[ovs-dev,2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

Message ID 1537460381-23234-1-git-send-email-aginwala@ebay.com
State Superseded
Headers show
Series
  • [ovs-dev,1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.
Related show

Commit Message

aginwala aginwala Sept. 20, 2018, 4:19 p.m.
When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
 certs for starting standby DBs. Hence, we need this change.

Signed-off-by: aginwala <aginwala@ebay.com>
---
 ovn/utilities/ovndb-servers.ocf | 74 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

Comments

Numan Siddique Sept. 27, 2018, 4:32 p.m. | #1
On Sat, Sep 22, 2018 at 6:08 AM <amginwal@gmail.com> wrote:

>  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
>  certs for starting standby DBs. Hence, we need this change.
>
> Signed-off-by: aginwala <aginwala@ebay.com>
>

Hi Aliasgar,

I will  try this out and get back to you with any comments.

Thanks
Numan


> ---
>  ovn/utilities/ovndb-servers.ocf | 74
> ++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 73 insertions(+), 1 deletion(-)
>
> diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> index 52141c7..80f81ae 100755
> --- a/ovn/utilities/ovndb-servers.ocf
> +++ b/ovn/utilities/ovndb-servers.ocf
> @@ -10,6 +10,12 @@
>  : ${MANAGE_NORTHD_DEFAULT="no"}
>  : ${INACTIVE_PROBE_DEFAULT="5000"}
>  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>
>  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name
> OVN_REPL_INFO -s ovn_ovsdb_master_server"
> @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> +
>
>  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
>  # to false and pass LB vip IP while creating pcs resource.
> @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>    <content type="string" />
>    </parameter>
>
> +  <parameter name="ovn_nb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
>    </parameters>
>
>    <actions>
> @@ -326,6 +387,18 @@ ovsdb_server_start() {
>         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>      fi
>
> +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-nb-create-insecure-remote=no
> +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> +    fi
> +    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-sb-create-insecure-remote=no
> +            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> +            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> +            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> +    fi
>      if [ "x${present_master}" = x ]; then
>          # No master detected, or the previous master is not among the
>          # set starting.
> @@ -343,7 +416,6 @@ ovsdb_server_start() {
>          set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
> --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
>
>      elif [ ${present_master} != ${host_name} ]; then
> -        # TODO: for using LB vip, need to test for ssl.
>          if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
>              if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
>                  set $@ --db-nb-create-insecure-remote=yes
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
Han Zhou Oct. 4, 2018, 5:15 p.m. | #2
Thanks Ali, please see my comm

On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
>
>  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
>  certs for starting standby DBs. Hence, we need this change.
>
> Signed-off-by: aginwala <aginwala@ebay.com>
> ---
>  ovn/utilities/ovndb-servers.ocf | 74
++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 73 insertions(+), 1 deletion(-)
>
> diff --git a/ovn/utilities/ovndb-servers.ocf
b/ovn/utilities/ovndb-servers.ocf
> index 52141c7..80f81ae 100755
> --- a/ovn/utilities/ovndb-servers.ocf
> +++ b/ovn/utilities/ovndb-servers.ocf
> @@ -10,6 +10,12 @@
>  : ${MANAGE_NORTHD_DEFAULT="no"}
>  : ${INACTIVE_PROBE_DEFAULT="5000"}
>  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>
>  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
--name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> @@ -21,6 +27,13 @@
SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> +
>
>  # In order for pacemaker to work with LB, we can set
LISTEN_ON_MASTER_IP_ONLY
>  # to false and pass LB vip IP while creating pcs resource.
> @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>    <content type="string" />
>    </parameter>
>
> +  <parameter name="ovn_nb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_nb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN NB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_privkey" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB private key absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
> +  <parameter name="ovn_sb_db_cacert" unique="1">
> +  <longdesc lang="en">
> +  OVN SB DB CA certificate absolute path for ssl setup.
> +  </longdesc>
> +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> +  <content type="string" />
> +  </parameter>
> +
>    </parameters>
>
>    <actions>
> @@ -326,6 +387,18 @@ ovsdb_server_start() {
>         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>      fi
>
> +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-nb-create-insecure-remote=no
"no" is the default value, so this line is not needed.

