[ovs-dev,v5] ovn-ctl: add support for SSL nb/sb db connections

Message ID 1482432884-7616-1-git-send-email-lrichard@redhat.com
State Superseded

Commit Message

Lance Richardson Dec. 22, 2016, 6:54 p.m. UTC
Add support for SSL connections to OVN northbound and/or
southbound databases.

To improve security, the NB and SB ovsdb daemons no longer
have open ptcp connections by default.  This is a change in
behavior from previous versions; users wishing to use TCP
connections to the NB/SB daemons can either request that
a passive TCP connection be used via ovn-ctl command-line
options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-create-insecure-remote=yes
    --db-nb-create-insecure-remote=yes

Or configure a connection after the NB/SB daemons have been
started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641

Users desiring SSL database connections will need to generate certificates
and private key as described in INSTALL.SSL.rst and perform the following
one-time configuration steps:

   ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
   ovn-sbctl set-connection pssl:6642
   ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
   ovn-nbctl set-connection pssl:6641

On the ovn-controller and ovn-controller-vtep side, SSL configuration
must be provided on the command-line when the daemons are started; this
should be provided via the following command-line options (e.g. via
OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):

   --ovn-controller-ssl-key=<private-key>
   --ovn-controller-ssl-cert=<certificate>
   --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
              external-ids:ovn-remote=ssl:w.x.y.z:6642

Signed-off-by: Lance Richardson <lrichard@redhat.com>
Acked-by: Ben Pfaff <blp@ovn.org>
---
v5: - Corrected "==" between option and value for command-line options
      in the ovn-ctl man page, a single "=" should have been used. Fixed
      new instances as well as pre-existing instances.

v4: - reverted to v1 scheme for creating default (insecure), dropping
      feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
    - changed --db-?b-create-remote to --db-?b-create-insecure-remote

v3: - rebased
    - s/db-sb-default-remote/db-sb-create-remote/ in man page
    - s/db-nb-default-remote/db-nb-create-remote/ in man page

v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
    - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
    - Create default remote configuration in db instead of
      via command-line options.

Testing Notes:
   - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
     OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes --db-nb-create-insecure-remote=yes"

   - Verified tcp connections operational without /etc/sysconfig/ovn-northd and:
     ovn-sbctl set-connection ptcp:6642
     ovn-nbctl set-connection ptcp:6641

   - Verified SSL connection to sb db with (on central node):
     ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
     ovn-sbctl set-connection pssl:6642

     And (on compute nodes):
     In /etc/sysconfig/ovn-controller:
     OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
                          --ovn-controller-ssl-cert=/ctl-cert.pem \
                          --ovn-controller-ssl-ca-cert=/cacert.pem"
     ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642

 NEWS                        |  6 ++++
 manpages.mk                 |  4 +++
 ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++++++-----------
 ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
 4 files changed, 77 insertions(+), 22 deletions(-)
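The point of this patch is that the NB/SB ovsdb-servers no longer expose a plaintext `ptcp` listener unless an operator asks for one, and the SSL alternative is configured with `set-ssl`/`set-connection` as shown above. The script below is an added example, not part of the patch or of OVN: it audits the connection targets a central node has configured (the `pssl:6642` / `ptcp:6642` strings that `set-connection` accepts, in ovsdb-server's `proto:PORT[:ADDR]` form) and flags any plaintext network listener together with the address it binds. The sample target list is constructed inline so it runs without a live ovsdb-server; on a real node you would feed it the targets reported by `ovn-sbctl get-connection` and `ovn-nbctl get-connection`.

```shell
#!/bin/sh
# Added example (not from the patch or OVN): audit OVN NB/SB connection
# targets and flag plaintext listeners.  Targets use ovsdb-server's
# "proto:PORT[:ADDR]" syntax, e.g. "pssl:6642" or "ptcp:6642:0.0.0.0".

# Constructed sample: the SSL remote from the commit message is in place,
# but --db-sb-create-insecure-remote=yes was also left on, which with the
# default DB_SB_ADDR=0.0.0.0 adds a ptcp listener on every interface.
SAMPLE_SB_CONNECTIONS='pssl:6642
ptcp:6642:0.0.0.0'

# classify_remote TARGET
#   prints one of: secure | insecure | local | unknown
classify_remote() {
    case "$1" in
        pssl:*|ssl:*)   echo secure ;;
        ptcp:*|tcp:*)   echo insecure ;;
        punix:*|unix:*) echo local ;;
        *)              echo unknown ;;
    esac
}

# listen_addr TARGET
#   For a passive "proto:PORT[:ADDR]" target prints ADDR, or 0.0.0.0 when
#   ADDR is omitted (ovsdb-server then listens on all interfaces).
listen_addr() {
    rest=${1#*:}                 # drop the "proto:" prefix
    case "$rest" in
        *:*) echo "${rest#*:}" ;;  # PORT:ADDR -> ADDR
        *)   echo 0.0.0.0 ;;
    esac
}

# count_insecure "TARGETS"
#   prints how many plaintext network listeners a newline-separated list holds
count_insecure() {
    n=0
    for t in $1; do
        [ "$(classify_remote "$t")" = insecure ] && n=$((n + 1))
    done
    echo "$n"
}

# audit_connections "TARGETS"
#   one report line per target; returns 1 if any plaintext listener is present
audit_connections() {
    rc=0
    for t in $1; do
        kind=$(classify_remote "$t")
        if [ "$kind" = insecure ]; then
            rc=1
            echo "WARN  $t  plaintext listener bound to $(listen_addr "$t")"
        else
            echo "ok    $t  $kind"
        fi
    done
    return $rc
}

audit_connections "$SAMPLE_SB_CONNECTIONS" \
    || echo "insecure remotes present; remove them with set-connection or drop --db-*-create-insecure-remote=yes"
```

The audit treats `tcp:`/`ptcp:` as insecure regardless of bind address, because the patch's own defaults (`DB_NB_ADDR=0.0.0.0`, `DB_SB_ADDR=0.0.0.0`) mean a `ptcp` remote created by `--db-*-create-insecure-remote=yes` listens on every interface; the address is printed only to make the exposure visible.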

Comments

Ben Pfaff Dec. 22, 2016, 11:43 p.m. UTC | #1
I see that Numan acked this.  Russell, are you satisfied?

Thanks,

Ben.

On Thu, Dec 22, 2016 at 01:54:44PM -0500, Lance Richardson wrote:
> Add support for SSL connections to OVN northbound and/or
> southbound databases.
> 
> To improve security, the NB and SB ovsdb daemons no longer
> have open ptcp connections by default.  This is a change in
> behavior from previous versions; users wishing to use TCP
> connections to the NB/SB daemons can either request that
> a passive TCP connection be used via ovn-ctl command-line
> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> scripts):
> 
>     --db-sb-create-insecure-remote=yes
>     --db-nb-create-insecure-remote=yes
> 
> Or configure a connection after the NB/SB daemons have been
> started, e.g.:
> 
>     ovn-sbctl set-connection ptcp:6642
>     ovn-nbctl set-connection ptcp:6641
> 
> Users desiring SSL database connections will need to generate certificates
> and private key as described in INSTALL.SSL.rst and perform the following
> one-time configuration steps:
> 
>    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
>    ovn-sbctl set-connection pssl:6642
>    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
>    ovn-nbctl set-connection pssl:6641
> 
> On the ovn-controller and ovn-controller-vtep side, SSL configuration
> must be provided on the command-line when the daemons are started; this
> should be provided via the following command-line options (e.g. via
> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> 
>    --ovn-controller-ssl-key=<private-key>
>    --ovn-controller-ssl-cert=<certificate>
>    --ovn-controller-ssl-ca-cert=<ca-cert>
> 
> The SB database connection should also be configured to use SSL, e.g.:
> 
>     ovs-vsctl set Open_vSwitch . \
>               external-ids:ovn-remote=ssl:w.x.y.z:6642
> 
> Signed-off-by: Lance Richardson <lrichard@redhat.com>
> Acked-by: Ben Pfaff <blp@ovn.org>
> ---
> v5: - Corrected "==" between option and value for command-line options
>       in the ovn-ctl man page, a single "=" should have been used. Fixed
>       new instances as well as pre-existing instances.
> 
> v4: - reverted to v1 scheme for creating default (insecure), dropping
>       feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
>     - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> 
> v3: - rebased
>     - s/db-sb-default-remote/db-sb-create-remote/ in man page
>     - s/db-nb-default-remote/db-nb-create-remote/ in man page
> 
> v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
>     - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
>     - Create default remote configuration in db instead of
>       via command-line options.
> 
> Testing Notes:
>    - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
>      OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes --db-nb-create-insecure-remote=yes"
> 
>    - Verified tcp connections operational without /etc/sysconfig/ovn-northd and:
>      ovn-sbctl set-connection ptcp:6642
>      ovn-nbctl set-connection ptcp:6641
> 
>    - Verified SSL connection to sb db with (on central node):
>      ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
>      ovn-sbctl set-connection pssl:6642
> 
>      And (on compute nodes):
>      In /etc/sysconfig/ovn-controller:
>      OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
>                           --ovn-controller-ssl-cert=/ctl-cert.pem \
>                           --ovn-controller-ssl-ca-cert=/cacert.pem"
>      ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642
> 
>  NEWS                        |  6 ++++
>  manpages.mk                 |  4 +++
>  ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++++++-----------
>  ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
>  4 files changed, 77 insertions(+), 22 deletions(-)
> 
> diff --git a/NEWS b/NEWS
> index 882f611..ec44dd5 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -10,6 +10,12 @@ Post-v2.6.0
>       * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions.
>       * Support for managing SSL and remote connection configuration in
>         northbound and southbound databases.
> +     * TCP connections to northbound and southbound databases are no
> +       longer enabled by default and must be explicitly configured.
> +       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> +       command or the ovn-ctl "--db-sb-create-insecure-remote" and
> +       "--db-nb-create-insecure-remote" command-line options for
> +       information regarding remote connection configuration.
>     - Fixed regression in table stats maintenance introduced in OVS
>       2.3.0, wherein the number of OpenFlow table hits and misses was
>       not accurate.
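Review bot: the NEWS entry covers the disabled TCP default but says nothing about the other user-visible additions in this patch, the `--db-nb-sync-from-proto` / `--db-sb-sync-from-proto` options that let active/standby sync use ssl, and the `--ovn-controller-ssl-*` options; a second bullet, or a clause on the existing one, would keep NEWS complete.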
> diff --git a/manpages.mk b/manpages.mk
> index 742bd66..825e2bc 100644
> --- a/manpages.mk
> +++ b/manpages.mk
> @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
>  	lib/vlog-syn.man \
>  	lib/vlog.man \
>  	ovsdb/remote-active.man \
> +	ovsdb/remote-active.man \
> +	ovsdb/remote-passive.man \
>  	ovsdb/remote-passive.man
>  ovsdb/ovsdb-client.1.in:
>  lib/common-syn.man:
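Review bot: the two added lines in this hunk duplicate dependencies that are already in the list (`ovsdb/remote-active.man \` and `ovsdb/remote-passive.man \` appear directly above and below them), which looks like a regenerated manpages.mk artefact rather than an intended change; drop this file from the patch or regenerate it against current master and check the diff is empty.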
> @@ -58,6 +60,8 @@ lib/table.man:
>  lib/vlog-syn.man:
>  lib/vlog.man:
>  ovsdb/remote-active.man:
> +ovsdb/remote-active.man:
> +ovsdb/remote-passive.man:
>  ovsdb/remote-passive.man:
>  
>  ovsdb/ovsdb-server.1: \
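Review bot: same duplication as the previous hunk: `ovsdb/remote-active.man:` and `ovsdb/remote-passive.man:` already exist as empty targets on the surrounding context lines, so the two added lines are redundant and should go.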
> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> index 73e78e5..a696d5e 100755
> --- a/ovn/utilities/ovn-ctl
> +++ b/ovn/utilities/ovn-ctl
> @@ -50,7 +50,7 @@ stop_ovsdb () {
>  
>  demote_ovnnb() {
>      if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> +        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
>      fi
>  
>      if test -e $ovnnb_active_conf_file; then
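Review bot: `$DB_NB_SYNC_FROM_PROTO` is interpolated into the active-conf file without any validation, so a typo such as `--db-nb-sync-from-proto=tpc` silently produces a `tpc:ADDR:PORT` entry that only fails when ovsdb-server reads it. Consider rejecting anything other than `tcp` or `ssl` where the option is parsed and exiting with a clear message; the same applies to the SB variant in the next hunk.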
> @@ -64,7 +64,7 @@ demote_ovnnb() {
>  
>  demote_ovnsb() {
>      if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
> +        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
>      fi
>  
>      if test -e $ovnsb_active_conf_file; then
> @@ -93,15 +93,21 @@ start_ovsdb () {
>  
>          set ovsdb-server
>  
> -        set "$@" --detach --monitor $OVN_NB_LOG \
> -            --log-file=$OVN_NB_LOGFILE \
> -            --remote=punix:$DB_NB_SOCK \
> -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> -            --pidfile=$DB_NB_PID \
> -            --unixctl=ovnnb_db.ctl
> +        set "$@" --detach --monitor
> +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> +        set "$@" --unixctl=ovnnb_db.ctl
> +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> +
> +        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> +        fi
>  
>          if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> -            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> +            echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
>          fi
>  
>          if test -e $ovnnb_active_conf_file; then
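Review bot: with `--remote=db:OVN_Northbound,NB_Global,connections` the listeners now come from the database, so a `ptcp` remote once added with `ovn-nbctl set-connection` persists across restarts even when `--db-nb-create-insecure-remote` is left at `no`; the commit message and man page should say that the option only controls the command-line remote. Also note that `--remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR` keeps the `DB_NB_ADDR=0.0.0.0` default from set_defaults, so `yes` means a plaintext listener on all interfaces; the help text for the option should make that explicit.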
> @@ -118,15 +124,21 @@ start_ovsdb () {
>  
>          set ovsdb-server
>  
> -        set "$@" --detach --monitor $OVN_SB_LOG \
> -            --log-file=$OVN_SB_LOGFILE \
> -            --remote=punix:$DB_SB_SOCK \
> -            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
> -            --pidfile=$DB_SB_PID \
> -            --unixctl=ovnsb_db.ctl
> +        set "$@" --detach --monitor
> +        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
> +        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
> +        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
> +        set "$@" --unixctl=ovnsb_db.ctl
> +        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
> +        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
> +        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
> +
> +        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> +            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
> +        fi
>  
>          if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> -            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
> +            echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
>          fi
>  
>          if test -e $ovnsb_active_conf_file; then
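Review bot: copy-paste bug in the southbound branch: `if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then` guards the SB remote `ptcp:$DB_SB_PORT:$DB_SB_ADDR`, so `--db-sb-create-insecure-remote=yes` on its own does nothing while `--db-nb-create-insecure-remote=yes` opens plaintext listeners on both databases. It should read `X"$DB_SB_CREATE_INSECURE_REMOTE"`, which set_defaults already initialises below. The Testing Notes only exercise the two options set together, which is why this was not caught; a run with only the SB option set would have.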
> @@ -208,12 +220,22 @@ start_northd () {
>  start_controller () {
>      set ovn-controller "unix:$DB_SOCK"
>      set "$@" $OVN_CONTROLLER_LOG
> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> +    fi
>      OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
>  }
>  
>  start_controller_vtep () {
>      set ovn-controller-vtep "unix:$DB_SOCK"
>      set "$@" -vconsole:emer -vsyslog:err -vfile:info
> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> +    fi
>      OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
>  }
>  
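Review bot: the guard `if test X"$OVN_CONTROLLER_SSL_CERT" != X; then` checks only the certificate, so `--ovn-controller-ssl-cert` given without the key or CA passes empty `--private-key=` / `--ca-cert=` arguments to the daemon, while setting only the key or CA silently leaves SSL unconfigured. Check all three and fail with a message when only some are set. The same five lines are repeated verbatim in start_controller_vtep; a small helper would keep the two in sync.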
> @@ -275,6 +297,7 @@ set_defaults () {
>      DB_NB_FILE=$dbdir/ovnnb_db.db
>      DB_NB_ADDR=0.0.0.0
>      DB_NB_PORT=6641
> +    DB_NB_SYNC_FROM_PROTO=tcp
>      DB_NB_SYNC_FROM_ADDR=
>      DB_NB_SYNC_FROM_PORT=6641
>  
> @@ -283,6 +306,7 @@ set_defaults () {
>      DB_SB_FILE=$dbdir/ovnsb_db.db
>      DB_SB_ADDR=0.0.0.0
>      DB_SB_PORT=6642
> +    DB_SB_SYNC_FROM_PROTO=tcp
>      DB_SB_SYNC_FROM_ADDR=
>      DB_SB_SYNC_FROM_PORT=6642
>  
> @@ -307,6 +331,13 @@ set_defaults () {
>      OVN_SB_LOG="-vconsole:off"
>      OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
>      OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
> +
> +    OVN_CONTROLLER_SSL_KEY=""
> +    OVN_CONTROLLER_SSL_CERT=""
> +    OVN_CONTROLLER_SSL_CA_CERT=""
> +
> +    DB_SB_CREATE_INSECURE_REMOTE="no"
> +    DB_NB_CREATE_INSECURE_REMOTE="no"
>  }
>  
>  set_option () {
> @@ -350,6 +381,9 @@ Options:
>    --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
>    --ovn-controller-priority=NICE     set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY)
>    --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
> +  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
> +  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> +  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
>    --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
>                                     automatically started and stopped along
>                                     with ovn-northd. The default is "yes". If
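Review bot: the three new `--ovn-controller-ssl-*` lines do not line up with the description column used by the neighbouring options (`--ovn-controller-wrapper=WRAPPER   run with ...`); pad them to match. The descriptions read "OVN Southbound SSL ...", which is accurate since ovn-controller only talks to the SB database, but saying "for ovn-controller's southbound connection" would avoid confusion with the ovsdb-server certificates set via `ovn-sbctl set-ssl`. The context line `--ovn-controller-priority=NICE     set ovn-northd's niceness` is also wrong (it is ovn-controller's niceness) and could be fixed while here.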
> @@ -376,9 +410,13 @@ File location options:
>    --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE)
>    --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE)
>    --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR)
> -  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
> +  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
> +  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO)
> +  --db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound remote (default: $DB_NB_CREATE_INSECURE_REMOTE)
>    --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR)
>    --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT)
> +  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO)
> +  --db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound remote (default: $DB_SB_CREATE_INSECURE_REMOTE)
>  
>  Default directories with "configure" option and environment variable override:
>    logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
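Review bot: since the `Northdbound` typo on the adjacent line is being fixed, the pre-existing `--db-sb-sync-from-port=ADDR` on the context line should become `=PORT` in the same hunk. The help for `--db-nb-create-insecure-remote` / `--db-sb-create-insecure-remote` says only "Create ptcp ... remote"; it should state that this is a plaintext listener bound to `$DB_NB_ADDR` / `$DB_SB_ADDR` (default 0.0.0.0), since that is the property the `insecure` in the name refers to.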
> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> index ff7366c..c4884f8 100644
> --- a/ovn/utilities/ovn-ctl.8.xml
> +++ b/ovn/utilities/ovn-ctl.8.xml
> @@ -38,17 +38,24 @@
>      <p><code>-h</code> | <code>--help</code></p>
>  
>      <h1>File location options</h1>
> -    <p><code>--db-sock==<var>SOCKET</var></code></p>
> -    <p><code>--db-nb-file==<var>FILE</var></code></p>
> -    <p><code>--db-sb-file==<var>FILE</var></code></p>
> -    <p><code>--db-nb-schema==<var>FILE</var></code></p>
> -    <p><code>--db-sb-schema==<var>FILE</var></code></p>
> +    <p><code>--db-sock=<var>SOCKET</var></code></p>
> +    <p><code>--db-nb-file=<var>FILE</var></code></p>
> +    <p><code>--db-sb-file=<var>FILE</var></code></p>
> +    <p><code>--db-nb-schema=<var>FILE</var></code></p>
> +    <p><code>--db-sb-schema=<var>FILE</var></code></p>
> +    <p><code>--db-sb-create-insecure-remote=<var>yes|no</var></code></p>
> +    <p><code>--db-nb-create-insecure-remote=<var>yes|no</var></code></p>
> +    <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
> +    <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
> +    <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
>  
>      <h1>Address and port options</h1>
>      <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>      <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
> +    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
>      <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>      <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
> +    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
>  
>      <h1>Configuration files</h1>
>      <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>
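Review bot: in the man page the new `--db-sb-create-insecure-remote`, `--db-nb-create-insecure-remote` and `--ovn-controller-ssl-*` entries are all placed under `<h1>File location options</h1>`; only the three SSL file paths belong there, and the `create-insecure-remote` switches fit "Address and port options" next to the `--db-*-sync-from-*` entries. The hunk also adds no description of what `create-insecure-remote` does or that it defaults to `no`; a short `<p>` per option, along the lines of the commit message text, would make the man page usable on its own.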
> -- 
> 2.5.5
>
Numan Siddique Dec. 27, 2016, 11:04 a.m. UTC | #2
On Fri, Dec 23, 2016 at 5:13 AM, Ben Pfaff <blp@ovn.org> wrote:

> I see that Numan acked this.  Russell, are you satisfied?
>
> Thanks,
>
> Ben.
>
> On Thu, Dec 22, 2016 at 01:54:44PM -0500, Lance Richardson wrote:
> > Add support for SSL connections to OVN northbound and/or
> > southbound databases.
> >
> > To improve security, the NB and SB ovsdb daemons no longer
> > have open ptcp connections by default.  This is a change in
> > behavior from previous versions; users wishing to use TCP
> > connections to the NB/SB daemons can either request that
> > a passive TCP connection be used via ovn-ctl command-line
> > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > scripts):
> >
> >     --db-sb-create-insecure-remote=yes
> >     --db-nb-create-insecure-remote=yes
> >
> > Or configure a connection after the NB/SB daemons have been
> > started, e.g.:
> >
> >     ovn-sbctl set-connection ptcp:6642
> >     ovn-nbctl set-connection ptcp:6641
> >
> > Users desiring SSL database connections will need to generate
> certificates
> > and private key as described in INSTALL.SSL.rst and perform the following
> > one-time configuration steps:
> >
> >    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
> >    ovn-sbctl set-connection pssl:6642
> >    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
> >    ovn-nbctl set-connection pssl:6641
> >
> > On the ovn-controller and ovn-controller-vtep side, SSL configuration
> > must be provided on the command-line when the daemons are started; this
> > should be provided via the following command-line options (e.g. via
> > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> >
> >    --ovn-controller-ssl-key=<private-key>
> >    --ovn-controller-ssl-cert=<certificate>
> >    --ovn-controller-ssl-ca-cert=<ca-cert>
> >
> > The SB database connection should also be configured to use SSL, e.g.:
> >
> >     ovs-vsctl set Open_vSwitch . \
> >               external-ids:ovn-remote=ssl:w.x.y.z:6642
> >
> > Signed-off-by: Lance Richardson <lrichard@redhat.com>
> > Acked-by: Ben Pfaff <blp@ovn.org>
> > ---
> > v5: - Corrected "==" between option and value for command-line options
> >       in the ovn-ctl man page, a single "=" should have been used. Fixed
> >       new instances as well as pre-existing instances.
> >
> > v4: - reverted to v1 scheme for creating default (insecure), dropping
> >       feedback from Russell at http://patchwork.ozlabs.org/patch/701571/
> .
> >     - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> >
> > v3: - rebased
> >     - s/db-sb-default-remote/db-sb-create-remote/ in man page
> >     - s/db-nb-default-remote/db-nb-create-remote/ in man page
> >
> > v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
> >     - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
> >     - Create default remote configuration in db instead of
> >       via command-line options.
> >
> > Testing Notes:
> >    - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
> >      OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes
> --db-nb-create-insecure-remote=yes"
> >
> >    - Verified tcp connections operational without
> /etc/sysconfig/ovn-northd and:
> >      ovn-sbctl set-connection ptcp:6642
> >      ovn-nbctl set-connection ptcp:6641
> >
> >    - Verified SSL connection to sb db with (on central node):
> >      ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
> >      ovn-sbctl set-connection pssl:6642
> >
> >      And (on compute nodes):
> >      In /etc/sysconfig/ovn-controller:
> >      OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
> >                           --ovn-controller-ssl-cert=/ctl-cert.pem \
> >                           --ovn-controller-ssl-ca-cert=/cacert.pem"
> >      ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:
> xx.xx.xx.xx:6642
> >
> >  NEWS                        |  6 ++++
> >  manpages.mk                 |  4 +++
> >  ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++
> ++++-----------
> >  ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
> >  4 files changed, 77 insertions(+), 22 deletions(-)
> >
> > diff --git a/NEWS b/NEWS
> > index 882f611..ec44dd5 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -10,6 +10,12 @@ Post-v2.6.0
> >       * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6
> actions.
> >       * Support for managing SSL and remote connection configuration in
> >         northbound and southbound databases.
> > +     * TCP connections to northbound and southbound databases are no
> > +       longer enabled by default and must be explicitly configured.
> > +       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> > +       command or the ovn-ctl "--db-sb-create-insecure-remote" and
> > +       "--db-nb-create-insecure-remote" command-line options for
> > +       information regarding remote connection configuration.
> >     - Fixed regression in table stats maintenance introduced in OVS
> >       2.3.0, wherein the number of OpenFlow table hits and misses was
> >       not accurate.
> > diff --git a/manpages.mk b/manpages.mk
> > index 742bd66..825e2bc 100644
> > --- a/manpages.mk
> > +++ b/manpages.mk
> > @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
> >       lib/vlog-syn.man \
> >       lib/vlog.man \
> >       ovsdb/remote-active.man \
> > +     ovsdb/remote-active.man \
> > +     ovsdb/remote-passive.man \
> >       ovsdb/remote-passive.man
> >  ovsdb/ovsdb-client.1.in:
> >  lib/common-syn.man:
> > @@ -58,6 +60,8 @@ lib/table.man:
> >  lib/vlog-syn.man:
> >  lib/vlog.man:
> >  ovsdb/remote-active.man:
> > +ovsdb/remote-active.man:
> > +ovsdb/remote-passive.man:
> >  ovsdb/remote-passive.man:
> >
> >  ovsdb/ovsdb-server.1: \
> > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > index 73e78e5..a696d5e 100755
> > --- a/ovn/utilities/ovn-ctl
> > +++ b/ovn/utilities/ovn-ctl
> > @@ -50,7 +50,7 @@ stop_ovsdb () {
> >
> >  demote_ovnnb() {
> >      if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> $ovnnb_active_conf_file
> > +        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"
> > $ovnnb_active_conf_file
> >      fi
> >
> >      if test -e $ovnnb_active_conf_file; then
> > @@ -64,7 +64,7 @@ demote_ovnnb() {
> >
> >  demote_ovnsb() {
> >      if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> > -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> $ovnsb_active_conf_file
> > +        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT"
> > $ovnsb_active_conf_file
> >      fi
> >
> >      if test -e $ovnsb_active_conf_file; then
> > @@ -93,15 +93,21 @@ start_ovsdb () {
> >
> >          set ovsdb-server
> >
> > -        set "$@" --detach --monitor $OVN_NB_LOG \
> > -            --log-file=$OVN_NB_LOGFILE \
> > -            --remote=punix:$DB_NB_SOCK \
> > -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> > -            --pidfile=$DB_NB_PID \
> > -            --unixctl=ovnnb_db.ctl
> > +        set "$@" --detach --monitor
> > +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> > +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> > +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> > +        set "$@" --unixctl=ovnnb_db.ctl
> > +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> > +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> > +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> > +
> > +        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> > +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> > +        fi
> >
> >          if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > -            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> $ovnnb_active_conf_file
> > +            echo "$DB_NB_SYNC_FROM_PROTO:$DB_
> NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> >          fi
> >
> >          if test -e $ovnnb_active_conf_file; then
> > @@ -118,15 +124,21 @@ start_ovsdb () {
> >
> >          set ovsdb-server
> >
> > -        set "$@" --detach --monitor $OVN_SB_LOG \
> > -            --log-file=$OVN_SB_LOGFILE \
> > -            --remote=punix:$DB_SB_SOCK \
> > -            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
> > -            --pidfile=$DB_SB_PID \
> > -            --unixctl=ovnsb_db.ctl
> > +        set "$@" --detach --monitor
> > +        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
> > +        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
> > +        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
> > +        set "$@" --unixctl=ovnsb_db.ctl
> > +        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
> > +        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
> > +        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
> > +
> > +        if test X"$
> DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
>

There is a typo here. It should be DB_SB_CREATE_INSECURE_REMOTE.

> +            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
> > +        fi
> >
> >          if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> > -            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> $ovnsb_active_conf_file
> > +            echo "$DB_SB_SYNC_FROM_PROTO:$DB_
> SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
> >          fi
> >
> >          if test -e $ovnsb_active_conf_file; then
> > @@ -208,12 +220,22 @@ start_northd () {
> >  start_controller () {
> >      set ovn-controller "unix:$DB_SOCK"
> >      set "$@" $OVN_CONTROLLER_LOG
> > +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> > +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> > +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> > +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> > +    fi
> >      OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY"
> "$OVN_CONTROLLER_WRAPPER" "$@"
> >  }
> >
> >  start_controller_vtep () {
> >      set ovn-controller-vtep "unix:$DB_SOCK"
> >      set "$@" -vconsole:emer -vsyslog:err -vfile:info
> > +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> > +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> > +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> > +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> > +    fi
> >      OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY"
> "$OVN_CONTROLLER_WRAPPER" "$@"
> >  }
> >
> > @@ -275,6 +297,7 @@ set_defaults () {
> >      DB_NB_FILE=$dbdir/ovnnb_db.db
> >      DB_NB_ADDR=0.0.0.0
> >      DB_NB_PORT=6641
> > +    DB_NB_SYNC_FROM_PROTO=tcp
> >      DB_NB_SYNC_FROM_ADDR=
> >      DB_NB_SYNC_FROM_PORT=6641
> >
> > @@ -283,6 +306,7 @@ set_defaults () {
> >      DB_SB_FILE=$dbdir/ovnsb_db.db
> >      DB_SB_ADDR=0.0.0.0
> >      DB_SB_PORT=6642
> > +    DB_SB_SYNC_FROM_PROTO=tcp
> >      DB_SB_SYNC_FROM_ADDR=
> >      DB_SB_SYNC_FROM_PORT=6642
> >
> > @@ -307,6 +331,13 @@ set_defaults () {
> >      OVN_SB_LOG="-vconsole:off"
> >      OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
> >      OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
> > +
> > +    OVN_CONTROLLER_SSL_KEY=""
> > +    OVN_CONTROLLER_SSL_CERT=""
> > +    OVN_CONTROLLER_SSL_CA_CERT=""
> > +
> > +    DB_SB_CREATE_INSECURE_REMOTE="no"
> > +    DB_NB_CREATE_INSECURE_REMOTE="no"
> >  }
> >
> >  set_option () {
> > @@ -350,6 +381,9 @@ Options:
> >    --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for
> debugging
> >    --ovn-controller-priority=NICE     set ovn-northd's niceness
> (default: $OVN_CONTROLLER_PRIORITY)
> >    --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind
> for debugging
> > +  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
> > +  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> > +  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
> file
> >    --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases
> should be
> >                                     automatically started and stopped
> along
> >                                     with ovn-northd. The default is
> "yes". If
> > @@ -376,9 +410,13 @@ File location options:
> >    --ovn-nb-logfile=FILE OVN Northbound log file (default:
> $OVN_NB_LOGFILE)
> >    --ovn-sb-logfile=FILE OVN Southbound log file (default:
> $OVN_SB_LOGFILE)
> >    --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address
> (default: $DB_NB_SYNC_FROM_ADDR)
> > -  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port
> (default: $DB_NB_SYNC_FROM_PORT)
> > +  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port
> (default: $DB_NB_SYNC_FROM_PORT)
> > +  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport
> (default: $DB_NB_SYNC_FROM_PROTO)
> > +  --db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound
> remote (default: $DB_NB_CREATE_INSECURE_REMOTE)
> >    --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address
> (default: $DB_SB_SYNC_FROM_ADDR)
> >    --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port
> (default: $DB_SB_SYNC_FROM_PORT)
> > +  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport
> (default: $DB_SB_SYNC_FROM_PROTO)
> > +  --db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound
> remote (default: $DB_SB_CREATE_INSECURE_REMOTE)
> >
> >  Default directories with "configure" option and environment variable
> override:
> >    logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
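Review bot: `--db-nb-sync-from-proto=PROTO` and `--db-sb-sync-from-proto=PROTO` do not say which values PROTO accepts, yet the value is spliced straight into the active-server string; document it as `tcp|ssl` the way `--db-*-create-insecure-remote=yes|no` is documented. While here, the unchanged `--db-sb-sync-from-port=ADDR` line should read `PORT`, matching the corrected `--db-nb-sync-from-port=PORT` just above it.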
> > diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> > index ff7366c..c4884f8 100644
> > --- a/ovn/utilities/ovn-ctl.8.xml
> > +++ b/ovn/utilities/ovn-ctl.8.xml
> > @@ -38,17 +38,24 @@
> >      <p><code>-h</code> | <code>--help</code></p>
> >
> >      <h1>File location options</h1>
> > -    <p><code>--db-sock==<var>SOCKET</var></code></p>
> > -    <p><code>--db-nb-file==<var>FILE</var></code></p>
> > -    <p><code>--db-sb-file==<var>FILE</var></code></p>
> > -    <p><code>--db-nb-schema==<var>FILE</var></code></p>
> > -    <p><code>--db-sb-schema==<var>FILE</var></code></p>
> > +    <p><code>--db-sock=<var>SOCKET</var></code></p>
> > +    <p><code>--db-nb-file=<var>FILE</var></code></p>
> > +    <p><code>--db-sb-file=<var>FILE</var></code></p>
> > +    <p><code>--db-nb-schema=<var>FILE</var></code></p>
> > +    <p><code>--db-sb-schema=<var>FILE</var></code></p>
> > +    <p><code>--db-sb-create-insecure-remote=<var>yes|no</
> var></code></p>
> > +    <p><code>--db-nb-create-insecure-remote=<var>yes|no</
> var></code></p>
> > +    <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
> > +    <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
> > +    <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
> >
> >      <h1>Address and port options</h1>
> >      <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
> >      <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
> > +    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
> >      <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
> >      <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
> > +    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
> >
> >      <h1>Configuration files</h1>
> >      <p>Following are the optional configuration files. If present, it
> should be located in the etc dir</p>
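Review bot: `--db-sb-create-insecure-remote` and `--db-nb-create-insecure-remote` are added under the "File location options" heading, but they take `yes|no` rather than a path; they belong with the listener and transport settings under "Address and port options" next to `--db-*-sync-from-proto`. The man page also gives no hint of the accepted values for `PROTO`, nor that the `--ovn-controller-ssl-*` options must be supplied together.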
> > --
> > 2.5.5
> >
>
Guoshuai Li Dec. 27, 2016, 2:14 p.m. UTC | #3
I have a question to ask:

How do you do OVSDB replication using SSL?

If the OVSDB cluster is used by pacemaker, the OVSDB standby node is read-only.

And it is unable to execute the command "ovn-nbctl set-ssl".

Does the SSL table need to not be read-only?

Thanks,

On 2016/12/27 19:04, Numan Siddique wrote:
> On Fri, Dec 23, 2016 at 5:13 AM, Ben Pfaff <blp@ovn.org> wrote:
>
>> I see that Numan acked this.  Russell, are you satisfied?
>>
>> Thanks,
>>
>> Ben.
>>
>> On Thu, Dec 22, 2016 at 01:54:44PM -0500, Lance Richardson wrote:
>>> Add support for SSL connections to OVN northbound and/or
>>> southbound databases.
>>>
>>> To improve security, the NB and SB ovsdb daemons no longer
>>> have open ptcp connections by default.  This is a change in
>>> behavior from previous versions, users wishing to use TCP
>>> connections to the NB/SB daemons can either request that
>>> a passive TCP connection be used via ovn-ctl command-line
>>> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
>>> scripts):
>>>
>>>      --db-sb-create-insecure-remote=yes
>>>      --db-nb-create-insecure-remote=yes
>>>
>>> Or configure a connection after the NB/SB daemons have been
>>> started, e.g.:
>>>
>>>      ovn-sbctl set-connection ptcp:6642
>>>      ovn-nbctl set-connection ptcp:6641
>>>
>>> Users desiring SSL database connections will need to generate
>> certificates
>>> and private key as described in INSTALL.SSL.rst and perform the following
>>> one-time configuration steps:
>>>
>>>     ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
>>>     ovn-sbctl set-connection pssl:6642
>>>     ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
>>>     ovn-nbctl set-connection pssl:6641
>>>
>>> On the ovn-controller and ovn-controller-vtep side, SSL configuration
>>> must be provided on the command-line when the daemons are started, this
>>> should be provided via the following command-line options (e.g. via
>>> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
>>>
>>>     --ovn-controller-ssl-key=<private-key>
>>>     --ovn-controller-ssl-cert=<certificate>
>>>     --ovn-controller-ssl-ca-cert=<ca-cert>
>>>
>>> The SB database connection should also be configured to use SSL, e.g.:
>>>
>>>      ovs-vsctl set Open_vSwitch . \
>>>                external-ids:ovn-remote=ssl:w.x.y.z:6642
>>>
>>> Signed-off-by: Lance Richardson <lrichard@redhat.com>
>>> Acked-by: Ben Pfaff <blp@ovn.org>
>>> ---
>>> v5: - Corrected "==" between option and value for command-line options
>>>        in the ovn-ctl man page, a single "=" should have been used. Fixed
>>>        new instances as well as pre-existing instances.
>>>
>>> v4: - reverted to v1 scheme for creating default (insecure), dropping
>>>        feedback from Russell at http://patchwork.ozlabs.org/patch/701571/
>> .
>>>      - changed --db-?b-create-remote to --db-?b-create-insecure-remote
>>>
>>> v3: - rebased
>>>      - s/db-sb-default-remote/db-sb-create-remote/ in man page
>>>      - s/db-nb-default-remote/db-nb-create-remote/ in man page
>>>
>>> v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
>>>      - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
>>>      - Create default remote configuration in db instead of
>>>        via command-line options.
>>>
>>> Testing Notes:
>>>     - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
>>>       OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes
>> --db-nb-create-insecure-remote=yes"
>>>     - Verified tcp connections operational without
>> /etc/sysconfig/ovn-northd and:
>>>       ovn-sbctl set-connection ptcp:6642
>>>       ovn-nbctl set-connection ptcp:6641
>>>
>>>     - Verified SSL connection to sb db with (on central node):
>>>       ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
>>>       ovn-sbctl set-connection pssl:6642
>>>
>>>       And (on compute nodes):
>>>       In /etc/sysconfig/ovn-controller:
>>>       OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
>>>                            --ovn-controller-ssl-cert=/ctl-cert.pem \
>>>                            --ovn-controller-ssl-ca-cert=/cacert.pem"
>>>       ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:
>> xx.xx.xx.xx:6642
>>>   NEWS                        |  6 ++++
>>>   manpages.mk                 |  4 +++
>>>   ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++
>> ++++-----------
>>>   ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
>>>   4 files changed, 77 insertions(+), 22 deletions(-)
>>>
>>> diff --git a/NEWS b/NEWS
>>> index 882f611..ec44dd5 100644
>>> --- a/NEWS
>>> +++ b/NEWS
>>> @@ -10,6 +10,12 @@ Post-v2.6.0
>>>        * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6
>> actions.
>>>        * Support for managing SSL and remote connection configuration in
>>>          northbound and southbound databases.
>>> +     * TCP connections to northbound and southbound databases are no
>>> +       longer enabled by default and must be explicitly configured.
>>> +       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
>>> +       command or the ovn-ctl "--db-sb-create-insecure-remote" and
>>> +       "--db-nb-create-insecure-remote" command-line options for
>>> +       information regarding remote connection configuration.
>>>      - Fixed regression in table stats maintenance introduced in OVS
>>>        2.3.0, wherein the number of OpenFlow table hits and misses was
>>>        not accurate.
>>> diff --git a/manpages.mk b/manpages.mk
>>> index 742bd66..825e2bc 100644
>>> --- a/manpages.mk
>>> +++ b/manpages.mk
>>> @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
>>>        lib/vlog-syn.man \
>>>        lib/vlog.man \
>>>        ovsdb/remote-active.man \
>>> +     ovsdb/remote-active.man \
>>> +     ovsdb/remote-passive.man \
>>>        ovsdb/remote-passive.man
>>>   ovsdb/ovsdb-client.1.in:
>>>   lib/common-syn.man:
>>> @@ -58,6 +60,8 @@ lib/table.man:
>>>   lib/vlog-syn.man:
>>>   lib/vlog.man:
>>>   ovsdb/remote-active.man:
>>> +ovsdb/remote-active.man:
>>> +ovsdb/remote-passive.man:
>>>   ovsdb/remote-passive.man:
>>>
>>>   ovsdb/ovsdb-server.1: \
>>> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
>>> index 73e78e5..a696d5e 100755
>>> --- a/ovn/utilities/ovn-ctl
>>> +++ b/ovn/utilities/ovn-ctl
>>> @@ -50,7 +50,7 @@ stop_ovsdb () {
>>>
>>>   demote_ovnnb() {
>>>       if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
>>> -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
>> $ovnnb_active_conf_file
>>> +        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"
>>> $ovnnb_active_conf_file
>>>       fi
>>>
>>>       if test -e $ovnnb_active_conf_file; then
>>> @@ -64,7 +64,7 @@ demote_ovnnb() {
>>>
>>>   demote_ovnsb() {
>>>       if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
>>> -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
>> $ovnsb_active_conf_file
>>> +        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT"
>>> $ovnsb_active_conf_file
>>>       fi
>>>
>>>       if test -e $ovnsb_active_conf_file; then
>>> @@ -93,15 +93,21 @@ start_ovsdb () {
>>>
>>>           set ovsdb-server
>>>
>>> -        set "$@" --detach --monitor $OVN_NB_LOG \
>>> -            --log-file=$OVN_NB_LOGFILE \
>>> -            --remote=punix:$DB_NB_SOCK \
>>> -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
>>> -            --pidfile=$DB_NB_PID \
>>> -            --unixctl=ovnnb_db.ctl
>>> +        set "$@" --detach --monitor
>>> +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
>>> +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
>>> +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
>>> +        set "$@" --unixctl=ovnnb_db.ctl
>>> +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
>>> +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
>>> +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
>>> +
>>> +        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
>>> +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
>>> +        fi
>>>
>>>           if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
>>> -            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
>> $ovnnb_active_conf_file
>>> +            echo "$DB_NB_SYNC_FROM_PROTO:$DB_
>> NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
>>>           fi
>>>
>>>           if test -e $ovnnb_active_conf_file; then
>>> @@ -118,15 +124,21 @@ start_ovsdb () {
>>>
>>>           set ovsdb-server
>>>
>>> -        set "$@" --detach --monitor $OVN_SB_LOG \
>>> -            --log-file=$OVN_SB_LOGFILE \
>>> -            --remote=punix:$DB_SB_SOCK \
>>> -            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
>>> -            --pidfile=$DB_SB_PID \
>>> -            --unixctl=ovnsb_db.ctl
>>> +        set "$@" --detach --monitor
>>> +        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
>>> +        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
>>> +        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
>>> +        set "$@" --unixctl=ovnsb_db.ctl
>>> +        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
>>> +        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
>>> +        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
>>> +
>>> +        if test X"$
>> ​​
>> DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
>>
>
> There is a typo here. It should be DB_SB_CREATE_INSECURE_REMOTE
>
>> +            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
>>> +        fi
>>>
>>>           if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
>>> -            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
>> $ovnsb_active_conf_file
>>> +            echo "$DB_SB_SYNC_FROM_PROTO:$DB_
>> SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
>>>           fi
>>>
>>>           if test -e $ovnsb_active_conf_file; then
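Review bot: the Southbound branch tests `X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes` before adding `--remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR`; it must test `DB_SB_CREATE_INSECURE_REMOTE`, as noted inline above. As written, `--db-sb-create-insecure-remote=yes` on its own never opens the SB ptcp listener, while `--db-nb-create-insecure-remote=yes` opens both, the opposite of what the option names promise, and this is invisible when both options are set the same way, so the mixed combinations need to be in the test matrix.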
>>> @@ -208,12 +220,22 @@ start_northd () {
>>>   start_controller () {
>>>       set ovn-controller "unix:$DB_SOCK"
>>>       set "$@" $OVN_CONTROLLER_LOG
>>> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
>>> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
>>> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
>>> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
>>> +    fi
>>>       OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY"
>> "$OVN_CONTROLLER_WRAPPER" "$@"
>>>   }
>>>
>>>   start_controller_vtep () {
>>>       set ovn-controller-vtep "unix:$DB_SOCK"
>>>       set "$@" -vconsole:emer -vsyslog:err -vfile:info
>>> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
>>> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
>>> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
>>> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
>>> +    fi
>>>       OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY"
>> "$OVN_CONTROLLER_WRAPPER" "$@"
>>>   }
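Review bot: in both `start_controller` and `start_controller_vtep` only `OVN_CONTROLLER_SSL_CERT` is tested before passing `--private-key=$OVN_CONTROLLER_SSL_KEY` and `--ca-cert=$OVN_CONTROLLER_SSL_CA_CERT`; if the key or CA-cert option is omitted the daemon is started with an empty `--private-key=` or `--ca-cert=` and fails later, at connect time, with a less obvious error. Suggest checking all three and exiting with a message naming the missing option, and quoting the expansions so a path containing spaces does not split the argument.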
>>>
>>> @@ -275,6 +297,7 @@ set_defaults () {
>>>       DB_NB_FILE=$dbdir/ovnnb_db.db
>>>       DB_NB_ADDR=0.0.0.0
>>>       DB_NB_PORT=6641
>>> +    DB_NB_SYNC_FROM_PROTO=tcp
>>>       DB_NB_SYNC_FROM_ADDR=
>>>       DB_NB_SYNC_FROM_PORT=6641
>>>
>>> @@ -283,6 +306,7 @@ set_defaults () {
>>>       DB_SB_FILE=$dbdir/ovnsb_db.db
>>>       DB_SB_ADDR=0.0.0.0
>>>       DB_SB_PORT=6642
>>> +    DB_SB_SYNC_FROM_PROTO=tcp
>>>       DB_SB_SYNC_FROM_ADDR=
>>>       DB_SB_SYNC_FROM_PORT=6642
>>>
>>> @@ -307,6 +331,13 @@ set_defaults () {
>>>       OVN_SB_LOG="-vconsole:off"
>>>       OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
>>>       OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
>>> +
>>> +    OVN_CONTROLLER_SSL_KEY=""
>>> +    OVN_CONTROLLER_SSL_CERT=""
>>> +    OVN_CONTROLLER_SSL_CA_CERT=""
>>> +
>>> +    DB_SB_CREATE_INSECURE_REMOTE="no"
>>> +    DB_NB_CREATE_INSECURE_REMOTE="no"
>>>   }
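Review bot: `DB_NB_SYNC_FROM_PROTO` and `DB_SB_SYNC_FROM_PROTO` default to `tcp`, so a replica keeps syncing from the active server in cleartext even after the active's listener has been switched to `pssl:` with `set-connection`, at which point the standby's tcp connection to a pssl-only listener cannot succeed unless `--db-*-sync-from-proto=ssl` is also given. That coupling should be spelled out in the help text, and nothing validates that the value is `tcp` or `ssl` before it is written into the active-server string in `demote_ovnnb`/`demote_ovnsb`.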
>>>
>>>   set_option () {
>>> @@ -350,6 +381,9 @@ Options:
>>>     --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for
>> debugging
>>>     --ovn-controller-priority=NICE     set ovn-northd's niceness
>> (default: $OVN_CONTROLLER_PRIORITY)
>>>     --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind
>> for debugging
>>> +  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
>>> +  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
>>> +  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
>> file
>>>     --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases
>> should be
>>>                                      automatically started and stopped
>> along
>>>                                      with ovn-northd. The default is
>> "yes". If
>>> @@ -376,9 +410,13 @@ File location options:
>>>     --ovn-nb-logfile=FILE OVN Northbound log file (default:
>> $OVN_NB_LOGFILE)
>>>     --ovn-sb-logfile=FILE OVN Southbound log file (default:
>> $OVN_SB_LOGFILE)
>>>     --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address
>> (default: $DB_NB_SYNC_FROM_ADDR)
>>> -  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port
>> (default: $DB_NB_SYNC_FROM_PORT)
>>> +  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port
>> (default: $DB_NB_SYNC_FROM_PORT)
>>> +  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport
>> (default: $DB_NB_SYNC_FROM_PROTO)
>>> +  --db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound
>> remote (default: $DB_NB_CREATE_INSECURE_REMOTE)
>>>     --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address
>> (default: $DB_SB_SYNC_FROM_ADDR)
>>>     --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port
>> (default: $DB_SB_SYNC_FROM_PORT)
>>> +  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport
>> (default: $DB_SB_SYNC_FROM_PROTO)
>>> +  --db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound
>> remote (default: $DB_SB_CREATE_INSECURE_REMOTE)
>>>   Default directories with "configure" option and environment variable
>> override:
>>>     logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
>>> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
>>> index ff7366c..c4884f8 100644
>>> --- a/ovn/utilities/ovn-ctl.8.xml
>>> +++ b/ovn/utilities/ovn-ctl.8.xml
>>> @@ -38,17 +38,24 @@
>>>       <p><code>-h</code> | <code>--help</code></p>
>>>
>>>       <h1>File location options</h1>
>>> -    <p><code>--db-sock==<var>SOCKET</var></code></p>
>>> -    <p><code>--db-nb-file==<var>FILE</var></code></p>
>>> -    <p><code>--db-sb-file==<var>FILE</var></code></p>
>>> -    <p><code>--db-nb-schema==<var>FILE</var></code></p>
>>> -    <p><code>--db-sb-schema==<var>FILE</var></code></p>
>>> +    <p><code>--db-sock=<var>SOCKET</var></code></p>
>>> +    <p><code>--db-nb-file=<var>FILE</var></code></p>
>>> +    <p><code>--db-sb-file=<var>FILE</var></code></p>
>>> +    <p><code>--db-nb-schema=<var>FILE</var></code></p>
>>> +    <p><code>--db-sb-schema=<var>FILE</var></code></p>
>>> +    <p><code>--db-sb-create-insecure-remote=<var>yes|no</
>> var></code></p>
>>> +    <p><code>--db-nb-create-insecure-remote=<var>yes|no</
>> var></code></p>
>>> +    <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
>>> +    <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
>>> +    <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
>>>
>>>       <h1>Address and port options</h1>
>>>       <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>>>       <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
>>> +    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
>>>       <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>>>       <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
>>> +    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
>>>
>>>       <h1>Configuration files</h1>
>>>       <p>Following are the optional configuration files. If present, it
>> should be located in the etc dir</p>
>>> --
>>> 2.5.5
>>>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Lance Richardson Dec. 28, 2016, 1:48 a.m. UTC | #4
> From: "Numan Siddique" <nusiddiq@redhat.com>
> To: "Ben Pfaff" <blp@ovn.org>
> Cc: "Lance Richardson" <lrichard@redhat.com>, "Russell Bryant" <russell@ovn.org>, "ovs dev" <dev@openvswitch.org>
> Sent: Tuesday, December 27, 2016 4:04:19 AM
> Subject: Re: [PATCH v5] ovn-ctl: add support for SSL nb/sb db connections
> 
> On Fri, Dec 23, 2016 at 5:13 AM, Ben Pfaff <blp@ovn.org> wrote:
> 
> > I see that Numan acked this.  Russell, are you satisfied?
> >
> > Thanks,
> >
> > Ben.
> >
> > On Thu, Dec 22, 2016 at 01:54:44PM -0500, Lance Richardson wrote:
> > > Add support for SSL connections to OVN northbound and/or
> > > southbound databases.
> > >
> > > To improve security, the NB and SB ovsdb daemons no longer
> > > have open ptcp connections by default.  This is a change in
> > > behavior from previous versions, users wishing to use TCP
> > > connections to the NB/SB daemons can either request that
> > > a passive TCP connection be used via ovn-ctl command-line
> > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > > scripts):
> > >
> > >     --db-sb-create-insecure-remote=yes
> > >     --db-nb-create-insecure-remote=yes
> > >
> > > Or configure a connection after the NB/SB daemons have been
> > > started, e.g.:
> > >
> > >     ovn-sbctl set-connection ptcp:6642
> > >     ovn-nbctl set-connection ptcp:6641
> > >
> > > Users desiring SSL database connections will need to generate
> > certificates
> > > and private key as described in INSTALL.SSL.rst and perform the following
> > > one-time configuration steps:
> > >
> > >    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
> > >    ovn-sbctl set-connection pssl:6642
> > >    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
> > >    ovn-nbctl set-connection pssl:6641
> > >
> > > On the ovn-controller and ovn-controller-vtep side, SSL configuration
> > > must be provided on the command-line when the daemons are started, this
> > > should be provided via the following command-line options (e.g. via
> > > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> > >
> > >    --ovn-controller-ssl-key=<private-key>
> > >    --ovn-controller-ssl-cert=<certificate>
> > >    --ovn-controller-ssl-ca-cert=<ca-cert>
> > >
> > > The SB database connection should also be configured to use SSL, e.g.:
> > >
> > >     ovs-vsctl set Open_vSwitch . \
> > >               external-ids:ovn-remote=ssl:w.x.y.z:6642
> > >
> > > Signed-off-by: Lance Richardson <lrichard@redhat.com>
> > > Acked-by: Ben Pfaff <blp@ovn.org>
> > > ---
> > > v5: - Corrected "==" between option and value for command-line options
> > >       in the ovn-ctl man page, a single "=" should have been used. Fixed
> > >       new instances as well as pre-existing instances.
> > >
> > > v4: - reverted to v1 scheme for creating default (insecure), dropping
> > >       feedback from Russell at http://patchwork.ozlabs.org/patch/701571/
> > .
> > >     - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> > >
> > > v3: - rebased
> > >     - s/db-sb-default-remote/db-sb-create-remote/ in man page
> > >     - s/db-nb-default-remote/db-nb-create-remote/ in man page
> > >
> > > v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
> > >     - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
> > >     - Create default remote configuration in db instead of
> > >       via command-line options.
> > >
> > > Testing Notes:
> > >    - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
> > >      OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes
> > --db-nb-create-insecure-remote=yes"
> > >
> > >    - Verified tcp connections operational without
> > /etc/sysconfig/ovn-northd and:
> > >      ovn-sbctl set-connection ptcp:6642
> > >      ovn-nbctl set-connection ptcp:6641
> > >
> > >    - Verified SSL connection to sb db with (on central node):
> > >      ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
> > >      ovn-sbctl set-connection pssl:6642
> > >
> > >      And (on compute nodes):
> > >      In /etc/sysconfig/ovn-controller:
> > >      OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
> > >                           --ovn-controller-ssl-cert=/ctl-cert.pem \
> > >                           --ovn-controller-ssl-ca-cert=/cacert.pem"
> > >      ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:
> > xx.xx.xx.xx:6642
> > >
> > >  NEWS                        |  6 ++++
> > >  manpages.mk                 |  4 +++
> > >  ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++
> > ++++-----------
> > >  ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
> > >  4 files changed, 77 insertions(+), 22 deletions(-)
> > >
> > > diff --git a/NEWS b/NEWS
> > > index 882f611..ec44dd5 100644
> > > --- a/NEWS
> > > +++ b/NEWS
> > > @@ -10,6 +10,12 @@ Post-v2.6.0
> > >       * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6
> > actions.
> > >       * Support for managing SSL and remote connection configuration in
> > >         northbound and southbound databases.
> > > +     * TCP connections to northbound and southbound databases are no
> > > +       longer enabled by default and must be explicitly configured.
> > > +       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> > > +       command or the ovn-ctl "--db-sb-create-insecure-remote" and
> > > +       "--db-nb-create-insecure-remote" command-line options for
> > > +       information regarding remote connection configuration.
> > >     - Fixed regression in table stats maintenance introduced in OVS
> > >       2.3.0, wherein the number of OpenFlow table hits and misses was
> > >       not accurate.
> > > diff --git a/manpages.mk b/manpages.mk
> > > index 742bd66..825e2bc 100644
> > > --- a/manpages.mk
> > > +++ b/manpages.mk
> > > @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
> > >       lib/vlog-syn.man \
> > >       lib/vlog.man \
> > >       ovsdb/remote-active.man \
> > > +     ovsdb/remote-active.man \
> > > +     ovsdb/remote-passive.man \
> > >       ovsdb/remote-passive.man
> > >  ovsdb/ovsdb-client.1.in:
> > >  lib/common-syn.man:
> > > @@ -58,6 +60,8 @@ lib/table.man:
> > >  lib/vlog-syn.man:
> > >  lib/vlog.man:
> > >  ovsdb/remote-active.man:
> > > +ovsdb/remote-active.man:
> > > +ovsdb/remote-passive.man:
> > >  ovsdb/remote-passive.man:
> > >
> > >  ovsdb/ovsdb-server.1: \
> > > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > > index 73e78e5..a696d5e 100755
> > > --- a/ovn/utilities/ovn-ctl
> > > +++ b/ovn/utilities/ovn-ctl
> > > @@ -50,7 +50,7 @@ stop_ovsdb () {
> > >
> > >  demote_ovnnb() {
> > >      if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > > -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> > $ovnnb_active_conf_file
> > > +        echo
> > > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"
> > > $ovnnb_active_conf_file
> > >      fi
> > >
> > >      if test -e $ovnnb_active_conf_file; then
> > > @@ -64,7 +64,7 @@ demote_ovnnb() {
> > >
> > >  demote_ovnsb() {
> > >      if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> > > -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> > $ovnsb_active_conf_file
> > > +        echo
> > > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT"
> > > $ovnsb_active_conf_file
> > >      fi
> > >
> > >      if test -e $ovnsb_active_conf_file; then
> > > @@ -93,15 +93,21 @@ start_ovsdb () {
> > >
> > >          set ovsdb-server
> > >
> > > -        set "$@" --detach --monitor $OVN_NB_LOG \
> > > -            --log-file=$OVN_NB_LOGFILE \
> > > -            --remote=punix:$DB_NB_SOCK \
> > > -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> > > -            --pidfile=$DB_NB_PID \
> > > -            --unixctl=ovnnb_db.ctl
> > > +        set "$@" --detach --monitor
> > > +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> > > +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> > > +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> > > +        set "$@" --unixctl=ovnnb_db.ctl
> > > +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> > > +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> > > +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> > > +
> > > +        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> > > +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> > > +        fi
> > >
> > >          if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > > -            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> > $ovnnb_active_conf_file
> > > +            echo "$DB_NB_SYNC_FROM_PROTO:$DB_
> > NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> > >          fi
> > >
> > >          if test -e $ovnnb_active_conf_file; then
> > > @@ -118,15 +124,21 @@ start_ovsdb () {
> > >
> > >          set ovsdb-server
> > >
> > > -        set "$@" --detach --monitor $OVN_SB_LOG \
> > > -            --log-file=$OVN_SB_LOGFILE \
> > > -            --remote=punix:$DB_SB_SOCK \
> > > -            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
> > > -            --pidfile=$DB_SB_PID \
> > > -            --unixctl=ovnsb_db.ctl
> > > +        set "$@" --detach --monitor
> > > +        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
> > > +        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
> > > +        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
> > > +        set "$@" --unixctl=ovnsb_db.ctl
> > > +        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
> > > +        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
> > > +        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
> > > +
> > > +        if test X"$
> > ​​
> > DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> >
> 
> 
> There is a typo here. It should be
> 

Whoops, nice catch! Will fix in a follow-up after I return from traveling.
My testing missed this, I only tested with both options set to yes and 
neither set. Will verify all combinations for next pass.
Lance Richardson Jan. 4, 2017, 3:46 p.m. UTC | #5
> From: "Guoshuai Li" <ligs@dtdream.com>
> To: "Numan Siddique" <nusiddiq@redhat.com>, "Ben Pfaff" <blp@ovn.org>
> Cc: "ovs dev" <dev@openvswitch.org>
> Sent: Tuesday, December 27, 2016 9:14:33 AM
> Subject: Re: [ovs-dev] [PATCH v5] ovn-ctl: add support for SSL nb/sb db connections
> 
> 
> I have a question to ask:
> 
> How do you do OVSDB replication using SSL?
> 
> If the OVSDB cluster is used by pacemaker, the OVSDB standby node is read-only.
> 
> And it is unable to execute the command "ovn-nbctl set-ssl".
> 
> Does the SSL table need to not be read-only?
> 
> 

Good question... at the moment it seems the only way to initialize the
standby's SSL configuration in the db would be to use ovsdb-tool, which
would not be the most user-friendly approach. Otherwise, reworking things
to specify ovsdb SSL certificates/keys via ovsdb-server command-line
options might be needed.

Perhaps folks more familiar with ovsdb replication will have better ideas.

Thanks,

   Lance
Guoshuai Li Jan. 5, 2017, 2:28 a.m. UTC | #6
>> From: "Guoshuai Li" <ligs@dtdream.com>
>> To: "Numan Siddique" <nusiddiq@redhat.com>, "Ben Pfaff" <blp@ovn.org>
>> Cc: "ovs dev" <dev@openvswitch.org>
>> Sent: Tuesday, December 27, 2016 9:14:33 AM
>> Subject: Re: [ovs-dev] [PATCH v5] ovn-ctl: add support for SSL nb/sb db connections
>>
>>
>> I have a question to ask:
>>
>> How do you do OVSDB replication using SSL?
>>
>> If the OVSDB cluster is used by pacemaker, the OVSDB standby node is read-only.
>>
>> And it is unable to execute the command "ovn-nbctl set-ssl".
>>
>> Does the SSL table need to not be read-only?
>>
>>
> Good question... at the moment it seems the only way to initialize the
> standby's SSL configuration in the db would be to use ovsdb-tool, which
> would not be the most user-friendly approach. Otherwise, reworking things
> to specify ovsdb SSL certificates/keys via ovsdb-server command-line
> options might be needed.
>
> Perhaps folks more familiar with ovsdb replication will have better ideas.
>
> Thanks,
>
>     Lance

I found a not-so-good way: quickly execute these commands before the pacemaker
monitor times out:
   ovs-appctl -t /var/run/openvswitch/ovnnb_db.ctl ovsdb-server/disconnect-active-ovsdb-server
   ovn-nbctl set-ssl /etc/openvswitch/ovn-privkey.pem /etc/openvswitch/ovn-cert.pem /etc/openvswitch/cacert.pem
   ovs-appctl -t /var/run/openvswitch/ovnnb_db.ctl ovsdb-server/connect-active-ovsdb-server

Otherwise, I also do not have any good way.

Thanks,
     Guoshuai

Patch

diff --git a/NEWS b/NEWS
index 882f611..ec44dd5 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,12 @@  Post-v2.6.0
      * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions.
      * Support for managing SSL and remote connection configuration in
        northbound and southbound databases.
+     * TCP connections to northbound and southbound databases are no
+       longer enabled by default and must be explicitly configured.
+       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
+       command or the ovn-ctl "--db-sb-create-insecure-remote" and
+       "--db-nb-create-insecure-remote" command-line options for
+       information regarding remote connection configuration.
    - Fixed regression in table stats maintenance introduced in OVS
      2.3.0, wherein the number of OpenFlow table hits and misses was
      not accurate.
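Review bot: the NEWS entry covers only the changed default for TCP listeners; the other user-visible additions in this patch, the `--db-*-sync-from-proto` transport option for replication and the `--ovn-controller-ssl-key/cert/ca-cert` options, are not mentioned, and someone upgrading needs to know that both must be set for an all-SSL deployment.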
diff --git a/manpages.mk b/manpages.mk
index 742bd66..825e2bc 100644
--- a/manpages.mk
+++ b/manpages.mk
@@ -42,6 +42,8 @@  ovsdb/ovsdb-client.1: \
 	lib/vlog-syn.man \
 	lib/vlog.man \
 	ovsdb/remote-active.man \
+	ovsdb/remote-active.man \
+	ovsdb/remote-passive.man \
 	ovsdb/remote-passive.man
 ovsdb/ovsdb-client.1.in:
 lib/common-syn.man:
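Review bot: the two added lines in this hunk duplicate dependencies that are already present: `ovsdb/remote-active.man \` appears on the context line directly above the insertion and `ovsdb/remote-passive.man` on the line directly below it. manpages.mk is a generated file, so this looks like a stale regeneration that was swept into the patch rather than an intended change; drop both manpages.mk hunks (or regenerate the file cleanly) so the patch stays limited to the ovn-ctl change its subject describes.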
@@ -58,6 +60,8 @@  lib/table.man:
 lib/vlog-syn.man:
 lib/vlog.man:
 ovsdb/remote-active.man:
+ovsdb/remote-active.man:
+ovsdb/remote-passive.man:
 ovsdb/remote-passive.man:
 
 ovsdb/ovsdb-server.1: \
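Review bot: same duplication as the previous hunk: the added `ovsdb/remote-active.man:` and `ovsdb/remote-passive.man:` rules repeat the identical rules on the adjacent context lines and should be removed along with the first manpages.mk hunk.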
diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 73e78e5..a696d5e 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -50,7 +50,7 @@  stop_ovsdb () {
 
 demote_ovnnb() {
     if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
-        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
+        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
     fi
 
     if test -e $ovnnb_active_conf_file; then
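Review bot: `$DB_NB_SYNC_FROM_PROTO` is interpolated into the active-server file unchecked, here and in the three sibling hunks that write the same string. ovsdb-server needs an active target (`tcp:` or `ssl:`) in that file, so a typo such as `--db-nb-sync-from-proto=pssl` or `=tcp ` with trailing whitespace produces a string ovsdb-server cannot use as an active address, and ovn-ctl gives no hint why the standby never syncs. A one-line validation where the option is accepted, e.g. `case $DB_NB_SYNC_FROM_PROTO in tcp|ssl) ;; *) echo >&2 "--db-nb-sync-from-proto must be tcp or ssl"; exit 1;; esac`, would fail fast.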
@@ -64,7 +64,7 @@  demote_ovnnb() {
 
 demote_ovnsb() {
     if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
-        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
+        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
     fi
 
     if test -e $ovnsb_active_conf_file; then
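Review bot: `$DB_SB_SYNC_FROM_PROTO` needs the same tcp|ssl validation as its northbound counterpart; as written, any value reaches the active-server file verbatim.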
@@ -93,15 +93,21 @@  start_ovsdb () {
 
         set ovsdb-server
 
-        set "$@" --detach --monitor $OVN_NB_LOG \
-            --log-file=$OVN_NB_LOGFILE \
-            --remote=punix:$DB_NB_SOCK \
-            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
-            --pidfile=$DB_NB_PID \
-            --unixctl=ovnnb_db.ctl
+        set "$@" --detach --monitor
+        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
+        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
+        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
+        set "$@" --unixctl=ovnnb_db.ctl
+        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
+        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
+        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
+
+        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
+            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
+        fi
 
         if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
-            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
+            echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
         fi
 
         if test -e $ovnnb_active_conf_file; then
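Review bot: with `--private-key=db:OVN_Northbound,SSL,private_key` (and the certificate/ca-cert lines beside it) the only source of SSL material for the northbound ovsdb-server is the database itself, and that interacts badly with the `DB_NB_SYNC_FROM_PROTO=ssl` case written a few lines below: a freshly started standby has an empty SSL table until it replicates from the active server, but it cannot open an `ssl:` connection to the active server until it has a key and certificates. The thread above reaches the same conclusion and resorts to a disconnect/set-ssl/reconnect race. Either accept file-based `--db-nb-ssl-key/-cert/-ca-cert` options for the NB/SB servers as an alternative to `db:` (the same way this patch already passes files to ovn-controller), or document that SSL replication requires pre-seeding the SSL row before the standby starts.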
@@ -118,15 +124,21 @@  start_ovsdb () {
 
         set ovsdb-server
 
-        set "$@" --detach --monitor $OVN_SB_LOG \
-            --log-file=$OVN_SB_LOGFILE \
-            --remote=punix:$DB_SB_SOCK \
-            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
-            --pidfile=$DB_SB_PID \
-            --unixctl=ovnsb_db.ctl
+        set "$@" --detach --monitor
+        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
+        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
+        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
+        set "$@" --unixctl=ovnsb_db.ctl
+        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
+        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
+        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
+
+        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
+            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
+        fi
 
         if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
-            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
+            echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
         fi
 
         if test -e $ovnsb_active_conf_file; then
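Review bot: the insecure-remote test in this hunk checks the wrong variable: `if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then` guards the southbound `--remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR`, so `--db-sb-create-insecure-remote=yes` on its own does nothing and `--db-nb-create-insecure-remote=yes` silently opens the southbound cleartext listener as well, the opposite of what the usage text below promises. Change it to `$DB_SB_CREATE_INSECURE_REMOTE`; since the default is "no", the copy-paste slip makes the SB option a no-op in exactly the configuration users will try first.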
@@ -208,12 +220,22 @@  start_northd () {
 start_controller () {
     set ovn-controller "unix:$DB_SOCK"
     set "$@" $OVN_CONTROLLER_LOG
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
 start_controller_vtep () {
     set ovn-controller-vtep "unix:$DB_SOCK"
     set "$@" -vconsole:emer -vsyslog:err -vfile:info
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
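Review bot: the guard `if test X"$OVN_CONTROLLER_SSL_CERT" != X; then` in both start_controller and start_controller_vtep keys the whole SSL block on the certificate alone. If a user sets `--ovn-controller-ssl-key` and `--ovn-controller-ssl-ca-cert` but forgets the cert, all three are silently dropped and the controller is started without SSL options, with no message; if the cert is set but the CA cert is not, the daemon gets an empty `--ca-cert=` and loses peer verification. Require all three together (fail with a usage error if only some are set), quote the expansions since they are user-supplied paths (`--private-key="$OVN_CONTROLLER_SSL_KEY"`), and factor the repeated block into one helper so the two functions cannot drift.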
@@ -275,6 +297,7 @@  set_defaults () {
     DB_NB_FILE=$dbdir/ovnnb_db.db
     DB_NB_ADDR=0.0.0.0
     DB_NB_PORT=6641
+    DB_NB_SYNC_FROM_PROTO=tcp
     DB_NB_SYNC_FROM_ADDR=
     DB_NB_SYNC_FROM_PORT=6641
 
@@ -283,6 +306,7 @@  set_defaults () {
     DB_SB_FILE=$dbdir/ovnsb_db.db
     DB_SB_ADDR=0.0.0.0
     DB_SB_PORT=6642
+    DB_SB_SYNC_FROM_PROTO=tcp
     DB_SB_SYNC_FROM_ADDR=
     DB_SB_SYNC_FROM_PORT=6642
 
@@ -307,6 +331,13 @@  set_defaults () {
     OVN_SB_LOG="-vconsole:off"
     OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
     OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
+
+    OVN_CONTROLLER_SSL_KEY=""
+    OVN_CONTROLLER_SSL_CERT=""
+    OVN_CONTROLLER_SSL_CA_CERT=""
+
+    DB_SB_CREATE_INSECURE_REMOTE="no"
+    DB_NB_CREATE_INSECURE_REMOTE="no"
 }
 
 set_option () {
@@ -350,6 +381,9 @@  Options:
   --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
   --ovn-controller-priority=NICE     set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY)
   --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
+  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
+  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
+  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
   --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
                                    automatically started and stopped along
                                    with ovn-northd. The default is "yes". If
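Review bot: the help text for the three `--ovn-controller-ssl-*` options says "OVN Southbound SSL ... file", which reads as if it configured the southbound ovsdb-server; these are the client-side key, certificate and CA certificate that ovn-controller and ovn-controller-vtep present when connecting to an ssl: southbound remote, and the code requires them as a set. Say so ("ovn-controller SSL private key; all three --ovn-controller-ssl-* options are required together") and align the descriptions with the neighbouring lines.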
@@ -376,9 +410,13 @@  File location options:
   --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE)
   --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE)
   --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR)
-  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
+  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
+  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO)
+  --db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound remote (default: $DB_NB_CREATE_INSECURE_REMOTE)
   --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR)
   --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT)
+  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO)
+  --db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound remote (default: $DB_SB_CREATE_INSECURE_REMOTE)
 
 Default directories with "configure" option and environment variable override:
   logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
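Review bot: while fixing "Northdbound" in the NB sync-from-port line, also fix the context line `--db-sb-sync-from-port=ADDR`, whose placeholder should be PORT like its NB counterpart. The two new `--db-*-sync-from-proto=PROTO` lines should list the accepted values the way the yes|no options do (`PROTO` is really `tcp|ssl`), and "Create ptcp OVN Northbound remote" would be clearer as "listen for unencrypted, unauthenticated connections on $DB_NB_ADDR:$DB_NB_PORT", since the 0.0.0.0 default bind address is what makes this option insecure.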
diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
index ff7366c..c4884f8 100644
--- a/ovn/utilities/ovn-ctl.8.xml
+++ b/ovn/utilities/ovn-ctl.8.xml
@@ -38,17 +38,24 @@ 
     <p><code>-h</code> | <code>--help</code></p>
 
     <h1>File location options</h1>
-    <p><code>--db-sock==<var>SOCKET</var></code></p>
-    <p><code>--db-nb-file==<var>FILE</var></code></p>
-    <p><code>--db-sb-file==<var>FILE</var></code></p>
-    <p><code>--db-nb-schema==<var>FILE</var></code></p>
-    <p><code>--db-sb-schema==<var>FILE</var></code></p>
+    <p><code>--db-sock=<var>SOCKET</var></code></p>
+    <p><code>--db-nb-file=<var>FILE</var></code></p>
+    <p><code>--db-sb-file=<var>FILE</var></code></p>
+    <p><code>--db-nb-schema=<var>FILE</var></code></p>
+    <p><code>--db-sb-schema=<var>FILE</var></code></p>
+    <p><code>--db-sb-create-insecure-remote=<var>yes|no</var></code></p>
+    <p><code>--db-nb-create-insecure-remote=<var>yes|no</var></code></p>
+    <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
+    <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
+    <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
 
     <h1>Address and port options</h1>
     <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
     <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
+    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
     <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
     <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
+    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
 
     <h1>Configuration files</h1>
     <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>
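Review bot: the new options are added to the man page as bare names with no description, so a reader learns neither what `PROTO` accepts (tcp or ssl), what `--db-*-create-insecure-remote=yes` actually opens (a cleartext ptcp listener on the configured address and port), nor that the three `--ovn-controller-ssl-*` options must be given together. The `create-insecure-remote` options are also filed under "File location options" although they name no file; the "Address and port options" section, next to the `sync-from` settings they complement, is the better home, with a one-line description for each.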