From: Lance Richardson
To: dev@openvswitch.org
Date: Mon, 12 Jun 2017 18:42:39 -0400
Message-Id: <20170612224239.12808-1-lrichard@redhat.com>
Subject: [ovs-dev] [PATCH] sandbox: ovn rbac support for sandbox environment

Enable OVN_Southbound RBAC by default in the sandbox environment, provide a new option "--no-ovn-rbac" to disable it.

Signed-off-by: Lance Richardson

--- tutorial/ovs-sandbox | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox index a03018a..15a3a0a 100755 --- a/tutorial/ovs-sandbox +++ b/tutorial/ovs-sandbox @@ -69,6 +69,7 @@ built=false ovn=false ovnsb_schema= ovnnb_schema= +ovn_rbac=true dummy=override for option; do @@ -118,6 +119,7 @@ These options force ovs-sandbox to use an installed Open vSwitch: for any daemon set to run under gdb -S, --schema=FILE use FILE as vswitch.ovsschema -o, --ovn enable OVN + --no-ovn-rbac disable role-based access control for OVN Other options: -h, --help Print this usage message. @@ -186,6 +188,9 @@ EOF -o|--ovn) ovn=true ;; + --no-ovn-rbac) + ovn_rbac=false + ;; -R|--gdb-run) gdb_vswitchd_ex=true gdb_ovsdb_ex=true 
@@ -337,7 +342,7 @@ if $ovn; then $OVS_PKI -B 1024 init $OVS_PKI -B 1024 req+sign ovnsb switch $OVS_PKI -B 1024 req+sign ovnnb switch - $OVS_PKI -B 1024 req+sign ovn-controller switch + $OVS_PKI -B 1024 -u req+sign chassis-1 switch fi fi rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile -vconsole:off --log-file \ @@ -399,7 +404,7 @@ if $ovn; then ovn-nbctl init ovn-sbctl init - ovs-vsctl set open . external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068 + ovs-vsctl set open . external-ids:system-id=chassis-1 ovs-vsctl set open . external-ids:hostname=sandbox ovs-vsctl set open . external-ids:ovn-encap-type=geneve ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1 @@ -408,9 +413,13 @@ if $ovn; then ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem ovn-nbctl set-connection pssl:6641 ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem - ovn-sbctl set-connection pssl:6642 + if $ovn_rbac; then + ovn-sbctl set-connection role=ovn-controller pssl:6642 + else + ovn-sbctl set-connection pssl:6642 + fi ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642 - OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem" + OVN_CTRLR_PKI="-p $sandbox/chassis-1-privkey.pem -c $sandbox/chassis-1-cert.pem -C $sandbox/pki/switchca/cacert.pem" else ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock OVN_CTRLR_PKI=""
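Review bot: In the usage-text hunk (@@ -118,6 +119,7 @@), the new `--no-ovn-rbac` line does not say that RBAC is now on by default or that the option only matters together with `-o, --ovn`, and the option-parsing hunk (@@ -186,6 +188,9 @@) accepts it silently when `--ovn` is absent. Consider wording such as "disable role-based access control for OVN (enabled by default with --ovn)" so a reader of `--help` can tell what the default is.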
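Review bot: In the PKI hunk (@@ -337,7 +342,7 @@), the replacement line `$OVS_PKI -B 1024 -u req+sign chassis-1 switch` adds `-u` and renames the certificate with no comment explaining why either is required, and it does so whether or not `--no-ovn-rbac` was given. A one-line shell comment above it stating what the role check expects from the controller certificate would make the dependency visible to the next person editing this block.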
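Review bot: In the system-id hunk (@@ -399,7 +404,7 @@), `external-ids:system-id` changes from a UUID to the fixed string `chassis-1` unconditionally, which the commit message does not mention and which also affects runs with `--no-ovn-rbac`. The same literal now appears in three places (the `req+sign chassis-1` line, this `system-id`, and the `chassis-1-privkey.pem` / `chassis-1-cert.pem` paths in `OVN_CTRLR_PKI`); if these have to agree, define it once near `ovn_rbac=true` (for example a `chassis_name` variable) and reference it everywhere, and note the system-id change in the commit message.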
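Review bot: In the connection hunk (@@ -408,9 +413,13 @@), `role=ovn-controller` is applied only inside the branch that configures `pssl:6642`; the `else` branch that sets `ovn-remote=unix:"$sandbox"/ovnsb_db.sock` never consults `ovn_rbac`, so with the default `ovn_rbac=true` the sandbox runs without the role and says nothing about it. That does not match "Enable OVN_Southbound RBAC by default" in the commit message. Either document that RBAC applies only to the SSL setup or print a notice in the non-SSL branch when `$ovn_rbac` is true.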