> +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
This should be needed only for standby which sets
--db-sb-use-remote-in-db=no.

> +    fi
> +    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> +            set $@ --db-sb-create-insecure-remote=no
> +            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> +            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> +            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> +    fi
>      if [ "x${present_master}" = x ]; then
>          # No master detected, or the previous master is not among the
>          # set starting.
> @@ -343,7 +416,6 @@ ovsdb_server_start() {
>          set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
--db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
>
>      elif [ ${present_master} != ${host_name} ]; then
> -        # TODO: for using LB vip, need to test for ssl.
>          if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
>              if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
>                  set $@ --db-nb-create-insecure-remote=yes
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
aginwala aginwala Oct. 6, 2018, 1:34 a.m. | #3
Thanks for the review Han. Please find the comments inline below:

On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:

> Thanks Ali, please see my comm
>
> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> >
> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> ssl
> >  certs for starting standby DBs. Hence, we need this change.
> >
> > Signed-off-by: aginwala <aginwala@ebay.com>
> > ---
> >  ovn/utilities/ovndb-servers.ocf | 74
> ++++++++++++++++++++++++++++++++++++++++-
> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >
> > diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> > index 52141c7..80f81ae 100755
> > --- a/ovn/utilities/ovndb-servers.ocf
> > +++ b/ovn/utilities/ovndb-servers.ocf
> > @@ -10,6 +10,12 @@
> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >
> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> > @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > +
> >
> >  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
> >  # to false and pass LB vip IP while creating pcs resource.
> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >    <content type="string" />
> >    </parameter>
> >
> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> > +  <longdesc lang="en">
> > +  OVN NB DB private key absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_nb_db_cert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN NB DB certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> > +  <longdesc lang="en">
> > +  OVN SB DB private key absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_sb_db_cert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN SB DB certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> > +  <longdesc lang="en">
> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > +  </longdesc>
> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> > +  <content type="string" />
> > +  </parameter>
> > +
> >    </parameters>
> >
> >    <actions>
> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> >      fi
> >
> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > +            set $@ --db-nb-create-insecure-remote=no
> "no" is the default value, so this line is not needed.
>
>> Sure. This makes sense. Will check out the default behavior and update
it the revised patch!

>
> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> This should be needed only for standby which sets
> --db-sb-use-remote-in-db=no.
>
> As discussed, for each of the modes either ssl or tcp, all the nodes
should have this option set.

>
> > +    fi
> > +    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> > +            set $@ --db-sb-create-insecure-remote=no
> > +            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> > +            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> > +            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> > +    fi
> >      if [ "x${present_master}" = x ]; then
> >          # No master detected, or the previous master is not among the
> >          # set starting.
> > @@ -343,7 +416,6 @@ ovsdb_server_start() {
> >          set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
> --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
> >
> >      elif [ ${present_master} != ${host_name} ]; then
> > -        # TODO: for using LB vip, need to test for ssl.
> >          if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
> >              if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
> >                  set $@ --db-nb-create-insecure-remote=yes
> > --
> > 1.9.1
> >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
Han Zhou Oct. 8, 2018, 5:58 p.m. | #4
On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com> wrote:
>
> Thanks for the review Han. Please find the comments inline below:
>
> On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
>>
>> Thanks Ali, please see my comm
>>
>> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
>> >
>> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
ssl
>> >  certs for starting standby DBs. Hence, we need this change.
>> >
>> > Signed-off-by: aginwala <aginwala@ebay.com>
>> > ---
>> >  ovn/utilities/ovndb-servers.ocf | 74
++++++++++++++++++++++++++++++++++++++++-
>> >  1 file changed, 73 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/ovn/utilities/ovndb-servers.ocf
b/ovn/utilities/ovndb-servers.ocf
>> > index 52141c7..80f81ae 100755
>> > --- a/ovn/utilities/ovndb-servers.ocf
>> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > @@ -10,6 +10,12 @@
>> >  : ${MANAGE_NORTHD_DEFAULT="no"}
>> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
>> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
>> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
>> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
>> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
>> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
>> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> >
>> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
--name OVN_REPL_INFO -s ovn_ovsdb_master_server"
>> > @@ -21,6 +27,13 @@
SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>> >
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>> >
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
>> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
>> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
>> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
>> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
>> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
>> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
>> > +
>> >
>> >  # In order for pacemaker to work with LB, we can set
LISTEN_ON_MASTER_IP_ONLY
>> >  # to false and pass LB vip IP while creating pcs resource.
>> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>> >    <content type="string" />
>> >    </parameter>
>> >
>> > +  <parameter name="ovn_nb_db_privkey" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN NB DB private key absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_nb_db_cert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN NB DB certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_nb_db_cacert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN NB DB CA certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_sb_db_privkey" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN SB DB private key absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_sb_db_cert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN SB DB certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> > +  <parameter name="ovn_sb_db_cacert" unique="1">
>> > +  <longdesc lang="en">
>> > +  OVN SB DB CA certificate absolute path for ssl setup.
>> > +  </longdesc>
>> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
>> > +  <content type="string" />
>> > +  </parameter>
>> > +
>> >    </parameters>
>> >
>> >    <actions>
>> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
>> >         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>> >      fi
>> >
>> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
>> > +            set $@ --db-nb-create-insecure-remote=no
>> "no" is the default value, so this line is not needed.
>
> >> Sure. This makes sense. Will check out the default behavior and update
it the revised patch!
>>
>>
>> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
>> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
>> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
>> This should be needed only for standby which sets
--db-sb-use-remote-in-db=no.
>
> > As discussed, for each of the modes either ssl or tcp, all the nodes
should have this option set.

