight controller in same machine and so I am trying to connect ssl:127.0.0.1:6633 from switch.


Error at openvswitch:

2015-04-23T12:28:06.539Z|00920|bridge|INFO|bridge s1: added interface s1 on port 65534
2015-04-23T12:28:06.539Z|00921|bridge|INFO|bridge s1: using datapath ID 0000f644e1d6d148
2015-04-23T12:28:06.539Z|00922|connmgr|INFO|s1: added service controller "punix:/var/run/openvswitch/s1.mgmt"
2015-04-23T12:28:06.544Z|00923|bridge|INFO|bridge s1: using datapath ID 0000000000000001
2015-04-23T12:28:06.554Z|00924|bridge|INFO|bridge s1: added interface s1-eth1 on port 1
2015-04-23T12:28:06.559Z|00925|bridge|INFO|bridge s1: added interface s1-eth2 on port 2
2015-04-23T12:28:06.563Z|00926|connmgr|INFO|s1: added primary controller "tcp:127.0.0.1:6633"
2015-04-23T12:28:06.563Z|00927|rconn|INFO|s1<->tcp:127.0.0.1:6633: connecting...
2015-04-23T12:28:06.568Z|00928|rconn|INFO|s1<->tcp:127.0.0.1:6633: connection failed (Connection reset by peer)
2015-04-23T12:28:06.572Z|00929|connmgr|INFO|s1: added primary controller "ssl:127.0.0.1:6633"
2015-04-23T12:28:06.572Z|00930|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-23T12:28:06.572Z|00931|connmgr|INFO|s1: removed primary controller "tcp:127.0.0.1:6633"
2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message


Error at controller:


2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55745 --> :6633
2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,388 | WARN | entLoopGroup-8-5 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found
2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55746 --> :6633
2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection.
2015-04-23 15:28:06,568 | WARN | entLoopGroup-8-6 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found
2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633
2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features
2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features


Thanks
Ashok
________________________________________
From: Rajendran Ashok
Sent: Wednesday, April 22, 2015 8:27 PM
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I tried the same by updating java.security file but still I am getting below SSL error while connecting to controller through TLS. Could you send me your config file so that I could check mine ?


Log with error:

2015-04-21T21:55:54.703Z|00231|rconn|INFO|s1<->ssl:127.0.0.1:6633: waiting 4 seconds before reconnect
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close


Note: I have openvswitch and opendaylight controller in same machine and so I am trying to connect ssl:127.0.0.1:6633 from switch.


Steps followed by me:


Step 1:

I commented this line in java.security file in controller host.

"security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

Step 2:

In my mininet host, that is openvswitch , I executed below commands. Then I got following six files, ctl-cert.pem, ctl-privkey.pem, ctl-req.pem, sc-cert.pem, sc-privkey.pem, sc-req.pem

sudo ovs-pki req+sign sc switch
sudo ovs-pki req+sign ctl controller

step 3:

Then I prepared the keystore with below commands

sudo openssl pkcs12 -export -in ctl-cert.pem -inkey ctl-privkey.pem \
-out ctl.p12 -name odlserver \
-CAfile /var/lib/openvswitch/pki/controllerca/cacert.pem -caname root -chain

step 4:

Then using these 2 files, created ctl.jks and truststore.jks with below commands respectively

keytool -importkeystore \
-deststorepass opendaylight -destkeypass opendaylight -destkeystore ctl.jks \
-srckeystore ctl.p12 -srcstoretype PKCS12 -srcstorepass opendaylight \
-alias odlserver

keytool -importcert -file sc-cert.pem -keystore truststore.jks -storepass opendaylight


step 5:

Then copied these 2 files - ctl.jks and truststore.jks in the below path and modified config file - 42-openflowplugin.xml as below

etc/opendaylight/karaf/ssl


42-openflowplugin.xml:


<name>openflow-switch-connection-provider-default-impl</name>
<port>6633</port>
<!-- Possible transport-protocol options: TCP, TLS, UDP -->
<transport-protocol>TLS</transport-protocol>
<switch-idle-timeout>15000</switch-idle-timeout>
<tls>
<keystore>ssl/ctl.jks</keystore>
<keystore-type>JKS</keystore-type>
<keystore-path-type>PATH</keystore-path-type>
<keystore-password>opendaylight</keystore-password>
<truststore>ssl/truststore.jks</truststore>
<truststore-type>JKS</truststore-type>
<truststore-path-type>PATH</truststore-path-type>
<truststore-password>opendaylight</truststore-password>
<certificate-password>opendaylight</certificate-password>
</tls>
<!-- Exemplary thread model configuration. Uncomment <threads> tag below to adjust default thread model -->
<!-- <threads>
<boss-threads>2</boss-threads>
<worker-threads>8</worker-threads>
</threads> -->
</module>
<!-- default OF-switch-connection-provider (port 6653) -->
<module>
<type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
<name>openflow-switch-connection-provider-legacy-impl</name>
<port>6653</port>
<!-- Possible transport-protocol options: TCP, TLS, UDP -->
<transport-protocol>TLS</transport-protocol>
<switch-idle-timeout>15000</switch-idle-timeout>
<tls>
<keystore>ssl/ctl.jks</keystore>
<keystore-type>JKS</keystore-type>
<keystore-path-type>PATH</keystore-path-type>
<keystore-password>opendaylight</keystore-password>
<truststore>ssl/truststore.jks</truststore>
<truststore-type>JKS</truststore-type>
<truststore-path-type>PATH</truststore-path-type>
<truststore-password>opendaylight</truststore-password>
<certificate-password>opendaylight</certificate-password>
</tls>


step 6:

Executed below command to configure openvswitch

sudo ovs-vsctl set-ssl \
/etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem \
/var/lib/openvswitch/pki/controllerca/cacert.pem

step 7:

started mininet by executing the file ssl_switch_tests.py. I wrote below contents inside the file.

