Some errors you could face when configuring SSL encryption between your Floodlight controller and Openvswitch

Hi there!
Floodlight controller’s documentation provides an awesome article explaining how to use SSL to encrypt OpenFlow connections between your Floodlight controller and your Openvswitch virtual switches. Please read it; it helped me to continue with my current Floodlight testing.

If you follow the steps provided, you shouldn’t find any problem… however, sometimes we read too fast or forget something important and things don’t work as expected :-D. Just in case, I’ve compiled some problems and solutions I found when configuring SSL to secure OpenFlow communication.

Problem #1: Unknown wire version: 22

In your Floodlight controller’s log (e.g. /var/log/floodlight/floodlight.log) you may find the following message:

ERROR [New I/O worker #12] n.f.c.i.OFChannelHandler [OFChannelHandler.java:731] Illegal argument exception with switch [? from …]. java.lang.IllegalArgumentException: Unknown wire version: 22

Solution: Well… have you added/edited the following line in your floodlightdefault.properties file?

net.floodlightcontroller.core.internal.OFSwitchManager.useSsl=YES

Try adding that and restart your controller…

Problem #2: Exception initializing SSL OpenFlow socket: /path/to/your/keystore-file.jks (No such file or directory)

Solution: That’s an easy one! Have you specified where your keystore file is?

Please make sure you set the keystore location and password in your floodlightdefault.properties configuration file by changing these lines:

net.floodlightcontroller.core.internal.OFSwitchManager.keyStorePath=/path/to/your/keystore-file.jks
net.floodlightcontroller.core.internal.OFSwitchManager.keyStorePassword=your-keystore-password

Problem #3: Exception initializing SSL OpenFlow socket: /path/to/your/keystore-file.jks (No such file or directory)

Solution: Have you added (imported) into the keystore the private key associated with the public certificate used by your Floodlight controller?
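Problem #3 is the one you cannot spot by reading the properties file. As an added check (not part of the original post, and not Floodlight’s own code), this parser walks the entry table of a JKS keystore and counts its private-key entries; the two sample keystores below are constructed here with fake DER payloads so the check runs offline.

```python
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2


def jks_private_key_count(data):
    """Walk the entries of a version-2 JKS keystore and count its PrivateKeyEntry items.
    Only the entry layout is parsed; the trailing integrity digest is not verified."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore (JCEKS/PKCS12 are not handled here)")
    pos, private_keys = 12, 0

    def skip(fmt):  # skip one length-prefixed field: ">H" for writeUTF strings, ">I" for byte blobs
        nonlocal pos
        (n,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt) + n

    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        skip(">H")          # alias
        pos += 8            # creation timestamp (ms since epoch)
        if tag == PRIVATE_KEY_TAG:
            private_keys += 1
            skip(">I")      # password-protected private key blob
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                skip(">H")  # certificate type, e.g. "X.509"
                skip(">I")  # DER bytes of the certificate
        elif tag == TRUSTED_CERT_TAG:
            skip(">H")
            skip(">I")
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return private_keys


# Constructed sample keystores with fake DER payloads, for running the check offline.
def utf_field(s): return struct.pack(">H", len(s)) + s
def blob_field(b): return struct.pack(">I", len(b)) + b
FAKE_CERT = b"\x30\x03\x02\x01\x00"
CA_ENTRY = struct.pack(">I", TRUSTED_CERT_TAG) + utf_field(b"ca") + bytes(8) + utf_field(b"X.509") + blob_field(FAKE_CERT)
KEY_ENTRY = (struct.pack(">I", PRIVATE_KEY_TAG) + utf_field(b"floodlight") + bytes(8) + blob_field(b"\x30\x00")
             + struct.pack(">I", 1) + utf_field(b"X.509") + blob_field(FAKE_CERT))
DIGEST = bytes(20)  # trailing SHA-1 integrity digest, zeroed in these samples
CERT_ONLY_JKS = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 1) + CA_ENTRY + DIGEST      # the Problem #3 situation
FULL_JKS = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 2) + CA_ENTRY + KEY_ENTRY + DIGEST
```

Against a real file, call jks_private_key_count(open(path, "rb").read()) on your keyStorePath; a result of 0 is what Problem #3 looks like, and keytool -list on the same file will show only trustedCertEntry lines.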

Problem #4: Disconnecting switch due to message parse failure

If you find a message like “Disconnecting switch [? from X.X.X:X:Y] due to message parse failure org.projectfloodlight.openflow.exceptions.OFParseError: Wrong length: Expected=8(8), got=16”, Openvswitch and Floodlight may not be speaking the same OpenFlow protocol version.

You can force the OpenFlow protocol version used by an Openvswitch bridge with the following ovs-vsctl command applied to your bridge (e.g. I have a bridge named ovs-mgmt0):

ovs-vsctl set Bridge ovs-mgmt0 protocols=OpenFlow13
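Problems #1 and #4 both come from the first bytes the controller reads on a new connection. As an added illustration (not from the original post, and not Floodlight’s decoder), this parser reads the 8-byte OpenFlow header the way a controller does: the first byte of a TLS ClientHello is 0x16, decimal 22, so a plaintext-only decoder reports it as wire version 22, and a hello that carries an OFPHET_VERSIONBITMAP element is 16 bytes where a plain hello is 8. The sample messages are constructed here.

```python
import struct

OF_VERSIONS = {1: "1.0", 2: "1.1", 3: "1.2", 4: "1.3", 5: "1.4", 6: "1.5"}  # wire byte -> version
TLS_HANDSHAKE = 0x16      # TLS record content type "handshake": decimal 22
OFPT_HELLO = 0
OFPHET_VERSIONBITMAP = 1  # hello element carrying a bitmap of supported versions (OF1.3.1+)


def hello_versions(header_version, body):
    """Versions an OFPT_HELLO offers: the header version plus any OFPHET_VERSIONBITMAP element."""
    offered = {OF_VERSIONS[header_version]}
    pos = 0
    while pos + 4 <= len(body):
        elem_type, elem_len = struct.unpack_from(">HH", body, pos)
        if elem_type == OFPHET_VERSIONBITMAP and elem_len >= 8:
            (bitmap,) = struct.unpack_from(">I", body, pos + 4)  # first 32-bit word: bit n = wire version n
            offered |= {name for wire, name in OF_VERSIONS.items() if bitmap & (1 << wire)}
        pos += (max(elem_len, 4) + 7) // 8 * 8                   # elements are padded to 8 bytes
    return sorted(offered)


def classify_first_bytes(data):
    """Interpret the first bytes a controller reads on a freshly accepted switch connection."""
    if len(data) < 8:
        return {"kind": "short"}
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        # A TLS ClientHello: a plaintext OpenFlow decoder takes 0x16 as the version byte (22).
        return {"kind": "tls", "wire_version_seen": data[0]}
    version, msg_type, length, xid = struct.unpack_from(">BBHI", data, 0)
    if version not in OF_VERSIONS:
        return {"kind": "unknown", "wire_version_seen": version}
    info = {"kind": "openflow", "version": OF_VERSIONS[version], "type": msg_type, "length": length, "xid": xid}
    if msg_type == OFPT_HELLO:
        info["offered"] = hello_versions(version, data[8:length])
    return info


# Constructed samples: what the controller would read from each kind of peer.
OF10_HELLO = bytes([0x01, OFPT_HELLO, 0x00, 0x08, 0, 0, 0, 1])                      # 8-byte hello
OF13_HELLO = (bytes([0x04, OFPT_HELLO, 0x00, 0x10, 0, 0, 0, 1])                     # 16-byte hello ...
              + struct.pack(">HHI", OFPHET_VERSIONBITMAP, 8, (1 << 1) | (1 << 4)))  # ... with bitmap: 1.0 and 1.3
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00])          # start of a TLS record
```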

I’m sure you won’t need any of these if you follow Floodlight’s instructions, but if Google sent you here I hope these notes have helped you somehow. Use the comments if you need more help.

Cheers!

CentOS 7 – Installing Floodlight

Hi there!
In the following weeks I’ll be using the Floodlight controller to develop some code and get a deeper understanding of Software-Defined Networks. In my lab environment I’ll be using OpenFlow to configure some OpenVswitch virtual switches.

In this post I’m showing you how I’ve installed Floodlight on my CentOS 7 machine: creating a service, configuring logging and more.

Let’s begin by installing some development tools: Git, Java and Ant:

yum group install -y "Development Tools"
yum -y install git
yum install -y java-1.7.0-openjdk ant

We need Floodlight’s source code and then we’ll build it:

cd /opt
git clone git://github.com/floodlight/floodlight.git
cd floodlight/
ant

...
Buildfile: /opt/floodlight/build.xml
init:
...
[jar] Building jar: /opt/floodlight/target/floodlight.jar
...
BUILD SUCCESSFUL
Total time: 50 seconds

Awesome, Floodlight was built successfully. We’ll now create some directories:

mkdir /var/lib/floodlight
mkdir /etc/floodlight
mkdir /var/log/floodlight/

The OpenFlow protocol uses the IANA-assigned port 6653. I’ll add a rule allowing that traffic from my management network 192.168.4.0/24:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.4.0/24" port port="6653" protocol="tcp" accept'

firewall-cmd --reload

Also, if you use the REST API (HTTP) or the web user interface, we’ll need a rule allowing traffic on port 8080. In my lab I’ll add a rule allowing traffic from my development network 192.168.5.0/24:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.5.0/24" port port="8080" protocol="tcp" accept'

firewall-cmd --reload

Next, let’s add a user called (guess what?) floodlight, set JAVA_HOME and change the ownership of some directories:

useradd floodlight
echo 'export JAVA_HOME=/usr/lib/jvm/jre-openjdk' >> /home/floodlight/.bash_profile

chown -R floodlight:floodlight /opt/floodlight
chown -R floodlight:floodlight /var/lib/floodlight
chown -R floodlight:floodlight /var/log/floodlight
chown -R floodlight:floodlight /etc/floodlight

Now let’s open a shell using our floodlight user:

su - floodlight

Let’s copy Floodlight’s default properties file to our /etc/floodlight directory:

cp /opt/floodlight/src/main/resources/floodlightdefault.properties /etc/floodlight/

Let’s start Floodlight for the first time, specifying where our properties file is. If everything is OK we’ll see some info and warning messages:

java -jar /opt/floodlight/target/floodlight.jar -cf /etc/floodlight/floodlightdefault.properties
...
11:00:08.221 INFO [n.f.c.m.FloodlightModuleLoader:main] Loading modules from /etc/floodlight/floodlightdefault.properties
11:00:08.702 WARN [n.f.r.RestApiServer:main] HTTPS disabled; HTTPS will not be used to connect to the REST API.
11:00:08.702 WARN [n.f.r.RestApiServer:main] HTTP enabled; Allowing unsecure access to REST API on port 8080.
11:00:19.552 WARN [n.f.c.i.OFSwitchManager:main] SSL disabled. Using unsecure connections between Floodlight and switches.
...
11:00:19.603 INFO [n.f.c.i.Controller:main] Controller role set to ACTIVE
...
11:00:19.716 INFO [n.f.f.Forwarding:main] Default flow matches set to: VLAN=true, MAC=true, IP=true, TPPT=true
11:00:20.572 INFO [o.s.s.i.r.RPCService:main] Listening for internal floodlight RPC on localhost/127.0.0.1:6642
11:00:20.812 INFO [n.f.c.i.OFSwitchManager:main] Listening for switch connections on 0.0.0.0/0.0.0.0:6653
11:00:20.831 INFO [n.f.l.i.LinkDiscoveryManager:main] Setting autoportfast feature to OFF
11:00:35.997 INFO [n.f.l.i.LinkDiscoveryManager:Scheduled-1] Sending LLDP packets out of all the enabled ports
11:00:37.959 INFO [n.f.j.JythonServer:debugserver-main] Starting DebugServer on :6655

If using the default properties, we now have an active OpenFlow controller with a Forwarding module that lets our virtual switches (those using Floodlight as their controller, of course!) forward Ethernet frames.

As an example, these are the information messages logged when the first switch connects to Floodlight:

11:15:13.041 INFO [n.f.c.i.OFChannelHandler:New I/O worker #11] New switch connection from /192.168.4.2:44893
11:15:13.201 INFO [n.f.c.i.OFSwitchHandshakeHandler:New I/O worker #11] Switch OFSwitchBase DPID[00:00:bc:30:5b:da:eb:60] bound to class class net.floodlightcontroller.core.OFSwitch, description SwitchDescription [manufacturerDescription=Nicira, Inc., hardwareDescription=Open vSwitch, softwareDescription=2.3.1, serialNumber=None, datapathDescription=None]

Once we’ve checked that Floodlight starts, we’ll kill the process with Ctrl-C and close our session.

^C[floodlight@tornasol ~]$ exit

I’m not using floodlight as an interactive user anymore, so I’ll remove its shell:

usermod -s /sbin/nologin floodlight

By default, Floodlight writes many messages to standard output. I want to reduce the log level and set a file where logs are written. Thanks to the information provided by Volkan Yazici and Luca Prete in this Google Group, these are the steps I’ve followed.

First I create a backup of the /opt/floodlight/logback.xml file:

cp /opt/floodlight/logback.xml /opt/floodlight/logback.xml.orig

Then I create a new /opt/floodlight/logback.xml file with the following content. Basically I’m reducing the log level so that only INFO and WARN messages are sent to /var/log/floodlight/floodlight.log and nothing is sent to standard output:

cat <<EOT > /opt/floodlight/logback.xml
<configuration scan="true">
<appender name="FILE" class="ch.qos.logback.core.FileAppender">
<file>/var/log/floodlight/floodlight.log</file>
<encoder>
<pattern>%date %level [%thread] %logger{10} [%file:%line] %msg%n</pattern>
</encoder>
</appender>
<root level="INFO">
<appender-ref ref="FILE" />
</root>
<logger name="org" level="WARN"/>
<logger name="LogService" level="WARN"/> <!-- Restlet access logging -->
<logger name="net.floodlightcontroller" level="INFO"/>
<logger name="net.floodlightcontroller.logging" level="WARN"/>
</configuration>
EOT

OK. Now we’ll create a systemd service so Floodlight is started and stopped nicely. I’m specifying where the logback configuration file and the properties file are.

cat <<EOT > /etc/systemd/system/floodlight.service
[Unit]
Description=FloodLight Service
After=network.target
[Service]
EnvironmentFile=/etc/sysconfig/floodlight
User=floodlight
WorkingDirectory=/etc/floodlight
ExecStart=/usr/bin/java -Dlogback.configurationFile=/opt/floodlight/logback.xml -jar /opt/floodlight/target/floodlight.jar -cf /etc/floodlight/floodlightdefault.properties
Restart=on-abort
[Install]
WantedBy=multi-user.target
EOT

We’ll create the /etc/sysconfig/floodlight file to make sure the JAVA_HOME environment variable is set for the service:

cat <<EOT > /etc/sysconfig/floodlight
JAVA_HOME=/usr/lib/jvm/jre-openjdk
EOT

Let’s cross our fingers. Start the service and check its status:

systemctl start floodlight.service

systemctl status floodlight.service

(Screenshot: systemctl status output showing the Floodlight service started)

Looks good! Let’s enable the service to start at boot time:

systemctl enable floodlight.service

I think it’s a good idea to add a logrotate.d file so Floodlight’s log file is rotated. I’ll use the libvirtd file as a template to create /etc/logrotate.d/floodlight:

/var/log/floodlight/floodlight.log {
weekly
missingok
rotate 4
compress
delaycompress
copytruncate
minsize 100k
}

Finally I’ll check that the web user interface is listening on port 8080 and that I have information about my OpenFlow switches (URL http://x.x.x.x:8080/ui/index.html, use your own IP address of course!)

(Screenshot: Floodlight web UI)

OK, nice! Now I’m ready to start developing. I’ll post any useful information about Floodlight development or usage on my blog, but you should start by visiting the official page, as I’m going to do right now 😀

Cheers!

“Installing” Floodlight OpenFlow Controller – Debian Wheezy


It’s time to learn new things. I want to use an OpenFlow controller with my OVS switches. Openvswitch already provides “a simple OpenFlow controller reference implementation” (ovs-controller), but I’d like to start with Floodlight. I’m following the official documentation but, as always, I like to share my notes with you:

Floodlight is written in Java, so we’ll install some packages:

aptitude -y install default-jdk ant git

Let’s download the latest Floodlight stable version and compile the jar:

cd /opt
git clone git://github.com/floodlight/floodlight.git
cd floodlight/
ant

...
dist:
[jar] Building jar: /opt/floodlight/target/floodlight.jar
[jar] Building jar: /opt/floodlight/target/floodlight-test.jar
BUILD SUCCESSFUL
Total time: 25 seconds

We’re going to start Floodlight. By default the controller listens on port 6633.

java -jar target/floodlight.jar
19:53:53.434 INFO [n.f.c.m.FloodlightModuleLoader:main] Loading default modules
19:53:53.827 INFO [n.f.c.i.Controller:main] Controller role set to MASTER
19:53:53.834 INFO [n.f.c.i.Controller:main] Flush switches on reconnect -- Disabled
19:54:03.558 INFO [n.f.l.i.LinkDiscoveryManager:main] Setting autoportfast feature to OFF
19:54:03.779 INFO [o.s.s.i.c.FallbackCCProvider:main] Cluster not yet configured; using fallback local configuration
19:54:03.779 INFO [o.s.s.i.SyncManager:main] [32767] Updating sync configuration ClusterConfig [allNodes={32767=Node [hostname=localhost, port=6642, nodeId=32767, domainId=32767]}, authScheme=CHALLENGE_RESPONSE, keyStorePath=/etc/floodlight/auth_credentials.jceks, keyStorePassword is unset]
19:54:03.853 INFO [o.s.s.i.r.RPCService:main] Listening for internal floodlight RPC on localhost/127.0.0.1:6642
19:54:04.066 INFO [n.f.c.i.Controller:main] Listening for switch connections on 0.0.0.0/0.0.0.0:6633
19:54:09.047 INFO [n.f.j.JythonServer:debugserver-main] Starting DebugServer on :6655

OK, the controller is waiting for connections. Now we’re going to add a new OVS bridge and set the controller for that bridge:

ovs-vsctl add-br br0
ovs-vsctl set-controller br0 tcp:127.0.0.1:6633

Floodlight is being contacted by Openvswitch! 🙂

20:18:24.725 INFO [n.f.c.i.OFChannelHandler:New I/O server worker #2-1] New switch connection from /127.0.0.1:43418
20:18:24.749 INFO [n.f.c.i.OFChannelHandler:New I/O server worker #2-1] Disconnected switch [/127.0.0.1:43418 DPID[?]]
20:18:25.703 INFO [n.f.c.i.OFChannelHandler:New I/O server worker #2-2] New switch connection from /127.0.0.1:43419
20:18:25.728 INFO [n.f.c.i.OFChannelHandler:New I/O server worker #2-2] Switch OFSwitchBase [/127.0.0.1:43419 DPID[00:00:b6:19:eb:08:04:4d]] bound to class class net.floodlightcontroller.core.internal.OFSwitchImpl, writeThrottle=false, description Switch Desc - Vendor: Nicira, Inc. Model: Open vSwitch Make: None Version: 1.9.3 S/N: None
20:18:25.731 INFO [n.f.c.OFSwitchBase:New I/O server worker #2-2] Clearing all flows on switch OFSwitchBase [/127.0.0.1:43419 DPID[00:00:b6:19:eb:08:04:4d]]
20:18:25.734 WARN [n.f.c.i.C.s.notification:main] Switch 00:00:b6:19:eb:08:04:4d connected.

Now, thanks to Marist College (SDN Lab) and IBM, I’ll use Avior as a Floodlight GUI; visit the webpage to download the 32-bit or 64-bit version:

cd /opt
wget http://openflow.marist.edu/static/download/avior-1.3_linux_x64.jar
java -jar avior-1.3_linux_x64.jar

And here is a screenshot; the OpenVswitch switch is shown. Great.

(Screenshot: Avior showing the connected Open vSwitch switch)

This is just the beginning! More in a few days… I’ll update this post including how to add a daemon to start the controller.