Agree. Since this script is for active-standby only, we can assume
active-standby mode always use command line option instead of DB settings.

Acked-by: Han Zhou <hzhou8@ebay.com>
Ben Pfaff Oct. 8, 2018, 6:04 p.m. | #5
On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com> wrote:
> >
> > Thanks for the review Han. Please find the comments inline below:
> >
> > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
> >>
> >> Thanks Ali, please see my comm
> >>
> >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> >> >
> >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> ssl
> >> >  certs for starting standby DBs. Hence, we need this change.
> >> >
> >> > Signed-off-by: aginwala <aginwala@ebay.com>
> >> > ---
> >> >  ovn/utilities/ovndb-servers.ocf | 74
> ++++++++++++++++++++++++++++++++++++++++-
> >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> >
> >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> >> > index 52141c7..80f81ae 100755
> >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > @@ -10,6 +10,12 @@
> >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> >
> >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> >
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > +
> >> >
> >> >  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
> >> >  # to false and pass LB vip IP while creating pcs resource.
> >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> >    <content type="string" />
> >> >    </parameter>
> >> >
> >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN NB DB certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN SB DB private key absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN SB DB certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> >> > +  <longdesc lang="en">
> >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> >> > +  </longdesc>
> >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> >> > +  <content type="string" />
> >> > +  </parameter>
> >> > +
> >> >    </parameters>
> >> >
> >> >    <actions>
> >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >> >         set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> >> >      fi
> >> >
> >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> >> > +            set $@ --db-nb-create-insecure-remote=no
> >> "no" is the default value, so this line is not needed.
> >
> > >> Sure. This makes sense. Will check out the default behavior and update
> it the revised patch!
> >>
> >>
> >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> >> This should be needed only for standby which sets
> --db-sb-use-remote-in-db=no.
> >
> > > As discussed, for each of the modes either ssl or tcp, all the nodes
> should have this option set.
> 
> Agree. Since this script is for active-standby only, we can assume
> active-standby mode always use command line option instead of DB settings.
> 
> Acked-by: Han Zhou <hzhou8@ebay.com>

I haven't followed the discussion here so I'm going to assume that Ali
will post a v2 with Han's ack.

Thanks,

Ben.
aginwala aginwala Oct. 8, 2018, 6:55 p.m. | #6
Yes, that's right.  I will send out v2 in a bit with Han's ack.


