[ovs-dev,v3,1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

Message ID 1539082846-29711-1-git-send-email-aginwala@ebay.com

Commit Message

aginwala aginwala Oct. 9, 2018, 11 a.m.
For OVN DBs to work with SSL in HA, we need the capability to pass SSL
certs when starting OVN DBs. For example, when starting OVN DBs in active/passive
mode, the standby DBs cannot sync from the master node because the required
SSL certs are not passed when the standby DBs are initialized.
Hence, we need this option.

e.g. start nb db with ssl certs as below:
/usr/share/openvswitch/scripts/ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
--ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
--ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
--db-nb-create-insecure-remote=no start_nb_ovsdb

When certs are passed in the command line, it will read certs from the path
mentioned instead of default db configs.

Certs can be generated based on ovs ssl docs:
http://docs.openvswitch.org/en/latest/howto/ssl/

Signed-off-by: aginwala <aginwala@ebay.com>
---
 ovn/utilities/ovn-ctl       | 41 ++++++++++++++++++++++++++++++++++++++---
 ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
 2 files changed, 52 insertions(+), 3 deletions(-)

Comments

Han Zhou Oct. 10, 2018, 7:58 p.m. | #1
On Tue, Oct 9, 2018 at 3:11 PM aginwala <amginwal@gmail.com> wrote:
>
> For OVN DBs to work with SSL in HA, we need to have capability to pass ssl
> certs when starting OVN DBs. Say when starting OVN DBs in active passive
mode,
> in order for the standby DBs to sync from master node, it cannot sync
> because the required ssl certs are not passed when standby DBs are
initialized.
> Hence, we need to have this option.
>
> e.g. start nb db with ssl certs as below:
> /usr/share/openvswitch/scripts/ovn-ctl
--ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> --db-nb-create-insecure-remote=no start_nb_ovsdb
>
> When certs are passed in the command line, it will read certs from the
path
> mentioned instead of default db configs.
>
> Certs can be generated based on ovs ssl docs:
> http://docs.openvswitch.org/en/latest/howto/ssl/
>
> Signed-off-by: aginwala <aginwala@ebay.com>
> ---
>  ovn/utilities/ovn-ctl       | 41
++++++++++++++++++++++++++++++++++++++---
>  ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
>  2 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> index 3ff0df6..d71071a 100755
> --- a/ovn/utilities/ovn-ctl
> +++ b/ovn/utilities/ovn-ctl
> @@ -116,6 +116,9 @@ start_ovsdb__() {
>      local addr
>      local active_conf_file
>      local use_remote_in_db
> +    local ovn_db_ssl_key
> +    local ovn_db_ssl_cert
> +    local ovn_db_ssl_cacert
>      eval pid=\$DB_${DB}_PID
>      eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
>      eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> @@ -137,6 +140,9 @@ start_ovsdb__() {
>      eval addr=\$DB_${DB}_ADDR
>      eval active_conf_file=\$ovn${db}_active_conf_file
>      eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> +    eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> +    eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> +    eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
>
>      # Check and eventually start ovsdb-server for DB
>      if pidfile_is_running $pid; then
> @@ -183,9 +189,23 @@ $cluster_remote_port
>      if test X"$use_remote_in_db" != Xno; then
>          set "$@" --remote=db:$schema_name,$table_name,connections
>      fi
> -    set "$@" --private-key=db:$schema_name,SSL,private_key
> -    set "$@" --certificate=db:$schema_name,SSL,certificate
> -    set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> +
> +    if test X"$ovn_db_ssl_key" != X; then
> +        set "$@" --private-key=$ovn_db_ssl_key
> +    else
> +        set "$@" --private-key=db:$schema_name,SSL,private_key
> +    fi
> +    if test X"$ovn_db_ssl_cert" != X; then
> +        set "$@" --certificate=$ovn_db_ssl_cert
> +    else
> +        set "$@" --certificate=db:$schema_name,SSL,certificate
> +    fi
> +    if test X"$ovn_db_ssl_cacert" != X; then
> +        set "$@" --ca-cert=$ovn_db_ssl_cacert
> +    else
> +        set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> +    fi
> +
>      set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
>      set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
>
> @@ -481,6 +501,15 @@ set_defaults () {
>      OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
>      DB_NB_USE_REMOTE_IN_DB="yes"
>      DB_SB_USE_REMOTE_IN_DB="yes"
> +
> +    OVN_NB_DB_SSL_KEY=""
> +    OVN_NB_DB_SSL_CERT=""
> +    OVN_NB_DB_SSL_CA_CERT=""
> +
> +    OVN_SB_DB_SSL_KEY=""
> +    OVN_SB_DB_SSL_CERT=""
> +    OVN_SB_DB_SSL_CA_CERT=""
> +
>  }
>
>  set_option () {
> @@ -536,6 +565,12 @@ Options:
>    --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
>    --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
file
>    --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN
Southbound SSL CA certificate file
> +  --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
> +  --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
> +  --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
> +  --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
> +  --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
> +  --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
>    --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases
should be
>                                     automatically started and stopped
along
>                                     with ovn-northd. The default is
"yes". If
> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> index 3b0e67a..c5294d7 100644
> --- a/ovn/utilities/ovn-ctl.8.xml
> +++ b/ovn/utilities/ovn-ctl.8.xml
> @@ -198,4 +198,18 @@
>            start_northd
>        </code>
>      </p>
> +
> +    <h2>Passing ssl keys when starting OVN dbs will supercede the
default ssl values in db</h2>
> +    <h3>Starting standalone ovn db server passing SSL certificates</h3>
> +    <p>
> +      <code>
> +        # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
> +          --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
> +          --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> +          --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
> +          --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
> +          --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> +           start_northd
> +      </code>
> +    </p>
>  </manpage>
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Acked-by: Han Zhou <hzhou8@ebay.com>
Ben Pfaff Oct. 11, 2018, 9:05 p.m. | #2
On Wed, Oct 10, 2018 at 12:58:24PM -0700, Han Zhou wrote:
> On Tue, Oct 9, 2018 at 3:11 PM aginwala <amginwal@gmail.com> wrote:
> >
> > For OVN DBs to work with SSL in HA, we need to have capability to pass ssl
> > certs when starting OVN DBs. Say when starting OVN DBs in active passive
> mode,
> > in order for the standby DBs to sync from master node, it cannot sync
> > because the required ssl certs are not passed when standby DBs are
> initialized.
> > Hence, we need to have this option.
> >
> > e.g. start nb db with ssl certs as below:
> > /usr/share/openvswitch/scripts/ovn-ctl
> --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> > --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> > --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> > --db-nb-create-insecure-remote=no start_nb_ovsdb
> >
> > When certs are passed in the command line, it will read certs from the
> path
> > mentioned instead of default db configs.
> >
> > Certs can be generated based on ovs ssl docs:
> > http://docs.openvswitch.org/en/latest/howto/ssl/
> >
> > Signed-off-by: aginwala <aginwala@ebay.com>
> > ---
> >  ovn/utilities/ovn-ctl       | 41
> ++++++++++++++++++++++++++++++++++++++---
> >  ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
> >  2 files changed, 52 insertions(+), 3 deletions(-)
> >
> > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > index 3ff0df6..d71071a 100755
> > --- a/ovn/utilities/ovn-ctl
> > +++ b/ovn/utilities/ovn-ctl
> > @@ -116,6 +116,9 @@ start_ovsdb__() {
> >      local addr
> >      local active_conf_file
> >      local use_remote_in_db
> > +    local ovn_db_ssl_key
> > +    local ovn_db_ssl_cert
> > +    local ovn_db_ssl_cacert
> >      eval pid=\$DB_${DB}_PID
> >      eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
> >      eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> > @@ -137,6 +140,9 @@ start_ovsdb__() {
> >      eval addr=\$DB_${DB}_ADDR
> >      eval active_conf_file=\$ovn${db}_active_conf_file
> >      eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> > +    eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> > +    eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> > +    eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
> >
> >      # Check and eventually start ovsdb-server for DB
> >      if pidfile_is_running $pid; then
> > @@ -183,9 +189,23 @@ $cluster_remote_port
> >      if test X"$use_remote_in_db" != Xno; then
> >          set "$@" --remote=db:$schema_name,$table_name,connections
> >      fi
> > -    set "$@" --private-key=db:$schema_name,SSL,private_key
> > -    set "$@" --certificate=db:$schema_name,SSL,certificate
> > -    set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> > +
> > +    if test X"$ovn_db_ssl_key" != X; then
> > +        set "$@" --private-key=$ovn_db_ssl_key
> > +    else
> > +        set "$@" --private-key=db:$schema_name,SSL,private_key
> > +    fi
> > +    if test X"$ovn_db_ssl_cert" != X; then
> > +        set "$@" --certificate=$ovn_db_ssl_cert
> > +    else
> > +        set "$@" --certificate=db:$schema_name,SSL,certificate
> > +    fi
> > +    if test X"$ovn_db_ssl_cacert" != X; then
> > +        set "$@" --ca-cert=$ovn_db_ssl_cacert
> > +    else
> > +        set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> > +    fi
> > +
> >      set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
> >      set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
> >
> > @@ -481,6 +501,15 @@ set_defaults () {
> >      OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
> >      DB_NB_USE_REMOTE_IN_DB="yes"
> >      DB_SB_USE_REMOTE_IN_DB="yes"
> > +
> > +    OVN_NB_DB_SSL_KEY=""
> > +    OVN_NB_DB_SSL_CERT=""
> > +    OVN_NB_DB_SSL_CA_CERT=""
> > +
> > +    OVN_SB_DB_SSL_KEY=""
> > +    OVN_SB_DB_SSL_CERT=""
> > +    OVN_SB_DB_SSL_CA_CERT=""
> > +
> >  }
> >
> >  set_option () {
> > @@ -536,6 +565,12 @@ Options:
> >    --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> >    --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
> file
> >    --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN
> Southbound SSL CA certificate file
> > +  --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
> > +  --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
> > +  --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
> > +  --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
> > +  --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
> > +  --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
> >    --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases
> should be
> >                                     automatically started and stopped
> along
> >                                     with ovn-northd. The default is
> "yes". If
> > diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> > index 3b0e67a..c5294d7 100644
> > --- a/ovn/utilities/ovn-ctl.8.xml
> > +++ b/ovn/utilities/ovn-ctl.8.xml
> > @@ -198,4 +198,18 @@
> >            start_northd
> >        </code>
> >      </p>
> > +
> > +    <h2>Passing ssl keys when starting OVN dbs will supercede the
> default ssl values in db</h2>
> > +    <h3>Starting standalone ovn db server passing SSL certificates</h3>
> > +    <p>
> > +      <code>
> > +        # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
> > +          --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
> > +          --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> > +          --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
> > +          --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
> > +          --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> > +           start_northd
> > +      </code>
> > +    </p>
> >  </manpage>
> > --
> > 1.9.1
> >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> 
> Acked-by: Han Zhou <hzhou8@ebay.com>

Thanks, Ali and Han.  I applied this to master.  Let me know if it needs
backports.

Patch

diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 3ff0df6..d71071a 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -116,6 +116,9 @@  start_ovsdb__() {
     local addr
     local active_conf_file
     local use_remote_in_db
+    local ovn_db_ssl_key
+    local ovn_db_ssl_cert
+    local ovn_db_ssl_cacert
     eval pid=\$DB_${DB}_PID
     eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
     eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
@@ -137,6 +140,9 @@  start_ovsdb__() {
     eval addr=\$DB_${DB}_ADDR
     eval active_conf_file=\$ovn${db}_active_conf_file
     eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
+    eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
+    eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
+    eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
 
     # Check and eventually start ovsdb-server for DB
     if pidfile_is_running $pid; then
@@ -183,9 +189,23 @@  $cluster_remote_port
     if test X"$use_remote_in_db" != Xno; then
         set "$@" --remote=db:$schema_name,$table_name,connections
     fi
-    set "$@" --private-key=db:$schema_name,SSL,private_key
-    set "$@" --certificate=db:$schema_name,SSL,certificate
-    set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
+
+    if test X"$ovn_db_ssl_key" != X; then
+        set "$@" --private-key=$ovn_db_ssl_key
+    else
+        set "$@" --private-key=db:$schema_name,SSL,private_key
+    fi
+    if test X"$ovn_db_ssl_cert" != X; then
+        set "$@" --certificate=$ovn_db_ssl_cert
+    else
+        set "$@" --certificate=db:$schema_name,SSL,certificate
+    fi
+    if test X"$ovn_db_ssl_cacert" != X; then
+        set "$@" --ca-cert=$ovn_db_ssl_cacert
+    else
+        set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
+    fi
+
     set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
     set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
 
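Review bot: The operator-supplied file paths are expanded unquoted in `set "$@" --private-key=$ovn_db_ssl_key`, `--certificate=$ovn_db_ssl_cert` and `--ca-cert=$ovn_db_ssl_cacert`, so a path containing whitespace or glob characters is word-split or globbed before it reaches ovsdb-server, which would then be started with a truncated or wrong key/cert path. Quoting the whole argument avoids that: `set "$@" "--private-key=$ovn_db_ssl_key"`, `set "$@" "--certificate=$ovn_db_ssl_cert"`, `set "$@" "--ca-cert=$ovn_db_ssl_cacert"`. The neighbouring `db:$schema_name,...` lines are unquoted as well, but those values are script-internal rather than command-line input. Nothing here checks that a supplied file exists and is readable, so a typo in the path only surfaces when ovsdb-server fails to start; a `test -r` on each non-empty path with a logged error would fail earlier and more visibly. start_ovsdb__ begins and ends outside this hunk.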
@@ -481,6 +501,15 @@  set_defaults () {
     OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
     DB_NB_USE_REMOTE_IN_DB="yes"
     DB_SB_USE_REMOTE_IN_DB="yes"
+
+    OVN_NB_DB_SSL_KEY=""
+    OVN_NB_DB_SSL_CERT=""
+    OVN_NB_DB_SSL_CA_CERT=""
+
+    OVN_SB_DB_SSL_KEY=""
+    OVN_SB_DB_SSL_CERT=""
+    OVN_SB_DB_SSL_CA_CERT=""
+
 }
 
 set_option () {
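Review bot: The added block ends with a blank line immediately before the closing `}` of set_defaults, which the rest of this function does not do; dropping that trailing blank line keeps the layout consistent. A one-line comment above the new defaults, such as `# Empty means: read key/cert/CA from the SSL table of the database itself`, would document why the empty string is the chosen default and how it relates to the fallback in start_ovsdb__.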
@@ -536,6 +565,12 @@  Options:
   --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
   --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
   --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
+  --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
+  --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
+  --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
+  --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
+  --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
+  --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
   --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
                                    automatically started and stopped along
                                    with ovn-northd. The default is "yes". If
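Review bot: The help text for the six new options does not say that a supplied file overrides the value stored in the database's SSL table, which is the behaviour the change in start_ovsdb__ appears to implement and the property an operator deploying HA needs to know. Extending each description, e.g. `--ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file (overrides the SSL table in the DB)`, and likewise for the cert, CA cert and SB variants, would make that explicit. The usage block continues outside this hunk.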
diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
index 3b0e67a..c5294d7 100644
--- a/ovn/utilities/ovn-ctl.8.xml
+++ b/ovn/utilities/ovn-ctl.8.xml
@@ -198,4 +198,18 @@ 
           start_northd
       </code>
     </p>
+
+    <h2>Passing ssl keys when starting OVN dbs will supercede the default ssl values in db</h2>
+    <h3>Starting standalone ovn db server passing SSL certificates</h3>
+    <p>
+      <code>
+        # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
+          --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
+          --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
+          --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
+          --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
+          --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
+           start_northd
+      </code>
+    </p>
 </manpage>