From patchwork Tue Jul 7 15:53:40 2020
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1324427
From: Dumitru Ceara
To: dev@openvswitch.org
Date: Tue, 7 Jul 2020 17:53:40 +0200
Message-Id: <20200707155339.25156.76118.stgit@dceara.remote.csb>
In-Reply-To: <20200707155328.25156.32410.stgit@dceara.remote.csb>
Subject: [ovs-dev] [PATCH ovn 1/2] ovn-detrace: Add support for multiple remotes.

The --ovnnb/--ovnsb/--ovsdb arguments now accept a list of remotes for the case when the databases are clustered.

Signed-off-by: Dumitru Ceara
---
utilities/ovn-detrace.in | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/utilities/ovn-detrace.in b/utilities/ovn-detrace.in index e8101e3..4b2e914 100755 --- a/utilities/ovn-detrace.in +++ b/utilities/ovn-detrace.in @@ -67,6 +67,8 @@ def chassis_str(chassis): return 'chassis-name "%s", chassis-str "%s"' % (ch.name, ch.hostname) class OVSDB(object): + STREAM_TIMEOUT_MS = 1000 + @staticmethod def wait_for_db_change(idl): seq = idl.change_seqno
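Review bot: STREAM_TIMEOUT_MS = 1000 is a per-remote connect timeout (the loop in _get_schema later in this patch applies it to each remote in turn), so with N remotes listed the worst case before "Unable to connect" is about N seconds; a short comment next to the constant stating that it is per remote and in milliseconds would make that trade-off visible to the next person tuning it.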
@@ -78,18 +80,25 @@ class OVSDB(object): if time.time() >= stop: raise Exception('Retry Timeout') - def __init__(self, db_sock, schema_name): - self._db_sock = db_sock + def __init__(self, remote, schema_name): + self.remote = remote self._txn = None schema = self._get_schema(schema_name) schema.register_all() - self._idl_conn = idl.Idl(db_sock, schema) + self._idl_conn = idl.Idl(remote, schema) OVSDB.wait_for_db_change(self._idl_conn) # Initial Sync with DB def _get_schema(self, schema_name): - error, strm = Stream.open_block(Stream.open(self._db_sock)) - if error: - raise Exception("Unable to connect to %s" % self._db_sock) + stream = None + for r in self.remote.split(','): + error, strm = Stream.open_block(Stream.open(r), + OVSDB.STREAM_TIMEOUT_MS) + if not error and strm: + break + strm = None + if not strm: + raise Exception("Unable to connect to %s" % self.remote) + rpc = jsonrpc.Connection(strm) req = jsonrpc.Message.create_request('get_schema', [schema_name]) error, resp = rpc.transact_block(req)
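Review bot: in _get_schema the new `stream = None` line is never read; the loop assigns `strm`, and the `if not strm` test after the loop also reads `strm`, so this looks like a typo and should either be dropped or become `strm = None` so the name exists even when the loop body does not run. Two smaller points in the same hunk: `self.remote.split(',')` does not strip whitespace, so a list written as `tcp:a:6642, tcp:b:6642` hands ` tcp:b:6642` to Stream.open(); and the error returned by Stream.open_block() for each failed remote is discarded, so the final exception names the whole list but not which remote failed or why. Keeping the last (remote, error) pair and putting it in the exception message makes a clustered-DB connection problem much easier to diagnose.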
From patchwork Tue Jul 7 15:53:50 2020
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1324428
From: Dumitru Ceara
To: dev@openvswitch.org
Date: Tue, 7 Jul 2020 17:53:50 +0200
Message-Id: <20200707155348.25156.23207.stgit@dceara.remote.csb>
In-Reply-To: <20200707155328.25156.32410.stgit@dceara.remote.csb>
Subject: [ovs-dev] [PATCH ovn 2/2] ovn-detrace: Support SSL remotes.

Additional command line arguments are added to ovn-detrace to allow connecting to NB/SB/OVS DBs via SSL.
Signed-off-by: Dumitru Ceara --- utilities/ovn-detrace.1.in | 30 ++++++++++++++++++++++++++---- utilities/ovn-detrace.in | 38 +++++++++++++++++++++++++++++++++++--- 2 files changed, 61 insertions(+), 7 deletions(-) diff --git a/utilities/ovn-detrace.1.in b/utilities/ovn-detrace.1.in index 04e532f..7feba07 100644 --- a/utilities/ovn-detrace.1.in +++ b/utilities/ovn-detrace.1.in @@ -1,16 +1,18 @@ .so lib/ovs.tmac .TH ovn\-detrace 1 "@VERSION@" "OVN" "OVN Manual" +.\" This program's name: +.ds PN ovn\-detrace . .SH NAME -ovn\-detrace \- convert ``ovs\-appctl ofproto/trace'' output to combine +\*(PN \- convert ``ovs\-appctl ofproto/trace'' output to combine OVN logical flow information. . .SH SYNOPSIS -\fBovn\-detrace < \fIfile\fR +\fB\*(PN < \fIfile\fR .so lib/common-syn.man . .SH DESCRIPTION -The \fBovn\-detrace\fR program reads \fBovs\-appctl ofproto/trace\fR output on +The \fB\*(PN\fR program reads \fBovs\-appctl ofproto/trace\fR output on stdin, looking for flow cookies, and expand each cookie with corresponding OVN logical flows. It expands logical flow further with the north-bound information e.g. the ACL that generated the logical flow, when relevant. 
@@ -38,12 +40,32 @@ Also decode flow information (like OVS ofport) from the flows by connecting to the OVS DB. . .IP "\fB\-\-ovsdb=\fIserver\fR" -The OVS DB remote to contact if \fB\-\-ovs\f is present. If the +The OVS DB remote to contact if \fB\-\-ovs\fR is present. If the \fBOVS_RUNDIR\fR environment variable is set, its value is used as the default. Otherwise, the default is \fBunix:@RUNDIR@/db.sock\fR, but this default is unlikely to be useful outside of single-machine OVN test environments. . +.IP "\fB\-p\fR \fIprivkey.pem\fR" +.IQ "\fB\-\-private\-key=\fIprivkey.pem\fR" +Specifies a PEM file containing the private key used as \fB\*(PN\fR's +identity for outgoing SSL connections. +. +.IP "\fB\-c\fR \fIcert.pem\fR" +.IQ "\fB\-\-certificate=\fIcert.pem\fR" +Specifies a PEM file containing a certificate that certifies the +private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be +trustworthy. The certificate must be signed by the certificate +authority (CA) that the peer in SSL connections will use to verify it. +. +.IP "\fB\-C\fR \fIcacert.pem\fR" +.IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR" +Specifies a PEM file containing the CA certificate that \fB\*(PN\fR +should use to verify certificates presented to it by SSL peers. (This +may be the same certificate that SSL peers use to verify the +certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may +be a different one, depending on the PKI design in use.) +. .SH "SEE ALSO" . .BR ovs\-appctl (8), ovn\-sbctl (8), ovn\-nbctl (8), ovn\-trace (8) diff --git a/utilities/ovn-detrace.in b/utilities/ovn-detrace.in index 4b2e914..4f8dd5f 100755 --- a/utilities/ovn-detrace.in +++ b/utilities/ovn-detrace.in 
@@ -49,7 +49,10 @@ The following options are also available: -V, --version display version information --ovnsb=DATABASE use DATABASE as southbound DB --ovnnb=DATABASE use DATABASE as northbound DB - --ovsdb=DATABASE use DATABASE as OVS DB\ + --ovsdb=DATABASE use DATABASE as OVS DB + -p, --private-key=FILE file with private key + -c, --certificate=FILE file with certificate for private key + -C, --ca-cert=FILE file with peer CA certificate\ """ % {'argv0': argv0}) sys.exit(0) @@ -334,11 +337,16 @@ def print_record_from_cookie(ovnnb_db, cookie_handlers, cookie): handler.print_record(record) handler.print_hint(record, ovnnb_db) +def remote_is_ssl(remote): + return remote and (remote.startswith('ssl:') or ',ssl:' in remote) + def main(): try: - options, args = getopt.gnu_getopt(sys.argv[1:], 'hV', + options, args = getopt.gnu_getopt(sys.argv[1:], 'hVp:c:C:', ['help', 'version', 'ovs', - 'ovnsb=', 'ovnnb=', 'ovsdb=']) + 'ovnsb=', 'ovnnb=', 'ovsdb=', + 'private-key=', 'certificate=', + 'ca-cert=']) except (getopt.GetoptError, geo): sys.stderr.write("%s: %s\n" % (argv0, geo.msg)) sys.exit(1) @@ -348,6 +356,10 @@ def main(): ovs_db = None ovs = False + ssl_pk = None + ssl_cert = None + ssl_ca_cert = None + for key, value in options: if key in ['-h', '--help']: usage() @@ -359,6 +371,12 @@ def main(): ovnnb_db = value elif key in ['--ovsdb']: ovs_db = value + elif key in ['-p', '--private-key']: + ssl_pk = value + elif key in ['-c', '--certificate']: + ssl_cert = value + elif key in ['-C', '--ca-cert']: + ssl_ca_cert = value elif key in ['--ovs']: ovs = True else: 
@@ -369,6 +387,20 @@ def main(): "(use --help for help)\n" % argv0) sys.exit(1) + # If at least one of the remotes is SSL, make sure the SSL required args + # were passed. + for db in [ovnnb_db, ovnsb_db, ovs_db]: + if remote_is_ssl(db) and \ + (not ssl_pk or not ssl_cert or not ssl_ca_cert): + sys.stderr.write('%s: SSL connection requires private key, ' + 'certificate for private key, and peer CA ' + 'certificate as arguments.\n' % argv0) + sys.exit(1) + + Stream.ssl_set_private_key_file(ssl_pk) + Stream.ssl_set_certificate_file(ssl_cert) + Stream.ssl_set_ca_cert_file(ssl_ca_cert) + ovn_rundir = os.getenv('OVN_RUNDIR', '@OVN_RUNDIR@') ovs_rundir = os.getenv('OVS_RUNDIR', dirs.RUNDIR)
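Review bot: the new -p/-c/-C entries in ovn-detrace.1.in describe each file but not when the options are required. The check added to main() in ovn-detrace.in refuses to start when any of --ovnnb/--ovnsb/--ovsdb uses an ssl: remote and any of the three files is missing, so the man page should state that all three must be given together whenever an ssl: remote is used, for example under --private-key: "Required, together with --certificate and --ca-cert, when any database remote uses the ssl: scheme." The change from `\fB\-\-ovs\f` to `\fB\-\-ovs\fR` in the --ovsdb paragraph is an unrelated typo fix and would be cleaner as its own commit.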
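Review bot: remote_is_ssl() only recognises `ssl:` at the very start of the string or immediately after a comma, so a remote list with a space after the comma (`tcp:10.0.0.1:6642, ssl:10.0.0.2:6642`), which the split(',') loop in OVSDB._get_schema from patch 1/2 will still try, is not treated as SSL: the key/certificate/CA check in main() is skipped and the user gets a bare connection failure instead of the intended error message. Splitting on ',' and stripping each element, `any(r.strip().startswith('ssl:') for r in remote.split(','))`, keeps the two code paths in agreement. Unrelated but visible in the context lines of the getopt hunk: `except (getopt.GetoptError, geo):` is a tuple of exception types rather than an `as` binding, so when a bad option is passed `geo` is an undefined name and the handler raises NameError instead of printing `geo.msg`; it should read `except getopt.GetoptError as geo:`.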
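Review bot: the three Stream.ssl_set_*_file() calls run unconditionally, so on a run with no ssl: remote they are called with None; guarding them with the same condition as the check above (for example `if any(remote_is_ssl(db) for db in [ovnnb_db, ovnsb_db, ovs_db]):`) leaves the non-SSL path untouched and makes the intent explicit. Presence of the three arguments is also the only validation done here: an unreadable path or a non-PEM file only surfaces later as a connection failure, so an early os.path.isfile() check on each of ssl_pk, ssl_cert and ssl_ca_cert, naming the offending option in the error, would give operators a clearer failure. Requiring --ca-cert, rather than allowing an SSL peer to go unverified, is the right default; a one-line comment saying that this is deliberate would keep a later change from relaxing it.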