Revert "Re-enabled TLS netty"

This reverts commit 1a37866929ca05acba71cdadad87dd563b6064dd. Change-Id: I04cdfe02f70b608b1951c4dee38cb4e345f198d5
2025-10-15 09:21:06 +02:00 · 2018-12-19 14:03:17 -08:00 · 2018-12-19 14:03:17 -08:00 · fb503a7416
commit fb503a7416
parent 82ccf06880
10 changed files with 56 additions and 127 deletions
--- a/core/store/dist/BUILD
+++ b/core/store/dist/BUILD
@ -3,10 +3,10 @@ COMPILE_DEPS = CORE_DEPS + NETTY + JACKSON + KRYO + [
    "//utils/rest:onlab-rest",
    "//core/store/serializers:onos-core-serializers",
    "@io_netty_netty_transport//jar",
-    "@io_netty_netty_transport_native_epoll//jar",
-    "@io_netty_netty_transport_native_unix_common//jar",
    "@io_netty_netty_codec//jar",
    "@io_netty_netty_handler//jar",
+    "@io_netty_netty_transport_native_epoll//jar",
+    "@io_netty_netty_transport_native_unix_common//jar",
    "@io_netty_netty_resolver//jar",
    "@commons_math3//jar",
 ]
--- a/lib/deps.json
+++ b/lib/deps.json
@ -251,7 +251,6 @@
    "io_netty_netty_common": "mvn:io.netty:netty-common:4.1.27.Final",
    "io_netty_netty_handler": "mvn:io.netty:netty-handler:4.1.27.Final",
    "io_netty_netty_handler_proxy": "mvn:io.netty:netty-handler-proxy:4.1.27.Final",
-    "io_netty_netty_tcnative_boringssl": "mvn:io.netty:netty-tcnative-boringssl-static:2.0.12.Final",
    "io_netty_netty_transport": "mvn:io.netty:netty-transport:4.1.27.Final",
    "io_netty_netty_transport_native_unix_common": "mvn:io.netty:netty-transport-native-unix-common:4.1.27.Final",
    "io_netty_netty_transport-native-epoll": "mvn:io.netty:netty-transport-native-epoll:4.1.27.Final",
--- a/protocols/grpc/BUILD
+++ b/protocols/grpc/BUILD
@ -18,6 +18,18 @@ BUNDLES = [
    "@io_opencensus_opencensus_api//jar",
    "@io_opencensus_opencensus_contrib_grpc_metrics//jar",
    "@com_google_code_gson_gson//jar",
+    # Lazily adding all netty-related packages.
+    # Some of them might not be necessary.
+    "@io_netty_netty//jar",
+    "@io_netty_netty_buffer//jar",
+    "@io_netty_netty_codec//jar",
+    "@io_netty_netty_codec_http//jar",
+    "@io_netty_netty_codec_http2//jar",
+    "@io_netty_netty_common//jar",
+    "@io_netty_netty_handler//jar",
+    "@io_netty_netty_transport//jar",
+    "@io_netty_netty_transport_native_epoll//jar",
+    "@io_netty_netty_resolver//jar",
 ]

 onos_app(
--- a/protocols/grpc/ctl/BUILD
+++ b/protocols/grpc/ctl/BUILD
@ -3,7 +3,6 @@ COMPILE_DEPS = CORE_DEPS + [
    "//protocols/grpc/proto:onos-protocols-grpc-proto",
    "@io_grpc_grpc_java//core",
    "@io_grpc_grpc_java//netty",
-    "@io_netty_netty_handler//jar",
 ]

 osgi_jar(
--- a/protocols/grpc/ctl/src/main/java/org/onosproject/grpc/ctl/AbstractGrpcClientController.java
+++ b/protocols/grpc/ctl/src/main/java/org/onosproject/grpc/ctl/AbstractGrpcClientController.java
@ -19,12 +19,8 @@ package org.onosproject.grpc.ctl;
 import com.google.common.collect.Maps;
 import com.google.common.util.concurrent.Striped;
 import io.grpc.ManagedChannel;
-import io.grpc.StatusRuntimeException;
-import io.grpc.netty.GrpcSslContexts;
+import io.grpc.ManagedChannelBuilder;
 import io.grpc.netty.NettyChannelBuilder;
-import io.netty.handler.ssl.NotSslRecordException;
-import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import org.onosproject.event.AbstractListenerManager;
 import org.onosproject.event.Event;
 import org.onosproject.event.EventListener;
@ -40,7 +36,6 @@ import org.osgi.service.component.annotations.Reference;
 import org.osgi.service.component.annotations.ReferenceCardinality;
 import org.slf4j.Logger;

