@@ -1,16 +1,18 @@
.so lib/ovs.tmac
.TH ovn\-detrace 1 "@VERSION@" "OVN" "OVN Manual"
+.\" This program's name:
+.ds PN ovn\-detrace
.
.SH NAME
-ovn\-detrace \- convert ``ovs\-appctl ofproto/trace'' output to combine
+\*(PN \- convert ``ovs\-appctl ofproto/trace'' output to combine
OVN logical flow information.
.
.SH SYNOPSIS
-\fBovn\-detrace < \fIfile\fR
+\fB\*(PN < \fIfile\fR
.so lib/common-syn.man
.
.SH DESCRIPTION
-The \fBovn\-detrace\fR program reads \fBovs\-appctl ofproto/trace\fR output on
+The \fB\*(PN\fR program reads \fBovs\-appctl ofproto/trace\fR output on
stdin, looking for flow cookies, and expand each cookie with corresponding OVN
logical flows. It expands logical flow further with the north-bound information
e.g. the ACL that generated the logical flow, when relevant.
@@ -38,12 +40,32 @@ Also decode flow information (like OVS ofport) from the flows by connecting
to the OVS DB.
.
.IP "\fB\-\-ovsdb=\fIserver\fR"
-The OVS DB remote to contact if \fB\-\-ovs\f is present. If the
+The OVS DB remote to contact if \fB\-\-ovs\fR is present. If the
\fBOVS_RUNDIR\fR environment variable is set, its value is used as the
default. Otherwise, the default is \fBunix:@RUNDIR@/db.sock\fR, but this
default is unlikely to be useful outside of single-machine OVN test
environments.
.
+.IP "\fB\-p\fR \fIprivkey.pem\fR"
+.IQ "\fB\-\-private\-key=\fIprivkey.pem\fR"
+Specifies a PEM file containing the private key used as \fB\*(PN\fR's
+identity for outgoing SSL connections.
+.
+.IP "\fB\-c\fR \fIcert.pem\fR"
+.IQ "\fB\-\-certificate=\fIcert.pem\fR"
+Specifies a PEM file containing a certificate that certifies the
+private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be
+trustworthy. The certificate must be signed by the certificate
+authority (CA) that the peer in SSL connections will use to verify it.
+.
+.IP "\fB\-C\fR \fIcacert.pem\fR"
+.IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR"
+Specifies a PEM file containing the CA certificate that \fB\*(PN\fR
+should use to verify certificates presented to it by SSL peers. (This
+may be the same certificate that SSL peers use to verify the
+certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may
+be a different one, depending on the PKI design in use.)
+.
.SH "SEE ALSO"
.
.BR ovs\-appctl (8), ovn\-sbctl (8), ovn\-nbctl (8), ovn\-trace (8)
@@ -49,7 +49,10 @@ The following options are also available:
-V, --version display version information
--ovnsb=DATABASE use DATABASE as southbound DB
--ovnnb=DATABASE use DATABASE as northbound DB
- --ovsdb=DATABASE use DATABASE as OVS DB\
+ --ovsdb=DATABASE use DATABASE as OVS DB
+ -p, --private-key=FILE file with private key
+ -c, --certificate=FILE file with certificate for private key
+ -C, --ca-cert=FILE file with peer CA certificate\
""" % {'argv0': argv0})
sys.exit(0)
@@ -334,11 +337,16 @@ def print_record_from_cookie(ovnnb_db, cookie_handlers, cookie):
handler.print_record(record)
handler.print_hint(record, ovnnb_db)
+def remote_is_ssl(remote):
+ return remote and (remote.startswith('ssl:') or ',ssl:' in remote)
+
def main():
try:
- options, args = getopt.gnu_getopt(sys.argv[1:], 'hV',
+ options, args = getopt.gnu_getopt(sys.argv[1:], 'hVp:c:C:',
['help', 'version', 'ovs',
- 'ovnsb=', 'ovnnb=', 'ovsdb='])
+ 'ovnsb=', 'ovnnb=', 'ovsdb=',
+ 'private-key=', 'certificate=',
+ 'ca-cert='])
except (getopt.GetoptError, geo):
sys.stderr.write("%s: %s\n" % (argv0, geo.msg))
sys.exit(1)
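Review bot: `remote_is_ssl` returns the bare `remote` value (`None` or `''`) rather than `False` when the remote is unset, and it has no docstring, so a reader has to work out that the `',ssl:'` test covers comma-separated multi-target remotes; I would write `def remote_is_ssl(remote):` / `"""True if any target of a comma-separated OVSDB remote uses the ssl: scheme."""` / `return bool(remote) and any(t.startswith('ssl:') for t in remote.split(','))`. The context line `except (getopt.GetoptError, geo):` looks like it would raise NameError on `geo` under Python 3 if it really reads that way rather than `except getopt.GetoptError as geo:`; worth confirming, as it is only exercised on a bad option. `main` continues outside the hunk.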
@@ -348,6 +356,10 @@ def main():
ovs_db = None
ovs = False
+ ssl_pk = None
+ ssl_cert = None
+ ssl_ca_cert = None
+
for key, value in options:
if key in ['-h', '--help']:
usage()
@@ -359,6 +371,12 @@ def main():
ovnnb_db = value
elif key in ['--ovsdb']:
ovs_db = value
+ elif key in ['-p', '--private-key']:
+ ssl_pk = value
+ elif key in ['-c', '--certificate']:
+ ssl_cert = value
+ elif key in ['-C', '--ca-cert']:
+ ssl_ca_cert = value
elif key in ['--ovs']:
ovs = True
else:
@@ -369,6 +387,20 @@ def main():
"(use --help for help)\n" % argv0)
sys.exit(1)
+ # If at least one of the remotes is SSL, make sure the SSL required args
+ # were passed.
+ for db in [ovnnb_db, ovnsb_db, ovs_db]:
+ if remote_is_ssl(db) and \
+ (not ssl_pk or not ssl_cert or not ssl_ca_cert):
+ sys.stderr.write('%s: SSL connection requires private key, '
+ 'certificate for private key, and peer CA '
+ 'certificate as arguments.\n' % argv0)
+ sys.exit(1)
+
+ Stream.ssl_set_private_key_file(ssl_pk)
+ Stream.ssl_set_certificate_file(ssl_cert)
+ Stream.ssl_set_ca_cert_file(ssl_ca_cert)
+
ovn_rundir = os.getenv('OVN_RUNDIR', '@OVN_RUNDIR@')
ovs_rundir = os.getenv('OVS_RUNDIR', dirs.RUNDIR)
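Review bot: The three `Stream.ssl_set_*` calls depend on `Stream` being in scope, and the diffstat shows no import added to this file, so it must already be imported (presumably from `ovs.stream`); worth confirming, since a missing name here only surfaces at runtime. The gating loop can be stated once instead of per remote, which also makes the intent (all three SSL arguments are mandatory, including the CA certificate that makes peer verification possible) easier to read: `if any(remote_is_ssl(db) for db in (ovnnb_db, ovnsb_db, ovs_db)) and \` / `        not all((ssl_pk, ssl_cert, ssl_ca_cert)):`. Note that `ovs_db` is only used when `--ovs` is given (per the man page text and the `ovs` flag above), so an `ssl:` `--ovsdb` without `--ovs` still forces the SSL arguments; if that is unintended, include `ovs` in the condition. The `ssl_set_*` calls presumably only record the paths, so an unreadable PEM file would be reported later at connect time rather than here. `main` continues outside the hunk.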
Additional command line arguments are added to ovn-detrace to allow connecting to NB/SB/OVS DBs via SSL. Signed-off-by: Dumitru Ceara <dceara@redhat.com> --- utilities/ovn-detrace.1.in | 30 ++++++++++++++++++++++++++---- utilities/ovn-detrace.in | 38 +++++++++++++++++++++++++++++++++++--- 2 files changed, 61 insertions(+), 7 deletions(-)