From patchwork Thu Sep 20 16:15:51 2018
X-Patchwork-Submitter: aginwala aginwala
X-Patchwork-Id: 973512
From: amginwal@gmail.com
X-Google-Original-From: aginwala@ebay.com
To: dev@openvswitch.org
Cc: aginwala
Date: Thu, 20 Sep 2018 09:15:51 -0700
Message-Id: <1537460151-22894-1-git-send-email-aginwala@ebay.com>
Subject: [ovs-dev] [PATCH 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

For OVN DBs to work with SSL in HA, we need to have the capability to pass ssl certs when starting OVN DBs. Say, when starting OVN DBs in active-passive mode, in order for the standby DBs to sync from the master node, they cannot sync because the required ssl certs are not passed when the standby DBs are initialized. Hence, we need to have this option.

e.g. start nb db with ssl certs as below:

/usr/share/openvswitch/scripts/ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
    --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
    --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
    --db-nb-create-insecure-remote=no start_nb_ovsdb

Certs can be generated based on ovs ssl docs: http://docs.openvswitch.org/en/latest/howto/ssl/

Signed-off-by: aginwala
---
 ovn/utilities/ovn-ctl | 50 +++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 43 insertions(+), 7 deletions(-)

diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 3ff0df6..4f45f3d 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -116,6 +116,9 @@ start_ovsdb__() { local addr local active_conf_file local use_remote_in_db + local ovn_db_ssl_key + local ovn_db_ssl_cert + local ovn_db_ssl_cacert eval pid=\$DB_${DB}_PID eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT @@ -137,6 +140,9 @@ start_ovsdb__() { eval addr=\$DB_${DB}_ADDR eval active_conf_file=\$ovn${db}_active_conf_file eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB + eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY + eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT + eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT # Check and eventually start ovsdb-server for DB if pidfile_is_running $pid; then 
@@ -182,17 +188,32 @@ $cluster_remote_port if test X"$use_remote_in_db" != Xno; then set "$@" --remote=db:$schema_name,$table_name,connections + if test X"$create_insecure_remote" = Xno; then + set "$@" --remote=pssl:$port:$addr + elif test X"$create_insecure_remote" = Xyes; then + set "$@" --remote=ptcp:$port:$addr + fi fi - set "$@" --private-key=db:$schema_name,SSL,private_key - set "$@" --certificate=db:$schema_name,SSL,certificate - set "$@" --ca-cert=db:$schema_name,SSL,ca_cert - set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols - set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers - if test X"$create_insecure_remote" = Xyes; then - set "$@" --remote=ptcp:$port:$addr + if test X"$ovn_db_ssl_key" != X; then + set "$@" --private-key=$ovn_db_ssl_key + else + set "$@" --private-key=db:$schema_name,SSL,private_key + fi + if test X"$ovn_db_ssl_cert" != X; then + set "$@" --certificate=$ovn_db_ssl_cert + else + set "$@" --certificate=db:$schema_name,SSL,certificate + fi + if test X"$ovn_db_ssl_cacert" != X; then + set "$@" --ca-cert=$ovn_db_ssl_cacert + else + set "$@" --ca-cert=db:$schema_name,SSL,ca_cert fi + set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols + set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + if test $mode = active_passive; then set "$@" --sync-from=`cat $active_conf_file` fi @@ -481,6 +502,15 @@ set_defaults () { OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK" DB_NB_USE_REMOTE_IN_DB="yes" DB_SB_USE_REMOTE_IN_DB="yes" + + OVN_NB_DB_SSL_KEY="" + OVN_NB_DB_SSL_CERT="" + OVN_NB_DB_SSL_CA_CERT="" + + OVN_SB_DB_SSL_KEY="" + OVN_SB_DB_SSL_CERT="" + OVN_SB_DB_SSL_CA_CERT="" + } set_option () { 
@@ -536,6 +566,12 @@ Options: --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file + --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file + --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file + --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file + --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file + --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file + --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file --ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be automatically started and stopped along with ovn-northd. The default is "yes". If
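Review bot: in the `@@ -182,17 +188,32 @@` hunk the `set "$@" --remote=ptcp:$port:$addr` line has moved inside the `if test X"$use_remote_in_db" != Xno; then` block, so a run with `use_remote_in_db=no` and `create_insecure_remote=yes` no longer gets a ptcp remote at all, which the removed lines opened unconditionally; keep the ptcp/pssl selection outside that block. The same hunk also adds `--remote=pssl:$port:$addr` whenever `create_insecure_remote` is `no`, including runs where none of the new `OVN_*_DB_SSL_*` variables is set (the `set_defaults` hunk initialises them to empty strings) and the key, certificate and CA certificate fall back to `db:$schema_name,SSL,...`; if that SSL row is empty ovsdb-server is asked for a pssl listener with no usable key material. Consider opening the pssl remote only when the file paths are set, and describe the new listener in the commit message, which currently only mentions the certificate options.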
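Review bot: the `@@ -481,6 +502,15 @@` hunk leaves a stray empty `+` line between `OVN_SB_DB_SSL_CA_CERT=""` and the closing `}` of `set_defaults`; drop it so the function ends like the surrounding code.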
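Review bot: the help text added in the `@@ -536,6 +566,12 @@` hunk documents the six new options but not how they interact with `--db-nb-create-insecure-remote` / `--db-sb-create-insecure-remote`, although the commit message shows `--db-nb-create-insecure-remote=no` as part of the required invocation and the `@@ -182,17 +188,32 @@` hunk only opens the pssl remote for that value; add a sentence that the pssl remote is created only with the insecure-remote option set to `no`, and that any of the three file options left unset falls back to the SSL table in the database.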
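The invocation in the commit message hands three PEM paths to ovn-ctl and relies on the operator having put the right file in each slot. The following is an added example, not code from this patch or from the OVN project: a POSIX sh pre-flight check that confirms each file exists, carries the expected PEM block, and that the private key is not group- or world-readable, before printing the ovn-ctl command line for either database. The ovn-ctl path is the one from the commit message; the function names, the permission policy and the PEM markers are assumptions. It generalises the commit message's `nb` example to `sb` as well.

```shell
#!/bin/sh
# Added example, not code from the ovn-ctl patch or the OVN project: a pre-flight
# check for the three PEM files that the commit message passes to ovn-ctl via
# --ovn-<db>-db-ssl-key / -cert / -ca-cert. The ovn-ctl path is the one from the
# commit message; the function names and the permission policy are assumptions.
OVN_CTL=${OVN_CTL:-/usr/share/openvswitch/scripts/ovn-ctl}

# PEM block markers accepted for a private key and for a certificate.
KEY_RE='^-----BEGIN (RSA |EC )?PRIVATE KEY-----'
CERT_RE='^-----BEGIN CERTIFICATE-----'

# check_pem_file PATH REGEX [private]
# Succeeds when PATH is readable and contains a PEM block matching REGEX; for a
# private key ("private" as third argument) it additionally requires that the
# group and other permission bits are all clear (mode 0600 or stricter).
check_pem_file() {
    _path=$1
    _re=$2
    _kind=$3
    if [ ! -r "$_path" ]; then
        echo "missing or unreadable: $_path" >&2
        return 1
    fi
    if ! grep -Eq "$_re" "$_path"; then
        echo "no matching PEM block in: $_path" >&2
        return 1
    fi
    if [ "$_kind" = private ]; then
        # Columns 5-10 of 'ls -l' are the group/other bits; reading them this
        # way avoids the GNU/BSD differences in stat(1) option syntax.
        _go=$(ls -ld "$_path" | cut -c5-10)
        if [ "$_go" != "------" ]; then
            echo "private key $_path is group/world accessible (bits: $_go)" >&2
            return 1
        fi
    fi
    return 0
}

# build_ovn_ctl_cmd nb|sb KEY CERT CACERT
# Validates all three files and prints the ovn-ctl command line from the commit
# message, generalised to either database. Prints nothing and returns 1 on any
# failure, so a caller can safely do: eval "$(build_ovn_ctl_cmd nb ...)".
build_ovn_ctl_cmd() {
    _db=$1
    _key=$2
    _cert=$3
    _ca=$4
    case $_db in
        nb|sb) ;;
        *) echo "database must be nb or sb, got: $_db" >&2; return 1 ;;
    esac
    # The patch falls back to the database's SSL table for any option left
    # unset; this wrapper deliberately insists on all three files instead.
    check_pem_file "$_key" "$KEY_RE" private || return 1
    check_pem_file "$_cert" "$CERT_RE" || return 1
    check_pem_file "$_ca" "$CERT_RE" || return 1
    printf '%s --ovn-%s-db-ssl-key=%s --ovn-%s-db-ssl-cert=%s --ovn-%s-db-ssl-ca-cert=%s --db-%s-create-insecure-remote=no start_%s_ovsdb\n' \
        "$OVN_CTL" "$_db" "$_key" "$_db" "$_cert" "$_db" "$_ca" "$_db" "$_db"
}

# Stand-alone use: ./preflight.sh nb KEY CERT CACERT
if [ $# -eq 4 ]; then
    build_ovn_ctl_cmd "$@"
fi
```

The wrapper refuses a swapped key and certificate (the PEM markers differ) and a private key that other local users could read, two mistakes that ovsdb-server itself would only surface later as a failed pssl listener or not at all. It insists on all three paths because the patch substitutes `db:$schema_name,SSL,...` for any option left unset, which silently changes where the key material comes from.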