-import javax.net.ssl.SSLException;
 import java.util.Map;
 import java.util.concurrent.locks.Lock;
 import java.util.function.Supplier;
@ -96,18 +91,14 @@ public abstract class AbstractGrpcClientController
    @Override
    public boolean createClient(K clientKey) {
        checkNotNull(clientKey);
-        /*
-            FIXME we might want to move "useTls" and "fallback" to properties of the netcfg and clientKey
-                  For now, we will first try to connect with TLS (accepting any cert), then fall back to
-                  plaintext for every device
-         */
-        return withDeviceLock(() -> doCreateClient(clientKey, true, true), clientKey.deviceId());
+        return withDeviceLock(() -> doCreateClient(clientKey), clientKey.deviceId());
    }

-    private boolean doCreateClient(K clientKey, boolean useTls, boolean fallbackToPlainText) {
-        final DeviceId deviceId = clientKey.deviceId();
-        final String serverAddr = clientKey.serverAddr();
-        final int serverPort = clientKey.serverPort();
+
+    private boolean doCreateClient(K clientKey) {
+        DeviceId deviceId = clientKey.deviceId();
+        String serverAddr = clientKey.serverAddr();
+        int serverPort = clientKey.serverPort();

        if (clientKeys.containsKey(deviceId)) {
            final GrpcClientKey existingKey = clientKeys.get(deviceId);
@ -122,69 +113,18 @@ public abstract class AbstractGrpcClientController
            }
        }

-        log.info("Creating new {}... (key={}, useTls={}, fallbackToPlainText={})",
-                 clientName(clientKey), clientKey, useTls,
-                 fallbackToPlainText);
-
-        final GrpcChannelId channelId = GrpcChannelId.of(
-                clientKey.deviceId(), clientKey.toString());
-        final NettyChannelBuilder channelBuilder = NettyChannelBuilder
+        log.info("Creating client for {} (server={}:{})...",
+                deviceId, serverAddr, serverPort);
+        GrpcChannelId channelId = GrpcChannelId.of(clientKey.deviceId(), clientKey.toString());
+        ManagedChannelBuilder channelBuilder = NettyChannelBuilder
                .forAddress(serverAddr, serverPort)
-                .maxInboundMessageSize(DEFAULT_MAX_INBOUND_MSG_SIZE * MEGABYTES);
-
-        if (useTls) {
-            // FIXME: logic to create/manage SSL properties of a channel builder
-            //  should belong to the GrpcChannelController.
-            log.debug("Using SSL for {}", clientName(clientKey), deviceId);
-            final SslContext sslContext;
-            try {
-                // Accept any server certificate; this is insecure and should
-                // not be used in production
-                sslContext = GrpcSslContexts.forClient()
-                        .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                        .build();
-            } catch (SSLException e) {
-                log.error("Failed to build SSL context for {}", clientName(clientKey), e);
-                return false;
-            }
-            channelBuilder
-                    .sslContext(sslContext)
-                    .useTransportSecurity();
-        } else {
-            log.debug("Using plaintext TCP for {}", clientName(clientKey));
-            channelBuilder.usePlaintext();
-        }
+                .maxInboundMessageSize(DEFAULT_MAX_INBOUND_MSG_SIZE * MEGABYTES)
+                .usePlaintext();