Regards,
Aliasgar

On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp@ovn.org> wrote:

> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com>
> wrote:
> > >
> > > Thanks for the review Han. Please find the comments inline below:
> > >
> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
> > >>
> > >> Thanks Ali, please see my comm
> > >>
> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> > >> >
> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
> pass
> > ssl
> > >> >  certs for starting standby DBs. Hence, we need this change.
> > >> >
> > >> > Signed-off-by: aginwala <aginwala@ebay.com>
> > >> > ---
> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> > ++++++++++++++++++++++++++++++++++++++++-
> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> > >> >
> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> > b/ovn/utilities/ovndb-servers.ocf
> > >> > index 52141c7..80f81ae 100755
> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> > >> > @@ -10,6 +10,12 @@
> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> >
> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> > >> > @@ -21,6 +27,13 @@
> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> > >> >
> >
> SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> > >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> > >> >
> >
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > >> > +
> > >> >
> > >> >  # In order for pacemaker to work with LB, we can set
> > LISTEN_ON_MASTER_IP_ONLY
> > >> >  # to false and pass LB vip IP while creating pcs resource.
> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> > >> >    <content type="string" />
> > >> >    </parameter>
> > >> >
> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB private key absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB private key absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> >    </parameters>
> > >> >
> > >> >    <actions>
> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> > >> >         set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> > >> >      fi
> > >> >
> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > >> > +            set $@ --db-nb-create-insecure-remote=no
> > >> "no" is the default value, so this line is not needed.
> > >
> > > >> Sure. This makes sense. Will check out the default behavior and
> update
> > it the revised patch!
> > >>
> > >>
> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> > >> This should be needed only for standby which sets
> > --db-sb-use-remote-in-db=no.
> > >
> > > > As discussed, for each of the modes either ssl or tcp, all the nodes
> > should have this option set.
> >
> > Agree. Since this script is for active-standby only, we can assume
> > active-standby mode always use command line option instead of DB
> settings.
> >
> > Acked-by: Han Zhou <hzhou8@ebay.com>
>
> I haven't followed the discussion here so I'm going to assume that Ali
> will post a v2 with Han's ack.
>
> Thanks,
>
> Ben.
>
Han Zhou Oct. 8, 2018, 9:17 p.m. | #7
On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala <amginwal@gmail.com>
wrote:
>
> Yes, that's right.  I will send out v2 in a bit with Han's ack.
>
>
> Regards,
> Aliasgar
>
> On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp@ovn.org> wrote:
>>
>> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
>> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com>
wrote:
>> > >
>> > > Thanks for the review Han. Please find the comments inline below:
>> > >
>> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
>> > >>
>> > >> Thanks Ali, please see my comm
>> > >>
>> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
>> > >> >
>> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
pass
>> > ssl
>> > >> >  certs for starting standby DBs. Hence, we need this change.
>> > >> >
>> > >> > Signed-off-by: aginwala <aginwala@ebay.com>
>> > >> > ---
>> > >> >  ovn/utilities/ovndb-servers.ocf | 74
>> > ++++++++++++++++++++++++++++++++++++++++-
>> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
>> > >> >
>> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
>> > b/ovn/utilities/ovndb-servers.ocf
>> > >> > index 52141c7..80f81ae 100755
>> > >> > --- a/ovn/utilities/ovndb-servers.ocf
>> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > >> > @@ -10,6 +10,12 @@
>> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
>> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
>> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
>> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
>> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
>> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
>> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
>> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> >
>> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
crm_config
>> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
>> > >> > @@ -21,6 +27,13 @@
>> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>> > >> >
>> >
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>> > >> >
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>> > >> >
>> >
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
>> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
>> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
>> > >> >
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
>> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
>> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
>> > >> >
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
>> > >> > +
>> > >> >
>> > >> >  # In order for pacemaker to work with LB, we can set
>> > LISTEN_ON_MASTER_IP_ONLY
>> > >> >  # to false and pass LB vip IP while creating pcs resource.
>> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>> > >> >    <content type="string" />
>> > >> >    </parameter>
>> > >> >
>> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB private key absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB private key absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> >    </parameters>
>> > >> >
>> > >> >    <actions>
>> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
>> > >> >         set $@ --db-sb-addr=${MASTER_IP}
--db-sb-port=${SB_MASTER_PORT}
>> > >> >      fi
>> > >> >
>> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
>> > >> > +            set $@ --db-nb-create-insecure-remote=no
>> > >> "no" is the default value, so this line is not needed.
>> > >
>> > > >> Sure. This makes sense. Will check out the default behavior and
update
>> > it the revised patch!
>> > >>
>> > >>
>> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
>> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
>> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
>> > >> This should be needed only for standby which sets
>> > --db-sb-use-remote-in-db=no.
>> > >
>> > > > As discussed, for each of the modes either ssl or tcp, all the
nodes
>> > should have this option set.
>> >
>> > Agree. Since this script is for active-standby only, we can assume
>> > active-standby mode always use command line option instead of DB
settings.
>> >
>> > Acked-by: Han Zhou <hzhou8@ebay.com>
>>
>> I haven't followed the discussion here so I'm going to assume that Ali
>> will post a v2 with Han's ack.
>>
>> Thanks,
>>
>> Ben.

