
[ovs-dev,3/3] ovn-ctl: add support for SSL nb/sb db connections

Message ID 1480606643-23301-1-git-send-email-lrichard@redhat.com
State Superseded

Commit Message

Lance Richardson Dec. 1, 2016, 3:37 p.m. UTC
Add support for SSL connections to OVN northbound and/or
southbound databases.

To improve security, the NB and SB ovsdb daemons no longer
have open ptcp connections by default.  This is a change in
behavior from previous versions; users wishing to use TCP
connections to the NB/SB daemons can either request that
a passive TCP connection be used via ovn-ctl command-line
options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-default-remote=yes
    --db-nb-default-remote=yes

Or configure a connection after the NB/SB daemons have been
started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641

Users desiring SSL database connections will need to generate certificates
and private key as described in INSTALL.SSL.rst and perform the following
one-time configuration steps:

   ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
   ovn-sbctl set-connection pssl:6642
   ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
   ovn-nbctl set-connection pssl:6641

On the ovn-controller and ovn-controller-vtep side, SSL configuration
must be provided on the command-line when the daemons are started; this
should be provided via the following command-line options (e.g. via
OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):

   --ovn-controller-ssl-key=<private-key>
   --ovn-controller-ssl-cert=<certificate>
   --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
              external-ids:ovn-remote=ssl:w.x.y.z:6642

Signed-off-by: Lance Richardson <lrichard@redhat.com>
---
 NEWS                        |  5 ++++
 manpages.mk                 |  4 +++
 ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++++++-----------
 ovn/utilities/ovn-ctl.8.xml |  7 +++++
 4 files changed, 71 insertions(+), 17 deletions(-)
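The configuration steps in the commit message, recast as the checks a startup script can run before the values reach ovsdb-server or ovn-controller. This is an added example, not part of Lance's patch or of ovn-ctl itself: the function names, the `allow_open_tcp` flag and the sample addresses are assumptions made for illustration, while the option values and the `proto:addr:port` (active) and `pproto:port:addr` (passive) remote forms are the ones the commit message and patch use.

```shell
#!/bin/sh
# Added example (not from the ovn-ctl patch): validate SSL/TCP remote
# settings before handing them to ovsdb-server or ovn-controller, and
# fail closed on unknown or incomplete input.  Function names and the
# allow_open_tcp flag are assumptions for illustration.

# Accept only a numeric port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build an active (client-side) remote such as "ssl:10.0.0.1:6642",
# the form ovn-ctl writes for --db-*-sync-from-* and that ovn-remote
# uses.  Only tcp and ssl are accepted, so a typo cannot silently
# produce a remote string the daemon cannot use.
ovn_db_remote() {
    proto=$1 addr=$2 port=$3
    case "$proto" in
        tcp|ssl) ;;
        *) echo "unknown transport '$proto' (expected tcp or ssl)" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "invalid port '$port'" >&2; return 1; }
    [ -n "$addr" ] || { echo "missing address" >&2; return 1; }
    printf '%s:%s:%s\n' "$proto" "$addr" "$port"
}

# Build a passive (listening) remote such as "pssl:6642:0.0.0.0".
# A ptcp listener on 0.0.0.0 is the unauthenticated path the patch
# disables by default, so it is refused unless explicitly allowed.
ovn_db_passive_remote() {
    proto=$1 port=$2 addr=${3:-0.0.0.0} allow_open_tcp=${4:-no}
    case "$proto" in
        pssl) ;;
        ptcp)
            if [ "$addr" = 0.0.0.0 ] && [ "$allow_open_tcp" != yes ]; then
                echo "refusing unauthenticated ptcp listener on 0.0.0.0" >&2
                return 1
            fi ;;
        *) echo "unknown passive transport '$proto' (expected ptcp or pssl)" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "invalid port '$port'" >&2; return 1; }
    printf '%s:%s:%s\n' "$proto" "$port" "$addr"
}

# Emit the ovn-controller SSL options only when all three files are
# given and readable.  A partial key/cert/CA triple is an error rather
# than an empty --private-key= on the command line; no files at all
# simply means SSL was not requested.
controller_ssl_args() {
    key=$1 cert=$2 ca=$3
    if [ -z "$key" ] && [ -z "$cert" ] && [ -z "$ca" ]; then
        return 0
    fi
    for f in "$key" "$cert" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "SSL requested but '$f' is missing or unreadable" >&2
            return 1
        fi
    done
    printf '%s %s %s\n' "--private-key=$key" "--certificate=$cert" "--ca-cert=$ca"
}

# Demo with constructed values (no OVN installation is needed to run this).
ovn_db_remote ssl 192.0.2.10 6642
ovn_db_passive_remote pssl 6642
```

Any POSIX sh runs it; the two demo lines print the constructed remotes. The point of `controller_ssl_args` is that a half-filled key/cert/CA triple is rejected instead of producing a half-populated command line, and `ovn_db_passive_remote` makes re-opening the wide-open `ptcp` listener an explicit choice rather than a side effect of a default.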

Comments

Numan Siddique Dec. 8, 2016, 1:01 p.m. UTC | #1
On Thu, Dec 1, 2016 at 9:07 PM, Lance Richardson <lrichard@redhat.com>
wrote:

> Add support for SSL connections to OVN northbound and/or
> southbound databases.
>
> To improve security, the NB and SB ovsdb daemons no longer
> have open ptcp connections by default.  This is a change in
> behavior from previous versions, users wishing to use TCP
> connections to the NB/SB daemons can either request that
> a passive TCP connection be used via ovn-ctl command-line
> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> scripts):
>
>     --db-sb-default-remote=yes
>     --db-nb-default-remote=yes
>
> Or configure a connection after the NB/SB daemons have been
> started, e.g.:
>
>     ovn-sbctl set-connection ptcp:6642
>     ovn-nbctl set-connection ptcp:6641
>
> Users desiring SSL database connections will need to generate certificates
> and private key as described in INSTALL.SSL.rst and perform the following
> one-time configuration steps:
>
>    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
>    ovn-sbctl set-connection pssl:6642
>    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
>    ovn-nbctl set-connection pssl:6641
>
> On the ovn-controller and ovn-controller-vtep side, SSL configuration
> must be provided on the command-line when the daemons are started, this
> should be provided via the following command-line options (e.g. via
> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
>
>    --ovn-controller-ssl-key=<private-key>
>    --ovn-controller-ssl-cert=<certificate>
>    --ovn-controller-ssl-ca-cert=<ca-cert>
>
> The SB database connection should also be configured to use SSL, e.g.:
>
>     ovs-vsctl set Open_vSwitch . \
>               external-ids:ovn-remote=ssl:w.x.y.z:6642
>
> Signed-off-by: Lance Richardson <lrichard@redhat.com>
> ---
>  NEWS                        |  5 ++++
>  manpages.mk                 |  4 +++
>  ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++
> ++++-----------
>  ovn/utilities/ovn-ctl.8.xml |  7 +++++
>  4 files changed, 71 insertions(+), 17 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index 3a33abf..9ac8808 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -9,6 +9,11 @@ Post-v2.6.0
>       * Support for source IP address based routing.
>       * Support for managing SSL and remote connection configuration in
>         northbound and southbound databases.
> +     * TCP connections to northbound and southbound databases are no
> +       longer enabled by default and must be explicitly configured.
> +       See documentation for ovn-sbctl/ovn-nbctl "set-connection" command
> +       or ovn-ctl "--db-sb-default-remote"/"--db-nb-default-remote"
> +       options for information regarding enabling TCP connections.
>     - Fixed regression in table stats maintenance introduced in OVS
>       2.3.0, wherein the number of OpenFlow table hits and misses was
>       not accurate.
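
Review bot: the NEWS entry covers the removed default TCP listener but not the other knobs this patch adds: `--db-nb-sync-from-proto`/`--db-sb-sync-from-proto` and the three `--ovn-controller-ssl-*` options. Since the commit message presents SSL support as the point of the change, a second bullet naming those options would help users find them.
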
> diff --git a/manpages.mk b/manpages.mk
> index 11ec023..742bd66 100644
> --- a/manpages.mk
> +++ b/manpages.mk
> @@ -10,6 +10,8 @@ ovn/utilities/ovn-sbctl.8: \
>         lib/table.man \
>         lib/vlog.man \
>         ovsdb/remote-active.man \
> +       ovsdb/remote-active.man \
> +       ovsdb/remote-passive.man \
>         ovsdb/remote-passive.man
>  ovn/utilities/ovn-sbctl.8.in:
>  lib/common.man:
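
Review bot: the two added prerequisites duplicate `ovsdb/remote-active.man \` and `ovsdb/remote-passive.man`, which are already in the list immediately above and below them. make tolerates repeated prerequisites, but this looks like a regeneration artifact rather than something ovn-ctl needs; either drop it from this patch or say in the commit message why manpages.mk changes.
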
> @@ -20,6 +22,8 @@ lib/ssl.man:
>  lib/table.man:
>  lib/vlog.man:
>  ovsdb/remote-active.man:
> +ovsdb/remote-active.man:
> +ovsdb/remote-passive.man:
>  ovsdb/remote-passive.man:
>
>  ovsdb/ovsdb-client.1: \
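
Review bot: same duplication as the previous hunk (`ovsdb/remote-active.man:` and `ovsdb/remote-passive.man:` now appear twice as empty targets); if the first hunk is dropped this one should go with it.
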
> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> index 73e78e5..4dade90 100755
> --- a/ovn/utilities/ovn-ctl
> +++ b/ovn/utilities/ovn-ctl
> @@ -50,7 +50,7 @@ stop_ovsdb () {
>
>  demote_ovnnb() {
>      if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> $ovnnb_active_conf_file
> +        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"
> > $ovnnb_active_conf_file
>      fi
>
>      if test -e $ovnnb_active_conf_file; then
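
Review bot: `$DB_NB_SYNC_FROM_PROTO` is written into `$ovnnb_active_conf_file` without being checked, so a mistyped `--db-nb-sync-from-proto=tls` produces a remote string ovsdb-server cannot use and the backup silently never syncs. A `case "$DB_NB_SYNC_FROM_PROTO" in tcp|ssl) ;; *) exit 1 ;; esac` in set_option (or here) would fail fast, and the redirect target could be quoted now that the line is being touched.
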
> @@ -64,7 +64,7 @@ demote_ovnnb() {
>
>  demote_ovnsb() {
>      if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> $ovnsb_active_conf_file
> +        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT"
> > $ovnsb_active_conf_file
>      fi
>
>      if test -e $ovnsb_active_conf_file; then
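
Review bot: same missing validation of `$DB_SB_SYNC_FROM_PROTO` as in demote_ovnnb above. Both branches write the same three-part string, and start_ovsdb writes it twice more, so a small helper taking proto, address, port and file would avoid keeping four copies of it in sync.
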
> @@ -93,15 +93,21 @@ start_ovsdb () {
>
>          set ovsdb-server
>
> -        set "$@" --detach --monitor $OVN_NB_LOG \
> -            --log-file=$OVN_NB_LOGFILE \
> -            --remote=punix:$DB_NB_SOCK \
> -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> -            --pidfile=$DB_NB_PID \
> -            --unixctl=ovnnb_db.ctl
> +        set "$@" --detach --monitor
> +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> +        set "$@" --unixctl=ovnnb_db.ctl
> +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> +
> +        if test X"$
> ​​
> DB_NB_DEFAULT_REMOTE" = Xyes; then
> +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> +        fi
>

You think it's good to add the remote defined in $DB_NB_ADDR/$DB_NB_PORT
into the Connection table by this script if $DB_NB_DEFAULT_REMOTE is set
to No.

Something like below

#########
if test X"$DB_NB_DEFAULT_REMOTE" = Xno; then
   ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR"
fi
#########

Thanks
Numan


>          if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> -            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> $ovnnb_active_conf_file
> +            echo "$DB_NB_SYNC_FROM_PROTO:$DB_
> NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
>          fi
>
>          if test -e $ovnnb_active_conf_file; then
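
Review bot: with `--remote=db:OVN_Northbound,NB_Global,connections` the NB database has no network listener at all until `ovn-nbctl set-connection` is run over `punix:$DB_NB_SOCK`, and when `DB_NB_DEFAULT_REMOTE=yes` the `ptcp:$DB_NB_PORT:$DB_NB_ADDR` listener is appended alongside whatever the Connection table holds, so a `pssl` remote configured in the database and the unauthenticated `ptcp` listener (on 0.0.0.0 by default, per set_defaults) can be active at the same time. A comment above the `if` and a sentence in the usage text would make that explicit, since a user who sets `--db-nb-default-remote=yes` to get things working and later runs `set-ssl`/`set-connection pssl:6641` keeps the open TCP port.
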
> @@ -118,15 +124,21 @@ start_ovsdb () {
>
>          set ovsdb-server
>
> -        set "$@" --detach --monitor $OVN_SB_LOG \
> -            --log-file=$OVN_SB_LOGFILE \
> -            --remote=punix:$DB_SB_SOCK \
> -            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
> -            --pidfile=$DB_SB_PID \
> -            --unixctl=ovnsb_db.ctl
> +        set "$@" --detach --monitor
> +        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
> +        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
> +        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
> +        set "$@" --unixctl=ovnsb_db.ctl
> +        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
> +        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
> +        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
> +
> +        if test X"$DB_NB_DEFAULT_REMOTE" = Xyes; then
> +            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
> +        fi
>
>          if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> -            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> $ovnsb_active_conf_file
> +            echo "$DB_SB_SYNC_FROM_PROTO:$DB_
> SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
>          fi
>
>          if test -e $ovnsb_active_conf_file; then
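
Review bot: the `if test X"$DB_NB_DEFAULT_REMOTE" = Xyes` in this hunk tests the NB variable, so `--db-sb-default-remote=yes` never opens the SB listener and `--db-nb-default-remote=yes` opens both. It should read `if test X"$DB_SB_DEFAULT_REMOTE" = Xyes; then`. The copy-paste is easy to miss because the remote on the next line is already the SB one.
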
> @@ -208,12 +220,22 @@ start_northd () {
>  start_controller () {
>      set ovn-controller "unix:$DB_SOCK"
>      set "$@" $OVN_CONTROLLER_LOG
> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> +    fi
>      OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY"
> "$OVN_CONTROLLER_WRAPPER" "$@"
>  }
>
>  start_controller_vtep () {
>      set ovn-controller-vtep "unix:$DB_SOCK"
>      set "$@" -vconsole:emer -vsyslog:err -vfile:info
> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> +    fi
>      OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY"
> "$OVN_CONTROLLER_WRAPPER" "$@"
>  }
>
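
Review bot: the guard only checks `$OVN_CONTROLLER_SSL_CERT`, so `--ovn-controller-ssl-cert=` on its own yields `--private-key=` and `--ca-cert=` with empty values on the ovn-controller command line. Test all three (or exit with a usage error when only some are set) and quote them, e.g. `set "$@" --private-key="$OVN_CONTROLLER_SSL_KEY"`, since the paths are user input. The identical five lines in start_controller and start_controller_vtep could become a shared helper.
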
> @@ -275,6 +297,7 @@ set_defaults () {
>      DB_NB_FILE=$dbdir/ovnnb_db.db
>      DB_NB_ADDR=0.0.0.0
>      DB_NB_PORT=6641
> +    DB_NB_SYNC_FROM_PROTO=tcp
>      DB_NB_SYNC_FROM_ADDR=
>      DB_NB_SYNC_FROM_PORT=6641
>
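
Review bot: `DB_NB_SYNC_FROM_PROTO=tcp` is unquoted while the new `DB_NB_DEFAULT_REMOTE="no"` further down is quoted; pick one style. More importantly, the default keeps active-backup sync on plain tcp even when the NB database is switched to `pssl`, so a deployment that runs `set-connection pssl:6641` but forgets `--db-nb-sync-from-proto=ssl` ends up with a backup that cannot reach a pssl-only active; the usage text should say the two settings have to match.
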
> @@ -283,6 +306,7 @@ set_defaults () {
>      DB_SB_FILE=$dbdir/ovnsb_db.db
>      DB_SB_ADDR=0.0.0.0
>      DB_SB_PORT=6642
> +    DB_SB_SYNC_FROM_PROTO=tcp
>      DB_SB_SYNC_FROM_ADDR=
>      DB_SB_SYNC_FROM_PORT=6642
>
> @@ -307,6 +331,13 @@ set_defaults () {
>      OVN_SB_LOG="-vconsole:off"
>      OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
>      OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
> +
> +    OVN_CONTROLLER_SSL_KEY=""
> +    OVN_CONTROLLER_SSL_CERT=""
> +    OVN_CONTROLLER_SSL_CA_CERT=""
> +
> +    DB_SB_DEFAULT_REMOTE="no"
> +    DB_NB_DEFAULT_REMOTE="no"
>  }
>
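
Review bot: `DB_SB_DEFAULT_REMOTE`/`DB_NB_DEFAULT_REMOTE` are compared literally against `yes` in start_ovsdb, so `--db-nb-default-remote=YES`, `true` or `1` are silently treated as `no`. Secure by default is the right outcome, but it hides a misconfiguration; rejecting anything other than `yes`/`no` in set_option would be clearer. The three empty `OVN_CONTROLLER_SSL_*` defaults are fine.
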
>  set_option () {
> @@ -350,6 +381,9 @@ Options:
>    --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for
> debugging
>    --ovn-controller-priority=NICE     set ovn-northd's niceness (default:
> $OVN_CONTROLLER_PRIORITY)
>    --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind
> for debugging
> +  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
> +  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> +  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
> file
>    --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases
> should be
>                                     automatically started and stopped along
>                                     with ovn-northd. The default is "yes".
> If
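
Review bot: the three new `--ovn-controller-ssl-*` lines are not aligned to the description column the neighbouring options use, and "OVN Southbound SSL private key file" reads as if it configured the SB database itself; these are ovn-controller's client-side key, certificate and CA certificate for its SSL connection to the southbound database. Something like `--ovn-controller-ssl-key=KEY  private key for ovn-controller's SSL connection to the SB db` says that.
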
> @@ -376,9 +410,13 @@ File location options:
>    --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE)
>    --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE)
>    --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address
> (default: $DB_NB_SYNC_FROM_ADDR)
> -  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port
> (default: $DB_NB_SYNC_FROM_PORT)
> +  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default:
> $DB_NB_SYNC_FROM_PORT)
> +  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport
> (default: $DB_NB_SYNC_FROM_PROTO)
> +  --db-nb-default-remote=yes|no Use OVN Northbound default remote
> connection (default: $DB_NB_DEFAULT_REMOTE)
>    --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address
> (default: $DB_SB_SYNC_FROM_ADDR)
>    --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default:
> $DB_SB_SYNC_FROM_PORT)
> +  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport
> (default: $DB_SB_SYNC_FROM_PROTO)
> +  --db-sb-default-remote=yes|no Use OVN Southbound default remote
> connection (default: $DB_SB_DEFAULT_REMOTE)
>
>  Default directories with "configure" option and environment variable
> override:
>    logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
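
Review bot: `--db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address` and the matching port lines still say "tcp" although the transport is now selectable with `--db-nb-sync-from-proto`, and the new PROTO lines should list the accepted values (tcp|ssl). The pre-existing `--db-sb-sync-from-port=ADDR` (should be `PORT`) sits in context right beside the `Northdbound` fix and could be corrected in the same pass. "Use OVN Northbound default remote connection" does not tell the user that this is an unauthenticated `ptcp` listener on `$DB_NB_ADDR:$DB_NB_PORT`.
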
> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> index ff7366c..f329f74 100644
> --- a/ovn/utilities/ovn-ctl.8.xml
> +++ b/ovn/utilities/ovn-ctl.8.xml
> @@ -43,12 +43,19 @@
>      <p><code>--db-sb-file==<var>FILE</var></code></p>
>      <p><code>--db-nb-schema==<var>FILE</var></code></p>
>      <p><code>--db-sb-schema==<var>FILE</var></code></p>
> +    <p><code>--db-sb-default-remote==<var>yes|no</var></code></p>
> +    <p><code>--db-nb-default-remote==<var>yes|no</var></code></p>
> +    <p><code>--ovn-controller-ssl-key==<var>KEY</var></code></p>
> +    <p><code>--ovn-controller-ssl-cert==<var>CERT</var></code></p>
> +    <p><code>--ovn-controller-ssl-ca-cert==<var>CERT</var></code></p>
>
>      <h1>Address and port options</h1>
>      <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>      <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
> +    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
>      <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>      <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
> +    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
>
>      <h1>Configuration files</h1>
>      <p>Following are the optional configuration files. If present, it
> should be located in the etc dir</p>
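
Review bot: the five new `<p><code>` lines copy the doubled equals sign from the existing `--db-sb-file==` entries (`--db-sb-default-remote==<var>yes|no</var>`), so the man page will render `--db-sb-default-remote==yes|no`; use a single `=` here and ideally fix the surrounding lines. Each option is listed without any description, so the man page never says that `--db-*-default-remote=yes` opens a plain TCP listener or which values `PROTO` accepts; a sentence per option, or a pointer to the `--help` text, would do.
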
> --
> 2.5.5
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
Lance Richardson Dec. 8, 2016, 1:37 p.m. UTC | #2
> From: "Numan Siddique" <nusiddiq@redhat.com>
> To: "Lance Richardson" <lrichard@redhat.com>
> Cc: "ovs dev" <dev@openvswitch.org>
> Sent: Thursday, December 8, 2016 8:01:07 AM
> Subject: Re: [ovs-dev] [PATCH 3/3] ovn-ctl: add support for SSL nb/sb db connections
> 
> On Thu, Dec 1, 2016 at 9:07 PM, Lance Richardson <lrichard@redhat.com>
> wrote:
> 
> 
> You think it's good to add the remote defined in $DB_NB_ADDR/$DB_NB_PORT
> into the Connection table by this script if $DB_NB_DEFAULT_REMOTE is set
> to No.
> 

Hi Numan,

This would imply that unauthenticated/insecure remote access to the
NB database is always available.

Users wanting to use SSL for the NB database connection are likely
to be concerned about security and authentication for this connection,
having a default parallel connection path with unrestricted access
would make the use of SSL pointless.

An alternative that would preserve existing behavior would be to
have users needing SSL set e.g. "DB_NB_NO_DEFAULT_REMOTE=yes" in
their environment, but this would be error-prone. It seems better
to err on the side of security by default.

Regards,

   Lance

Russell Bryant Dec. 8, 2016, 2:14 p.m. UTC | #3
On Thu, Dec 8, 2016 at 8:37 AM, Lance Richardson <lrichard@redhat.com>
wrote:

> > From: "Numan Siddique" <nusiddiq@redhat.com>
> > To: "Lance Richardson" <lrichard@redhat.com>
> > Cc: "ovs dev" <dev@openvswitch.org>
> > Sent: Thursday, December 8, 2016 8:01:07 AM
> > Subject: Re: [ovs-dev] [PATCH 3/3] ovn-ctl: add support for SSL nb/sb db
> connections
> >
> > On Thu, Dec 1, 2016 at 9:07 PM, Lance Richardson <lrichard@redhat.com>
> > wrote:
> >
> > You think it's good to add the remote defined in $DB_NB_ADDR/$DB_NB_PORT
> > into the Connection table by this script if $DB_NB_DEFAULT_REMOTE is set
> > to No.
> >
>
> Hi Numan,
>
> This would imply that unauthenticated/insecure remote access to the
> NB database is always available.
>
> Users wanting to use SSL for the NB database connection are likely
> to be concerned about security and authentication for this connection,
> having a default parallel connection path with unrestricted access
> would make the use of SSL pointless.
>
> An alternative that would preserve existing behavior would be to
> have users needing SSL set e.g. "DB_NB_NO_DEFAULT_REMOTE=yes" in
> their environment, but this would be error-prone. It seems better
> to err on the side of security by default.
>
>
I was looking at this with Numan and thought of another idea.

What would you think of changing the DEFAULT_REMOTE option to be
CREATE_REMOTE to more clearly indicate that the option is telling ovn-ctl
that we want it to go ahead and set up a remote for us.

When CREATE_REMOTE is "yes", instead of adding it to the ovsdb-server
command line, how about we add it to the Connection table.  That way we
can add support for some additional options.  This came up from our need to
set the inactivity_probe option.  Presumably we could add some more options
to this script to let you enable SSL through options, as well.

Numan had a start at a patch doing something like this here, but it
probably makes sense to just integrate with your patch.

https://github.com/numansiddique/overcloud_image_for_ovn/blob/master/patches/ovs-0005-ovn-ctl-Add-remotes-in-Connection-table-of-NB-and-SB.patch


Lance Richardson Dec. 8, 2016, 3:04 p.m. UTC | #4
> From: "Russell Bryant" <russell@ovn.org>

> What would you think of changing the DEFAULT_REMOTE option to be
> CREATE_REMOTE to more clearly indicate that the option is telling ovn-ctl
> that we want it to go ahead and set up a remote for us.
> 

Sounds good, I think CREATE_REMOTE is a better name.

> When CREATE_REMOTE is "yes", instead of adding it to the ovsdb-server
> command line, how about we add it to to the Connection table.  That way we
> can add support for some additional options.  This came up from our need to

Makes sense, having the remote configuration in the db would give us more
flexibility.

> set the inactivity_probe option.  Presumably we could add some more options
> to this script to let you enable SSL through options, as well.
> 
> Numan had a start at a patch doing something like this here, but it
> probably makes sense to just integrate with your patch.
> 
> https://github.com/numansiddique/overcloud_image_for_ovn/blob/master/patches/ovs-0005-ovn-ctl-Add-remotes-in-Connection-table-of-NB-and-SB.patch
> 

Thanks, I will steal some of that :-)

I'll incorporate and post v2 shortly.

Thanks,

   Lance

> 
> > Regards,
> >
> >    Lance
> >
> > > Some thing like below
> > >
> > > #########
> > > if test X"$DB_NB_DEFAULT_REMOTE" = Xno; then
> > >    ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR"
> > > fi
> > > ​#########
> > >
> > > ​Thanks
> > > Numan
> > > ​
> > >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
> 
> 
> 
> --
> Russell Bryant
>
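Russell's suggestion above (create the remote from the Connection table and expose SSL through ovn-ctl options) leaves the script assembling more daemon arguments from user-supplied variables, so the values need checking before they are passed on. The POSIX sh helpers below are an added example, not code from the patch or from ovn-ctl itself: they accept the key/certificate/CA triple only when it is complete, limit the sync-from transport to tcp or ssl, and emit each database's opt-in passive remote only for an explicit yes, keyed on that database's own flag. The function names ovn_ssl_args, ovn_sync_from_remote and ovn_default_remote are hypothetical, as are the /etc/ovn/*.pem paths used in the usage.

```shell
#!/bin/sh
# Added example, not code from the ovn-ctl patch: argument assembly for the
# NB/SB ovsdb-server and ovn-controller invocations with the input checks
# that ovn-ctl-style variables need.  Function names are hypothetical.

# ovn_ssl_args KEY CERT CA_CERT
#   Prints one --private-key/--certificate/--ca-cert argument per line when
#   all three files are given, prints nothing when none is given, and fails
#   when the triple is only partly set, instead of handing the daemon an
#   option such as "--ca-cert=" with an empty value.
ovn_ssl_args() {
    ssl_key=$1 ssl_cert=$2 ssl_ca=$3
    ssl_n=0
    for ssl_v in "$ssl_key" "$ssl_cert" "$ssl_ca"; do
        if [ -n "$ssl_v" ]; then
            ssl_n=$((ssl_n + 1))
        fi
    done
    case $ssl_n in
        0) return 0 ;;
        3) printf '%s\n' "--private-key=$ssl_key" \
                         "--certificate=$ssl_cert" \
                         "--ca-cert=$ssl_ca" ;;
        *) echo "ssl-key, ssl-cert and ssl-ca-cert must be set together" >&2
           return 1 ;;
    esac
}

# ovn_sync_from_remote PROTO ADDR PORT
#   Prints the active-database target written to the *_active.conf file.
#   Only tcp and ssl make sense there, so any other transport is rejected
#   before it reaches the file; an empty ADDR means no active database is
#   configured and nothing is printed.
ovn_sync_from_remote() {
    sync_proto=$1 sync_addr=$2 sync_port=$3
    case $sync_proto in
        tcp|ssl) ;;
        *) echo "unsupported sync-from transport: '$sync_proto'" >&2
           return 1 ;;
    esac
    [ -n "$sync_addr" ] || return 0
    printf '%s:%s:%s\n' "$sync_proto" "$sync_addr" "$sync_port"
}

# ovn_default_remote CREATE PROTO PORT ADDR
#   Prints the opt-in passive remote (--remote=ptcp:PORT:ADDR or
#   --remote=pssl:PORT:ADDR) only for CREATE=yes.  The SB caller passes the
#   SB flag and the NB caller the NB flag, and the flag itself is checked,
#   so "YES" or "true" is reported as an error rather than read as "no".
ovn_default_remote() {
    dr_create=$1 dr_proto=$2 dr_port=$3 dr_addr=$4
    case $dr_create in
        yes)
            case $dr_proto in
                tcp|ssl) printf '%s\n' "--remote=p$dr_proto:$dr_port:$dr_addr" ;;
                *) echo "unsupported remote transport: '$dr_proto'" >&2
                   return 1 ;;
            esac ;;
        no) ;;
        *) echo "create-remote must be yes or no, got '$dr_create'" >&2
           return 1 ;;
    esac
}
```

Each helper prints one argument per line, so a caller in ovn-ctl's style can collect the words with `set -- $(ovn_ssl_args "$KEY" "$CERT" "$CA") || exit 1` and append them with `set "$@" ...`, while a partially set triple or a mistyped transport stops the start-up with a message instead of a daemon that fails later.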

Patch

diff --git a/NEWS b/NEWS
index 3a33abf..9ac8808 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,11 @@  Post-v2.6.0
      * Support for source IP address based routing.
      * Support for managing SSL and remote connection configuration in
        northbound and southbound databases.
+     * TCP connections to northbound and southbound databases are no
+       longer enabled by default and must be explicitly configured.
+       See documentation for ovn-sbctl/ovn-nbctl "set-connection" command
+       or ovn-ctl "--db-sb-default-remote"/"--db-nb-default-remote"
+       options for information regarding enabling TCP connections.
    - Fixed regression in table stats maintenance introduced in OVS
      2.3.0, wherein the number of OpenFlow table hits and misses was
      not accurate.
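Review bot: the NEWS entry names the "--db-sb-default-remote"/"--db-nb-default-remote" options, which the thread above has already agreed to rename to a create-remote form for v2; keep this text in step with that rename so the release notes do not point at an option that will not exist. It would also help upgraders if the entry spelled out the consequence: a deployment that relied on the previous implicit ptcp remotes has no network-reachable NB/SB remote after the upgrade until one of the two listed steps is taken.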
diff --git a/manpages.mk b/manpages.mk
index 11ec023..742bd66 100644
--- a/manpages.mk
+++ b/manpages.mk
@@ -10,6 +10,8 @@  ovn/utilities/ovn-sbctl.8: \
 	lib/table.man \
 	lib/vlog.man \
 	ovsdb/remote-active.man \
+	ovsdb/remote-active.man \
+	ovsdb/remote-passive.man \
 	ovsdb/remote-passive.man
 ovn/utilities/ovn-sbctl.8.in:
 lib/common.man:
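Review bot: the two added lines duplicate dependencies that are already in the list (`ovsdb/remote-active.man \` now appears twice and `ovsdb/remote-passive.man` twice). manpages.mk is a generated file, so the duplicates most likely mean ovn-sbctl.8.in now pulls in the same .man fragments by two paths; make tolerates the repetition, but please confirm this hunk (and the matching empty-rule hunk below) is exactly what regeneration produces rather than a hand edit, otherwise the next regeneration will churn it.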
@@ -20,6 +22,8 @@  lib/ssl.man:
 lib/table.man:
 lib/vlog.man:
 ovsdb/remote-active.man:
+ovsdb/remote-active.man:
+ovsdb/remote-passive.man:
 ovsdb/remote-passive.man:
 
 ovsdb/ovsdb-client.1: \
diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 73e78e5..4dade90 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -50,7 +50,7 @@  stop_ovsdb () {
 
 demote_ovnnb() {
     if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
-        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
+        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
     fi
 
     if test -e $ovnnb_active_conf_file; then
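Review bot: `$DB_NB_SYNC_FROM_PROTO` is interpolated into the active-connection file without validation, so a mistyped or empty value from an environment override yields a target the backup ovsdb-server cannot use, and the failure only shows up later in the server log. Suggest validating it once where the option is parsed (accept tcp and ssl, reject anything else with an error) rather than at each of the four places the variable is expanded in this patch.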
@@ -64,7 +64,7 @@  demote_ovnnb() {
 
 demote_ovnsb() {
     if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
-        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
+        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
     fi
 
     if test -e $ovnsb_active_conf_file; then
@@ -93,15 +93,21 @@  start_ovsdb () {
 
         set ovsdb-server
 
-        set "$@" --detach --monitor $OVN_NB_LOG \
-            --log-file=$OVN_NB_LOGFILE \
-            --remote=punix:$DB_NB_SOCK \
-            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
-            --pidfile=$DB_NB_PID \
-            --unixctl=ovnnb_db.ctl
+        set "$@" --detach --monitor
+        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
+        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
+        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
+        set "$@" --unixctl=ovnnb_db.ctl
+        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
+        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
+        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
+
+        if test X"$DB_NB_DEFAULT_REMOTE" = Xyes; then
+            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
+        fi
 
         if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
-            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
+            echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
         fi
 
         if test -e $ovnnb_active_conf_file; then
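Review bot: the opt-in remote is still a plaintext `--remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR` on the `DB_NB_ADDR=0.0.0.0` default, i.e. an unauthenticated listener on every interface, which is exactly the exposure the rest of the patch makes opt-in; since the thread above already agreed to create the remote through the Connection table, that is also the place to let the user choose pssl and a bind address. Two smaller points: the `= Xyes` comparison silently treats "YES", "true" or a typo as no, so the option parser should reject anything but yes/no; and with the SSL material now read through `--private-key=db:OVN_Northbound,SSL,private_key` (and the certificate and CA likewise), whoever can write the database over `punix:$DB_NB_SOCK` also decides which key and certificate the server loads, so the socket's permissions deserve the same care as the database file.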
@@ -118,15 +124,21 @@  start_ovsdb () {
 
         set ovsdb-server
 
-        set "$@" --detach --monitor $OVN_SB_LOG \
-            --log-file=$OVN_SB_LOGFILE \
-            --remote=punix:$DB_SB_SOCK \
-            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
-            --pidfile=$DB_SB_PID \
-            --unixctl=ovnsb_db.ctl
+        set "$@" --detach --monitor
+        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
+        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
+        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
+        set "$@" --unixctl=ovnsb_db.ctl
+        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
+        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
+        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
+
+        if test X"$DB_NB_DEFAULT_REMOTE" = Xyes; then
+            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
+        fi
 
         if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
-            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
+            echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
         fi
 
         if test -e $ovnsb_active_conf_file; then
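Review bot: copy-paste bug in the new conditional: it tests `X"$DB_NB_DEFAULT_REMOTE" = Xyes` but adds `--remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR`. As written `--db-sb-default-remote=yes` has no effect, and `--db-nb-default-remote=yes` on its own opens both the NB and the SB plaintext listeners, contrary to the NEWS entry and the help text. Change the test to `$DB_SB_DEFAULT_REMOTE`.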
@@ -208,12 +220,22 @@  start_northd () {
 start_controller () {
     set ovn-controller "unix:$DB_SOCK"
     set "$@" $OVN_CONTROLLER_LOG
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
 start_controller_vtep () {
     set ovn-controller-vtep "unix:$DB_SOCK"
     set "$@" -vconsole:emer -vsyslog:err -vfile:info
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
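Review bot: the SSL options are gated only on `OVN_CONTROLLER_SSL_CERT`, so `--ovn-controller-ssl-cert=...` without the key or CA file passes `--private-key=` and `--ca-cert=` with empty values to ovn-controller and the error only surfaces when the daemon tries to open its SB connection. Require all three together (fail in the option parser, or here, when only some are set). The same five-line block is repeated verbatim for ovn-controller-vtep; a small helper that appends the three options would keep the two call sites from drifting apart.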
@@ -275,6 +297,7 @@  set_defaults () {
     DB_NB_FILE=$dbdir/ovnnb_db.db
     DB_NB_ADDR=0.0.0.0
     DB_NB_PORT=6641
+    DB_NB_SYNC_FROM_PROTO=tcp
     DB_NB_SYNC_FROM_ADDR=
     DB_NB_SYNC_FROM_PORT=6641
 
@@ -283,6 +306,7 @@  set_defaults () {
     DB_SB_FILE=$dbdir/ovnsb_db.db
     DB_SB_ADDR=0.0.0.0
     DB_SB_PORT=6642
+    DB_SB_SYNC_FROM_PROTO=tcp
     DB_SB_SYNC_FROM_ADDR=
     DB_SB_SYNC_FROM_PORT=6642
 
@@ -307,6 +331,13 @@  set_defaults () {
     OVN_SB_LOG="-vconsole:off"
     OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
     OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
+
+    OVN_CONTROLLER_SSL_KEY=""
+    OVN_CONTROLLER_SSL_CERT=""
+    OVN_CONTROLLER_SSL_CA_CERT=""
+
+    DB_SB_DEFAULT_REMOTE="no"
+    DB_NB_DEFAULT_REMOTE="no"
 }
 
 set_option () {
@@ -350,6 +381,9 @@  Options:
   --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
   --ovn-controller-priority=NICE     set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY)
   --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
+  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
+  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
+  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
   --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
                                    automatically started and stopped along
                                    with ovn-northd. The default is "yes". If
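Review bot: the descriptions "OVN Southbound SSL private key file" (and likewise for cert and CA cert) read as if these were the SB database server's credentials; they are the client-side key, certificate and CA that ovn-controller and ovn-controller-vtep present when connecting to the SB database, while the server side takes its SSL configuration from the database's SSL table (the `--private-key=db:OVN_Southbound,SSL,...` options above). Reword along those lines, and pad the option column so the three entries line up with the neighbouring ones.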
@@ -376,9 +410,13 @@  File location options:
   --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE)
   --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE)
   --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR)
-  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
+  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
+  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO)
+  --db-nb-default-remote=yes|no Use OVN Northbound default remote connection (default: $DB_NB_DEFAULT_REMOTE)
   --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR)
   --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT)
+  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO)
+  --db-sb-default-remote=yes|no Use OVN Southbound default remote connection (default: $DB_SB_DEFAULT_REMOTE)
 
 Default directories with "configure" option and environment variable override:
   logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
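Review bot: now that the transport is selectable through --db-nb-sync-from-proto/--db-sb-sync-from-proto, the sync-from-addr and sync-from-port descriptions that still say "tcp address" and "tcp port" are out of date; the PROTO descriptions should also list the accepted values (tcp, the default, and ssl). While this block is being edited, the pre-existing `--db-sb-sync-from-port=ADDR` placeholder should read PORT, matching the NB line above it.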
diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
index ff7366c..f329f74 100644
--- a/ovn/utilities/ovn-ctl.8.xml
+++ b/ovn/utilities/ovn-ctl.8.xml
@@ -43,12 +43,19 @@ 
     <p><code>--db-sb-file==<var>FILE</var></code></p>
     <p><code>--db-nb-schema==<var>FILE</var></code></p>
     <p><code>--db-sb-schema==<var>FILE</var></code></p>
+    <p><code>--db-sb-default-remote==<var>yes|no</var></code></p>
+    <p><code>--db-nb-default-remote==<var>yes|no</var></code></p>
+    <p><code>--ovn-controller-ssl-key==<var>KEY</var></code></p>
+    <p><code>--ovn-controller-ssl-cert==<var>CERT</var></code></p>
+    <p><code>--ovn-controller-ssl-ca-cert==<var>CERT</var></code></p>
 
     <h1>Address and port options</h1>
     <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
     <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
+    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
     <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
     <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
+    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
 
     <h1>Configuration files</h1>
     <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>
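Review bot: the new entries copy the doubled `==` from the pre-existing `--db-sb-file==` lines (`--db-sb-default-remote==<var>yes|no</var>` and the four that follow), which ends up as a literal `==` in the rendered man page; the "Address and port options" entries directly below use a single `=`, which is the right form. The man page also lists the new options without saying what they do: at minimum state which values PROTO accepts and that the three --ovn-controller-ssl-* options must be given together.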