| Message ID | 1482363343-6321-1-git-send-email-lrichard@redhat.com |
|---|---|
| State | Superseded |
On Wed, Dec 21, 2016 at 06:35:43PM -0500, Lance Richardson wrote:
> Add support for SSL connections to OVN northbound and/or
> southbound databases.
>
> To improve security, the NB and SB ovsdb daemons no longer
> have open ptcp connections by default. This is a change in
> behavior from previous versions, users wishing to use TCP
> connections to the NB/SB daemons can either request that
> a passive TCP connection be used via ovn-ctl command-line
> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> scripts):
>
> --db-sb-create-remote=yes
> --db-nb-create-remote=yes

Thanks for writing this, and for rebasing.

I don't yet understand the design choices for the --db-?b-create-remote
options. The names seem odd to me, since these options are particularly
about adding insecure remotes, and so I would expect the names to say
something about "legacy" or "insecure". I'm also puzzled why these
options, which I'd expect to be supplied time after time to ovn-ctl if
they are necessary at all, make a stateful database change. I would
have guessed, instead, that they add another --remote option to daemon
invocations.

Can you help me understand better?

Thanks,

Ben.
> From: "Ben Pfaff" <blp@ovn.org>
> To: "Lance Richardson" <lrichard@redhat.com>
> Cc: dev@openvswitch.org, nusiddiq@redhat.com
> Sent: Thursday, December 22, 2016 12:04:05 AM
> Subject: Re: [PATCH v3] ovn-ctl: add support for SSL nb/sb db connections
>
> On Wed, Dec 21, 2016 at 06:35:43PM -0500, Lance Richardson wrote:
> > Add support for SSL connections to OVN northbound and/or
> > southbound databases.
> >
> > To improve security, the NB and SB ovsdb daemons no longer
> > have open ptcp connections by default. This is a change in
> > behavior from previous versions, users wishing to use TCP
> > connections to the NB/SB daemons can either request that
> > a passive TCP connection be used via ovn-ctl command-line
> > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > scripts):
> >
> > --db-sb-create-remote=yes
> > --db-nb-create-remote=yes
>
> Thanks for writing this, and for rebasing.
>
> I don't yet understand the design choices for the --db-?b-create-remote
> options. The names seem odd to me, since these options are particularly
> about adding insecure remotes, and so I would expect the names to say
> something about "legacy" or "insecure". I'm also puzzled why these
> options, which I'd expect to be supplied time after time to ovn-ctl if
> they are necessary at all, make a stateful database change. I would
> have guessed, instead, that they add another --remote option to daemon
> invocations.
>
> Can you help me understand better?
>
> Thanks,
>
> Ben.
>

OK, picking names is hard (I've heard that somewhere recently :-))...
--db-?b-create-insecure-remote does seem to be a better name.
--db-?b-create-legacy-remote also seems better, but I wonder if "legacy"
might become less meaningful over time if other changes are made in this
area. Maybe --db-?sb-create-default-tcp-remote would also be worth
considering.

v1 of this series created the tcp remote using command-line options.
v2 changed the default remote scheme to use remote configuration from
the database and added the ability to configure the default remote's
inactivity time based on feedback from Russell and Numan. In retrospect,
maybe those changes should have been deferred to a separate patch set.

How about this: I rebase v1 of this patch, renaming --db-?b-default-remote
to --db-?b-create-insecure-remote in the process? This would require
users wanting to configure inactivity probe time for TCP connections
to configure the connection in the db, a future patch could add support
for configuring the inactivity probe time from the ovsdb-server command
line if needed.

Thanks,

Lance
> From: "Lance Richardson" <lrichard@redhat.com>
> To: "Ben Pfaff" <blp@ovn.org>, nusiddiq@redhat.com, "Russell Bryant" <russell@ovn.org>
> Cc: dev@openvswitch.org
> Sent: Thursday, December 22, 2016 7:51:16 AM
> Subject: Re: [PATCH v3] ovn-ctl: add support for SSL nb/sb db connections
>
> > From: "Ben Pfaff" <blp@ovn.org>
> > To: "Lance Richardson" <lrichard@redhat.com>
> > Cc: dev@openvswitch.org, nusiddiq@redhat.com
> > Sent: Thursday, December 22, 2016 12:04:05 AM
> > Subject: Re: [PATCH v3] ovn-ctl: add support for SSL nb/sb db connections
> >
> > On Wed, Dec 21, 2016 at 06:35:43PM -0500, Lance Richardson wrote:
> > > Add support for SSL connections to OVN northbound and/or
> > > southbound databases.
> > >
> > > To improve security, the NB and SB ovsdb daemons no longer
> > > have open ptcp connections by default. This is a change in
> > > behavior from previous versions, users wishing to use TCP
> > > connections to the NB/SB daemons can either request that
> > > a passive TCP connection be used via ovn-ctl command-line
> > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > > scripts):
> > >
> > > --db-sb-create-remote=yes
> > > --db-nb-create-remote=yes
> >
> > Thanks for writing this, and for rebasing.
> >
> > I don't yet understand the design choices for the --db-?b-create-remote
> > options. The names seem odd to me, since these options are particularly
> > about adding insecure remotes, and so I would expect the names to say
> > something about "legacy" or "insecure". I'm also puzzled why these
> > options, which I'd expect to be supplied time after time to ovn-ctl if
> > they are necessary at all, make a stateful database change. I would
> > have guessed, instead, that they add another --remote option to daemon
> > invocations.
> >
> > Can you help me understand better?
> >
> > Thanks,
> >
> > Ben.
> >
>
> OK, picking names is hard (I've heard that somewhere recently :-))...
> --db-?b-create-insecure-remote does seem to be a better name.
> --db-?b-create-legacy-remote also seems better, but I wonder if "legacy"
> might become less meaningful over time if other changes are made in this
> area. Maybe --db-?sb-create-default-tcp-remote would also be worth
> considering.
>
> v1 of this series created the tcp remote using command-line options.
> v2 changed the default remote scheme to use remote configuration from
> the database and added the ability to configure the default remote's
> inactivity time based on feedback from Russell and Numan. In retrospect,
> maybe those changes should have been deferred to a separate patch set.
>
> How about this: I rebase v1 of this patch, renaming --db-?b-default-remote
> to --db-?b-create-insecure-remote in the process? This would require
> users wanting to configure inactivity probe time for TCP connections
> to configure the connection in the db, a future patch could add support
> for configuring the inactivity probe time from the ovsdb-server command
> line if needed.
>
> Thanks,
>
> Lance

v1 of this patch is here:

http://patchwork.ozlabs.org/patch/701571/

Also, it's probably not clear from the above, the motivation for changing from
command-line remote configuration to db remote configuration for the "legacy"
remote was solely to allow the inactivity probe time to be configured for
the connection.

Lance
On Thu, Dec 22, 2016 at 08:07:02AM -0500, Lance Richardson wrote:
> > From: "Lance Richardson" <lrichard@redhat.com>
> > To: "Ben Pfaff" <blp@ovn.org>, nusiddiq@redhat.com, "Russell Bryant" <russell@ovn.org>
> > Cc: dev@openvswitch.org
> > Sent: Thursday, December 22, 2016 7:51:16 AM
> > Subject: Re: [PATCH v3] ovn-ctl: add support for SSL nb/sb db connections
> >
> > > From: "Ben Pfaff" <blp@ovn.org>
> > > To: "Lance Richardson" <lrichard@redhat.com>
> > > Cc: dev@openvswitch.org, nusiddiq@redhat.com
> > > Sent: Thursday, December 22, 2016 12:04:05 AM
> > > Subject: Re: [PATCH v3] ovn-ctl: add support for SSL nb/sb db connections
> > >
> > > On Wed, Dec 21, 2016 at 06:35:43PM -0500, Lance Richardson wrote:
> > > > Add support for SSL connections to OVN northbound and/or
> > > > southbound databases.
> > > >
> > > > To improve security, the NB and SB ovsdb daemons no longer
> > > > have open ptcp connections by default. This is a change in
> > > > behavior from previous versions, users wishing to use TCP
> > > > connections to the NB/SB daemons can either request that
> > > > a passive TCP connection be used via ovn-ctl command-line
> > > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > > > scripts):
> > > >
> > > > --db-sb-create-remote=yes
> > > > --db-nb-create-remote=yes
> > >
> > > Thanks for writing this, and for rebasing.
> > >
> > > I don't yet understand the design choices for the --db-?b-create-remote
> > > options. The names seem odd to me, since these options are particularly
> > > about adding insecure remotes, and so I would expect the names to say
> > > something about "legacy" or "insecure". I'm also puzzled why these
> > > options, which I'd expect to be supplied time after time to ovn-ctl if
> > > they are necessary at all, make a stateful database change. I would
> > > have guessed, instead, that they add another --remote option to daemon
> > > invocations.
> > >
> > > Can you help me understand better?
> > >
> > > Thanks,
> > >
> > > Ben.
> > >
> >
> > OK, picking names is hard (I've heard that somewhere recently :-))...
> > --db-?b-create-insecure-remote does seem to be a better name.
> > --db-?b-create-legacy-remote also seems better, but I wonder if "legacy"
> > might become less meaningful over time if other changes are made in this
> > area. Maybe --db-?sb-create-default-tcp-remote would also be worth
> > considering.
> >
> > v1 of this series created the tcp remote using command-line options.
> > v2 changed the default remote scheme to use remote configuration from
> > the database and added the ability to configure the default remote's
> > inactivity time based on feedback from Russell and Numan. In retrospect,
> > maybe those changes should have been deferred to a separate patch set.
> >
> > How about this: I rebase v1 of this patch, renaming --db-?b-default-remote
> > to --db-?b-create-insecure-remote in the process? This would require
> > users wanting to configure inactivity probe time for TCP connections
> > to configure the connection in the db, a future patch could add support
> > for configuring the inactivity probe time from the ovsdb-server command
> > line if needed.
> >
> > Thanks,
> >
> > Lance
>
> v1 of this patch is here:
>
> http://patchwork.ozlabs.org/patch/701571/
>
> Also, it's probably not clear from the above, the motivation for changing from
> command-line remote configuration to db remote configuration for the "legacy"
> remote was solely to allow the inactivity probe time to be configured for
> the connection.

I am happy with this, but I'd like to hear from Russell and Numan, since I
either forgot about or never read their feedback on v1.
diff --git a/NEWS b/NEWS index 882f611..e30273a 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,11 @@ Post-v2.6.0 * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions. * Support for managing SSL and remote connection configuration in northbound and southbound databases. + * TCP connections to northbound and southbound databases are no + longer enabled by default and must be explicitly configured. + See documentation for ovn-sbctl/ovn-nbctl "set-connection" command + or ovn-ctl "--db-sb-create-remote"/"--db-nb-create-remote" + options for information regarding enabling TCP connections. - Fixed regression in table stats maintenance introduced in OVS 2.3.0, wherein the number of OpenFlow table hits and misses was not accurate. diff --git a/manpages.mk b/manpages.mk index 742bd66..825e2bc 100644 --- a/manpages.mk +++ b/manpages.mk @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \ lib/vlog-syn.man \ lib/vlog.man \ ovsdb/remote-active.man \ + ovsdb/remote-active.man \ + ovsdb/remote-passive.man \ ovsdb/remote-passive.man ovsdb/ovsdb-client.1.in: lib/common-syn.man: @@ -58,6 +60,8 @@ lib/table.man: lib/vlog-syn.man: lib/vlog.man: ovsdb/remote-active.man: +ovsdb/remote-active.man: +ovsdb/remote-passive.man: ovsdb/remote-passive.man: ovsdb/ovsdb-server.1: \ diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl index 73e78e5..f4526fd 100755 --- a/ovn/utilities/ovn-ctl +++ b/ovn/utilities/ovn-ctl @@ -50,7 +50,7 @@ stop_ovsdb () { demote_ovnnb() { if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file + echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file fi if test -e $ovnnb_active_conf_file; then 
@@ -64,7 +64,7 @@ demote_ovnnb() { demote_ovnsb() { if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file + echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file fi if test -e $ovnsb_active_conf_file; then @@ -93,15 +93,17 @@ start_ovsdb () { set ovsdb-server - set "$@" --detach --monitor $OVN_NB_LOG \ - --log-file=$OVN_NB_LOGFILE \ - --remote=punix:$DB_NB_SOCK \ - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ - --pidfile=$DB_NB_PID \ - --unixctl=ovnnb_db.ctl + set "$@" --detach --monitor + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID + set "$@" --remote=db:OVN_Northbound,NB_Global,connections + set "$@" --unixctl=ovnnb_db.ctl + set "$@" --private-key=db:OVN_Northbound,SSL,private_key + set "$@" --certificate=db:OVN_Northbound,SSL,certificate + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file + echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file fi if test -e $ovnnb_active_conf_file; then 
@@ -110,6 +112,25 @@ start_ovsdb () { $@ $DB_NB_FILE ovn-nbctl init + + if test X"$DB_NB_CREATE_REMOTE" = Xyes; then + conn_info=$(ovn-nbctl find Connection target="ptcp\:$DB_NB_PORT\:$DB_NB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + + # Create remote with default configuration if requested. Note that + # this configuration is persistent and will not be removed + # automatically if the value of DB_NB_CREATE_REMOTE is changed to + # "no". + if test X"$conn_uuid" = X; then + ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR" + conn_info=$(ovn-nbctl find Connection target="ptcp\:$DB_NB_PORT\:$DB_NB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + fi + + if test X"$DB_NB_INACTIVITY_PROBE" != X; then + ovn-nbctl set Connection $conn_uuid inactivity_probe=$DB_NB_INACTIVITY_PROBE + fi + fi fi # Check and eventually start ovsdb-server for Southbound DB @@ -118,15 +139,17 @@ start_ovsdb () { set ovsdb-server - set "$@" --detach --monitor $OVN_SB_LOG \ - --log-file=$OVN_SB_LOGFILE \ - --remote=punix:$DB_SB_SOCK \ - --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \ - --pidfile=$DB_SB_PID \ - --unixctl=ovnsb_db.ctl + set "$@" --detach --monitor + set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE + set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID + set "$@" --remote=db:OVN_Southbound,SB_Global,connections + set "$@" --unixctl=ovnsb_db.ctl + set "$@" --private-key=db:OVN_Southbound,SSL,private_key + set "$@" --certificate=db:OVN_Southbound,SSL,certificate + set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file + echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file fi if test -e $ovnsb_active_conf_file; then 
@@ -135,6 +158,25 @@ start_ovsdb () { $@ $DB_SB_FILE ovn-sbctl init + + if test X"$DB_SB_CREATE_REMOTE" = Xyes; then + conn_info=$(ovn-sbctl find Connection target="ptcp\:$DB_SB_PORT\:$DB_SB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + + # Create remote with default configuration if requested. Note that + # this configuration is persistent and will not be removed + # automatically if the value of DB_SB_CREATE_REMOTE is changed to + # "no". + if test X"$conn_uuid" = X; then + ovn-sbctl set-connection "ptcp:$DB_SB_PORT:$DB_SB_ADDR" + conn_info=$(ovn-sbctl find Connection target="ptcp\:$DB_SB_PORT\:$DB_SB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + fi + + if test X"$DB_SB_INACTIVITY_PROBE" != X; then + ovn-sbctl set Connection $conn_uuid inactivity_probe=$DB_SB_INACTIVITY_PROBE + fi + fi fi } @@ -208,12 +250,22 @@ start_northd () { start_controller () { set ovn-controller "unix:$DB_SOCK" set "$@" $OVN_CONTROLLER_LOG + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT + fi OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" } start_controller_vtep () { set ovn-controller-vtep "unix:$DB_SOCK" set "$@" -vconsole:emer -vsyslog:err -vfile:info + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT + fi OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" } @@ -275,6 +327,7 @@ set_defaults () { DB_NB_FILE=$dbdir/ovnnb_db.db DB_NB_ADDR=0.0.0.0 DB_NB_PORT=6641 + DB_NB_SYNC_FROM_PROTO=tcp DB_NB_SYNC_FROM_ADDR= DB_NB_SYNC_FROM_PORT=6641 
@@ -283,6 +336,7 @@ set_defaults () { DB_SB_FILE=$dbdir/ovnsb_db.db DB_SB_ADDR=0.0.0.0 DB_SB_PORT=6642 + DB_SB_SYNC_FROM_PROTO=tcp DB_SB_SYNC_FROM_ADDR= DB_SB_SYNC_FROM_PORT=6642 @@ -307,6 +361,15 @@ set_defaults () { OVN_SB_LOG="-vconsole:off" OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log" OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log" + + OVN_CONTROLLER_SSL_KEY="" + OVN_CONTROLLER_SSL_CERT="" + OVN_CONTROLLER_SSL_CA_CERT="" + + DB_SB_CREATE_REMOTE="no" + DB_NB_CREATE_REMOTE="no" + DB_NB_INACTIVITY_PROBE="" + DB_SB_INACTIVITY_PROBE="" } set_option () { @@ -350,6 +413,9 @@ Options: --ovn-northd-wrapper=WRAPPER run with a wrapper like valgrind for debugging --ovn-controller-priority=NICE set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY) --ovn-controller-wrapper=WRAPPER run with a wrapper like valgrind for debugging + --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file + --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file + --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file --ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be automatically started and stopped along with ovn-northd. The default is "yes". If 
@@ -376,9 +442,15 @@ File location options: --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE) --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE) --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR) - --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT) + --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT) + --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO) + --db-nb-create-remote=yes|no Create OVN Northbound remote (default: $DB_NB_CREATE_REMOTE) + --db-nb-inactivity-probe=TIME Set inactivity probe (in msec) for NB remote (default:$DB_NB_INACTIVITY_PROBE) --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR) --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT) + --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO) + --db-sb-create-remote=yes|no Create OVN Southbound remote (default: $DB_SB_CREATE_REMOTE) + --db-sb-inactivity-probe=TIME Set inactivity probe (in msec) for SB remote (default: $DB_SB_INACTIVITY_PROBE) Default directories with "configure" option and environment variable override: logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR) diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml index ff7366c..31c3eeb 100644 --- a/ovn/utilities/ovn-ctl.8.xml +++ b/ovn/utilities/ovn-ctl.8.xml 
@@ -43,12 +43,19 @@ <p><code>--db-sb-file==<var>FILE</var></code></p> <p><code>--db-nb-schema==<var>FILE</var></code></p> <p><code>--db-sb-schema==<var>FILE</var></code></p> + <p><code>--db-sb-create-remote==<var>yes|no</var></code></p> + <p><code>--db-nb-create-remote==<var>yes|no</var></code></p> + <p><code>--ovn-controller-ssl-key==<var>KEY</var></code></p> + <p><code>--ovn-controller-ssl-cert==<var>CERT</var></code></p> + <p><code>--ovn-controller-ssl-ca-cert==<var>CERT</var></code></p> <h1>Address and port options</h1> <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p> + <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p> <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p> + <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p> <h1>Configuration files</h1> <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>
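Review bot: The two manpages.mk hunks add `ovsdb/remote-active.man \` and `ovsdb/remote-passive.man \` to the ovsdb-client.1 dependency list, and add empty rule targets for the same two files, but identical lines are already present in the adjacent context, so the additions are pure duplicates; drop these hunks from the series (or regenerate the file cleanly) rather than committing doubled entries.

Review bot: In both start_ovsdb hunks, `conn_uuid=$(echo $conn_info | awk '{print $3'})` has its closing single quote before the `}`; it only works because the shell concatenates `'{print $3'` and the unquoted `}` into one word, and picking column 3 of the human-readable `find Connection` output will silently break if that layout changes. `ovn-nbctl --bare --columns=_uuid find Connection target="ptcp\:$DB_NB_PORT\:$DB_NB_ADDR"` (and the ovn-sbctl equivalent) returns just the UUID and removes the awk step entirely.

Review bot: The in-script comment in the start_ovsdb hunks says the created remote is persistent and is not removed when DB_NB_CREATE_REMOTE / DB_SB_CREATE_REMOTE is set back to "no", but neither the help text (`--db-nb-create-remote=yes|no Create OVN Northbound remote`) nor the NEWS entry mentions this or that, with the default `DB_NB_ADDR=0.0.0.0`, the remote is an unauthenticated ptcp listener on all interfaces; both should say so, and the NB help line `(default:$DB_NB_INACTIVITY_PROBE)` is missing the space that the SB line has.

Review bot: In the start_controller and start_controller_vtep hunks the guard `if test X"$OVN_CONTROLLER_SSL_CERT" != X` checks only the certificate, so a configuration that sets the cert but leaves OVN_CONTROLLER_SSL_KEY or OVN_CONTROLLER_SSL_CA_CERT empty starts ovn-controller with a bare `--private-key=` or `--ca-cert=` and fails late with a confusing daemon error; check that all three are set (or fail fast naming the missing one) and factor the repeated five lines into a helper since both functions need them.

Review bot: The set_defaults hunks keep `DB_NB_SYNC_FROM_PROTO=tcp` and `DB_SB_SYNC_FROM_PROTO=tcp`, so while the default listener is no longer plaintext, active-backup replication via --db-?b-sync-from-addr still is unless --db-?b-sync-from-proto=ssl is passed; the commit message and the `--db-nb-sync-from-proto=PROTO OVN Northbound active db transport` help lines should state this and list the accepted PROTO values.

Review bot: In the ovn-ctl.8.xml hunk the new entries copy the doubled `==` from the surrounding lines (`--db-sb-create-remote==<var>yes|no</var>` and friends), which renders as a literal `==` in the man page and should be a single `=`; the hunk also omits `--db-nb-inactivity-probe` and `--db-sb-inactivity-probe`, which the ovn-ctl help-text hunk adds, so the man page and `--help` output disagree on the option set.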