Giving a second thought, it seems there is still a problem.

There should be two sets of SSL related parameters we should consider in
the active-standby scenario.
- One set of parameters is for the server side. For ipaddr2 use case, both
active and standby nodes will need them. For LB use case, where only the
active node should listen on the port, only the active node should need
these parameters.
- Another set of parameters is for the client side, together with the
--sync-from parameter, so that the standby node can connect to the active
node as a client using SSL. These parameters are needed in standby node
only.

I didn't see how is this addressed. Did I miss anything?

For the server side SSL parameters, it should be valid to use DB settings
instead of command line options. (For client side, it may not be possible
to use DB settings since the standby nodes need to get the SSL parameters
before connecting to the (active) DB).

Thanks,
Han
aginwala aginwala Oct. 8, 2018, 11:51 p.m. | #8
On Mon, Oct 8, 2018 at 2:17 PM Han Zhou <zhouhan@gmail.com> wrote:

>
>
> On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala <amginwal@gmail.com>
> wrote:
> >
> > Yes, that's right.  I will send out v2 in a bit with Han's ack.
> >
> >
> > Regards,
> > Aliasgar
> >
> > On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp@ovn.org> wrote:
> >>
> >> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> >> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal@gmail.com>
> wrote:
> >> > >
> >> > > Thanks for the review Han. Please find the comments inline below:
> >> > >
> >> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan@gmail.com> wrote:
> >> > >>
> >> > >> Thanks Ali, please see my comm
> >> > >>
> >> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal@gmail.com> wrote:
> >> > >> >
> >> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need
> to pass
> >> > ssl
> >> > >> >  certs for starting standby DBs. Hence, we need this change.
> >> > >> >
> >> > >> > Signed-off-by: aginwala <aginwala@ebay.com>
> >> > >> > ---
> >> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> >> > ++++++++++++++++++++++++++++++++++++++++-
> >> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> > >> >
> >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> >> > b/ovn/utilities/ovndb-servers.ocf
> >> > >> > index 52141c7..80f81ae 100755
> >> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > >> > @@ -10,6 +10,12 @@
> >> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> >
> >> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
> crm_config
> >> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > >> > @@ -21,6 +27,13 @@
> >> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> > >> >
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> > >> >
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> > >> >
> >> >
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > >> >
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > >> >
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > >> >
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > >> >
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > >> > +
> >> > >> >
> >> > >> >  # In order for pacemaker to work with LB, we can set
> >> > LISTEN_ON_MASTER_IP_ONLY
> >> > >> >  # to false and pass LB vip IP while creating pcs resource.
> >> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> > >> >    <content type="string" />
> >> > >> >    </parameter>
> >> > >> >
> >> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB private key absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> >    </parameters>
> >> > >> >
> >> > >> >    <actions>
> >> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >> > >> >         set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> >> > >> >      fi
> >> > >> >
> >> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> >> > >> > +            set $@ --db-nb-create-insecure-remote=no
> >> > >> "no" is the default value, so this line is not needed.
> >> > >
> >> > > >> Sure. This makes sense. Will check out the default behavior and
> update
> >> > it the revised patch!
> >> > >>
> >> > >>
> >> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> >> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> >> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> >> > >> This should be needed only for standby which sets
> >> > --db-sb-use-remote-in-db=no.
> >> > >
> >> > > > As discussed, for each of the modes either ssl or tcp, all the
> nodes
> >> > should have this option set.
> >> >
> >> > Agree. Since this script is for active-standby only, we can assume
> >> > active-standby mode always use command line option instead of DB
> settings.
> >> >
> >> > Acked-by: Han Zhou <hzhou8@ebay.com>
> >>
> >> I haven't followed the discussion here so I'm going to assume that Ali
> >> will post a v2 with Han's ack.
> >>
> >> Thanks,
> >>
> >> Ben.
>
> Giving a second thought, it seems there is still a problem.
>
> There should be two sets of SSL related parameters we should consider in
> the active-standby scenario.
> - One set of parameters is for the server side. For ipaddr2 use case, both
> active and standby nodes will need them. For LB use case, where only the
> active node should listen on the port, only the active node should need
> these parameters.
> - Another set of parameters is for the client side, together with the
> --sync-from parameter, so that the standby node can connect to the active
> node as a client using SSL. These parameters are needed in standby node
> only.
>
> I didn't see how is this addressed. Did I miss anything?
>
> For the server side SSL parameters, it should be valid to use DB settings
> instead of command line options. (For client side, it may not be possible
> to use DB settings since the standby nodes need to get the SSL parameters
> before connecting to the (active) DB).
>
>> Just to clarify, for active-standby scenario, since we dont know who
will became active server any time, it is safe to use same certs on all
central nodes irrespective of which node is client or server.
     For the previous condition I verified and tested that default
condition is insecure=no which works fine and hence have removed that line.
I have addressed the same and have sent out v2  with your ack . Let me know
further. :)

