From patchwork Thu May 13 22:46:10 2021
X-Patchwork-Submitter: Han Zhou
X-Patchwork-Id: 1478245
From: Han Zhou
To: dev@openvswitch.org
Date: Thu, 13 May 2021 15:46:10 -0700
Message-Id: <20210513224614.1878220-1-hzhou@ovn.org>
X-Mailer: git-send-email 2.30.2
Subject: [ovs-dev] [PATCH ovn 1/5] ovn-controller: Support ssl cert rotation when command line options are used.

When SSL configurations are set in the Open_vSwitch SSL table, ovn-controller handles file updates properly by re-applying the settings in the main loop. However, it is also valid to set the options on the command line of ovn-controller without using the SSL table. In this case, the options are set one time only and are never reapplied when the file content changes. This patch fixes this by allowing the command line options to be reapplied in the main loop, if they are set. SSL table settings still take precedence if both exist.

Signed-off-by: Han Zhou
---
 controller/ovn-controller.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 67c51a86f..5a755276b 100644
--- a/controller/ovn-controller.c +++ b/controller/ovn-controller.c @@ -97,6 +97,11 @@ static unixctl_cb_func debug_delay_nb_cfg_report; static char *parse_options(int argc, char *argv[]); OVS_NO_RETURN static void usage(void); +/* SSL options */ +static const char *ssl_private_key_file; +static const char *ssl_certificate_file; +static const char *ssl_ca_cert_file; + /* By default don't set an upper bound for the lflow cache. */ #define DEFAULT_LFLOW_CACHE_MAX_ENTRIES UINT32_MAX #define DEFAULT_LFLOW_CACHE_MAX_MEM_KB (UINT64_MAX / 1024) @@ -441,6 +446,11 @@ update_ssl_config(const struct ovsrec_ssl_table *ssl_table) if (ssl) { stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate); stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert); + } else if (ssl_private_key_file && ssl_certificate_file && + ssl_ca_cert_file) { + stream_ssl_set_key_and_cert(ssl_private_key_file, + ssl_certificate_file); + stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); } } @@ -3320,7 +3330,19 @@ parse_options(int argc, char *argv[]) VLOG_OPTION_HANDLERS OVN_DAEMON_OPTION_HANDLERS - STREAM_SSL_OPTION_HANDLERS + + case 'p': + ssl_private_key_file = optarg; + break; + + case 'c': + ssl_certificate_file = optarg; + break; + + case 'C': + ssl_ca_cert_file = optarg; + break; + case OPT_PEER_CA_CERT: stream_ssl_set_peer_ca_cert_file(optarg);
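Review bot: the comment on the three new file-scope statics (`/* SSL options */`) should say what they actually are: the values of -p/-c/-C from the command line, kept as raw optarg pointers so that update_ssl_config can re-apply them every main-loop iteration, and consulted only when the Open_vSwitch SSL table has no row. Holding optarg pointers is fine since argv outlives the daemon, but a reader of update_ssl_config has no way to tell from the names alone that these are command-line values and not the last values taken from the SSL table.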
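Review bot: the new else-if branch in update_ssl_config only fires when all three of ssl_private_key_file, ssl_certificate_file and ssl_ca_cert_file are set, whereas the STREAM_SSL_OPTION_HANDLERS cases this patch removes from parse_options applied each option independently at parse time. With this patch, a user who passes only -p and -c (or only -C) has those files never handed to stream_ssl at all, not just not rotated, which is a silent regression. Suggest applying whichever options are present, e.g. `if (ssl_private_key_file && ssl_certificate_file) { stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file); }` followed by `if (ssl_ca_cert_file) { stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); }`, and keep the existing behaviour that the key and certificate are set together. It would also help operators to log once (VLOG_INFO or similar) when an SSL table row exists and command-line SSL options are therefore ignored, since that precedence is only stated in the commit message.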
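Review bot: replacing STREAM_SSL_OPTION_HANDLERS in parse_options with hand-written 'p', 'c' and 'C' cases drops any other case that macro expanded to. In current OVS the macro also handles OPT_SSL_PROTOCOLS (--ssl-protocols) and OPT_SSL_CIPHERS (--ssl-ciphers); if that is true of the OVS tree this builds against, those options now fall through to the switch's default case instead of being applied. Please either add explicit `case OPT_SSL_PROTOCOLS: stream_ssl_set_protocols(optarg); break;` and `case OPT_SSL_CIPHERS: stream_ssl_set_ciphers(optarg); break;` next to the new cases, or confirm in the commit message that the macro covered only -p/-c/-C here. Separately, the patch changes when the command-line key, certificate and CA file first reach stream_ssl: previously at option parsing, now only on the first call to update_ssl_config in the main loop. That is probably harmless because the SB remote is learned from the OVS database first, but it should be stated in the commit message so nobody is surprised that an SSL connection attempted before the first update_ssl_config sees no configuration.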