
[ovs-dev,RFC] sandbox: use ssl for ovn-controller to sb db connection

Message ID 1490203150-13291-1-git-send-email-lrichard@redhat.com
State Accepted

Commit Message

Lance Richardson March 22, 2017, 5:19 p.m. UTC
When SSL support is available, use SSL for the ovn-controller
to southbound database connection. When configured without
SSL, unix socket connections are used.

Signed-off-by: Lance Richardson <lrichard@redhat.com>
---
 tutorial/automake.mk |  3 ++-
 tutorial/ovs-sandbox | 42 ++++++++++++++++++++++++++++++++++++------
 2 files changed, 38 insertions(+), 7 deletions(-)

Comments

Russell Bryant March 22, 2017, 8:02 p.m. UTC | #1
On Wed, Mar 22, 2017 at 1:19 PM, Lance Richardson <lrichard@redhat.com> wrote:
> When SSL support is available, use SSL for the ovn-controller
> to southbound database connection. When configured without
> SSL, unix socket connections are used.
>
> Signed-off-by: Lance Richardson <lrichard@redhat.com>
> ---
>  tutorial/automake.mk |  3 ++-
>  tutorial/ovs-sandbox | 42 ++++++++++++++++++++++++++++++++++++------
>  2 files changed, 38 insertions(+), 7 deletions(-)

I imagine you're using this to help with development and manual
testing of the ovsdb-server ACL work for OVN?  I can see how it'd be
helpful for that so I'm OK with it.

I guess we're fairly confident that SSL is at least part of the
solution (either with generic ovsdb ACLs or a trusted daemon), so I
think we could merge this now.

I haven't tested it myself yet.  I'll give it a shot if you decide to
post the non-RFC version.

>
> diff --git a/tutorial/automake.mk b/tutorial/automake.mk
> index ce8415e..b7ea10c 100644
> --- a/tutorial/automake.mk
> +++ b/tutorial/automake.mk
> @@ -8,4 +8,5 @@ EXTRA_DIST += \
>         tutorial/t-stage4 \
>         tutorial/ovn-setup.sh
>  sandbox: all
> -       cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS)
> +       cd $(srcdir)/tutorial && MAKE=$(MAKE) HAVE_OPENSSL=$(HAVE_OPENSSL) \
> +               ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS)
> diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox
> index a28dcbf..3da1c48 100755
> --- a/tutorial/ovs-sandbox
> +++ b/tutorial/ovs-sandbox
> @@ -331,6 +331,14 @@ if $ovn; then
>      ovsdb_sb_server_args="ovnsb.db"
>      ovsdb_sb_backup_server_args="ovnsb2.db"
>      ovsdb_nb_server_args="ovnnb.db"
> +
> +    if [ "$HAVE_OPENSSL" = yes ]; then
> +        OVS_PKI="run ovs-pki --dir=$sandbox/pki --log=$sandbox/ovs-pki.log"
> +        $OVS_PKI -B 1024 init
> +        $OVS_PKI -B 1024 req+sign ovnsb switch
> +        $OVS_PKI -B 1024 req+sign ovnnb switch
> +        $OVS_PKI -B 1024 req+sign ovn-controller switch
> +    fi
>  fi
>  rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile -vconsole:off --log-file \
>      --remote=punix:"$sandbox"/db.sock $ovsdb_server_args
> @@ -338,15 +346,27 @@ if $ovn; then
>      rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
>          --pidfile="$sandbox"/ovnnb_db.pid -vconsole:off \
>          --log-file="$sandbox"/ovnnb_db.log \
> +        --remote=db:OVN_Northbound,NB_Global,connections \
> +        --private-key=db:OVN_Northbound,SSL,private_key \
> +        --certificate=db:OVN_Northbound,SSL,certificate \
> +        --ca-cert=db:OVN_Northbound,SSL,ca_cert \
>          --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
>      rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
>          --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
>          --log-file="$sandbox"/ovnsb_db.log \
> +        --remote=db:OVN_Southbound,SB_Global,connections \
> +        --private-key=db:OVN_Southbound,SSL,private_key \
> +        --certificate=db:OVN_Southbound,SSL,certificate \
> +        --ca-cert=db:OVN_Southbound,SSL,ca_cert \
>          --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args
>      # Start SB back up server
>      rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
>          --pidfile="$sandbox"/ovnsb_db2.pid  -vconsole:off \
>          --log-file="$sandbox"/ovnsb_db2.log \
> +        --remote=db:OVN_Southbound,SB_Global,connections \
> +        --private-key=db:OVN_Southbound,SSL,private_key \
> +        --certificate=db:OVN_Southbound,SSL,certificate \
> +        --ca-cert=db:OVN_Southbound,SSL,ca_cert \
>          --remote=punix:"$sandbox"/ovnsb_db2.sock \
>          --unixctl="$sandbox"/sb_backup_unixctl \
>          --sync-from=unix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_backup_server_args
> @@ -372,24 +392,34 @@ rungdb $gdb_vswitchd $gdb_vswitchd_ex ovs-vswitchd --detach --no-chdir --pidfile
>      --enable-dummy=$dummy -vvconn -vnetdev_dummy
>
>  if $ovn; then
> +    ovn-nbctl init
> +    ovn-sbctl init
> +
>      ovs-vsctl set open . external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068
>      ovs-vsctl set open . external-ids:hostname=sandbox
> -    ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock
>      ovs-vsctl set open . external-ids:ovn-encap-type=geneve
>      ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
>
> -    ovn-nbctl init
> -    ovn-sbctl init
> -
> +    if [ "$HAVE_OPENSSL" = yes ]; then
> +        ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem  $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem
> +        ovn-nbctl set-connection pssl:6641
> +        ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem  $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem
> +        ovn-sbctl set-connection pssl:6642
> +        ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642
> +        OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem"
> +    else
> +        ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock
> +        OVN_CTRLR_PKI=""
> +    fi
>      rungdb $gdb_ovn_northd $gdb_ovn_northd_ex ovn-northd --detach \
>          --no-chdir --pidfile -vconsole:off --log-file \
>          --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock \
>          --ovnnb-db=unix:"$sandbox"/ovnnb_db.sock
>      rungdb $gdb_ovn_controller $gdb_ovn_controller_ex ovn-controller \
> -        --detach --no-chdir --pidfile -vconsole:off --log-file
> +        $OVN_CTRLR_PKI --detach --no-chdir --pidfile -vconsole:off --log-file
>      rungdb $gdb_ovn_controller_vtep $gdb_ovn_controller_vtep_ex \
>          ovn-controller-vtep --detach --no-chdir --pidfile -vconsole:off \
> -        --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock
> +        $OVN_CTRLR_PKI --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock
>  fi
>
>  cat <<EOF
> --
> 2.7.4
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Lance Richardson March 23, 2017, 4:16 p.m. UTC | #2
> From: "Russell Bryant" <russell@ovn.org>
> To: "Lance Richardson" <lrichard@redhat.com>
> Cc: "ovs dev" <dev@openvswitch.org>
> Sent: Wednesday, March 22, 2017 4:02:28 PM
> Subject: Re: [ovs-dev] [RFC] sandbox: use ssl for ovn-controller to sb db connection
> 
> On Wed, Mar 22, 2017 at 1:19 PM, Lance Richardson <lrichard@redhat.com>
> wrote:
> > When SSL support is available, use SSL for the ovn-controller
> > to southbound database connection. When configured without
> > SSL, unix socket connections are used.
> >
> > Signed-off-by: Lance Richardson <lrichard@redhat.com>
> > ---
> >  tutorial/automake.mk |  3 ++-
> >  tutorial/ovs-sandbox | 42 ++++++++++++++++++++++++++++++++++++------
> >  2 files changed, 38 insertions(+), 7 deletions(-)
> 
> I imagine you're using this to help with development and manual
> testing of the ovsdb-server ACL work for OVN?  I can see how it'd be
> helpful for that so I'm OK with it.
>

Right, that's my main interest in this at the moment.
 
> I guess we're fairly confident that SSL is at least part of the
> solution (either with generic ovsdb ACLs or a trusted daemon), so I
> think we could merge this now.
>
OK. Even ignoring the ovsdb ACL work, it is probably reasonable to use
SSL in the sandbox environment since (I believe) many OVN users will
want to use SSL in production environments.

> I haven't tested it myself yet.  I'll give it a shot if you decide to
> post the non-RFC version.
> 

OK, I will re-post shortly.

Thanks!

   Lance

Patch

diff --git a/tutorial/automake.mk b/tutorial/automake.mk
index ce8415e..b7ea10c 100644
--- a/tutorial/automake.mk
+++ b/tutorial/automake.mk
@@ -8,4 +8,5 @@  EXTRA_DIST += \
 	tutorial/t-stage4 \
 	tutorial/ovn-setup.sh
 sandbox: all
-	cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS)
+	cd $(srcdir)/tutorial && MAKE=$(MAKE) HAVE_OPENSSL=$(HAVE_OPENSSL) \
+		./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS)
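Review bot: The `HAVE_OPENSSL=$(HAVE_OPENSSL)` export is compared literally against `yes` inside ovs-sandbox, so any other value (including the empty string an unsubstituted Automake variable expands to) silently selects the unix-socket path with no diagnostic. A one-line comment above the recipe would make the contract visible: `# HAVE_OPENSSL must expand to "yes" for ovs-sandbox to enable SSL; anything else falls back to unix sockets.` This assumes configure substitutes HAVE_OPENSSL into the generated Makefile; if it does not in this tree, the SSL path can never be selected via `make sandbox`.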
diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox
index a28dcbf..3da1c48 100755
--- a/tutorial/ovs-sandbox
+++ b/tutorial/ovs-sandbox
@@ -331,6 +331,14 @@  if $ovn; then
     ovsdb_sb_server_args="ovnsb.db"
     ovsdb_sb_backup_server_args="ovnsb2.db"
     ovsdb_nb_server_args="ovnnb.db"
+
+    if [ "$HAVE_OPENSSL" = yes ]; then
+        OVS_PKI="run ovs-pki --dir=$sandbox/pki --log=$sandbox/ovs-pki.log"
+        $OVS_PKI -B 1024 init
+        $OVS_PKI -B 1024 req+sign ovnsb switch
+        $OVS_PKI -B 1024 req+sign ovnnb switch
+        $OVS_PKI -B 1024 req+sign ovn-controller switch
+    fi
 fi
 rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile -vconsole:off --log-file \
     --remote=punix:"$sandbox"/db.sock $ovsdb_server_args
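Review bot: `-B 1024` generates 1024-bit RSA keys for the CA and for all three leaf certificates, below the 2048-bit floor current guidance recommends, and since this CA also gates the `pssl:` listeners opened later in the patch the choice is not purely cosmetic. Unless the smaller size is needed to keep sandbox startup fast, dropping `-B 1024` on the four `$OVS_PKI` lines (falling back to ovs-pki's default, which I believe is 2048) or writing `-B 2048` costs little; if speed is the reason, a comment saying so would stop the next reader from "fixing" it. `--dir=$sandbox/pki --log=$sandbox/ovs-pki.log` also leave `$sandbox` unquoted where the rest of the script writes `"$sandbox"`, which is consistent with `$OVS_PKI` being word-split on use but means a sandbox path containing whitespace breaks here; a comment stating that assumption would help.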
@@ -338,15 +346,27 @@  if $ovn; then
     rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
         --pidfile="$sandbox"/ovnnb_db.pid -vconsole:off \
         --log-file="$sandbox"/ovnnb_db.log \
+        --remote=db:OVN_Northbound,NB_Global,connections \
+        --private-key=db:OVN_Northbound,SSL,private_key \
+        --certificate=db:OVN_Northbound,SSL,certificate \
+        --ca-cert=db:OVN_Northbound,SSL,ca_cert \
         --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
     rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
         --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
         --log-file="$sandbox"/ovnsb_db.log \
+        --remote=db:OVN_Southbound,SB_Global,connections \
+        --private-key=db:OVN_Southbound,SSL,private_key \
+        --certificate=db:OVN_Southbound,SSL,certificate \
+        --ca-cert=db:OVN_Southbound,SSL,ca_cert \
         --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args
     # Start SB back up server
     rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
         --pidfile="$sandbox"/ovnsb_db2.pid  -vconsole:off \
         --log-file="$sandbox"/ovnsb_db2.log \
+        --remote=db:OVN_Southbound,SB_Global,connections \
+        --private-key=db:OVN_Southbound,SSL,private_key \
+        --certificate=db:OVN_Southbound,SSL,certificate \
+        --ca-cert=db:OVN_Southbound,SSL,ca_cert \
         --remote=punix:"$sandbox"/ovnsb_db2.sock \
         --unixctl="$sandbox"/sb_backup_unixctl \
         --sync-from=unix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_backup_server_args
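Review bot: The backup SB server started with `--sync-from=unix:...` now gets the same `--remote=db:OVN_Southbound,SB_Global,connections` as the primary; if replication copies the SB_Global row that later holds `pssl:6642` into ovnsb2.db, the backup will also try to bind port 6642 and log a bind failure on each retry. If the backup is meant to stay unix-only, dropping the four added lines from its invocation avoids that conflict. Separately, `--private-key`/`--certificate`/`--ca-cert` are now passed to all three servers regardless of `$HAVE_OPENSSL`; whether an ovsdb-server built without OpenSSL accepts those options is not visible here and is worth one run in that configuration before the non-RFC post.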
@@ -372,24 +392,34 @@  rungdb $gdb_vswitchd $gdb_vswitchd_ex ovs-vswitchd --detach --no-chdir --pidfile
     --enable-dummy=$dummy -vvconn -vnetdev_dummy
 
 if $ovn; then
+    ovn-nbctl init
+    ovn-sbctl init
+
     ovs-vsctl set open . external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068
     ovs-vsctl set open . external-ids:hostname=sandbox
-    ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock
     ovs-vsctl set open . external-ids:ovn-encap-type=geneve
     ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
 
-    ovn-nbctl init
-    ovn-sbctl init
-
+    if [ "$HAVE_OPENSSL" = yes ]; then
+        ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem  $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem
+        ovn-nbctl set-connection pssl:6641
+        ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem  $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem
+        ovn-sbctl set-connection pssl:6642
+        ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642
+        OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem"
+    else
+        ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock
+        OVN_CTRLR_PKI=""
+    fi
     rungdb $gdb_ovn_northd $gdb_ovn_northd_ex ovn-northd --detach \
         --no-chdir --pidfile -vconsole:off --log-file \
         --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock \
         --ovnnb-db=unix:"$sandbox"/ovnnb_db.sock
     rungdb $gdb_ovn_controller $gdb_ovn_controller_ex ovn-controller \
-        --detach --no-chdir --pidfile -vconsole:off --log-file
+        $OVN_CTRLR_PKI --detach --no-chdir --pidfile -vconsole:off --log-file
     rungdb $gdb_ovn_controller_vtep $gdb_ovn_controller_vtep_ex \
         ovn-controller-vtep --detach --no-chdir --pidfile -vconsole:off \
-        --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock
+        $OVN_CTRLR_PKI --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock
 fi
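Review bot: `ovn-sbctl set-connection pssl:6642` (and `pssl:6641` for the NB db) listens on every interface of the host, while the only client configured points at `ssl:127.0.0.1:6642`; for a development sandbox whose CA and 1024-bit keys live in a scratch directory, binding to loopback with `ovn-nbctl set-connection pssl:6641:127.0.0.1` and `ovn-sbctl set-connection pssl:6642:127.0.0.1` keeps the listeners off the network without changing anything else. Client-certificate verification through `--ca-cert` reduces the exposure but does not remove the open port. `$sandbox` is also unquoted in the two `set-ssl` lines and in `OVN_CTRLR_PKI`, where the rest of this block writes `"$sandbox"`, and `$OVN_CTRLR_PKI` is deliberately left unquoted on the ovn-controller and ovn-controller-vtep lines so it word-splits; a short comment above the `if` noting that the sandbox path must not contain whitespace would document that assumption. ovn-northd still connects over unix sockets, which matches the commit message but could be stated in the else-branch comment for clarity.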
 
 cat <<EOF