>
>
Thanks,
> Han
>
Han Zhou Oct. 9, 2018, 12:40 a.m. | #9
>>
>> Giving a second thought, it seems there is still a problem.
>>
>> There should be two sets of SSL related parameters we should consider in
the active-standby scenario.
>> - One set of parameters is for the server side. For ipaddr2 use case,
both active and standby nodes will need them. For LB use case, where only
the active node should listen on the port, only the active node should need
these parameters.
>> - Another set of parameters is for the client side, together with the
--sync-from parameter, so that the standby node can connect to the active
node as a client using SSL. These parameters are needed in standby node
only.
>>
>> I didn't see how is this addressed. Did I miss anything?
>>
>> For the server side SSL parameters, it should be valid to use DB
settings instead of command line options. (For client side, it may not be
possible to use DB settings since the standby nodes need to get the SSL
parameters before connecting to the (active) DB).
>
> >> Just to clarify, for active-standby scenario, since we dont know who
will became active server any time, it is safe to use same certs on all
central nodes irrespective of which node is client or server.

Ok, thanks. It is clarified after discussion that we are combining the
server side and client side ssl keys/certs to the same value for all
central nodes in the active-standby setup. I didn't know that same settings
actually work for both server and client, so it sounds good for me.
Numan Siddique Oct. 9, 2018, 6:59 a.m. | #10
On Tue, Oct 9, 2018 at 6:11 AM Han Zhou <zhouhan@gmail.com> wrote:

> >>
> >> Giving a second thought, it seems there is still a problem.
> >>
> >> There should be two sets of SSL related parameters we should consider in
> the active-standby scenario.
> >> - One set of parameters is for the server side. For ipaddr2 use case,
> both active and standby nodes will need them. For LB use case, where only
> the active node should listen on the port, only the active node should need
> these parameters.
> >> - Another set of parameters is for the client side, together with the
> --sync-from parameter, so that the standby node can connect to the active
> node as a client using SSL. These parameters are needed in standby node
> only.
> >>
> >> I didn't see how is this addressed. Did I miss anything?
> >>
> >> For the server side SSL parameters, it should be valid to use DB
> settings instead of command line options. (For client side, it may not be
> possible to use DB settings since the standby nodes need to get the SSL
> parameters before connecting to the (active) DB).
> >
> > >> Just to clarify, for active-standby scenario, since we dont know who
> will became active server any time, it is safe to use same certs on all
> central nodes irrespective of which node is client or server.
>
> Ok, thanks. It is clarified after discussion that we are combining the
> server side and client side ssl keys/certs to the same value for all
> central nodes in the active-standby setup. I didn't know that same settings
> actually work for both server and client, so it sounds good for me.
>

From the pacemaker Resource script perspective, it looks good to me. I will
take
another look when you post v3.