        final ManagedChannel channel;
-        try {
-            channel = grpcChannelController.connectChannel(channelId, channelBuilder);
-        } catch (Throwable e) {
-            for (Throwable cause = e; cause != null; cause = cause.getCause()) {
-                if (useTls && cause instanceof NotSslRecordException) {
-                    // Likely root cause is that server is using plaintext
-                    log.warn("Failed to connect {} using TLS", clientName(clientKey));
-                    log.debug("TLS connection exception", e);
-                    if (fallbackToPlainText) {
-                        log.info("Falling back to plaintext TCP for {}", clientName(clientKey));
-                        return doCreateClient(clientKey, false, false);
-                    }
-                }
-                if (!useTls && "Connection reset by peer".equals(cause.getMessage())) {
-                    // Not a great signal, but could indicate the server is expected a TLS connection
-                    log.warn("Failed to connect {} using plaintext TCP; " +
-                                     "is the server using TLS?",
-                             clientName(clientKey));
-                    break;
-                }
-            }
-            if (e instanceof StatusRuntimeException) {
-                log.warn("Unable to connect {}: {}", clientName(clientKey), e.getMessage());
-                log.debug("Connection exception", e);
-            } else {
-                log.error("Exception while connecting {}", clientName(clientKey), e);
-            }
-            return false;
-        }
+
+        channel = grpcChannelController.connectChannel(channelId, channelBuilder);
+

        final C client;
        try {
--- a/tools/build/bazel/generate_workspace.bzl
+++ b/tools/build/bazel/generate_workspace.bzl
@ -1,4 +1,4 @@
-# ***** This file was auto-generated at Tue, 18 Dec 2018 21:54:15 GMT. Do not edit this file manually. *****
+# ***** This file was auto-generated at Wed, 19 Dec 2018 17:57:55 GMT. Do not edit this file manually. *****
 # ***** Use onos-lib-gen *****

 load("//tools/build/bazel:variables.bzl", "ONOS_GROUP_ID", "ONOS_VERSION")
@ -771,12 +771,6 @@ def generated_maven_jars():
            jar_sha256 = "84b00dd1cd25a99b88bd598577825b4be9ad592e2d78b08bd703e7e999fe3498",
            licenses = ["notice"],
            jar_urls = ["http://repo1.maven.org/maven2/io/netty/netty-handler-proxy/4.1.27.Final/netty-handler-proxy-4.1.27.Final.jar"],        )
-    if "io_netty_netty_tcnative_boringssl" not in native.existing_rules():
-        java_import_external(
-            name = "io_netty_netty_tcnative_boringssl",
-            jar_sha256 = "3df756e569504137e90ff368c2fe09f1f953efeddb717d47ed391dfa6ba8b7e3",
-            licenses = ["notice"],
-            jar_urls = ["http://repo1.maven.org/maven2/io/netty/netty-tcnative-boringssl-static/2.0.12.Final/netty-tcnative-boringssl-static-2.0.12.Final.jar"],        )
    if "io_netty_netty_transport" not in native.existing_rules():
        java_import_external(
            name = "io_netty_netty_transport",
@ -1525,7 +1519,6 @@ artifact_map["@io_netty_netty_codec//:io_netty_netty_codec"] = "mvn:io.netty:net
 artifact_map["@io_netty_netty_common//:io_netty_netty_common"] = "mvn:io.netty:netty-common:jar:4.1.27.Final"
 artifact_map["@io_netty_netty_handler//:io_netty_netty_handler"] = "mvn:io.netty:netty-handler:jar:4.1.27.Final"
 artifact_map["@io_netty_netty_handler_proxy//:io_netty_netty_handler_proxy"] = "mvn:io.netty:netty-handler-proxy:jar:4.1.27.Final"
-artifact_map["@io_netty_netty_tcnative_boringssl//:io_netty_netty_tcnative_boringssl"] = "mvn:io.netty:netty-tcnative-boringssl-static:jar:2.0.12.Final"
 artifact_map["@io_netty_netty_transport//:io_netty_netty_transport"] = "mvn:io.netty:netty-transport:jar:4.1.27.Final"
 artifact_map["@io_netty_netty_transport_native_unix_common//:io_netty_netty_transport_native_unix_common"] = "mvn:io.netty:netty-transport-native-unix-common:jar:4.1.27.Final"
 artifact_map["@io_netty_netty_transport_native_epoll//:io_netty_netty_transport_native_epoll"] = "mvn:io.netty:netty-transport-native-epoll:jar:4.1.27.Final"
--- a/tools/build/bazel/modules.bzl
+++ b/tools/build/bazel/modules.bzl
@ -299,7 +299,6 @@ APP_JARS = [
 ]

 FEATURES = [
-    "//tools/package/features:onos-netty",
    "//tools/package/features:onos-thirdparty-base",
    "//tools/package/features:onos-thirdparty-web",
    "//tools/package/features:onos-api",
--- a/tools/package/etc/org.apache.karaf.features.cfg
+++ b/tools/package/etc/org.apache.karaf.features.cfg
@ -30,24 +30,22 @@ featuresRepositories = \

