From patchwork Tue Oct 9 11:00:46 2018
X-Patchwork-Submitter: aginwala
X-Patchwork-Id: 981536
From: aginwala
To: dev@openvswitch.org
Date: Tue, 9 Oct 2018 04:00:46 -0700
Message-Id: <1539082846-29711-2-git-send-email-aginwala@ebay.com>
In-Reply-To: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
References: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
Cc: aginwala
Subject: [ovs-dev] [PATCH v3 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl certs for starting standby DBs. Hence, we need this change.

Signed-off-by: aginwala
Acked-by: Han Zhou
Acked-by: Numan Siddique
---
 ovn/utilities/ovndb-servers.ocf | 72 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)

diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf
index 52141c7..1031330 100755
--- a/ovn/utilities/ovndb-servers.ocf
+++ b/ovn/utilities/ovndb-servers.ocf
@@ -10,6 +10,12 @@ : ${MANAGE_NORTHD_DEFAULT="no"} : ${INACTIVE_PROBE_DEFAULT="5000"} : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server" @@ -21,6 +27,13 @@ SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} + # In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY # to false and pass LB vip IP while creating pcs resource. 
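Review bot: the new resource parameter names in the `@@ -21,6 +27,13 @@` hunk (`OCF_RESKEY_ovn_nb_db_privkey`, `OCF_RESKEY_ovn_sb_db_cacert` and the other four) carry an `ovn_` prefix that none of the existing parameters in the same block use (`OCF_RESKEY_sb_master_port`, `OCF_RESKEY_manage_northd`, `OCF_RESKEY_inactive_probe_interval`), and the shell names `NB_PRIVKEY`/`NB_CERT`/`NB_CACERT` do not line up with their defaults `NB_SSL_KEY_DEFAULT`/`NB_SSL_CERT_DEFAULT`/`NB_SSL_CACERT_DEFAULT`. Consider dropping the prefix (`nb_db_privkey`, `sb_db_privkey`, ...) or documenting why it is there, and using one naming scheme for each variable and its default, so the six SSL settings read like the rest of the file.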
@@ -132,6 +145,54 @@ ovsdb_server_metadata() { + + + OVN NB DB private key absolute path for ssl setup. + + OVN NB DB private key file + + + + + + OVN NB DB certificate absolute path for ssl setup. + + OVN NB DB cert file + + + + + + OVN NB DB CA certificate absolute path for ssl setup. + + OVN NB DB cacert file + + + + + + OVN SB DB private key absolute path for ssl setup. + + OVN SB DB private key file + + + + + + OVN SB DB certificate absolute path for ssl setup. + + OVN SB DB cert file + + + + + + OVN SB DB CA certificate absolute path for ssl setup. + + OVN SB DB cacert file + + + @@ -326,6 +387,16 @@ ovsdb_server_start() { set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} fi + if [ "x${NB_MASTER_PROTO}" = xssl ]; then + set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} + set $@ --ovn-nb-db-ssl-cert=${NB_CERT} + set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} + fi + if [ "x${SB_MASTER_PROTO}" = xssl ]; then + set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY} + set $@ --ovn-sb-db-ssl-cert=${SB_CERT} + set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT} + fi if [ "x${present_master}" = x ]; then # No master detected, or the previous master is not among the # set starting. @@ -343,7 +414,6 @@ ovsdb_server_start() { set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} --db-sb-sync-from-addr=${INVALID_IP_ADDRESS} elif [ ${present_master} != ${host_name} ]; then - # TODO: for using LB vip, need to test for ssl. if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then if [ "x${NB_MASTER_PROTO}" = xtcp ]; then set $@ --db-nb-create-insecure-remote=yes
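Review bot: the six parameter descriptions added in the `ovsdb_server_metadata()` hunk say only that each path is "for ssl setup"; they should state that the parameter is consulted only when `nb_master_protocol` (or `sb_master_protocol`) is `ssl`, and give the default used when it is omitted (`/etc/openvswitch/ovnnb-privkey.pem`, `/etc/openvswitch/cacert.pem` and so on), so an operator defining the pcs resource can see which three files each DB needs and where the agent looks by default.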
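Review bot: in the `ovsdb_server_start()` hunk the key, certificate and CA paths are passed straight through as `--ovn-nb-db-ssl-key=${NB_PRIVKEY}`, `--ovn-nb-db-ssl-cert=${NB_CERT}` and `--ovn-nb-db-ssl-ca-cert=${NB_CACERT}` (and the SB equivalents) without checking that the files exist and are readable, so a missing or unreadable key is only discovered when the database server fails to come up, with nothing in the agent's own log naming the cause. A readability test on each of the three files inside the `if [ "x${NB_MASTER_PROTO}" = xssl ]` and `if [ "x${SB_MASTER_PROTO}" = xssl ]` blocks (or in the agent's validate step), returning a configuration error that names the file, would make a mis-set path fail fast. The expansions are also unquoted, so a path containing spaces would be split into several arguments; that matches the surrounding `set $@` lines, so either quote consistently or note the limitation.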
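Review bot: the last hunk drops `# TODO: for using LB vip, need to test for ssl.` but neither the commit message nor the hunk says what resolved it; the commit message should state that the LB VIP path was exercised with `nb_master_protocol`/`sb_master_protocol` set to `ssl` and with which `LISTEN_ON_MASTER_IP_ONLY` setting, since the visible context below the removed line only handles the `xtcp` case for the standby's `--db-nb-create-insecure-remote=yes` and the `ssl` branch of that `if` lies outside this diff.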