Drools can't be activated after pushing policies from PAP to PDP-D. #policy #controlloop


Charlton Chang
 

Hi,

I deployed ONAP Casablanca by OOM on multi-node environment with Policy images version 1.3.7.
I want to verify the setup for closed-loop.

Reference to the tutorial:
https://wiki.onap.org/display/DW/Policy+on+OOM

After pushing the policies to PDP-D, Drools is still inactive (alive: false, brained: false ...).
But the policies have been pushed to Nexus.

While checking the status of BRMSGW, I find some error about Database and WebSocket during the process.

Before pushing policies as the tutorial mentioned in [Before Installing Policies], I failed in services connectivity verification for drools, nexus and message-router.

Maybe that is the cause of the issue?
How can I resolve it?


Thanks,
Charlton




Charlton Chang
 

I pushed the policies again and checked the logs for BRMSGW and Drools. I found a certificate exception in Drools when receiving the PDPD-CONFIGURATION event:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:573)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:557)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:414)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.apache.http.impl.client.DecompressingHttpClient.execute(DecompressingHttpClient.java:164)
at org.eclipse.aether.transport.http.HttpTransporter.execute(HttpTransporter.java:279)
at org.eclipse.aether.transport.http.HttpTransporter.implGet(HttpTransporter.java:235)
at org.eclipse.aether.spi.connector.transport.AbstractTransporter.get(AbstractTransporter.java:59)
at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask(BasicRepositoryConnector.java:447)
at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:350)

For more details, please refer to the attached log file.

Please help me with this issue.


Thanks,
Charlton



Sandeep Sharma
 

Hi Charlton,
I am running into the exact same issue. Did you get any solution for this?

Thanks
-Sandeep


Charlton Chang
 

Hi Sandeep,

I am still stuck on this issue.

I will check what the failing SSL request is for.
(Nexus service seems to work via normal http.)

If you get any solution or progress, please share with me.


Thanks,
Charlton


Sandeep Sharma
 

Hi Charlton,
One workaround worked for me. This is the flow I performed:
1. On the policy nexus http://<ONAP node>:30236/nexus/#, create a proxy repository pointing to https://nexus.onap.org/content/repositories/releases/
2. On the drools pod, update the settings.xml to have a pointer to the proxy repository created. Following is how my settings.xml looks,
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <profiles>

    <profile>
      <id>policy-releases</id>

      <repositories>
        <repository>
          <id>policy-nexus-releases</id>
          <url>http://nexus:8081/nexus/content/repositories/releases/</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
        <repository>
          <id>policy-nexus-releases</id>
          <url>http://nexus:8081/nexus/content/repositories/proxy/</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>

    </profile>

    <profile>
      <id>policy-snapshots</id>

      <repositories>
        <repository>
          <id>policy-nexus-snapshots</id>
          <url>http://nexus:8081/nexus/content/repositories/snapshots/</url>
          <releases>
            <enabled>false</enabled>
          </releases>
          <snapshots>
            <enabled>true</enabled>
            <updatePolicy>always</updatePolicy>
          </snapshots>
        </repository>
      </repositories>

    </profile>

    <profile>
      <id>onap-releases</id>

      <repositories>
        <repository>
          <id>onap-releases</id>
          <name>onap-releases</name>
          <url>https://nexus.onap.org/content/repositories/releases/</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>

    </profile>

    <profile>
      <id>onap-staging</id>

      <repositories>
        <repository>
          <id>onap-staging</id>
          <name>onap-staging</name>
          <url>https://nexus.onap.org/content/repositories/staging/</url>
          <releases>
            <enabled>true</enabled>
            <updatePolicy>always</updatePolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>

    </profile>

    <profile>

      <id>onap-snapshots</id>

      <repositories>
        <repository>
          <id>onap-snapshots</id>
          <name>onap-snapshots</name>
          <url>https://nexus.onap.org/content/repositories/snapshots/</url>
          <releases>
            <enabled>false</enabled>
          </releases>
          <snapshots>
            <enabled>true</enabled>
            <updatePolicy>always</updatePolicy>
          </snapshots>
        </repository>
      </repositories>

    </profile>

  </profiles>

  <activeProfiles>
    <activeProfile>policy-releases</activeProfile>
    <activeProfile>policy-snapshots</activeProfile>
  </activeProfiles>

  <servers>
    <server>
      <id>policy-nexus-snapshots</id>
      <username>admin</username>
      <password>admin123</password>
    </server>
    <server>
      <id>policy-nexus-releases</id>
      <username>admin</username>
      <password>admin123</password>
    </server>
  </servers>

</settings>

3. Execute the push_policies.sh on the pap pod. 

This should resolve the amsterdam rules dependencies in the drools.
-Sandeep
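
An added example, not from the thread or the ONAP project: a small audit of a Maven settings.xml shaped like the one posted above, reporting active repositories fetched over plain HTTP, repository ids repeated within a profile, and server passwords stored unencrypted. The function name `audit_settings`, the finding labels and the trimmed `SAMPLE` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

NS = {"m": "http://maven.apache.org/SETTINGS/1.0.0"}

# Constructed sample, trimmed to the shape of the settings.xml in the post.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
 <profiles>
  <profile><id>policy-releases</id><repositories>
   <repository><id>policy-nexus-releases</id>
    <url>http://nexus:8081/nexus/content/repositories/releases/</url></repository>
   <repository><id>policy-nexus-releases</id>
    <url>http://nexus:8081/nexus/content/repositories/proxy/</url></repository>
  </repositories></profile>
  <profile><id>onap-releases</id><repositories>
   <repository><id>onap-releases</id>
    <url>https://nexus.onap.org/content/repositories/releases/</url></repository>
  </repositories></profile>
 </profiles>
 <activeProfiles><activeProfile>policy-releases</activeProfile></activeProfiles>
 <servers><server><id>policy-nexus-releases</id>
  <username>admin</username><password>admin123</password></server></servers>
</settings>"""

def audit_settings(xml_text):
    """Return sorted (finding, subject) pairs for a Maven settings.xml."""
    root = ET.fromstring(xml_text)
    text = lambda el, tag: (el.findtext(tag, "", NS) or "").strip()
    active = {(a.text or "").strip()
              for a in root.findall("m:activeProfiles/m:activeProfile", NS)}
    findings = set()
    for profile in root.findall("m:profiles/m:profile", NS):
        pid = text(profile, "m:id")
        repos = profile.findall("m:repositories/m:repository", NS)
        # Server credentials are matched by id, so a repeated id is ambiguous.
        for rid, n in Counter(text(r, "m:id") for r in repos).items():
            if n > 1:
                findings.add(("duplicate-repository-id", f"{pid}/{rid}"))
        for r in repos:
            # Only repositories in active profiles are checked for transport.
            if pid in active and urlparse(text(r, "m:url")).scheme != "https":
                findings.add(("active-repo-without-tls", text(r, "m:url")))
    for s in root.findall("m:servers/m:server", NS):
        pw = text(s, "m:password")
        # Maven's password encryption stores the value wrapped in {...}.
        if pw and not (pw.startswith("{") and pw.endswith("}")):
            findings.add(("plaintext-password", text(s, "m:id")))
    return sorted(findings)
```

Calling `audit_settings(SAMPLE)` returns the findings for the constructed sample; pass the contents of a real `~/.m2/settings.xml` to audit that file instead.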


Charlton Chang
 

Hi Sandeep,

Thanks for sharing, but something is wrong with our test environment now.
I will test the flow when it's available.


Thanks,
Charlton


Jorge Hernandez
 

Hello Charlton, 
Some additional feedback besides Sandeep's. I installed the Casablanca release and don't see the errors you've shown in the drools logs when deploying policies; I am not sure if in your case it was a transient situation with the servers, or something particular to your environment. I saw other errors, though, related to dmaap certs that are not shown in the log, but it seems you may be past that as you didn't see them. In your brmsgw log, I see some DB problems that suggest that the installation didn't go quite right. If starting the install from scratch, it is better to delete /dockerdata-nfs/dev-policy to start clean.
Best regards,
Jorge


Charlton Chang
 

Hi Jorge,

Thanks for your feedback.

For the DMAAP certs issue, I have changed the image of message-router to version 1.1.14 and it has been resolved.
I have cleaned the files under /dockerdata-nfs/dev-policy, but the errors still occur in my environment.


Thanks,
Charlton


Mandeep Singh Kalra
 

Hi,

I am also facing a similar issue in my environment; it was working some time back with the same Casablanca release.
@Jorge/Sandeep: The Dmaap issue is resolved, as I have updated the message router. I am not sure of the root cause of this one, but is there any link available for the proxy workaround?


Regards
Mandeep


Sandeep Sharma
 

Hi Mandeep,
There is no link for the proxy workaround. This is what you need to do,
1. Please perform these steps before you push any policies.
2. Log in the Policy nexus service at http://<your casablanca IP>:30236/nexus/#
3. The username/password for the Policy nexus is admin/admin123.
4. Click on 'Add repository', and from the drop-down select 'Proxy Repository'.
5. Set the Repository ID/Repository Name. (As per the settings.xml I have shared in the message above, the id/name is Proxy/proxy.)
6. Set Remote storage location: https://nexus.onap.org/content/repositories/releases/
7. I set the Checksum Policy to Ignore.
8. Save this Proxy repository.
9. Log in to the Drools pod shell, and replace the ~/.m2/settings.xml with the one that I had pasted in the message above. Please modify the settings.xml as per the repo id/name that you chose.
10. Push your policy. 

This workaround has been working very consistently for us.

-Sandeep