Message ID | 1539082846-29711-2-git-send-email-aginwala@ebay.com |
---|---|
State | Accepted |
Series | [ovs-dev,v3,1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode. | expand |
On Wed, Oct 10, 2018 at 3:42 AM aginwala <amginwal@gmail.com> wrote: > When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl > certs for starting standby DBs. Hence, we need this change. > > Signed-off-by: aginwala <aginwala@ebay.com> > Acked-by: Han Zhou <hzhou8@ebay.com> > Acked-by: Numan Siddique <nusiddiq@redhat.com> > --- > ovn/utilities/ovndb-servers.ocf | 72 > ++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 71 insertions(+), 1 deletion(-) > > diff --git a/ovn/utilities/ovndb-servers.ocf > b/ovn/utilities/ovndb-servers.ocf > index 52141c7..1031330 100755 > --- a/ovn/utilities/ovndb-servers.ocf > +++ b/ovn/utilities/ovndb-servers.ocf > @@ -10,6 +10,12 @@ > : ${MANAGE_NORTHD_DEFAULT="no"} > : ${INACTIVE_PROBE_DEFAULT="5000"} > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name > OVN_REPL_INFO -s ovn_ovsdb_master_server" 
> @@ -21,6 +27,13 @@ > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > + > > # In order for pacemaker to work with LB, we can set > LISTEN_ON_MASTER_IP_ONLY > # to false and pass LB vip IP while creating pcs resource. 
> @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > <content type="string" /> > </parameter> > > + <parameter name="ovn_nb_db_privkey" unique="1"> > + <longdesc lang="en"> > + OVN NB DB private key absolute path for ssl setup. > + </longdesc> > + <shortdesc lang="en">OVN NB DB private key file</shortdesc> > + <content type="string" /> > + </parameter> > + > + <parameter name="ovn_nb_db_cert" unique="1"> > + <longdesc lang="en"> > + OVN NB DB certificate absolute path for ssl setup. > + </longdesc> > + <shortdesc lang="en">OVN NB DB cert file</shortdesc> > + <content type="string" /> > + </parameter> > + > + <parameter name="ovn_nb_db_cacert" unique="1"> > + <longdesc lang="en"> > + OVN NB DB CA certificate absolute path for ssl setup. > + </longdesc> > + <shortdesc lang="en">OVN NB DB cacert file</shortdesc> > + <content type="string" /> > + </parameter> > + > + <parameter name="ovn_sb_db_privkey" unique="1"> > + <longdesc lang="en"> > + OVN SB DB private key absolute path for ssl setup. > + </longdesc> > + <shortdesc lang="en">OVN SB DB private key file</shortdesc> > + <content type="string" /> > + </parameter> > + > + <parameter name="ovn_sb_db_cert" unique="1"> > + <longdesc lang="en"> > + OVN SB DB certificate absolute path for ssl setup. > + </longdesc> > + <shortdesc lang="en">OVN SB DB cert file</shortdesc> > + <content type="string" /> > + </parameter> > + > + <parameter name="ovn_sb_db_cacert" unique="1"> > + <longdesc lang="en"> > + OVN SB DB CA certificate absolute path for ssl setup. > + </longdesc> > + <shortdesc lang="en">OVN SB DB cacert file</shortdesc> > + <content type="string" /> > + </parameter> > + > </parameters> > > <actions> 
> @@ -326,6 +387,16 @@ ovsdb_server_start() { > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} > fi > > + if [ "x${NB_MASTER_PROTO}" = xssl ]; then > + set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} > + set $@ --ovn-nb-db-ssl-cert=${NB_CERT} > + set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} > + fi > + if [ "x${SB_MASTER_PROTO}" = xssl ]; then > + set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY} > + set $@ --ovn-sb-db-ssl-cert=${SB_CERT} > + set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT} > + fi > if [ "x${present_master}" = x ]; then > # No master detected, or the previous master is not among the > # set starting. > @@ -343,7 +414,6 @@ ovsdb_server_start() { > set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} > --db-sb-sync-from-addr=${INVALID_IP_ADDRESS} > > elif [ ${present_master} != ${host_name} ]; then > - # TODO: for using LB vip, need to test for ssl. > if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then > if [ "x${NB_MASTER_PROTO}" = xtcp ]; then > set $@ --db-nb-create-insecure-remote=yes > -- > 1.9.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
On Wed, Oct 10, 2018 at 11:42:08AM +0530, Numan Siddique wrote: > On Wed, Oct 10, 2018 at 3:42 AM aginwala <amginwal@gmail.com> wrote: > > > When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl > > certs for starting standby DBs. Hence, we need this change. > > > > Signed-off-by: aginwala <aginwala@ebay.com> > > Acked-by: Han Zhou <hzhou8@ebay.com> > > > > Acked-by: Numan Siddique <nusiddiq@redhat.com> Thanks, Ali and Numan (and Han). I applied this to master. Let me know if it needs backports.
Thanks Ben: Please backport it to 2.10 and 2.9 On Thu, Oct 11, 2018 at 2:06 PM Ben Pfaff <blp@ovn.org> wrote: > On Wed, Oct 10, 2018 at 11:42:08AM +0530, Numan Siddique wrote: > > On Wed, Oct 10, 2018 at 3:42 AM aginwala <amginwal@gmail.com> wrote: > > > > > When starting OVN DBs in HA using pacemaker with ssl, we need to pass > ssl > > > certs for starting standby DBs. Hence, we need this change. > > > > > > Signed-off-by: aginwala <aginwala@ebay.com> > > > Acked-by: Han Zhou <hzhou8@ebay.com> > > > > > > > Acked-by: Numan Siddique <nusiddiq@redhat.com> > > Thanks, Ali and Numan (and Han). I applied this to master. Let me know > if it needs backports. >
You're welcome. Done. On Thu, Oct 11, 2018 at 02:33:38PM -0700, aginwala aginwala wrote: > Thanks Ben: > > Please backport it to 2.10 and 2.9 > > On Thu, Oct 11, 2018 at 2:06 PM Ben Pfaff <blp@ovn.org> wrote: > > > On Wed, Oct 10, 2018 at 11:42:08AM +0530, Numan Siddique wrote: > > > On Wed, Oct 10, 2018 at 3:42 AM aginwala <amginwal@gmail.com> wrote: > > > > > > > When starting OVN DBs in HA using pacemaker with ssl, we need to pass > > ssl > > > > certs for starting standby DBs. Hence, we need this change. > > > > > > > > Signed-off-by: aginwala <aginwala@ebay.com> > > > > Acked-by: Han Zhou <hzhou8@ebay.com> > > > > > > > > > > Acked-by: Numan Siddique <nusiddiq@redhat.com> > > > > Thanks, Ali and Numan (and Han). I applied this to master. Let me know > > if it needs backports. > >
diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf
index 52141c7..1031330 100755
--- a/ovn/utilities/ovndb-servers.ocf
+++ b/ovn/utilities/ovndb-servers.ocf
@@ -10,6 +10,12 @@
 : ${MANAGE_NORTHD_DEFAULT="no"}
 : ${INACTIVE_PROBE_DEFAULT="5000"}
 : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
+: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
+: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
+: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
+: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
+: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
+: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
 
 CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
 CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
@@ -21,6 +27,13 @@
 SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
+NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
+NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
+SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
+SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
+
 # In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY
 # to false and pass LB vip IP while creating pcs resource.
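Review bot: The six `*_SSL_*_DEFAULT` paths in the first hunk are bare literals with nothing saying where they must agree with; they are only useful if they match what ovn-ctl (presumably patch 1/2 of this series, going by its title) falls back to when the new options are omitted, so a one-line comment above them such as `# Default SSL key/cert/CA paths; keep in sync with the defaults in ovn-ctl.` would keep the two from drifting. Note also that NB and SB share the same `cacert.pem` default, which looks intentional but is worth stating in that comment so a later reader does not "fix" it.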
@@ -132,6 +145,54 @@ ovsdb_server_metadata() {
 <content type="string" />
 </parameter>
 
+ <parameter name="ovn_nb_db_privkey" unique="1">
+ <longdesc lang="en">
+ OVN NB DB private key absolute path for ssl setup.
+ </longdesc>
+ <shortdesc lang="en">OVN NB DB private key file</shortdesc>
+ <content type="string" />
+ </parameter>
+
+ <parameter name="ovn_nb_db_cert" unique="1">
+ <longdesc lang="en">
+ OVN NB DB certificate absolute path for ssl setup.
+ </longdesc>
+ <shortdesc lang="en">OVN NB DB cert file</shortdesc>
+ <content type="string" />
+ </parameter>
+
+ <parameter name="ovn_nb_db_cacert" unique="1">
+ <longdesc lang="en">
+ OVN NB DB CA certificate absolute path for ssl setup.
+ </longdesc>
+ <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
+ <content type="string" />
+ </parameter>
+
+ <parameter name="ovn_sb_db_privkey" unique="1">
+ <longdesc lang="en">
+ OVN SB DB private key absolute path for ssl setup.
+ </longdesc>
+ <shortdesc lang="en">OVN SB DB private key file</shortdesc>
+ <content type="string" />
+ </parameter>
+
+ <parameter name="ovn_sb_db_cert" unique="1">
+ <longdesc lang="en">
+ OVN SB DB certificate absolute path for ssl setup.
+ </longdesc>
+ <shortdesc lang="en">OVN SB DB cert file</shortdesc>
+ <content type="string" />
+ </parameter>
+
+ <parameter name="ovn_sb_db_cacert" unique="1">
+ <longdesc lang="en">
+ OVN SB DB CA certificate absolute path for ssl setup.
+ </longdesc>
+ <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
+ <content type="string" />
+ </parameter>
+
 </parameters>
 
 <actions>
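Review bot: The six new `<longdesc>` entries do not tell the operator what the default path is or that the value is only consulted when the matching `*_master_protocol` parameter is `ssl`, so `crm ra info` output gives no hint that the NB/SB start will silently fall back to files under /etc/openvswitch. Each longdesc should carry both facts, e.g. for `ovn_sb_db_privkey`: `OVN SB DB private key absolute path, used only when sb_master_protocol is ssl. Default: /etc/openvswitch/ovnsb-privkey.pem.`, and if the rest of this metadata block uses the `default=` attribute on `<content>`, putting the path there as well would let Pacemaker show it directly. The `unique="1"` marker on a file path is also questionable, since nothing prevents two NB/SB resources from legitimately sharing one CA file.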
@@ -326,6 +387,16 @@ ovsdb_server_start() {
 set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
 fi
 
+ if [ "x${NB_MASTER_PROTO}" = xssl ]; then
+ set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
+ set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
+ set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
+ fi
+ if [ "x${SB_MASTER_PROTO}" = xssl ]; then
+ set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
+ set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
+ set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
+ fi
 if [ "x${present_master}" = x ]; then
 # No master detected, or the previous master is not among the
 # set starting.
@@ -343,7 +414,6 @@ ovsdb_server_start() {
 set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
 
 elif [ ${present_master} != ${host_name} ]; then
- # TODO: for using LB vip, need to test for ssl.
 if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
 if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
 set $@ --db-nb-create-insecure-remote=yes
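Review bot: The six new `set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}` lines in the first hunk word-split and glob-expand both the accumulated positional parameters and the path, so a key or certificate path containing whitespace or a glob character — and these come straight from the user-supplied `OCF_RESKEY_ovn_*` parameters — is handed on as several arguments or a different file; the surrounding `set $@ --db-sb-addr=...` lines share the habit, but `set "$@" "--ovn-nb-db-ssl-key=${NB_PRIVKEY}"` is the safe form and the same change applies to the other five lines. Nothing here verifies that the three files exist and are readable before the daemons are started, so a mistyped path only shows up as a start failure inside ovsdb-server rather than as a configuration error from the agent; a check like `[ -r "${NB_PRIVKEY}" ] || return $OCF_ERR_CONFIGURED` in the agent's validate path (if it has one) would report it earlier and more clearly. The `--ovn-*-db-ssl-*` option names are presumably the ones patch 1/2 adds to ovn-ctl, which I cannot confirm from this page. The body of ovsdb_server_start starts and ends outside both hunks.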