
[ovs-dev,2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

Message ID 1537460381-23234-1-git-send-email-aginwala@ebay.com
State Superseded
Series [ovs-dev,1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode. | expand

Commit Message

aginwala aginwala Sept. 20, 2018, 4:19 p.m. UTC
When starting OVN DBs in HA using pacemaker with ssl, the ssl certs need to be
passed when starting the standby DBs. Hence, we need this change.

Signed-off-by: aginwala <aginwala@ebay.com>
---
 ovn/utilities/ovndb-servers.ocf | 74 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

Comments

Numan Siddique Sept. 27, 2018, 4:32 p.m. UTC | #1
On Sat, Sep 22, 2018 at 6:08 AM <amginwal@gmail.com> wrote:

>  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
>  certs for starting standby DBs. Hence, we need this change.
>
> Signed-off-by: aginwala <aginwala@ebay.com>
>

Hi Aliasgar,

I will  try this out and get back to you with any comments.

Thanks
Numan


> ---
>  ovn/utilities/ovndb-servers.ocf | 74
> ++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 73 insertions(+), 1 deletion(-)
>
> diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> index 52141c7..80f81ae 100755
> --- a/ovn/utilities/ovndb-servers.ocf
> +++ b/ovn/utilities/ovndb-servers.ocf
> @@ -10,6 +10,12 @@
>  : ${MANAGE_NORTHD_DEFAULT="no"}
>  : ${INACTIVE_PROBE_DEFAULT="5000"}
>  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>
>  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name
> OVN_REPL_INFO -s ovn_ovsdb_master_server"
> @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> +
>
>  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
>  # to false and pass LB vip IP while creating pcs resource.
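Review bot: The added empty line at the end of the new `NB_PRIVKEY`…`SB_CACERT` assignment group (the `+` line that precedes the existing blank line) leaves two consecutive blank lines before the `# In order for pacemaker to work with LB` comment; dropping that added line keeps the spacing consistent with the rest of the header. The assignments themselves follow the existing `OCF_RESKEY_*:-DEFAULT` pattern used by the lines above them, so nothing else needs to change in this hunk.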
> @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>    <content type="string" />
>    </parameter>
>
> +  <parameter name="ovn_nb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
>    </parameters>
>
>    <actions>
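Review bot: None of the six new `<longdesc>` entries states the value used when the parameter is omitted, although the agent falls back to fixed paths under /etc/openvswitch, so an operator reading the resource metadata cannot tell which file the agent will load. Suggest appending the default to each description, e.g. for ovn_nb_db_privkey `OVN NB DB private key absolute path for ssl setup. Defaults to /etc/openvswitch/ovnnb-privkey.pem.`, and likewise for the other five; the NB and SB cacert parameters share the same default file, which is worth saying explicitly. `unique="1"` declares that the value must differ between instances of this resource agent, which is unlikely to be intended for a CA certificate path shared by NB and SB; if the existing path-type parameters in this metadata use `unique="0"`, these should follow them. ovsdb_server_metadata begins and ends outside the hunk.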
> @@ -326,6 +387,18 @@ ovsdb_server_start() {
>         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>      fi
>
> +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-nb-create-insecure-remote=no
> +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> +    fi
> +    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-sb-create-insecure-remote=no
> +            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> +            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> +            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> +    fi
>      if [ "x${present_master}" = x ]; then
>          # No master detected, or the previous master is not among the
>          # set starting.
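Review bot: Under ssl the new blocks pass `${NB_PRIVKEY}`, `${NB_CERT}`, `${NB_CACERT}` and the SB equivalents to ovn-ctl without checking that the files exist and are readable, so a mistyped resource parameter silently falls back to the built-in default path and a missing key or CA file is only discovered when the DB server fails to come up later. A readability check before the `set $@` lines turns that into an explicit configuration error at start time; the sketch below assumes the agent sources the OCF shell functions (`ocf_log`, `$OCF_ERR_CONFIGURED`), which is not visible in this hunk, and should follow whatever return convention ovsdb_server_start already uses. The bodies of the two new `if` blocks are also indented 12 columns where the surrounding code (the `if [ "x${present_master}" = x ]` block that follows) steps by 4. ovsdb_server_start begins and ends outside the hunk.
```sh
    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
        for f in "${NB_PRIVKEY}" "${NB_CERT}" "${NB_CACERT}"; do
            if [ ! -r "$f" ]; then
                ocf_log err "ovn-nb ssl file ${f} is missing or unreadable"
                return $OCF_ERR_CONFIGURED
            fi
        done
        # … unchanged: set $@ --ovn-nb-db-ssl-* options …
    fi
    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
        for f in "${SB_PRIVKEY}" "${SB_CERT}" "${SB_CACERT}"; do
            if [ ! -r "$f" ]; then
                ocf_log err "ovn-sb ssl file ${f} is missing or unreadable"
                return $OCF_ERR_CONFIGURED
            fi
        done
        # … unchanged: set $@ --ovn-sb-db-ssl-* options …
    fi
```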
> @@ -343,7 +416,6 @@ ovsdb_server_start() {
>          set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
> --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
>
>      elif [ ${present_master} != ${host_name} ]; then
> -        # TODO: for using LB vip, need to test for ssl.
>          if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
>              if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
>                  set $@ --db-nb-create-insecure-remote=yes
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
Han Zhou Oct. 4, 2018, 5:15 p.m. UTC | #2
Thanks Ali, please see my comments.

On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
>
>  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
>  certs for starting standby DBs. Hence, we need this change.
>
> Signed-off-by: aginwala <aginwala@ebay.com>
> ---
>  ovn/utilities/ovndb-servers.ocf | 74
++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 73 insertions(+), 1 deletion(-)
>
> diff --git a/ovn/utilities/ovndb-servers.ocf
b/ovn/utilities/ovndb-servers.ocf
> index 52141c7..80f81ae 100755
> --- a/ovn/utilities/ovndb-servers.ocf
> +++ b/ovn/utilities/ovndb-servers.ocf
> @@ -10,6 +10,12 @@
>  : ${MANAGE_NORTHD_DEFAULT="no"}
>  : ${INACTIVE_PROBE_DEFAULT="5000"}
>  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>
>  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
--name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> @@ -21,6 +27,13 @@
SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> +
>
>  # In order for pacemaker to work with LB, we can set
LISTEN_ON_MASTER_IP_ONLY
>  # to false and pass LB vip IP while creating pcs resource.
> @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>    <content type="string" />
>    </parameter>
>
> +  <parameter name="ovn_nb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
>    </parameters>
>
>    <actions>
> @@ -326,6 +387,18 @@ ovsdb_server_start() {
>         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>      fi
>
> +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-nb-create-insecure-remote=no
"no" is the default value, so this line is not needed.

> +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
This should be needed only for standby which sets
--db-sb-use-remote-in-db=no.

> +    fi
> +    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-sb-create-insecure-remote=no
> +            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> +            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> +            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> +    fi
>      if [ "x${present_master}" = x ]; then
>          # No master detected, or the previous master is not among the
>          # set starting.
> @@ -343,7 +416,6 @@ ovsdb_server_start() {
>          set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
--db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
>
>      elif [ ${present_master} != ${host_name} ]; then
> -        # TODO: for using LB vip, need to test for ssl.
>          if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
>              if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
>                  set $@ --db-nb-create-insecure-remote=yes
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
aginwala aginwala Oct. 6, 2018, 1:34 a.m. UTC | #3
Thanks for the review Han. Please find the comments inline below:

On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:

> Thanks Ali, please see my comm
>
> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> >
> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> ssl
> >  certs for starting standby DBs. Hence, we need this change.
> >
> > Signed-off-by: aginwala <aginwala@ebay.com>
> > ---
> >  ovn/utilities/ovndb-servers.ocf | 74
> ++++++++++++++++++++++++++++++++++++++++-
> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >
> > diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> > index 52141c7..80f81ae 100755
> > --- a/ovn/utilities/ovndb-servers.ocf
> > +++ b/ovn/utilities/ovndb-servers.ocf
> > @@ -10,6 +10,12 @@
> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >
> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> > @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > +
> >
> >  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
> >  # to false and pass LB vip IP while creating pcs resource.
> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >    <content type="string" />
> >    </parameter>
> >
> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> > +  <longdesc lang="en">
> > +  OVN NB DB private key absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_nb_db_cert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN NB DB certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> > +  <longdesc lang="en">
> > +  OVN SB DB private key absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_sb_db_cert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN SB DB certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> >    </parameters>
> >
> >    <actions>
> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> >      fi
> >
> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > +            set $@ --db-nb-create-insecure-remote=no
> "no" is the default value, so this line is not needed.
>
>> Sure. This makes sense. Will check out the default behavior and update
it in the revised patch!

>
> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> This should be needed only for standby which sets
> --db-sb-use-remote-in-db=no.
>
> As discussed, for each of the modes either ssl or tcp, all the nodes
should have this option set.

>
> > +    fi
> > +    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> > +            set $@ --db-sb-create-insecure-remote=no
> > +            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> > +            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> > +            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> > +    fi
> >      if [ "x${present_master}" = x ]; then
> >          # No master detected, or the previous master is not among the
> >          # set starting.
> > @@ -343,7 +416,6 @@ ovsdb_server_start() {
> >          set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
> --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
> >
> >      elif [ ${present_master} != ${host_name} ]; then
> > -        # TODO: for using LB vip, need to test for ssl.
> >          if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
> >              if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
> >                  set $@ --db-nb-create-insecure-remote=yes
> > --
> > 1.9.1
> >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
Han Zhou Oct. 8, 2018, 5:58 p.m. UTC | #4
On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com> wrote:
>
> Thanks for the review Han. Please find the comments inline below:
>
> On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
>>
>> Thanks Ali, please see my comm
>>
>> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
>> >
>> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
ssl
>> >  certs for starting standby DBs. Hence, we need this change.
>> >
>> > Signed-off-by: aginwala <aginwala@ebay.com>
>> > ---
>> >  ovn/utilities/ovndb-servers.ocf | 74
++++++++++++++++++++++++++++++++++++++++-
>> >  1 file changed, 73 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/ovn/utilities/ovndb-servers.ocf
b/ovn/utilities/ovndb-servers.ocf
>> > index 52141c7..80f81ae 100755
>> > --- a/ovn/utilities/ovndb-servers.ocf
>> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > @@ -10,6 +10,12 @@
>> >  : ${MANAGE_NORTHD_DEFAULT="no"}
>> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
>> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
>> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
>> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
>> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
>> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
>> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> >
>> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
--name OVN_REPL_INFO -s ovn_ovsdb_master_server"
>> > @@ -21,6 +27,13 @@
SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>> >
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>> >
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
>> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
>> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
>> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
>> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
>> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
>> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
>> > +
>> >
>> >  # In order for pacemaker to work with LB, we can set
LISTEN_ON_MASTER_IP_ONLY
>> >  # to false and pass LB vip IP while creating pcs resource.
>> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>> >    <content type="string" />
>> >    </parameter>
>> >
>> > +  <parameter name="ovn_nb_db_privkey" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN NB DB private key absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_nb_db_cert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN NB DB certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_nb_db_cacert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN NB DB CA certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_sb_db_privkey" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN SB DB private key absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_sb_db_cert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN SB DB certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_sb_db_cacert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN SB DB CA certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> >    </parameters>
>> >
>> >    <actions>
>> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
>> >         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>> >      fi
>> >
>> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
>> > +            set $@ --db-nb-create-insecure-remote=no
>> "no" is the default value, so this line is not needed.
>
> >> Sure. This makes sense. Will check out the default behavior and update
it the revised patch!
>>
>>
>> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
>> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
>> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
>> This should be needed only for standby which sets
--db-sb-use-remote-in-db=no.
>
> > As discussed, for each of the modes either ssl or tcp, all the nodes
should have this option set.

Agree. Since this script is for active-standby only, we can assume
active-standby mode always uses command line options instead of DB settings.

Acked-by: Han Zhou <hzhou8@ebay.com>
Ben Pfaff Oct. 8, 2018, 6:04 p.m. UTC | #5
On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com> wrote:
> >
> > Thanks for the review Han. Please find the comments inline below:
> >
> > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
> >>
> >> Thanks Ali, please see my comm
> >>
> >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> >> >
> >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> ssl
> >> >  certs for starting standby DBs. Hence, we need this change.
> >> >
> >> > Signed-off-by: aginwala <aginwala@ebay.com>
> >> > ---
> >> >  ovn/utilities/ovndb-servers.ocf | 74
> ++++++++++++++++++++++++++++++++++++++++-
> >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> >
> >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> >> > index 52141c7..80f81ae 100755
> >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > @@ -10,6 +10,12 @@
> >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> >
> >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> >
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > +
> >> >
> >> >  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
> >> >  # to false and pass LB vip IP while creating pcs resource.
> >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> >    <content type="string" />
> >> >    </parameter>
> >> >
> >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN NB DB certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN SB DB private key absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN SB DB certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> >    </parameters>
> >> >
> >> >    <actions>
> >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >> >         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> >> >      fi
> >> >
> >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> >> > +            set $@ --db-nb-create-insecure-remote=no
> >> "no" is the default value, so this line is not needed.
> >
> > >> Sure. This makes sense. Will check out the default behavior and update
> it the revised patch!
> >>
> >>
> >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> >> This should be needed only for standby which sets
> --db-sb-use-remote-in-db=no.
> >
> > > As discussed, for each of the modes either ssl or tcp, all the nodes
> should have this option set.
> 
> Agree. Since this script is for active-standby only, we can assume
> active-standby mode always use command line option instead of DB settings.
> 
> Acked-by: Han Zhou <hzhou8@ebay.com>

I haven't followed the discussion here so I'm going to assume that Ali
will post a v2 with Han's ack.

Thanks,

Ben.
aginwala aginwala Oct. 8, 2018, 6:55 p.m. UTC | #6
Yes, that's right.  I will send out v2 in a bit with Han's ack.


Regards,
Aliasgar

On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp@ovn.org> wrote:

> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com>
> wrote:
> > >
> > > Thanks for the review Han. Please find the comments inline below:
> > >
> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
> > >>
> > >> Thanks Ali, please see my comm
> > >>
> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> > >> >
> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
> pass
> > ssl
> > >> >  certs for starting standby DBs. Hence, we need this change.
> > >> >
> > >> > Signed-off-by: aginwala <aginwala@ebay.com>
> > >> > ---
> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> > ++++++++++++++++++++++++++++++++++++++++-
> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> > >> >
> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> > b/ovn/utilities/ovndb-servers.ocf
> > >> > index 52141c7..80f81ae 100755
> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> > >> > @@ -10,6 +10,12 @@
> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> >
> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> > >> > @@ -21,6 +27,13 @@
> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> > >> >
> >
> SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> > >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> > >> >
> >
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > >> > +
> > >> >
> > >> >  # In order for pacemaker to work with LB, we can set
> > LISTEN_ON_MASTER_IP_ONLY
> > >> >  # to false and pass LB vip IP while creating pcs resource.
> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> > >> >    <content type="string" />
> > >> >    </parameter>
> > >> >
> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB private key absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB private key absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> >    </parameters>
> > >> >
> > >> >    <actions>
> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> > >> >         set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> > >> >      fi
> > >> >
> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > >> > +            set $@ --db-nb-create-insecure-remote=no
> > >> "no" is the default value, so this line is not needed.
> > >
> > > >> Sure. This makes sense. Will check out the default behavior and
> update
> > it the revised patch!
> > >>
> > >>
> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> > >> This should be needed only for standby which sets
> > --db-sb-use-remote-in-db=no.
> > >
> > > > As discussed, for each of the modes either ssl or tcp, all the nodes
> > should have this option set.
> >
> > Agree. Since this script is for active-standby only, we can assume
> > active-standby mode always use command line option instead of DB
> settings.
> >
> > Acked-by: Han Zhou <hzhou8@ebay.com>
>
> I haven't followed the discussion here so I'm going to assume that Ali
> will post a v2 with Han's ack.
>
> Thanks,
>
> Ben.
>
Han Zhou Oct. 8, 2018, 9:17 p.m. UTC | #7
On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala <amginwal@gmail.com>
wrote:
>
> Yes, that's right.  I will send out v2 in a bit with Han's ack.
>
>
> Regards,
> Aliasgar
>
> On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp@ovn.org> wrote:
>>
>> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
>> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com>
wrote:
>> > >
>> > > Thanks for the review Han. Please find the comments inline below:
>> > >
>> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
>> > >>
>> > >> Thanks Ali, please see my comm
>> > >>
>> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
>> > >> >
>> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
pass
>> > ssl
>> > >> >  certs for starting standby DBs. Hence, we need this change.
>> > >> >
>> > >> > Signed-off-by: aginwala <aginwala@ebay.com>
>> > >> > ---
>> > >> >  ovn/utilities/ovndb-servers.ocf | 74
>> > ++++++++++++++++++++++++++++++++++++++++-
>> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
>> > >> >
>> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
>> > b/ovn/utilities/ovndb-servers.ocf
>> > >> > index 52141c7..80f81ae 100755
>> > >> > --- a/ovn/utilities/ovndb-servers.ocf
>> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > >> > @@ -10,6 +10,12 @@
>> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
>> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
>> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
>> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
>> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
>> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
>> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
>> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> >
>> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
crm_config
>> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
>> > >> > @@ -21,6 +27,13 @@
>> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>> > >> >
>> >
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>> > >> >
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>> > >> >
>> >
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
>> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
>> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
>> > >> >
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
>> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
>> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
>> > >> >
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
>> > >> > +
>> > >> >
>> > >> >  # In order for pacemaker to work with LB, we can set
>> > LISTEN_ON_MASTER_IP_ONLY
>> > >> >  # to false and pass LB vip IP while creating pcs resource.
>> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>> > >> >    <content type="string" />
>> > >> >    </parameter>
>> > >> >
>> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB private key absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB private key absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> >    </parameters>
>> > >> >
>> > >> >    <actions>
>> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
>> > >> >         set $@ --db-sb-addr=${MASTER_IP}
--db-sb-port=${SB_MASTER_PORT}
>> > >> >      fi
>> > >> >
>> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
>> > >> > +            set $@ --db-nb-create-insecure-remote=no
>> > >> "no" is the default value, so this line is not needed.
>> > >
>> > > >> Sure. This makes sense. Will check out the default behavior and
update
>> > it the revised patch!
>> > >>
>> > >>
>> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
>> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
>> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
>> > >> This should be needed only for standby which sets
>> > --db-sb-use-remote-in-db=no.
>> > >
>> > > > As discussed, for each of the modes either ssl or tcp, all the
nodes
>> > should have this option set.
>> >
>> > Agree. Since this script is for active-standby only, we can assume
>> > active-standby mode always use command line option instead of DB
settings.
>> >
>> > Acked-by: Han Zhou <hzhou8@ebay.com>
>>
>> I haven't followed the discussion here so I'm going to assume that Ali
>> will post a v2 with Han's ack.
>>
>> Thanks,
>>
>> Ben.

Giving a second thought, it seems there is still a problem.

There should be two sets of SSL related parameters we should consider in
the active-standby scenario.
- One set of parameters is for the server side. For ipaddr2 use case, both
active and standby nodes will need them. For LB use case, where only the
active node should listen on the port, only the active node should need
these parameters.
- Another set of parameters is for the client side, together with the
--sync-from parameter, so that the standby node can connect to the active
node as a client using SSL. These parameters are needed in standby node
only.

I didn't see how this is addressed. Did I miss anything?

For the server side SSL parameters, it should be valid to use DB settings
instead of command line options. (For client side, it may not be possible
to use DB settings since the standby nodes need to get the SSL parameters
before connecting to the (active) DB).

Thanks,
Han
aginwala aginwala Oct. 8, 2018, 11:51 p.m. UTC | #8
On Mon, Oct 8, 2018 at 2:17 PM Han Zhou <zhouhan@gmail.com> wrote:

>
>
> On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala <amginwal@gmail.com>
> wrote:
> >
> > Yes, that's right.  I will send out v2 in a bit with Han's ack.
> >
> >
> > Regards,
> > Aliasgar
> >
> > On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp@ovn.org> wrote:
> >>
> >> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> >> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com>
> wrote:
> >> > >
> >> > > Thanks for the review Han. Please find the comments inline below:
> >> > >
> >> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
> >> > >>
> >> > >> Thanks Ali, please see my comm
> >> > >>
> >> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> >> > >> >
> >> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need
> to pass
> >> > ssl
> >> > >> >  certs for starting standby DBs. Hence, we need this change.
> >> > >> >
> >> > >> > Signed-off-by: aginwala <aginwala@ebay.com>
> >> > >> > ---
> >> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> >> > ++++++++++++++++++++++++++++++++++++++++-
> >> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> > >> >
> >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> >> > b/ovn/utilities/ovndb-servers.ocf
> >> > >> > index 52141c7..80f81ae 100755
> >> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > >> > @@ -10,6 +10,12 @@
> >> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> >
> >> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
> crm_config
> >> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > >> > @@ -21,6 +27,13 @@
> >> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> > >> >
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> > >> >
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> > >> >
> >> >
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > >> >
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > >> >
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > >> >
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > >> >
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > >> > +
> >> > >> >
> >> > >> >  # In order for pacemaker to work with LB, we can set
> >> > LISTEN_ON_MASTER_IP_ONLY
> >> > >> >  # to false and pass LB vip IP while creating pcs resource.
> >> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> > >> >    <content type="string" />
> >> > >> >    </parameter>
> >> > >> >
> >> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB private key absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> >    </parameters>
> >> > >> >
> >> > >> >    <actions>
> >> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >> > >> >         set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> >> > >> >      fi
> >> > >> >
> >> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> >> > >> > +            set $@ --db-nb-create-insecure-remote=no
> >> > >> "no" is the default value, so this line is not needed.
> >> > >
> >> > > >> Sure. This makes sense. Will check out the default behavior and
> update
> >> > it the revised patch!
> >> > >>
> >> > >>
> >> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> >> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> >> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> >> > >> This should be needed only for standby which sets
> >> > --db-sb-use-remote-in-db=no.
> >> > >
> >> > > > As discussed, for each of the modes either ssl or tcp, all the
> nodes
> >> > should have this option set.
> >> >
> >> > Agree. Since this script is for active-standby only, we can assume
> >> > active-standby mode always use command line option instead of DB
> settings.
> >> >
> >> > Acked-by: Han Zhou <hzhou8@ebay.com>
> >>
> >> I haven't followed the discussion here so I'm going to assume that Ali
> >> will post a v2 with Han's ack.
> >>
> >> Thanks,
> >>
> >> Ben.
>
> Giving a second thought, it seems there is still a problem.
>
> There should be two sets of SSL related parameters we should consider in
> the active-standby scenario.
> - One set of parameters is for the server side. For ipaddr2 use case, both
> active and standby nodes will need them. For LB use case, where only the
> active node should listen on the port, only the active node should need
> these parameters.
> - Another set of parameters is for the client side, together with the
> --sync-from parameter, so that the standby node can connect to the active
> node as a client using SSL. These parameters are needed in standby node
> only.
>
> I didn't see how is this addressed. Did I miss anything?
>
> For the server side SSL parameters, it should be valid to use DB settings
> instead of command line options. (For client side, it may not be possible
> to use DB settings since the standby nodes need to get the SSL parameters
> before connecting to the (active) DB).
>
>> Just to clarify, for the active-standby scenario, since we don't know which
node will become the active server at any time, it is safe to use the same certs on all
central nodes irrespective of which node is client or server.
     For the previous condition I verified and tested that default
condition is insecure=no which works fine and hence have removed that line.
I have addressed the same and have sent out v2  with your ack . Let me know
further. :)

>
>
Thanks,
> Han
>
Han Zhou Oct. 9, 2018, 12:40 a.m. UTC | #9
>>
>> Giving a second thought, it seems there is still a problem.
>>
>> There should be two sets of SSL related parameters we should consider in
the active-standby scenario.
>> - One set of parameters is for the server side. For ipaddr2 use case,
both active and standby nodes will need them. For LB use case, where only
the active node should listen on the port, only the active node should need
these parameters.
>> - Another set of parameters is for the client side, together with the
--sync-from parameter, so that the standby node can connect to the active
node as a client using SSL. These parameters are needed in standby node
only.
>>
>> I didn't see how is this addressed. Did I miss anything?
>>
>> For the server side SSL parameters, it should be valid to use DB
settings instead of command line options. (For client side, it may not be
possible to use DB settings since the standby nodes need to get the SSL
parameters before connecting to the (active) DB).
>
> >> Just to clarify, for active-standby scenario, since we dont know who
will became active server any time, it is safe to use same certs on all
central nodes irrespective of which node is client or server.

Ok, thanks. It is clarified after discussion that we are combining the
server side and client side ssl keys/certs to the same value for all
central nodes in the active-standby setup. I didn't know that same settings
actually work for both server and client, so it sounds good to me.
Numan Siddique Oct. 9, 2018, 6:59 a.m. UTC | #10
On Tue, Oct 9, 2018 at 6:11 AM Han Zhou <zhouhan@gmail.com> wrote:

> >>
> >> Giving a second thought, it seems there is still a problem.
> >>
> >> There should be two sets of SSL related parameters we should consider in
> the active-standby scenario.
> >> - One set of parameters is for the server side. For ipaddr2 use case,
> both active and standby nodes will need them. For LB use case, where only
> the active node should listen on the port, only the active node should need
> these parameters.
> >> - Another set of parameters is for the client side, together with the
> --sync-from parameter, so that the standby node can connect to the active
> node as a client using SSL. These parameters are needed in standby node
> only.
> >>
> >> I didn't see how is this addressed. Did I miss anything?
> >>
> >> For the server side SSL parameters, it should be valid to use DB
> settings instead of command line options. (For client side, it may not be
> possible to use DB settings since the standby nodes need to get the SSL
> parameters before connecting to the (active) DB).
> >
> > >> Just to clarify, for active-standby scenario, since we dont know who
> will became active server any time, it is safe to use same certs on all
> central nodes irrespective of which node is client or server.
>
> Ok, thanks. It is clarified after discussion that we are combining the
> server side and client side ssl keys/certs to the same value for all
> central nodes in the active-standby setup. I didn't know that same settings
> actually work for both server and client, so it sounds good for me.
>

From the pacemaker Resource script perspective, it looks good to me. I will
take
another look when you post v3.

Thanks
Numan
aginwala aginwala Oct. 9, 2018, 4:02 p.m. UTC | #11
Thanks Numan for the review. Just to update: V3 will only have changes for
ovn-ctl, as per Han's suggestion to add details in the help section there. The ocf
script will remain unchanged. That is why I have added Acked-by on this
patch. :)


On Mon, Oct 8, 2018 at 11:59 PM Numan Siddique <nusiddiq@redhat.com> wrote:

>
>
> On Tue, Oct 9, 2018 at 6:11 AM Han Zhou <zhouhan@gmail.com> wrote:
>
>> >>
>> >> Giving a second thought, it seems there is still a problem.
>> >>
>> >> There should be two sets of SSL related parameters we should consider
>> in
>> the active-standby scenario.
>> >> - One set of parameters is for the server side. For ipaddr2 use case,
>> both active and standby nodes will need them. For LB use case, where only
>> the active node should listen on the port, only the active node should
>> need
>> these parameters.
>> >> - Another set of parameters is for the client side, together with the
>> --sync-from parameter, so that the standby node can connect to the active
>> node as a client using SSL. These parameters are needed in standby node
>> only.
>> >>
>> >> I didn't see how is this addressed. Did I miss anything?
>> >>
>> >> For the server side SSL parameters, it should be valid to use DB
>> settings instead of command line options. (For client side, it may not be
>> possible to use DB settings since the standby nodes need to get the SSL
>> parameters before connecting to the (active) DB).
>> >
>> > >> Just to clarify, for active-standby scenario, since we dont know who
>> will became active server any time, it is safe to use same certs on all
>> central nodes irrespective of which node is client or server.
>>
>> Ok, thanks. It is clarified after discussion that we are combining the
>> server side and client side ssl keys/certs to the same value for all
>> central nodes in the active-standby setup. I didn't know that same
>> settings
>> actually work for both server and client, so it sounds good for me.
>>
>
> From the pacemaker Resource script perspective, it looks good to me. I
> will take
> another look when you post v3.
>
> Thanks
> Numan
>
> _______________________________________________
>> dev mailing list
>> dev@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>

diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf
index 52141c7..80f81ae 100755
--- a/ovn/utilities/ovndb-servers.ocf
+++ b/ovn/utilities/ovndb-servers.ocf
@@ -10,6 +10,12 @@ 
 : ${MANAGE_NORTHD_DEFAULT="no"}
 : ${INACTIVE_PROBE_DEFAULT="5000"}
 : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
+: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
+: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
+: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
+: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
+: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
+: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
 
 CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
 CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
@@ -21,6 +27,13 @@  SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
+NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
+NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
+SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
+SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
+
 
 # In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY
 # to false and pass LB vip IP while creating pcs resource.
@@ -132,6 +145,54 @@  ovsdb_server_metadata() {
   <content type="string" />
   </parameter>
 
+  <parameter name="ovn_nb_db_privkey" unique="1">
+  <longdesc lang="en">
+  OVN NB DB private key absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_nb_db_cert" unique="1">
+  <longdesc lang="en">
+  OVN NB DB certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_nb_db_cacert" unique="1">
+  <longdesc lang="en">
+  OVN NB DB CA certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_privkey" unique="1">
+  <longdesc lang="en">
+  OVN SB DB private key absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_cert" unique="1">
+  <longdesc lang="en">
+  OVN SB DB certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_cacert" unique="1">
+  <longdesc lang="en">
+  OVN SB DB CA certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
   </parameters>
 
   <actions>
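Review bot: The six new longdesc entries do not state the default path that applies when the parameter is omitted, although the defaults are fixed at the top of the file (for example `/etc/openvswitch/ovnnb-privkey.pem` for ovn_nb_db_privkey and `/etc/openvswitch/cacert.pem` for both cacert parameters), so an operator reading the agent metadata cannot tell where the files are expected to be. Suggest appending one sentence to each longdesc, e.g. `Defaults to /etc/openvswitch/ovnnb-privkey.pem.` for ovn_nb_db_privkey, with the matching default for each of the other five parameters. The `unique="1"` attribute on these parameters also looks questionable, since in OCF metadata it means two instances of the agent must not share the value, while these paths are expected to be identical on every node; if the existing parameters in this file use the same attribute it may be a deliberate convention, in which case ignore this. ovsdb_server_metadata begins outside the hunk.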
@@ -326,6 +387,18 @@  ovsdb_server_start() {
        set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
     fi
 
+    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
+            set $@ --db-nb-create-insecure-remote=no
+            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
+            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
+            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
+    fi
+    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
+            set $@ --db-sb-create-insecure-remote=no
+            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
+            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
+            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
+    fi
     if [ "x${present_master}" = x ]; then
         # No master detected, or the previous master is not among the
         # set starting.
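Review bot: The new ssl branches hand the paths in NB_PRIVKEY/NB_CERT/NB_CACERT, and the SB trio in the second branch, to ovn-ctl without checking that the files exist and are readable, so a node whose certificates were never deployed fails only later with whatever ovsdb-server reports, and pacemaker cannot tell a node-local install problem from a generic start failure. Checking each file before appending the option and returning $OCF_ERR_INSTALLED from the start action gives a clear log line (assuming ocf_log is available as elsewhere in the agent) and lets the cluster prefer another node; if the agent already has a validate action, that would be the more conventional place for the check. The `set $@` lines follow the file's existing unquoted style (see the --db-sb-addr line above), but for file paths `set -- "$@" --ovn-nb-db-ssl-key="${NB_PRIVKEY}"` would survive a path containing whitespace. ovsdb_server_start begins outside the hunk.
```shell
    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
            for f in "${NB_PRIVKEY}" "${NB_CERT}" "${NB_CACERT}"; do
                if [ ! -r "$f" ]; then
                    ocf_log err "ovndb_server: ssl file ${f} is missing or not readable"
                    return $OCF_ERR_INSTALLED
                fi
            done
            # … unchanged: --db-nb-create-insecure-remote / --ovn-nb-db-ssl-* options …
    fi
    # … unchanged: SB branch, with the same check on SB_PRIVKEY/SB_CERT/SB_CACERT …
```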
@@ -343,7 +416,6 @@  ovsdb_server_start() {
         set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
 
     elif [ ${present_master} != ${host_name} ]; then
-        # TODO: for using LB vip, need to test for ssl.
         if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
             if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
                 set $@ --db-nb-create-insecure-remote=yes