| Message ID | 20170612224239.12808-1-lrichard@redhat.com |
|---|---|
| State | Accepted |
| Delegated to | Russell Bryant |
On Mon, Jun 12, 2017 at 6:42 PM, Lance Richardson <lrichard@redhat.com> wrote:
> Enable OVN_Southbound RBAC by default in the sandbox environment,
> provide a new option "--no-ovn-rbac" to disable it.
>
> Signed-off-by: Lance Richardson <lrichard@redhat.com>
> ---
>  tutorial/ovs-sandbox | 17 +++++++++++++----
>  1 file changed, 13 insertions(+), 4 deletions(-)

Thanks for the patch.  It seems to work fine for me.  I applied this to master.

I noticed that the backup southbound database is generating a lot of
errors in the log, though it's unrelated to this patch.  I believe it
was caused by the earlier patch to make ovs-sandbox use SSL by
default.

2017-06-13T17:04:07.433Z|00007|socket_util|ERR|6642: bind: Address already in use
2017-06-13T17:04:07.433Z|00008|ovsdb_jsonrpc_server|ERR|pssl:6642: listen failed: Address already in use

I'm not sure the best way to clean this up.  Perhaps we could just run
each southbound db in its own net namespace.
On Tue, Jun 13, 2017 at 01:13:31PM -0400, Russell Bryant wrote:
> On Mon, Jun 12, 2017 at 6:42 PM, Lance Richardson <lrichard@redhat.com> wrote:
> > Enable OVN_Southbound RBAC by default in the sandbox environment,
> > provide a new option "--no-ovn-rbac" to disable it.
> >
> > Signed-off-by: Lance Richardson <lrichard@redhat.com>
> > ---
> >  tutorial/ovs-sandbox | 17 +++++++++++++----
> >  1 file changed, 13 insertions(+), 4 deletions(-)
>
> Thanks for the patch.  It seems to work fine for me.  I applied this to master.
>
> I noticed that the backup southbound database is generating a lot of
> errors in the log, though it's unrelated to this patch.  I believe it
> was caused by the earlier patch to make ovs-sandbox use SSL by
> default.
>
> 2017-06-13T17:04:07.433Z|00007|socket_util|ERR|6642: bind: Address
> already in use
> 2017-06-13T17:04:07.433Z|00008|ovsdb_jsonrpc_server|ERR|pssl:6642:
> listen failed: Address already in use
>
> I'm not sure the best way to clean this up.  Perhaps we could just run
> each southbound db in its own net namespace.

Maybe run it on a different port?
> From: "Russell Bryant" <russell@ovn.org>
> To: "Lance Richardson" <lrichard@redhat.com>
> Cc: "ovs dev" <dev@openvswitch.org>
> Sent: Tuesday, 13 June, 2017 1:13:31 PM
> Subject: Re: [ovs-dev] [PATCH] sandbox: ovn rbac support for sandbox environment
>
> On Mon, Jun 12, 2017 at 6:42 PM, Lance Richardson <lrichard@redhat.com> wrote:
> > Enable OVN_Southbound RBAC by default in the sandbox environment,
> > provide a new option "--no-ovn-rbac" to disable it.
> >
> > Signed-off-by: Lance Richardson <lrichard@redhat.com>
> > ---
> >  tutorial/ovs-sandbox | 17 +++++++++++++----
> >  1 file changed, 13 insertions(+), 4 deletions(-)
>
> Thanks for the patch.  It seems to work fine for me.  I applied this to master.
>
> I noticed that the backup southbound database is generating a lot of
> errors in the log, though it's unrelated to this patch.  I believe it
> was caused by the earlier patch to make ovs-sandbox use SSL by
> default.
>
> 2017-06-13T17:04:07.433Z|00007|socket_util|ERR|6642: bind: Address already in use
> 2017-06-13T17:04:07.433Z|00008|ovsdb_jsonrpc_server|ERR|pssl:6642: listen failed: Address already in use
>

I see... Before SSL was enabled, a separate AF_UNIX socket was used for
each southbound db; with SSL enabled, we do have a collision.

It's not clear to me what you can do with the backup db in the sandbox
environment other than use ovn-sbctl to inspect its contents as mentioned
in the script.  If that's it, maybe we could simply remove this option
when starting the backup ovsdb-server (the AF_UNIX socket is still
available):

    --remote=db:OVN_Southbound,SB_Global,connections \

> I'm not sure the best way to clean this up.  Perhaps we could just run
> each southbound db in its own net namespace.

Hopefully we can find a way that avoids needing administrative privileges...

>
> --
> Russell Bryant
>
On Tue, Jun 13, 2017 at 1:24 PM, Ben Pfaff <blp@ovn.org> wrote:
> On Tue, Jun 13, 2017 at 01:13:31PM -0400, Russell Bryant wrote:
>> On Mon, Jun 12, 2017 at 6:42 PM, Lance Richardson <lrichard@redhat.com> wrote:
>> > Enable OVN_Southbound RBAC by default in the sandbox environment,
>> > provide a new option "--no-ovn-rbac" to disable it.
>> >
>> > Signed-off-by: Lance Richardson <lrichard@redhat.com>
>> > ---
>> >  tutorial/ovs-sandbox | 17 +++++++++++++----
>> >  1 file changed, 13 insertions(+), 4 deletions(-)
>>
>> Thanks for the patch.  It seems to work fine for me.  I applied this to master.
>>
>> I noticed that the backup southbound database is generating a lot of
>> errors in the log, though it's unrelated to this patch.  I believe it
>> was caused by the earlier patch to make ovs-sandbox use SSL by
>> default.
>>
>> 2017-06-13T17:04:07.433Z|00007|socket_util|ERR|6642: bind: Address
>> already in use
>> 2017-06-13T17:04:07.433Z|00008|ovsdb_jsonrpc_server|ERR|pssl:6642:
>> listen failed: Address already in use
>>
>> I'm not sure the best way to clean this up.  Perhaps we could just run
>> each southbound db in its own net namespace.
>
> Maybe run it on a different port?

I was thinking it wouldn't work because we're setting up the SSL
connection in the OVN_Southbound db, which is replicated between the
two, so they're both trying to listen on the same port.  If we can set
up the connection only as command line args instead of through the db,
a different port would work.
diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox index a03018a..15a3a0a 100755 --- a/tutorial/ovs-sandbox +++ b/tutorial/ovs-sandbox @@ -69,6 +69,7 @@ built=false ovn=false ovnsb_schema= ovnnb_schema= +ovn_rbac=true dummy=override for option; do @@ -118,6 +119,7 @@ These options force ovs-sandbox to use an installed Open vSwitch: for any daemon set to run under gdb -S, --schema=FILE use FILE as vswitch.ovsschema -o, --ovn enable OVN + --no-ovn-rbac disable role-based access control for OVN Other options: -h, --help Print this usage message. @@ -186,6 +188,9 @@ EOF -o|--ovn) ovn=true ;; + --no-ovn-rbac) + ovn_rbac=false + ;; -R|--gdb-run) gdb_vswitchd_ex=true gdb_ovsdb_ex=true @@ -337,7 +342,7 @@ if $ovn; then $OVS_PKI -B 1024 init $OVS_PKI -B 1024 req+sign ovnsb switch $OVS_PKI -B 1024 req+sign ovnnb switch - $OVS_PKI -B 1024 req+sign ovn-controller switch + $OVS_PKI -B 1024 -u req+sign chassis-1 switch fi fi rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile -vconsole:off --log-file \ @@ -399,7 +404,7 @@ if $ovn; then ovn-nbctl init ovn-sbctl init - ovs-vsctl set open . external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068 + ovs-vsctl set open . external-ids:system-id=chassis-1 ovs-vsctl set open . external-ids:hostname=sandbox ovs-vsctl set open . external-ids:ovn-encap-type=geneve ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1 
@@ -408,9 +413,13 @@ if $ovn; then ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem ovn-nbctl set-connection pssl:6641 ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem - ovn-sbctl set-connection pssl:6642 + if $ovn_rbac; then + ovn-sbctl set-connection role=ovn-controller pssl:6642 + else + ovn-sbctl set-connection pssl:6642 + fi ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642 - OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem" + OVN_CTRLR_PKI="-p $sandbox/chassis-1-privkey.pem -c $sandbox/chassis-1-cert.pem -C $sandbox/pki/switchca/cacert.pem" else ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock OVN_CTRLR_PKI=""
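Review bot: the `-u` added to `$OVS_PKI -B 1024 -u req+sign chassis-1 switch` in the PKI hunk and the `external-ids:system-id=chassis-1` in the later hunk are coupled, but nothing in the script says so. The southbound `ovn-controller` RBAC role identifies a chassis by the common name of its client certificate, so the name given to `req+sign`, the `system-id`, and the file names in `OVN_CTRLR_PKI` must all stay in agreement, and `-u` is what makes the certificate's common name exactly `chassis-1` rather than the name with a unique suffix appended. Suggest a one-line comment above the `ovs-pki` call, for example `# -u: the cert CN must equal the system-id set below, RBAC matches on it`, so that whoever next renames either value knows to change both.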
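Review bot: `$ovn_rbac` is consulted only in the branch that configures `pssl:6642`; in the `else` branch that points `ovn-remote` at the `unix:` socket, `--no-ovn-rbac` is accepted but has no effect and RBAC is never configured at all. The help line added earlier (`--no-ovn-rbac disable role-based access control for OVN`) and the commit message describe the option as unconditional. Either extend the help text to say that RBAC, and therefore this option, only applies when the sandbox uses SSL for the OVN databases, or print a warning when `--no-ovn-rbac` is given on the non-SSL path so the user is not left believing RBAC was on and has been turned off.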
Enable OVN_Southbound RBAC by default in the sandbox environment,
provide a new option "--no-ovn-rbac" to disable it.

Signed-off-by: Lance Richardson <lrichard@redhat.com>
---
 tutorial/ovs-sandbox | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)