'ovs-vsctl set-controller s1 ssl:127.0.0.1:6633


After following all these steps, I got the mentioned SSL error. I have attached ovs-vswitchd.log also. Could you please help me if I am missing any steps or using wrong config file. It would be helpful for me as I am stuck in this step for long time.


Thanks
Ashok



________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 5:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I went through the tutorial and it works fine (for me). But I hit the CKR_DOMAIN_PARAMS_INVALID exception as mentioned here: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support#CKR_DOMAIN_PARAMS_INVALID_exception

So I updated the java.security according to comments and all works fine.
If you don't see the CKR_DOMAIN_PARAMS_INVALID exception please try using "log:set DEBUG org.opendaylight.openflowjava" and report back what you found.

Regards,
Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 13:19
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I created my own keys. I used this TLS version - OpenSSL 1.0.1

rajenda3@ws-32:/var/lib/openvswitch/pki/controllerca$ openssl version
OpenSSL 1.0.1 14 Mar 2012


Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 1:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

what keys do you use ? Exemplary keys (from openflowjava) or you created your own keys ? What TLS version do you use ?

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 09:59
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am trying to enable TLS connection between opendaylight controller and the switch. I followed the steps given in below link. But when I tried to establish connection now, it is showing error saying certificate verification failed and wrong version number as shown below in ovs-vswitchd.log. I checked the certificate and it has the validity. Could you please check why I am facing this error ?


link:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support


Error:
Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note:
My controller address : 192.168.56.101 which is a virtual box machine and my switch is in my local machine

Attached full ovs-vswitchd.log along this mail.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, March 31, 2015 5:07 PM
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

if you clone openflowjava repository (git clone ssh://<username>@git.opendaylight.org:29418/openflowjava or git clone https://git.opendaylight.org/gerrit/openflowjava), then you will be able to get exemplary TLS keys (located in openflowjava/openflow-protocol-impl/src/main/resources).

Regards,
Michal Polkorab
________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) <mirehak@...>
Sent: 31 March 2015 15:12
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: Re: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

fw to openflowjava-ml

________________________________________
From: Rajendran Ashok [ashok.rajendran@...]
Sent: Tuesday, March 31, 2015 00:54
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for the reply. I was following the same link for enabling TLS. In this link, it has mentioned to find the files exemplary-*.pem in this path openflowjava/openflow-protocol-impl/src/main/resources. But I am not able to find that files in that path.

Is there any steps to generate this file or am I missing any configuration ? Please help on this

EXCERPT FROM WIKI LINK:

Exemplary configuration

There is already exemplary code in configuration/initial/42-openflowplugin.xml file and also exemplary keys stored in openflowjava (src/main/resources). This exemplary code is commented, so the default is to use unsecured communication.

If you want to try TLS secured communication with your device, you need to do following steps:

* make sure that <transport-protocol> is set with TLS
* uncomment code in <tls> tags
* find exemplary-* files in openflowjava repository - under openflow-protocol-impl/src/main/resources
* copy exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem files into your device
* configure your device with provided keys (in case of openvswitch please see "Configure openvswitch SSL" part below)
* start communication

Thanks
Ashok


________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) [mirehak@...]
Sent: Monday, March 30, 2015 6:10 PM
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,
you might find this wiki useful:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Regards,
Michal

________________________________________
From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Rajendran Ashok [ashok.rajendran@...]
Sent: Monday, March 30, 2015 16:46
To: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi,

Thanks for your reply. I am able find 42-openflowplugin.xml file in the directory mentioned by you.

But now I am looking for these three files, exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem to transfer it to my mininet host. But I am not able to find it in the path mentioned in that wiki page - openflowjava/openflow-protocol-impl/src/main/resources

Where can I find these files ? Could you also mention where can I find the updated Wiki page for Helium with Karaf so that I can follow it ( As u mentioned in below mail that this wiki page is not updated for helium karaf )

Thanks
Ashok



________________________________________
From: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) [vrpolak@...]
Sent: Tuesday, March 24, 2015 5:08 PM
To: Rajendran Ashok
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok.

Helium is based on Karaf, but the wiki page
was written before that change was made.

42-openflowplugin.xml under the directory configuration/initial/
The new directory is etc/opendaylight/karaf/
but the file only appears after karaf is started
and an openflow feature is installed.

When you have your version of 42-openflowplugin.xml ready,
you can place it into etc/opendaylight/karaf/
before karaf starts, and your values will be used
instead of those from the default file.

Vratko.

-----Original Message-----
From: openflowplugin-users-bounces@... [mailto:openflowplugin-users-bounces@...] On Behalf Of Rajendran Ashok
Sent: Tuesday, March 24, 2015 3:23 PM
To: openflowplugin-users@...
Subject: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Hi All,

I am working on opendaylight controller for my assignment. I would like to enable TLS connection in my opendaylight controller and mininet switch. I followed the steps given in below link. But I am stuck at one point where I am not able to find the xml file - 42-openflowplugin.xml under the directory configuration/initial/. Is there any configuration to be done to get this file or do I need to create this file ? Could you please help me on this issue.

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Note: I downloaded opendaylight controller code from git in stable/Helium branch and built it using maven as mentioned in Wiki.

Thanks
Ashok
_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users
_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users
_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]
MichalPolkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
[logo]

361 - 380 of 861