Thanks
Numan
aginwala aginwala Oct. 9, 2018, 4:02 p.m. | #11
Thanks Numan for review. Just to update that V3 will only have changes for
ovn-ctl as per Han's suggestion to add details in help section there. ocf
script will remain unchanged. That is why I have added acked-by on this
patch. :)


On Mon, Oct 8, 2018 at 11:59 PM Numan Siddique <nusiddiq@redhat.com> wrote:

>
>
> On Tue, Oct 9, 2018 at 6:11 AM Han Zhou <zhouhan@gmail.com> wrote:
>
>> >>
>> >> Giving a second thought, it seems there is still a problem.
>> >>
>> >> There should be two sets of SSL related parameters we should consider
>> in
>> the active-standby scenario.
>> >> - One set of parameters is for the server side. For ipaddr2 use case,
>> both active and standby nodes will need them. For LB use case, where only
>> the active node should listen on the port, only the active node should
>> need
>> these parameters.
>> >> - Another set of parameters is for the client side, together with the
>> --sync-from parameter, so that the standby node can connect to the active
>> node as a client using SSL. These parameters are needed in standby node
>> only.
>> >>
>> >> I didn't see how is this addressed. Did I miss anything?
>> >>
>> >> For the server side SSL parameters, it should be valid to use DB
>> settings instead of command line options. (For client side, it may not be
>> possible to use DB settings since the standby nodes need to get the SSL
>> parameters before connecting to the (active) DB).
>> >
>> > >> Just to clarify, for active-standby scenario, since we dont know who
>> will became active server any time, it is safe to use same certs on all
>> central nodes irrespective of which node is client or server.
>>
>> Ok, thanks. It is clarified after discussion that we are combining the
>> server side and client side ssl keys/certs to the same value for all
>> central nodes in the active-standby setup. I didn't know that same
>> settings
>> actually work for both server and client, so it sounds good for me.
>>
>
> From the pacemaker Resource script perspective, it looks good to me. I
> will take
> another look when you post v3.
>
> Thanks
> Numan
>
> _______________________________________________
>> dev mailing list
>> dev@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>

Patch

diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf
index 52141c7..80f81ae 100755
--- a/ovn/utilities/ovndb-servers.ocf
+++ b/ovn/utilities/ovndb-servers.ocf
@@ -10,6 +10,12 @@ 
 : ${MANAGE_NORTHD_DEFAULT="no"}
 : ${INACTIVE_PROBE_DEFAULT="5000"}
 : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
+: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
+: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
+: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
+: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
+: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
+: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
 
 CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
 CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
@@ -21,6 +27,13 @@  SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
+NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
+NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
+SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
+SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
+
 
 # In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY
 # to false and pass LB vip IP while creating pcs resource.
@@ -132,6 +145,54 @@  ovsdb_server_metadata() {
   <content type="string" />
   </parameter>
 
+  <parameter name="ovn_nb_db_privkey" unique="1">
+  <longdesc lang="en">
+  OVN NB DB private key absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_nb_db_cert" unique="1">
+  <longdesc lang="en">
+  OVN NB DB certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_nb_db_cacert" unique="1">
+  <longdesc lang="en">
+  OVN NB DB CA certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_privkey" unique="1">
+  <longdesc lang="en">
+  OVN SB DB private key absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_cert" unique="1">
+  <longdesc lang="en">
+  OVN SB DB certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_cacert" unique="1">
+  <longdesc lang="en">
+  OVN SB DB CA certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
   </parameters>
 
   <actions>
@@ -326,6 +387,18 @@  ovsdb_server_start() {
        set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
     fi
 
+    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
+            set $@ --db-nb-create-insecure-remote=no
+            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
+            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
+            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
+    fi
+    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
+            set $@ --db-sb-create-insecure-remote=no
+            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
+            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
+            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
+    fi
     if [ "x${present_master}" = x ]; then
         # No master detected, or the previous master is not among the
         # set starting.
@@ -343,7 +416,6 @@  ovsdb_server_start() {
         set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
 
     elif [ ${present_master} != ${host_name} ]; then
-        # TODO: for using LB vip, need to test for ssl.
         if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
             if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
                 set $@ --db-nb-create-insecure-remote=yes