From patchwork Tue Jul 7 15:53:50 2020
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1324428
From: Dumitru Ceara
To: dev@openvswitch.org
Date: Tue, 7 Jul 2020 17:53:50 +0200
Message-Id: <20200707155348.25156.23207.stgit@dceara.remote.csb>
In-Reply-To: <20200707155328.25156.32410.stgit@dceara.remote.csb>
References: <20200707155328.25156.32410.stgit@dceara.remote.csb>
User-Agent: StGit/0.17.1-dirty
Subject: [ovs-dev] [PATCH ovn 2/2] ovn-detrace: Support SSL remotes.

Additional command line arguments are added to ovn-detrace to allow
connecting to NB/SB/OVS DBs via SSL.

Signed-off-by: Dumitru Ceara
---
 utilities/ovn-detrace.1.in | 30 ++++++++++++++++++++++++++----
 utilities/ovn-detrace.in   | 38 +++++++++++++++++++++++++++++++++++---
 2 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/utilities/ovn-detrace.1.in b/utilities/ovn-detrace.1.in
index 04e532f..7feba07 100644
--- a/utilities/ovn-detrace.1.in
+++ b/utilities/ovn-detrace.1.in
@@ -1,16 +1,18 @@ .so lib/ovs.tmac .TH ovn\-detrace 1 "@VERSION@" "OVN" "OVN Manual" +.\" This program's name: +.ds PN ovn\-detrace . .SH NAME -ovn\-detrace \- convert ``ovs\-appctl ofproto/trace'' output to combine +\*(PN \- convert ``ovs\-appctl ofproto/trace'' output to combine OVN logical flow information. . .SH SYNOPSIS -\fBovn\-detrace < \fIfile\fR +\fB\*(PN < \fIfile\fR .so lib/common-syn.man . .SH DESCRIPTION -The \fBovn\-detrace\fR program reads \fBovs\-appctl ofproto/trace\fR output on +The \fB\*(PN\fR program reads \fBovs\-appctl ofproto/trace\fR output on stdin, looking for flow cookies, and expand each cookie with corresponding OVN logical flows. It expands logical flow further with the north-bound information e.g. the ACL that generated the logical flow, when relevant. 
@@ -38,12 +40,32 @@ Also decode flow information (like OVS ofport) from the flows by connecting to the OVS DB. . .IP "\fB\-\-ovsdb=\fIserver\fR" -The OVS DB remote to contact if \fB\-\-ovs\f is present. If the +The OVS DB remote to contact if \fB\-\-ovs\fR is present. If the \fBOVS_RUNDIR\fR environment variable is set, its value is used as the default. Otherwise, the default is \fBunix:@RUNDIR@/db.sock\fR, but this default is unlikely to be useful outside of single-machine OVN test environments. . +.IP "\fB\-p\fR \fIprivkey.pem\fR" +.IQ "\fB\-\-private\-key=\fIprivkey.pem\fR" +Specifies a PEM file containing the private key used as \fB\*(PN\fR's +identity for outgoing SSL connections. +. +.IP "\fB\-c\fR \fIcert.pem\fR" +.IQ "\fB\-\-certificate=\fIcert.pem\fR" +Specifies a PEM file containing a certificate that certifies the +private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be +trustworthy. The certificate must be signed by the certificate +authority (CA) that the peer in SSL connections will use to verify it. +. +.IP "\fB\-C\fR \fIcacert.pem\fR" +.IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR" +Specifies a PEM file containing the CA certificate that \fB\*(PN\fR +should use to verify certificates presented to it by SSL peers. (This +may be the same certificate that SSL peers use to verify the +certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may +be a different one, depending on the PKI design in use.) +. .SH "SEE ALSO" . .BR ovs\-appctl (8), ovn\-sbctl (8), ovn\-nbctl (8), ovn\-trace (8) diff --git a/utilities/ovn-detrace.in b/utilities/ovn-detrace.in index 4b2e914..4f8dd5f 100755 --- a/utilities/ovn-detrace.in +++ b/utilities/ovn-detrace.in 
@@ -49,7 +49,10 @@ The following options are also available: -V, --version display version information --ovnsb=DATABASE use DATABASE as southbound DB --ovnnb=DATABASE use DATABASE as northbound DB - --ovsdb=DATABASE use DATABASE as OVS DB\ + --ovsdb=DATABASE use DATABASE as OVS DB + -p, --private-key=FILE file with private key + -c, --certificate=FILE file with certificate for private key + -C, --ca-cert=FILE file with peer CA certificate\ """ % {'argv0': argv0}) sys.exit(0) @@ -334,11 +337,16 @@ def print_record_from_cookie(ovnnb_db, cookie_handlers, cookie): handler.print_record(record) handler.print_hint(record, ovnnb_db) +def remote_is_ssl(remote): + return remote and (remote.startswith('ssl:') or ',ssl:' in remote) + def main(): try: - options, args = getopt.gnu_getopt(sys.argv[1:], 'hV', + options, args = getopt.gnu_getopt(sys.argv[1:], 'hVp:c:C:', ['help', 'version', 'ovs', - 'ovnsb=', 'ovnnb=', 'ovsdb=']) + 'ovnsb=', 'ovnnb=', 'ovsdb=', + 'private-key=', 'certificate=', + 'ca-cert=']) except (getopt.GetoptError, geo): sys.stderr.write("%s: %s\n" % (argv0, geo.msg)) sys.exit(1) @@ -348,6 +356,10 @@ def main(): ovs_db = None ovs = False + ssl_pk = None + ssl_cert = None + ssl_ca_cert = None + for key, value in options: if key in ['-h', '--help']: usage() @@ -359,6 +371,12 @@ def main(): ovnnb_db = value elif key in ['--ovsdb']: ovs_db = value + elif key in ['-p', '--private-key']: + ssl_pk = value + elif key in ['-c', '--certificate']: + ssl_cert = value + elif key in ['-C', '--ca-cert']: + ssl_ca_cert = value elif key in ['--ovs']: ovs = True else: 
@@ -369,6 +387,20 @@ def main(): "(use --help for help)\n" % argv0) sys.exit(1) + # If at least one of the remotes is SSL, make sure the SSL required args + # were passed. + for db in [ovnnb_db, ovnsb_db, ovs_db]: + if remote_is_ssl(db) and \ + (not ssl_pk or not ssl_cert or not ssl_ca_cert): + sys.stderr.write('%s: SSL connection requires private key, ' + 'certificate for private key, and peer CA ' + 'certificate as arguments.\n' % argv0) + sys.exit(1) + + Stream.ssl_set_private_key_file(ssl_pk) + Stream.ssl_set_certificate_file(ssl_cert) + Stream.ssl_set_ca_cert_file(ssl_ca_cert) + ovn_rundir = os.getenv('OVN_RUNDIR', '@OVN_RUNDIR@') ovs_rundir = os.getenv('OVS_RUNDIR', dirs.RUNDIR)
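Review bot: the `\fB\-\-ovs\f` to `\fB\-\-ovs\fR` change at the top of the `@@ -38,12 +40,32 @@` hunk of utilities/ovn-detrace.1.in fixes a pre-existing roff escape error that has nothing to do with SSL support; splitting it into its own patch keeps this one focused and lets the fix be backported on its own. The new -p/-c/-C paragraphs repeat OVS's generic SSL option wording; if lib/ssl.man is reachable the same way lib/common-syn.man already is, sourcing it with `.so lib/ssl.man` would avoid the copy (the `.ds PN` definition added in the first hunk is exactly what that shared text expands).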
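Review bot: the unchanged `except (getopt.GetoptError, geo):` line directly below the modified getopt call in the `@@ -334,11 +337,16 @@` hunk of utilities/ovn-detrace.in is a tuple of exception types, so when a user passes an invalid option `geo` is looked up as a name and the script dies with NameError instead of printing the intended usage error; since this patch adds new options to that very call, it is the right moment to change it to `except getopt.GetoptError as geo:` (here or in a preceding fix). `remote_is_ssl()` is fine as written; consider `return bool(remote) and (...)` so it always yields a boolean, and a one-line comment that `',ssl:' in remote` is what covers comma-separated cluster remotes would save the next reader a moment.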
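Review bot: in the `@@ -369,6 +387,20 @@` hunk of utilities/ovn-detrace.in the three `Stream.ssl_set_*` calls run unconditionally, and the diff adds no import of `Stream`, so please confirm it is already imported in this file; otherwise main() fails with NameError even for unix: remotes. The validation loop also demands a key, certificate and CA certificate whenever `--ovsdb` is an ssl: remote even if `--ovs` was not given and the OVS DB is never opened; testing `ovs and remote_is_ssl(ovs_db)` for that entry avoids a spurious exit. Lastly, the error message does not say which remote triggered it; including `db` in the text helps when only one of the three databases is behind SSL.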