@@ -80,6 +80,11 @@ static const char *ovn_ic_nb_db;
static const char *ovn_ic_sb_db;
static const char *unixctl_path;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
static void
usage(void)
@@ -1519,7 +1524,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
switch (c) {
OVN_DAEMON_OPTION_HANDLERS;
VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
case 'd':
ovnsb_db = optarg;
@@ -1585,6 +1601,18 @@ add_column_noalert(struct ovsdb_idl *idl,
ovsdb_idl_omit_alert(idl, column);
}
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
int
main(int argc, char *argv[])
{
@@ -1655,6 +1683,7 @@ main(int argc, char *argv[])
state.had_lock = false;
state.paused = false;
while (!exiting) {
+ update_ssl_config();
memory_run();
if (memory_should_report()) {
struct simap usage = SIMAP_INITIALIZER(&usage);
@@ -74,6 +74,11 @@ static const char *ovnnb_db;
static const char *ovnsb_db;
static const char *unixctl_path;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
/* Frequently used table ids. */
static table_id WARNING_TABLE_ID;
static table_id NB_CFG_TIMESTAMP_ID;
@@ -1097,7 +1102,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
switch (c) {
OVN_DAEMON_OPTION_HANDLERS;
VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
case OPT_DDLOG_RECORD:
record_file = optarg;
@@ -1143,6 +1159,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
free(short_options);
}
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
int
main(int argc, char *argv[])
{
@@ -1222,6 +1250,7 @@ main(int argc, char *argv[])
/* Main loop. */
exiting = false;
while (!exiting) {
+ update_ssl_config();
memory_run();
if (memory_should_report()) {
struct simap usage = SIMAP_INITIALIZER(&usage);
@@ -107,6 +107,11 @@ static bool use_ct_inv_match = true;
static int northd_probe_interval_nb = 0;
static int northd_probe_interval_sb = 0;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
#define MAX_OVN_TAGS 4096
/* Pipeline stages. */
@@ -14009,7 +14014,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
switch (c) {
OVN_DAEMON_OPTION_HANDLERS;
VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
case 'd':
ovnsb_db = optarg;
@@ -14059,6 +14075,18 @@ add_column_noalert(struct ovsdb_idl *idl,
ovsdb_idl_omit_alert(idl, column);
}
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
int
main(int argc, char *argv[])
{
@@ -14375,6 +14403,7 @@ main(int argc, char *argv[])
state.paused = false;
while (!exiting) {
+ update_ssl_config();
memory_run();
if (memory_should_report()) {
struct simap usage = SIMAP_INITIALIZER(&usage);
@@ -3556,3 +3556,41 @@ AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl
AT_CLEANUP
])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn -- northd ssl file change])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[ '\"
+\\]"])
+ovn_start --no-backup-northd
+
+as northd
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+
+key=testpki-hv1-privkey.pem
+cert=testpki-hv1-cert.pem
+cacert=testpki-cacert.pem
+
+key2=testpki-hv2-privkey.pem
+cert3=testpki-hv3-cert.pem
+
+# Use mismatched key and cert when restarting using SSL options
+cp $PKIDIR/$key2 $key
+cp $PKIDIR/$cert3 $cert
+cp $PKIDIR/$cacert $cacert
+start_daemon ovn$NORTHD_TYPE -vjsonrpc \
+ --ovnnb-db=$OVN_NB_DB --ovnsb-db=$SSL_OVN_SB_DB \
+ -p $key -c $cert -C $cacert
+
+# SSL should not connect because of key and cert mismatch
+AT_FAIL_IF([ovn-nbctl --timeout=3 --wait=sb sync])
+
+# Modify the files with the correct key and cert, and reconnect should succeed
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+check ovn-nbctl --wait=sb sync
+
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+AT_CLEANUP
+])
Update SSL in the main loop so that updated pki files can be reapplied. Signed-off-by: Han Zhou <hzhou@ovn.org> --- ic/ovn-ic.c | 31 ++++++++++++++++++++++++++++++- northd/ovn-northd-ddlog.c | 31 ++++++++++++++++++++++++++++++- northd/ovn-northd.c | 31 ++++++++++++++++++++++++++++++- tests/ovn-northd.at | 38 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 128 insertions(+), 3 deletions(-)