Message ID | 1480606643-23301-1-git-send-email-lrichard@redhat.com |
---|---|
State | Superseded |
On Thu, Dec 1, 2016 at 9:07 PM, Lance Richardson <lrichard@redhat.com> wrote: > Add support for SSL connections to OVN northbound and/or > southbound databases. > > To improve security, the NB and SB ovsdb daemons no longer > have open ptcp connections by default. This is a change in > behavior from previous versions, users wishing to use TCP > connections to the NB/SB daemons can either request that > a passive TCP connection be used via ovn-ctl command-line > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup > scripts): > > --db-sb-default-remote=yes > --db-nb-default-remote=yes > > Or configure a connection after the NB/SB daemons have been > started, e.g.: > > ovn-sbctl set-connection ptcp:6642 > ovn-nbctl set-connection ptcp:6641 > > Users desiring SSL database connections will need to generate certificates > and private key as described in INSTALL.SSL.rst and perform the following > one-time configuration steps: > > ovn-sbctl set-ssl <private-key> <certificate> <ca-cert> > ovn-sbctl set-connection pssl:6642 > ovn-nbctl set-ssl <private-key> <certificate> <ca-cert> > ovn-nbctl set-connection pssl:6641 > > On the ovn-controller and ovn-controller-vtep side, SSL configuration > must be provided on the command-line when the daemons are started, this > should be provided via the following command-line options (e.g. via > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts): > > --ovn-controller-ssl-key=<private-key> > --ovn-controller-ssl-cert=<certificate> > --ovn-controller-ssl-ca-cert=<ca-cert> > > The SB database connection should also be configured to use SSL, e.g.: > > ovs-vsctl set Open_vSwitch . \ > external-ids:ovn-remote=ssl:w.x.y.z:6642 > > Signed-off-by: Lance Richardson <lrichard@redhat.com> > --- > NEWS | 5 ++++ > manpages.mk | 4 +++ > ovn/utilities/ovn-ctl | 72 ++++++++++++++++++++++++++++++ > ++++----------- > ovn/utilities/ovn-ctl.8.xml | 7 +++++ > 4 files changed, 71 insertions(+), 17 deletions(-) 
> > diff --git a/NEWS b/NEWS > index 3a33abf..9ac8808 100644 > --- a/NEWS > +++ b/NEWS > @@ -9,6 +9,11 @@ Post-v2.6.0 > * Support for source IP address based routing. > * Support for managing SSL and remote connection configuration in > northbound and southbound databases. > + * TCP connections to northbound and southbound databases are no > + longer enabled by default and must be explicitly configured. > + See documentation for ovn-sbctl/ovn-nbctl "set-connection" command > + or ovn-ctl "--db-sb-default-remote"/"--db-nb-default-remote" > + options for information regarding enabling TCP connections. > - Fixed regression in table stats maintenance introduced in OVS > 2.3.0, wherein the number of OpenFlow table hits and misses was > not accurate. > diff --git a/manpages.mk b/manpages.mk > index 11ec023..742bd66 100644 > --- a/manpages.mk > +++ b/manpages.mk > @@ -10,6 +10,8 @@ ovn/utilities/ovn-sbctl.8: \ > lib/table.man \ > lib/vlog.man \ > ovsdb/remote-active.man \ > + ovsdb/remote-active.man \ > + ovsdb/remote-passive.man \ > ovsdb/remote-passive.man > ovn/utilities/ovn-sbctl.8.in: > lib/common.man: > @@ -20,6 +22,8 @@ lib/ssl.man: > lib/table.man: > lib/vlog.man: > ovsdb/remote-active.man: > +ovsdb/remote-active.man: > +ovsdb/remote-passive.man: > ovsdb/remote-passive.man: > > ovsdb/ovsdb-client.1: \ > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl > index 73e78e5..4dade90 100755 > --- a/ovn/utilities/ovn-ctl > +++ b/ovn/utilities/ovn-ctl > @@ -50,7 +50,7 @@ stop_ovsdb () { > > demote_ovnnb() { > if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > $ovnnb_active_conf_file > + echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > $ovnnb_active_conf_file > fi > > if test -e $ovnnb_active_conf_file; then 
> @@ -64,7 +64,7 @@ demote_ovnnb() { > > demote_ovnsb() { > if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > $ovnsb_active_conf_file > + echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > $ovnsb_active_conf_file > fi > > if test -e $ovnsb_active_conf_file; then > @@ -93,15 +93,21 @@ start_ovsdb () { > > set ovsdb-server > > - set "$@" --detach --monitor $OVN_NB_LOG \ > - --log-file=$OVN_NB_LOGFILE \ > - --remote=punix:$DB_NB_SOCK \ > - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ > - --pidfile=$DB_NB_PID \ > - --unixctl=ovnnb_db.ctl > + set "$@" --detach --monitor > + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE > + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID > + set "$@" --remote=db:OVN_Northbound,NB_Global,connections > + set "$@" --unixctl=ovnnb_db.ctl > + set "$@" --private-key=db:OVN_Northbound,SSL,private_key > + set "$@" --certificate=db:OVN_Northbound,SSL,certificate > + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert > + > + if test X"$ > > DB_NB_DEFAULT_REMOTE" = Xyes; then > + set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR > + fi >
Do you think it's good to add the remote defined in $DB_NB_ADDR/$DB_NB_PORT into the Connection table by this script if $DB_NB_DEFAULT_REMOTE is set to No? Something like below ######### if test X"$DB_NB_DEFAULT_REMOTE" = Xno; then ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR" fi ######### Thanks Numan
> if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > $ovnnb_active_conf_file > + echo "$DB_NB_SYNC_FROM_PROTO:$DB_ > NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file > fi > > if test -e $ovnnb_active_conf_file; then
> @@ -118,15 +124,21 @@ start_ovsdb () { > > set ovsdb-server > > - set "$@" --detach --monitor $OVN_SB_LOG \ > - --log-file=$OVN_SB_LOGFILE \ > - --remote=punix:$DB_SB_SOCK \ > - --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \ > - --pidfile=$DB_SB_PID \ > - --unixctl=ovnsb_db.ctl > + set "$@" --detach --monitor > + set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE > + set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID > + set "$@" --remote=db:OVN_Southbound,SB_Global,connections > + set "$@" --unixctl=ovnsb_db.ctl > + set "$@" --private-key=db:OVN_Southbound,SSL,private_key > + set "$@" --certificate=db:OVN_Southbound,SSL,certificate > + set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert > + > + if test X"$DB_NB_DEFAULT_REMOTE" = Xyes; then > + set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR > + fi > > if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > $ovnsb_active_conf_file > + echo "$DB_SB_SYNC_FROM_PROTO:$DB_ > SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file > fi > > if test -e $ovnsb_active_conf_file; then > @@ -208,12 +220,22 @@ start_northd () { > start_controller () { > set ovn-controller "unix:$DB_SOCK" > set "$@" $OVN_CONTROLLER_LOG > + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then > + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY > + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT > + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT > + fi > OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" > "$OVN_CONTROLLER_WRAPPER" "$@" > } > > start_controller_vtep () { > set ovn-controller-vtep "unix:$DB_SOCK" > set "$@" -vconsole:emer -vsyslog:err -vfile:info > + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then > + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY > + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT > + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT > + fi > OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" > "$OVN_CONTROLLER_WRAPPER" "$@" > } 
> > @@ -275,6 +297,7 @@ set_defaults () { > DB_NB_FILE=$dbdir/ovnnb_db.db > DB_NB_ADDR=0.0.0.0 > DB_NB_PORT=6641 > + DB_NB_SYNC_FROM_PROTO=tcp > DB_NB_SYNC_FROM_ADDR= > DB_NB_SYNC_FROM_PORT=6641 > > @@ -283,6 +306,7 @@ set_defaults () { > DB_SB_FILE=$dbdir/ovnsb_db.db > DB_SB_ADDR=0.0.0.0 > DB_SB_PORT=6642 > + DB_SB_SYNC_FROM_PROTO=tcp > DB_SB_SYNC_FROM_ADDR= > DB_SB_SYNC_FROM_PORT=6642 > > @@ -307,6 +331,13 @@ set_defaults () { > OVN_SB_LOG="-vconsole:off" > OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log" > OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log" > + > + OVN_CONTROLLER_SSL_KEY="" > + OVN_CONTROLLER_SSL_CERT="" > + OVN_CONTROLLER_SSL_CA_CERT="" > + > + DB_SB_DEFAULT_REMOTE="no" > + DB_NB_DEFAULT_REMOTE="no" > } > > set_option () { > @@ -350,6 +381,9 @@ Options: > --ovn-northd-wrapper=WRAPPER run with a wrapper like valgrind for > debugging > --ovn-controller-priority=NICE set ovn-northd's niceness (default: > $OVN_CONTROLLER_PRIORITY) > --ovn-controller-wrapper=WRAPPER run with a wrapper like valgrind > for debugging > + --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file > + --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file > + --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate > file > --ovn-manage-ovsdb=yes|no Whether or not the OVN databases > should be > automatically started and stopped along > with ovn-northd. The default is "yes". > If 
> @@ -376,9 +410,13 @@ File location options: > --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE) > --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE) > --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address > (default: $DB_NB_SYNC_FROM_ADDR) > - --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port > (default: $DB_NB_SYNC_FROM_PORT) > + --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: > $DB_NB_SYNC_FROM_PORT) > + --db-nb-sync-from-proto=PROTO OVN Northbound active db transport > (default: $DB_NB_SYNC_FROM_PROTO) > + --db-nb-default-remote=yes|no Use OVN Northbound default remote > connection (default: $DB_NB_DEFAULT_REMOTE) > --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address > (default: $DB_SB_SYNC_FROM_ADDR) > --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: > $DB_SB_SYNC_FROM_PORT) > + --db-sb-sync-from-proto=PROTO OVN Southbound active db transport > (default: $DB_SB_SYNC_FROM_PROTO) > + --db-sb-default-remote=yes|no Use OVN Southbound default remote > connection (default: $DB_SB_DEFAULT_REMOTE) > > Default directories with "configure" option and environment variable > override: > logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR) > diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml > index ff7366c..f329f74 100644 > --- a/ovn/utilities/ovn-ctl.8.xml > +++ b/ovn/utilities/ovn-ctl.8.xml 
> @@ -43,12 +43,19 @@ > <p><code>--db-sb-file==<var>FILE</var></code></p> > <p><code>--db-nb-schema==<var>FILE</var></code></p> > <p><code>--db-sb-schema==<var>FILE</var></code></p> > + <p><code>--db-sb-default-remote==<var>yes|no</var></code></p> > + <p><code>--db-nb-default-remote==<var>yes|no</var></code></p> > + <p><code>--ovn-controller-ssl-key==<var>KEY</var></code></p> > + <p><code>--ovn-controller-ssl-cert==<var>CERT</var></code></p> > + <p><code>--ovn-controller-ssl-ca-cert==<var>CERT</var></code></p> > > <h1>Address and port options</h1> > <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p> > <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p> > + <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p> > <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p> > <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p> > + <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p> > > <h1>Configuration files</h1> > <p>Following are the optional configuration files. If present, it > should be located in the etc dir</p> > -- > 2.5.5 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
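Review bot: the five new <p><code> entries in the ovn-ctl.8.xml hunk copy the doubled `==` of the surrounding `--db-sb-file==FILE` lines (`--db-sb-default-remote==yes|no`, `--ovn-controller-ssl-key==KEY`, ...), while the two `--db-*-sync-from-proto=PROTO` entries added in the same hunk use the single `=` the script actually parses. Use a single `=` for the new entries (fixing the pre-existing ones in the same hunk would be welcome), and give each new option a sentence saying what it does; as the context lines show, the man page currently lists option names only, so a reader cannot learn from it that `--db-*-default-remote=yes` opens an unauthenticated TCP listener.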
> 
From: "Numan Siddique" <nusiddiq@redhat.com> > To: "Lance Richardson" <lrichard@redhat.com> > Cc: "ovs dev" <dev@openvswitch.org> > Sent: Thursday, December 8, 2016 8:01:07 AM > Subject: Re: [ovs-dev] [PATCH 3/3] ovn-ctl: add support for SSL nb/sb db connections > > On Thu, Dec 1, 2016 at 9:07 PM, Lance Richardson <lrichard@redhat.com> > wrote: > > > Add support for SSL connections to OVN northbound and/or > > southbound databases. > > > > To improve security, the NB and SB ovsdb daemons no longer > > have open ptcp connections by default. This is a change in > > behavior from previous versions, users wishing to use TCP > > connections to the NB/SB daemons can either request that > > a passive TCP connection be used via ovn-ctl command-line > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup > > scripts): > > > > --db-sb-default-remote=yes > > --db-nb-default-remote=yes > > > > Or configure a connection after the NB/SB daemons have been > > started, e.g.: > > > > ovn-sbctl set-connection ptcp:6642 > > ovn-nbctl set-connection ptcp:6641 > > > > Users desiring SSL database connections will need to generate certificates > > and private key as described in INSTALL.SSL.rst and perform the following > > one-time configuration steps: > > > > ovn-sbctl set-ssl <private-key> <certificate> <ca-cert> > > ovn-sbctl set-connection pssl:6642 > > ovn-nbctl set-ssl <private-key> <certificate> <ca-cert> > > ovn-nbctl set-connection pssl:6641 > > > > On the ovn-controller and ovn-controller-vtep side, SSL configuration > > must be provided on the command-line when the daemons are started, this > > should be provided via the following command-line options (e.g. via > > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts): > > > > --ovn-controller-ssl-key=<private-key> > > --ovn-controller-ssl-cert=<certificate> > > --ovn-controller-ssl-ca-cert=<ca-cert> > > > > The SB database connection should also be configured to use SSL, e.g.: > > > > ovs-vsctl set Open_vSwitch . 
\ > > external-ids:ovn-remote=ssl:w.x.y.z:6642 > > > > Signed-off-by: Lance Richardson <lrichard@redhat.com> > > --- > > NEWS | 5 ++++ > > manpages.mk | 4 +++ > > ovn/utilities/ovn-ctl | 72 ++++++++++++++++++++++++++++++ > > ++++----------- > > ovn/utilities/ovn-ctl.8.xml | 7 +++++ > > 4 files changed, 71 insertions(+), 17 deletions(-) > > > > diff --git a/NEWS b/NEWS > > index 3a33abf..9ac8808 100644 > > --- a/NEWS > > +++ b/NEWS > > @@ -9,6 +9,11 @@ Post-v2.6.0 > > * Support for source IP address based routing. > > * Support for managing SSL and remote connection configuration in > > northbound and southbound databases. > > + * TCP connections to northbound and southbound databases are no > > + longer enabled by default and must be explicitly configured. > > + See documentation for ovn-sbctl/ovn-nbctl "set-connection" command > > + or ovn-ctl "--db-sb-default-remote"/"--db-nb-default-remote" > > + options for information regarding enabling TCP connections. > > - Fixed regression in table stats maintenance introduced in OVS > > 2.3.0, wherein the number of OpenFlow table hits and misses was > > not accurate. > > diff --git a/manpages.mk b/manpages.mk > > index 11ec023..742bd66 100644 > > --- a/manpages.mk > > +++ b/manpages.mk > > @@ -10,6 +10,8 @@ ovn/utilities/ovn-sbctl.8: \ > > lib/table.man \ > > lib/vlog.man \ > > ovsdb/remote-active.man \ > > + ovsdb/remote-active.man \ > > + ovsdb/remote-passive.man \ > > ovsdb/remote-passive.man > > ovn/utilities/ovn-sbctl.8.in: > > lib/common.man: > > @@ -20,6 +22,8 @@ lib/ssl.man: > > lib/table.man: > > lib/vlog.man: > > ovsdb/remote-active.man: > > +ovsdb/remote-active.man: > > +ovsdb/remote-passive.man: > > ovsdb/remote-passive.man: > > > > ovsdb/ovsdb-client.1: \ > > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl > > index 73e78e5..4dade90 100755 > > --- a/ovn/utilities/ovn-ctl > > +++ b/ovn/utilities/ovn-ctl 
> > @@ -50,7 +50,7 @@ stop_ovsdb () { > > > > demote_ovnnb() { > > if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then > > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > > $ovnnb_active_conf_file > > + echo > > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > > $ovnnb_active_conf_file > > fi > > > > if test -e $ovnnb_active_conf_file; then > > @@ -64,7 +64,7 @@ demote_ovnnb() { > > > > demote_ovnsb() { > > if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then > > - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > > $ovnsb_active_conf_file > > + echo > > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > > $ovnsb_active_conf_file > > fi > > > > if test -e $ovnsb_active_conf_file; then 
> > @@ -93,15 +93,21 @@ start_ovsdb () { > > > > set ovsdb-server > > > > - set "$@" --detach --monitor $OVN_NB_LOG \ > > - --log-file=$OVN_NB_LOGFILE \ > > - --remote=punix:$DB_NB_SOCK \ > > - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ > > - --pidfile=$DB_NB_PID \ > > - --unixctl=ovnnb_db.ctl > > + set "$@" --detach --monitor > > + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE > > + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID > > + set "$@" --remote=db:OVN_Northbound,NB_Global,connections > > + set "$@" --unixctl=ovnnb_db.ctl > > + set "$@" --private-key=db:OVN_Northbound,SSL,private_key > > + set "$@" --certificate=db:OVN_Northbound,SSL,certificate > > + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert > > + > > + if test X"$ > > > > DB_NB_DEFAULT_REMOTE" = Xyes; then > > + set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR > > + fi > > > > You think its good to add the remote defined in $DB_NB_ADDR/$DB_NB_PORT > into the Connection table by this script if $ > > DB_NB_DEFAULT_REMOTE > is set to No. > Hi Numan, This would imply that unauthenticated/insecure remote access to the NB database is always available. Users wanting to use SSL for the NB database connection are likely to be concerned about security and authentication for this connection, having a default parallel connection path with unrestricted access would make the use of SSL pointless. An alternative that would preserve existing behavior would be to have users needing SSL set e.g. "DB_NB_NO_DEFAULT_REMOTE=yes" in their environment, but this would be error-prone. It seems better to err on the side of security by default. Regards, Lance > Some thing like below > > ######### > if test X"$DB_NB_DEFAULT_REMOTE" = Xno; then > ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR" > fi > ######### > > Thanks > Numan > >
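As an added example, not code from the patch or from the OVN project, the one-time SSL switch described in the commit message, scripted in POSIX sh, together with the check Lance's reply above calls for: after the NB/SB databases are moved to pssl:, confirm that no plaintext ptcp: path is left beside it, neither in the Connection table nor on the ovsdb-server command line (which is where `--db-nb-default-remote=yes`/`--db-sb-default-remote=yes` put it in this patch, invisible to get-connection). Assumed, and not taken from the page: the certificate file names under /etc/openvswitch, the pidfile names ovnnb_db.pid/ovnsb_db.pid in the run directory, the documentation address 192.0.2.10, and that get-connection prints one target per line.

```sh
#!/bin/sh
# Added example, not code from the ovn-ctl patch or the OVN project: the
# one-time SSL switch described in the commit message, plus the check the
# thread argues for (no plaintext path left next to the pssl: one).
#
# Assumed, not taken from the page:
#   - key/cert files generated per INSTALL.SSL.rst live in $OVN_PKI_DIR as
#     nb-privkey.pem/nb-cert.pem, sb-privkey.pem/sb-cert.pem,
#     chassis-privkey.pem/chassis-cert.pem and cacert.pem
#   - ovn-ctl's pidfiles are $OVN_RUNDIR/ovnnb_db.pid and ovnsb_db.pid
#   - "ovn-nbctl/ovn-sbctl get-connection" prints one target per line; any
#     word without a ':' (role information in newer releases) is ignored
OVN_PKI_DIR=${OVN_PKI_DIR:-/etc/openvswitch}
OVN_RUNDIR=${OVN_RUNDIR:-/var/run/openvswitch}
INACTIVITY_PROBE_MS=${INACTIVITY_PROBE_MS:-}    # optional Connection option, e.g. 60000

# Succeeds only if every target is a pssl: listener or a local punix: socket.
# One ptcp: beside pssl: is an unauthenticated path to the same data.
remotes_are_safe() {
    for target in $1; do
        case $target in
            *:*) ;;            # scheme:... is a target
            *) continue ;;     # role="..."/read-write words, not targets
        esac
        case $target in
            pssl:*|punix:*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Remotes passed on the ovsdb-server command line (what --db-*-default-remote=yes
# does in the patch) never appear in the Connection table, so the process
# arguments must be checked too.  Succeeds if a plaintext remote is present.
cmdline_has_plaintext_remote() {
    case " $1 " in
        *" --remote=ptcp:"*|*" --remote=tcp:"*) return 0 ;;
    esac
    return 1
}

# Command line of the ovsdb-server whose pidfile is $1 (POSIX ps).
ovsdb_cmdline() {
    ps -o args= -p "$(cat "$1")"
}

# The commit message's steps for one database.  $1 = nb|sb, $2 = port.
# Run on the database host: ovn-nbctl/ovn-sbctl default to the local punix
# socket, which keeps working after the TCP listener is gone.
enable_db_ssl() {
    db=$1 port=$2 ctl="ovn-${1}ctl"
    key=$OVN_PKI_DIR/$db-privkey.pem cert=$OVN_PKI_DIR/$db-cert.pem ca=$OVN_PKI_DIR/cacert.pem
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "$ctl: cannot read $f (see INSTALL.SSL.rst)" >&2; return 1; }
    done
    "$ctl" set-ssl "$key" "$cert" "$ca" || return 1
    # set-connection replaces the whole Connection table, so an earlier
    # ptcp:$port row (e.g. from the thread's set-connection suggestion) goes away.
    "$ctl" set-connection "pssl:$port" || return 1
    if [ -n "$INACTIVITY_PROBE_MS" ]; then
        "$ctl" set connection . inactivity_probe="$INACTIVITY_PROBE_MS" || return 1
    fi
    remotes_are_safe "$("$ctl" get-connection)" ||
        { echo "$ctl: a plaintext remote is still configured" >&2; return 1; }
    if cmdline_has_plaintext_remote "$(ovsdb_cmdline "$OVN_RUNDIR/ovn${db}_db.pid")"; then
        echo "$ctl: ovsdb-server was started with a ptcp remote (--db-$db-default-remote=yes?)" >&2
        return 1
    fi
}

# On every chassis: point ovn-controller at the SB database over SSL and print
# the ovn-ctl options it has to be (re)started with.  $1 = SB database host.
chassis_use_ssl() {
    ovs-vsctl set Open_vSwitch . "external-ids:ovn-remote=ssl:$1:6642" || return 1
    echo "add to OVN_CTL_OPTS / OVN_CONTROLLER_OPTS:" \
        "--ovn-controller-ssl-key=$OVN_PKI_DIR/chassis-privkey.pem" \
        "--ovn-controller-ssl-cert=$OVN_PKI_DIR/chassis-cert.pem" \
        "--ovn-controller-ssl-ca-cert=$OVN_PKI_DIR/cacert.pem"
}

case "${1:-}" in
    db)      enable_db_ssl nb 6641 && enable_db_ssl sb 6642 ;;
    chassis) chassis_use_ssl "${2:-192.0.2.10}" ;;    # 192.0.2.10: documentation address
    *)       ;;    # no argument: just define the functions, so the file can be sourced
esac
```

Run `sh ovn-ssl.sh db` once on the database host after the certificates exist, then `sh ovn-ssl.sh chassis <sb-host>` on each chassis and restart ovn-controller with the printed options, since the patch only reads them at start-up. Because ovsdb-server is given a CA certificate, it expects every client to present a certificate signed by that CA, so each chassis needs its own key pair rather than a copy of the database's. The command-line check matters because a ptcp: remote added through `--db-*-default-remote=yes` is exactly the parallel unauthenticated path Lance describes, and `get-connection` will never show it.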
On Thu, Dec 8, 2016 at 8:37 AM, Lance Richardson <lrichard@redhat.com> wrote: 
> > From: "Numan Siddique" <nusiddiq@redhat.com> > > To: "Lance Richardson" <lrichard@redhat.com> > > Cc: "ovs dev" <dev@openvswitch.org> > > Sent: Thursday, December 8, 2016 8:01:07 AM > > Subject: Re: [ovs-dev] [PATCH 3/3] ovn-ctl: add support for SSL nb/sb db > connections > > > > On Thu, Dec 1, 2016 at 9:07 PM, Lance Richardson <lrichard@redhat.com> > > wrote: > > > > > Add support for SSL connections to OVN northbound and/or > > > southbound databases. > > > > > > To improve security, the NB and SB ovsdb daemons no longer > > > have open ptcp connections by default. This is a change in > > > behavior from previous versions, users wishing to use TCP > > > connections to the NB/SB daemons can either request that > > > a passive TCP connection be used via ovn-ctl command-line > > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup > > > scripts): > > > > > > --db-sb-default-remote=yes > > > --db-nb-default-remote=yes > > > > > > Or configure a connection after the NB/SB daemons have been > > > started, e.g.: > > > > > > ovn-sbctl set-connection ptcp:6642 > > > ovn-nbctl set-connection ptcp:6641 > > > > > > Users desiring SSL database connections will need to generate > certificates > > > and private key as described in INSTALL.SSL.rst and perform the > following > > > one-time configuration steps: > > > > > > ovn-sbctl set-ssl <private-key> <certificate> <ca-cert> > > > ovn-sbctl set-connection pssl:6642 > > > ovn-nbctl set-ssl <private-key> <certificate> <ca-cert> > > > ovn-nbctl set-connection pssl:6641 > > > > > > On the ovn-controller and ovn-controller-vtep side, SSL configuration > > > must be provided on the command-line when the daemons are started, this > > > should be provided via the following command-line options (e.g. 
via > > > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts): > > > > > > --ovn-controller-ssl-key=<private-key> > > > --ovn-controller-ssl-cert=<certificate> > > > --ovn-controller-ssl-ca-cert=<ca-cert> > > > > > > The SB database connection should also be configured to use SSL, e.g.: > > > > > > ovs-vsctl set Open_vSwitch . \ > > > external-ids:ovn-remote=ssl:w.x.y.z:6642 > > > > > > Signed-off-by: Lance Richardson <lrichard@redhat.com> > > > --- > > > NEWS | 5 ++++ > > > manpages.mk | 4 +++ > > > ovn/utilities/ovn-ctl | 72 ++++++++++++++++++++++++++++++ > > > ++++----------- > > > ovn/utilities/ovn-ctl.8.xml | 7 +++++ > > > 4 files changed, 71 insertions(+), 17 deletions(-) > > > > > > diff --git a/NEWS b/NEWS > > > index 3a33abf..9ac8808 100644 > > > --- a/NEWS > > > +++ b/NEWS > > > @@ -9,6 +9,11 @@ Post-v2.6.0 > > > * Support for source IP address based routing. > > > * Support for managing SSL and remote connection configuration in > > > northbound and southbound databases. > > > + * TCP connections to northbound and southbound databases are no > > > + longer enabled by default and must be explicitly configured. > > > + See documentation for ovn-sbctl/ovn-nbctl "set-connection" > command > > > + or ovn-ctl "--db-sb-default-remote"/"--db-nb-default-remote" > > > + options for information regarding enabling TCP connections. > > > - Fixed regression in table stats maintenance introduced in OVS > > > 2.3.0, wherein the number of OpenFlow table hits and misses was > > > not accurate. > > > diff --git a/manpages.mk b/manpages.mk > > > index 11ec023..742bd66 100644 > > > --- a/manpages.mk > > > +++ b/manpages.mk > > > @@ -10,6 +10,8 @@ ovn/utilities/ovn-sbctl.8: \ > > > lib/table.man \ > > > lib/vlog.man \ > > > ovsdb/remote-active.man \ > > > + ovsdb/remote-active.man \ > > > + ovsdb/remote-passive.man \ > > > ovsdb/remote-passive.man > > > ovn/utilities/ovn-sbctl.8.in: > > > lib/common.man: 
> > > @@ -20,6 +22,8 @@ lib/ssl.man: > > > lib/table.man: > > > lib/vlog.man: > > > ovsdb/remote-active.man: > > > +ovsdb/remote-active.man: > > > +ovsdb/remote-passive.man: > > > ovsdb/remote-passive.man: > > > > > > ovsdb/ovsdb-client.1: \ > > > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl > > > index 73e78e5..4dade90 100755 > > > --- a/ovn/utilities/ovn-ctl > > > +++ b/ovn/utilities/ovn-ctl > > > @@ -50,7 +50,7 @@ stop_ovsdb () { > > > > > > demote_ovnnb() { > > > if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then > > > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > > > $ovnnb_active_conf_file > > > + echo > > > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > > > $ovnnb_active_conf_file > > > fi > > > > > > if test -e $ovnnb_active_conf_file; then > > > @@ -64,7 +64,7 @@ demote_ovnnb() { > > > > > > demote_ovnsb() { > > > if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then > > > - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > > > $ovnsb_active_conf_file > > > + echo > > > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > > > $ovnsb_active_conf_file > > > fi > > > > > > if test -e $ovnsb_active_conf_file; then 
> > > @@ -93,15 +93,21 @@ start_ovsdb () { > > > > > > set ovsdb-server > > > > > > - set "$@" --detach --monitor $OVN_NB_LOG \ > > > - --log-file=$OVN_NB_LOGFILE \ > > > - --remote=punix:$DB_NB_SOCK \ > > > - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ > > > - --pidfile=$DB_NB_PID \ > > > - --unixctl=ovnnb_db.ctl > > > + set "$@" --detach --monitor > > > + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE > > > + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID > > > + set "$@" --remote=db:OVN_Northbound,NB_Global,connections > > > + set "$@" --unixctl=ovnnb_db.ctl > > > + set "$@" --private-key=db:OVN_Northbound,SSL,private_key > > > + set "$@" --certificate=db:OVN_Northbound,SSL,certificate > > > + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert > > > + > > > + if test X"$ > > > > > > DB_NB_DEFAULT_REMOTE" = Xyes; then > > > + set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR > > > + fi > > > > > > > You think its good to add the remote defined in $DB_NB_ADDR/$DB_NB_PORT > > into the Connection table by this script if $ > > > > DB_NB_DEFAULT_REMOTE > > is set to No. > > > > Hi Numan, > > This would imply that unauthenticated/insecure remote access to the > NB database is always available. > > Users wanting to use SSL for the NB database connection are likely > to be concerned about security and authentication for this connection, > having a default parallel connection path with unrestricted access > would make the use of SSL pointless. > > An alternative that would preserve existing behavior would be to > have users needing SSL set e.g. "DB_NB_NO_DEFAULT_REMOTE=yes" in > their environment, but this would be error-prone. It seems better > to err on the side of security by default. > > I was looking at this with Numan and thought of another idea. What would you think of changing the DEFAULT_REMOTE option to be CREATE_REMOTE to more clearly indicate that the option is telling ovn-ctl that we want it to go ahead and set up a remote for us. 
When CREATE_REMOTE is "yes", instead of adding it to the ovsdb-server command line, how about we add it to the Connection table. That way we can add support for some additional options. This came up from our need to set the inactivity_probe option. Presumably we could add some more options to this script to let you enable SSL through options, as well. Numan had a start at a patch doing something like this here, but it probably makes sense to just integrate with your patch. https://github.com/numansiddique/overcloud_image_for_ovn/blob/master/patches/ovs-0005-ovn-ctl-Add-remotes-in-Connection-table-of-NB-and-SB.patch > Regards, > > Lance > > > Some thing like below > > > > ######### > > if test X"$DB_NB_DEFAULT_REMOTE" = Xno; then > > ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR" > > fi > > ######### > > > > Thanks > > Numan > > > > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
> From: "Russell Bryant" <russell@ovn.org> > What would you think of changing the DEFAULT_REMOTE option to be > CREATE_REMOTE to more clearly indicate that the option is telling ovn-ctl > that we want it to go ahead and set up a remote for us. > Sounds good, I think CREATE_REMOTE is a better name. > When CREATE_REMOTE is "yes", instead of adding it to the ovsdb-server > command line, how about we add it to to the Connection table. That way we > can add support for some additional options. This came up from our need to Makes sense, having the remote configuration in the db would give us more flexibility. > set the inactivity_probe option. Presumably we could add some more options > to this script to let you enable SSL through options, as well. > > Numan had a start at a patch doing something like this here, but it > probably makes sense to just integrate with your patch. > > https://github.com/numansiddique/overcloud_image_for_ovn/blob/master/patches/ovs-0005-ovn-ctl-Add-remotes-in-Connection-table-of-NB-and-SB.patch > Thanks, I will steal some of that :-) I'll incorporate and post v2 shortly. Thanks, Lance > > > Regards, > > > > Lance > > > > > Some thing like below > > > > > > ######### > > > if test X"$DB_NB_DEFAULT_REMOTE" = Xno; then > > > ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR" > > > fi > > > ######### > > > > > > Thanks > > > Numan > > > > > > > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > > > > -- > Russell Bryant >
diff --git a/NEWS b/NEWS index 3a33abf..9ac8808 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,11 @@ Post-v2.6.0 * Support for source IP address based routing. * Support for managing SSL and remote connection configuration in northbound and southbound databases. + * TCP connections to northbound and southbound databases are no + longer enabled by default and must be explicitly configured. + See documentation for ovn-sbctl/ovn-nbctl "set-connection" command + or ovn-ctl "--db-sb-default-remote"/"--db-nb-default-remote" + options for information regarding enabling TCP connections. - Fixed regression in table stats maintenance introduced in OVS 2.3.0, wherein the number of OpenFlow table hits and misses was not accurate. diff --git a/manpages.mk b/manpages.mk index 11ec023..742bd66 100644 --- a/manpages.mk +++ b/manpages.mk @@ -10,6 +10,8 @@ ovn/utilities/ovn-sbctl.8: \ lib/table.man \ lib/vlog.man \ ovsdb/remote-active.man \ + ovsdb/remote-active.man \ + ovsdb/remote-passive.man \ ovsdb/remote-passive.man ovn/utilities/ovn-sbctl.8.in: lib/common.man: @@ -20,6 +22,8 @@ lib/ssl.man: lib/table.man: lib/vlog.man: ovsdb/remote-active.man: +ovsdb/remote-active.man: +ovsdb/remote-passive.man: ovsdb/remote-passive.man: ovsdb/ovsdb-client.1: \ diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl index 73e78e5..4dade90 100755 --- a/ovn/utilities/ovn-ctl +++ b/ovn/utilities/ovn-ctl @@ -50,7 +50,7 @@ stop_ovsdb () { demote_ovnnb() { if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file + echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file fi if test -e $ovnnb_active_conf_file; then 
@@ -64,7 +64,7 @@ demote_ovnnb() { demote_ovnsb() { if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file + echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file fi if test -e $ovnsb_active_conf_file; then @@ -93,15 +93,21 @@ start_ovsdb () { set ovsdb-server - set "$@" --detach --monitor $OVN_NB_LOG \ - --log-file=$OVN_NB_LOGFILE \ - --remote=punix:$DB_NB_SOCK \ - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ - --pidfile=$DB_NB_PID \ - --unixctl=ovnnb_db.ctl + set "$@" --detach --monitor + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID + set "$@" --remote=db:OVN_Northbound,NB_Global,connections + set "$@" --unixctl=ovnnb_db.ctl + set "$@" --private-key=db:OVN_Northbound,SSL,private_key + set "$@" --certificate=db:OVN_Northbound,SSL,certificate + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert + + if test X"$DB_NB_DEFAULT_REMOTE" = Xyes; then + set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR + fi if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file + echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file fi if test -e $ovnnb_active_conf_file; then 
@@ -118,15 +124,21 @@ start_ovsdb () { set ovsdb-server - set "$@" --detach --monitor $OVN_SB_LOG \ - --log-file=$OVN_SB_LOGFILE \ - --remote=punix:$DB_SB_SOCK \ - --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \ - --pidfile=$DB_SB_PID \ - --unixctl=ovnsb_db.ctl + set "$@" --detach --monitor + set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE + set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID + set "$@" --remote=db:OVN_Southbound,SB_Global,connections + set "$@" --unixctl=ovnsb_db.ctl + set "$@" --private-key=db:OVN_Southbound,SSL,private_key + set "$@" --certificate=db:OVN_Southbound,SSL,certificate + set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert + + if test X"$DB_NB_DEFAULT_REMOTE" = Xyes; then + set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR + fi if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file + echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file fi if test -e $ovnsb_active_conf_file; then @@ -208,12 +220,22 @@ start_northd () { start_controller () { set ovn-controller "unix:$DB_SOCK" set "$@" $OVN_CONTROLLER_LOG + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT + fi OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" } start_controller_vtep () { set ovn-controller-vtep "unix:$DB_SOCK" set "$@" -vconsole:emer -vsyslog:err -vfile:info + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT + fi OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" } 
@@ -275,6 +297,7 @@ set_defaults () { DB_NB_FILE=$dbdir/ovnnb_db.db DB_NB_ADDR=0.0.0.0 DB_NB_PORT=6641 + DB_NB_SYNC_FROM_PROTO=tcp DB_NB_SYNC_FROM_ADDR= DB_NB_SYNC_FROM_PORT=6641 @@ -283,6 +306,7 @@ set_defaults () { DB_SB_FILE=$dbdir/ovnsb_db.db DB_SB_ADDR=0.0.0.0 DB_SB_PORT=6642 + DB_SB_SYNC_FROM_PROTO=tcp DB_SB_SYNC_FROM_ADDR= DB_SB_SYNC_FROM_PORT=6642 @@ -307,6 +331,13 @@ set_defaults () { OVN_SB_LOG="-vconsole:off" OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log" OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log" + + OVN_CONTROLLER_SSL_KEY="" + OVN_CONTROLLER_SSL_CERT="" + OVN_CONTROLLER_SSL_CA_CERT="" + + DB_SB_DEFAULT_REMOTE="no" + DB_NB_DEFAULT_REMOTE="no" } set_option () { @@ -350,6 +381,9 @@ Options: --ovn-northd-wrapper=WRAPPER run with a wrapper like valgrind for debugging --ovn-controller-priority=NICE set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY) --ovn-controller-wrapper=WRAPPER run with a wrapper like valgrind for debugging + --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file + --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file + --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file --ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be automatically started and stopped along with ovn-northd. The default is "yes". If 
@@ -376,9 +410,13 @@ File location options: --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE) --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE) --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR) - --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT) + --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT) + --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO) + --db-nb-default-remote=yes|no Use OVN Northbound default remote connection (default: $DB_NB_DEFAULT_REMOTE) --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR) --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT) + --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO) + --db-sb-default-remote=yes|no Use OVN Southbound default remote connection (default: $DB_SB_DEFAULT_REMOTE) Default directories with "configure" option and environment variable override: logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR) diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml index ff7366c..f329f74 100644 --- a/ovn/utilities/ovn-ctl.8.xml +++ b/ovn/utilities/ovn-ctl.8.xml 
@@ -43,12 +43,19 @@ <p><code>--db-sb-file==<var>FILE</var></code></p> <p><code>--db-nb-schema==<var>FILE</var></code></p> <p><code>--db-sb-schema==<var>FILE</var></code></p> + <p><code>--db-sb-default-remote==<var>yes|no</var></code></p> + <p><code>--db-nb-default-remote==<var>yes|no</var></code></p> + <p><code>--ovn-controller-ssl-key==<var>KEY</var></code></p> + <p><code>--ovn-controller-ssl-cert==<var>CERT</var></code></p> + <p><code>--ovn-controller-ssl-ca-cert==<var>CERT</var></code></p> <h1>Address and port options</h1> <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p> + <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p> <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p> + <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p> <h1>Configuration files</h1> <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>
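Review bot: in the NB start_ovsdb hunk the ptcp listener is now opt-in via `DB_NB_DEFAULT_REMOTE`, but when it is enabled it still binds `ptcp:$DB_NB_PORT:$DB_NB_ADDR` with `DB_NB_ADDR=0.0.0.0`, i.e. an unauthenticated listener on every interface, exactly the exposure the commit message says it is removing by default. Consider mentioning in the usage text that `--db-nb-default-remote=yes` restores that behaviour, or defaulting the address to 127.0.0.1 when the option is used.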
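Review bot: copy-and-paste error in the SB start_ovsdb hunk: the conditional reads `if test X"$DB_NB_DEFAULT_REMOTE" = Xyes; then` before `set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR`. As written, `--db-sb-default-remote=yes` has no effect and `--db-nb-default-remote=yes` silently opens the southbound TCP port as well. This should test `DB_SB_DEFAULT_REMOTE`.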
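Review bot: in the start_controller and start_controller_vtep hunks the SSL options are gated only on `OVN_CONTROLLER_SSL_CERT` being non-empty. If the key or CA certificate option is omitted, the daemon is started with an empty `--private-key=` or `--ca-cert=` argument, and if only the key is given the SSL settings are dropped without any message. Suggest requiring all three to be set (and erroring out otherwise), or at least checking each variable individually.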
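Review bot: in the set_defaults hunks `DB_NB_SYNC_FROM_PROTO=tcp` and `DB_SB_SYNC_FROM_PROTO=tcp` keep active/standby replication on plaintext even when the listeners are switched to pssl; the commit message only covers the listener side, so a note that `--db-nb-sync-from-proto=ssl` / `--db-sb-sync-from-proto=ssl` is needed for encrypted replication would help. Also, `DB_NB_DEFAULT_REMOTE` is compared with the literal `yes`, so values such as `true` or `YES` silently leave the listener disabled; either validate the value in set_option or document that only `yes`/`no` are accepted.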
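Review bot: in the usage-text hunk the `--db-nb-sync-from-addr=ADDR` and `--db-sb-sync-from-addr=ADDR` lines still describe the address as an "active db tcp address" although the transport is now selectable with the new `--db-*-sync-from-proto` options; drop "tcp" there. The adjacent context line `--db-sb-sync-from-port=ADDR` should also read `=PORT` to match the NB line being fixed in the same hunk.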
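Review bot: the man-page hunk adds `--db-sb-default-remote==<var>yes|no</var>` and the three `--ovn-controller-ssl-*==` entries with a doubled `==`, copying the typo from the surrounding `--db-*-file==` lines, while the new `--db-*-sync-from-proto=` entries correctly use a single `=`. Please use a single `=` for the new entries, and since this patch changes the default (no ptcp listener), a sentence in ovn-ctl.8.xml stating what `--db-*-default-remote` turns on and what `PROTO` accepts would save users a trip to the script.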
Add support for SSL connections to OVN northbound and/or
southbound databases.

To improve security, the NB and SB ovsdb daemons no longer
have open ptcp connections by default. This is a change in
behavior from previous versions, users wishing to use TCP
connections to the NB/SB daemons can either request that
a passive TCP connection be used via ovn-ctl command-line
options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-default-remote=yes
    --db-nb-default-remote=yes

Or configure a connection after the NB/SB daemons have been
started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641

Users desiring SSL database connections will need to generate certificates
and private key as described in INSTALL.SSL.rst and perform the following
one-time configuration steps:

    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-sbctl set-connection pssl:6642
    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-nbctl set-connection pssl:6641

On the ovn-controller and ovn-controller-vtep side, SSL configuration
must be provided on the command-line when the daemons are started, this
should be provided via the following command-line options (e.g. via
OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):

    --ovn-controller-ssl-key=<private-key>
    --ovn-controller-ssl-cert=<certificate>
    --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
        external-ids:ovn-remote=ssl:w.x.y.z:6642

Signed-off-by: Lance Richardson <lrichard@redhat.com>
---
 NEWS                        |  5 ++++
 manpages.mk                 |  4 +++
 ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++++++-----------
 ovn/utilities/ovn-ctl.8.xml |  7 +++++
 4 files changed, 71 insertions(+), 17 deletions(-)
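A post-deployment check for the configuration the commit message describes, written here as an added example rather than code from the patch or the OVN project: it takes the connection targets a deployment has configured (the sample strings below are constructed, in the `proto:port` form the commit message uses) and the `ovn-remote` value, and flags anything that is not an SSL transport or a local unix socket.

```shell
#!/bin/sh
# Added example, not part of the patch. The inputs are constructed strings
# standing in for what "ovn-sbctl get-connection" / "ovn-nbctl get-connection"
# and "ovs-vsctl get Open_vSwitch . external-ids:ovn-remote" would report.

# Return 0 if every listener target in "$1" (whitespace-separated) is either
# an SSL transport or a local unix socket; return 1 if any target is a plain
# TCP listener or an unrecognised transport.
check_listeners() {
    _status=0
    for _target in $1; do
        case "$_target" in
            pssl:*|ssl:*)   ;;                    # TLS: encrypted, CA-authenticated
            punix:*|unix:*) ;;                    # local socket, not network reachable
            ptcp:*|tcp:*)
                echo "plaintext listener: $_target" >&2
                _status=1 ;;
            *)
                echo "unrecognised transport: $_target" >&2
                _status=1 ;;
        esac
    done
    return $_status
}

# Return 0 if the ovn-remote value in "$1" is "ssl:<host>:<port>" with a
# non-empty host and a numeric port, 1 otherwise (tcp:, missing port, ...).
check_ovn_remote() {
    case "$1" in
        ssl:*) ;;
        *) echo "ovn-remote is not ssl: $1" >&2; return 1 ;;
    esac
    _hostport=${1#ssl:}
    _host=${_hostport%:*}
    _port=${_hostport##*:}
    case "$_port" in
        ''|*[!0-9]*) echo "ovn-remote has no numeric port: $1" >&2; return 1 ;;
    esac
    [ -n "$_host" ] && [ "$_host" != "$_hostport" ]
}

# Constructed sample values for a stand-alone run.
SB_CONNECTIONS="pssl:6642"
NB_CONNECTIONS="pssl:6641 punix:/var/run/openvswitch/ovnnb_db.sock"
OVN_REMOTE="ssl:192.0.2.10:6642"

check_listeners "$SB_CONNECTIONS" && check_listeners "$NB_CONNECTIONS" \
    && check_ovn_remote "$OVN_REMOTE" && echo "OVN DB transport: OK"
```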