 #
 # Comma separated list of features to install at startup
-# Groups of features within parens are brought up in parallel
-# Groups of features are brought up sequentially
-# Features without a paren group are assigned to an implicit paren group that ends when the next paren is found
 #
 featuresBoot = \
-    (instance/4.2.1, \
-     package/4.2.1, \
-     log/4.2.1, \
-     framework/4.2.1, \
-     system/4.2.1, \
-     eventadmin/4.2.1, \
-     feature/4.2.1, \
-     shell/4.2.1, \
-     management/4.2.1, \
-     service/4.2.1, \
-     jaas/4.2.1, \
-     deployer/4.2.1, \
-     diagnostic/4.2.1), \
+    instance/4.2.1, \
+    package/4.2.1, \
+    log/4.2.1, \
+    ssh/4.2.1, \
+    framework/4.2.1, \
+    system/4.2.1, \
+    eventadmin/4.2.1, \
+    feature/4.2.1, \
+    shell/4.2.1, \
+    management/4.2.1, \
+    service/4.2.1, \
+    jaas/4.2.1, \
+    deployer/4.2.1, \
+    diagnostic/4.2.1, \
    (wrap/2.5.4), \
    (bundle/4.2.1, \
     config/4.2.1, \
--- a/tools/package/features/BUILD
+++ b/tools/package/features/BUILD
@ -7,27 +7,6 @@ osgi_feature_repo(
    visibility = ["//visibility:public"],
 )

-osgi_feature(
-    name = "onos-netty",
-    description = "ONOS Netty dependencies",
-    included_bundles = [
-        "@io_netty_netty//jar",
-        "@io_netty_netty_common//jar",
-        "@io_netty_netty_buffer//jar",
-        "@io_netty_netty_handler//jar",
-        "@io_netty_netty_tcnative_boringssl//jar",
-        "@io_netty_netty_codec//jar",
-        "@io_netty_netty_codec_http//jar",
-        "@io_netty_netty_codec_http2//jar",
-        "@io_netty_netty_transport//jar",
-        "@io_netty_netty_transport_native_epoll//jar",
-        "@io_netty_netty_transport_native_unix_common//jar",
-        "@io_netty_netty_resolver//jar",
-    ],
-    required_features = [],
-    visibility = ["//visibility:public"],
-)
-
 osgi_feature(
    name = "onos-thirdparty-base",
    description = "ONOS 3rd party dependencies",
@ -38,6 +17,15 @@ osgi_feature(
        "@commons_codec//jar",
        "@commons_configuration//jar",
        "@com_google_guava_guava//jar",
+        "@io_netty_netty//jar",
+        "@io_netty_netty_common//jar",
+        "@io_netty_netty_buffer//jar",
+        "@io_netty_netty_transport//jar",
+        "@io_netty_netty_handler//jar",
+        "@io_netty_netty_codec//jar",
+        "@io_netty_netty_transport_native_epoll//jar",
+        "@io_netty_netty_transport_native_unix_common//jar",
+        "@io_netty_netty_resolver//jar",
        "@commons_pool//jar",
        "@commons_math3//jar",
        "@joda_time//jar",
@ -65,7 +53,7 @@ osgi_feature(
        "@org_osgi_util_function//jar",
        "@org_osgi_util_promise//jar",
    ],
-    required_features = ["onos-netty"],
+    required_features = [],
    visibility = ["//visibility:public"],
 )

--- a/tools/test/bin/onos-check-logs
+++ b/tools/test/bin/onos-check-logs
@ -110,6 +110,7 @@ else
            # Sanctioned exclusions for exceptions in third-party code; one pattern per exclusion
            /at org\.apache\.felix\.scr\.impl\.ComponentRegistry\.getComponentHolders\(ComponentRegistry\.java:356\)/ { exclusion = 1; }
            /at org\.apache\.karaf\.service\.guard\.impl\.GuardProxyCatalog.1.run\(GuardProxyCatalog\.java:253\)/ { exclusion = 1; }
+            /at org\.apache\.sshd\.server\.SshServer\.start/ { exclusion = 1; }

        END { exit fail; }
        ' > $aux