From patchwork Thu May 13 22:46:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Han Zhou X-Patchwork-Id: 1478245 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fh6GL36sNz9sW5 for ; Fri, 14 May 2021 08:46:32 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 7B43084636; Thu, 13 May 2021 22:46:30 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKFCK1Cpce_u; Thu, 13 May 2021 22:46:29 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTP id AB83F8462B; Thu, 13 May 2021 22:46:28 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 8BA01C000D; Thu, 13 May 2021 22:46:28 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id BFA39C0001 for ; Thu, 13 May 2021 22:46:27 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 98CBB8462B for ; Thu, 13 May 2021 22:46:27 +0000 (UTC) X-Virus-Scanned: 
amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMBQsqFGp7T1 for ; Thu, 13 May 2021 22:46:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by smtp1.osuosl.org (Postfix) with ESMTPS id AC74884621 for ; Thu, 13 May 2021 22:46:26 +0000 (UTC) X-Originating-IP: 216.228.112.22 Received: from localhost.localdomain.com (thunderhill.nvidia.com [216.228.112.22]) (Authenticated sender: hzhou@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 3C83140006; Thu, 13 May 2021 22:46:22 +0000 (UTC) From: Han Zhou To: dev@openvswitch.org Date: Thu, 13 May 2021 15:46:10 -0700 Message-Id: <20210513224614.1878220-1-hzhou@ovn.org> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn 1/5] ovn-controller: Support ssl cert rotation when command line options are used. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" When SSL configurations are set in Open_vSwitch SSL table, ovn-controller handles file update properly by re-applying the settings in the main loop. However, it is also valid to set the options in command line of ovn-controller without using the SSL table. In this case, the options are set onetime only and it never reapplies when the file content changes. This patch fixes this by allowing reapplying the command line options in the main loop, if they are set. SSL table settings still takes precedence if both exist. Signed-off-by: Han Zhou --- controller/ovn-controller.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c index 67c51a86f..5a755276b 100644 
--- a/controller/ovn-controller.c +++ b/controller/ovn-controller.c @@ -97,6 +97,11 @@ static unixctl_cb_func debug_delay_nb_cfg_report; static char *parse_options(int argc, char *argv[]); OVS_NO_RETURN static void usage(void); +/* SSL options */ +static const char *ssl_private_key_file; +static const char *ssl_certificate_file; +static const char *ssl_ca_cert_file; + /* By default don't set an upper bound for the lflow cache. */ #define DEFAULT_LFLOW_CACHE_MAX_ENTRIES UINT32_MAX #define DEFAULT_LFLOW_CACHE_MAX_MEM_KB (UINT64_MAX / 1024) @@ -441,6 +446,11 @@ update_ssl_config(const struct ovsrec_ssl_table *ssl_table) if (ssl) { stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate); stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert); + } else if (ssl_private_key_file && ssl_certificate_file && + ssl_ca_cert_file) { + stream_ssl_set_key_and_cert(ssl_private_key_file, + ssl_certificate_file); + stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); } } 
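Review bot: the new else-if in update_ssl_config() applies the command-line SSL options only when all three of -p, -c and -C were given; an operator who passes just -p and -c gets nothing applied and nothing logged, whereas the removed STREAM_SSL_OPTION_HANDLERS applied each option individually as it was parsed. Either apply whichever options are set (the key/cert pair and the CA file are already separate calls here) or reject an incomplete set at parse time with a clear error. A one-line comment above the branch stating that the SSL table takes precedence over the command line, as the commit message says, would also help, since the precedence is otherwise only implied by the if/else ordering.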
@@ -3320,7 +3330,19 @@ parse_options(int argc, char *argv[]) VLOG_OPTION_HANDLERS OVN_DAEMON_OPTION_HANDLERS - STREAM_SSL_OPTION_HANDLERS + + case 'p': + ssl_private_key_file = optarg; + break; + + case 'c': + ssl_certificate_file = optarg; + break; + + case 'C': + ssl_ca_cert_file = optarg; + break; + case OPT_PEER_CA_CERT: stream_ssl_set_peer_ca_cert_file(optarg); From patchwork Thu May 13 22:46:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Han Zhou X-Patchwork-Id: 1478247 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fh6GS1hbSz9sW5 for ; Fri, 14 May 2021 08:46:40 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 35E0684653; Thu, 13 May 2021 22:46:33 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tEhUEvoOtcdi; Thu, 13 May 2021 22:46:32 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTP id 0B64B84638; Thu, 13 May 2021 22:46:31 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 4769CC0022; Thu, 13 May 2021 22:46:30 +0000 (UTC) X-Original-To: dev@openvswitch.org 
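Review bot: on the parse_options() hunk of patch 1/5 above (controller/ovn-controller.c): the new 'p', 'c' and 'C' cases only record optarg, so a mistyped path is no longer noticed while options are parsed; it surfaces, if at all, only when the main loop's update_ssl_config() runs. The neighbouring OPT_PEER_CA_CERT case still calls stream_ssl_set_peer_ca_cert_file(optarg) immediately, so the peer CA file keeps the one-shot behaviour and is not re-read on rotation; the commit message should say whether that asymmetry is intended. Consider checking that the three files are readable right after parsing, before daemonizing, so a bad path fails loudly rather than being discovered from connection failures later.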
Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 350C9C0001 for ; Thu, 13 May 2021 22:46:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 22D9D41831 for ; Thu, 13 May 2021 22:46:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id udPDDo1u9S_i for ; Thu, 13 May 2021 22:46:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by smtp4.osuosl.org (Postfix) with ESMTPS id 1FAD941829 for ; Thu, 13 May 2021 22:46:26 +0000 (UTC) X-Originating-IP: 216.228.112.22 Received: from localhost.localdomain.com (thunderhill.nvidia.com [216.228.112.22]) (Authenticated sender: hzhou@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id A78E640007; Thu, 13 May 2021 22:46:24 +0000 (UTC) From: Han Zhou To: dev@openvswitch.org Date: Thu, 13 May 2021 15:46:11 -0700 Message-Id: <20210513224614.1878220-2-hzhou@ovn.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210513224614.1878220-1-hzhou@ovn.org> References: <20210513224614.1878220-1-hzhou@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn 2/5] ovn-northd: Support ssl cert rotation. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Update SSL in the main loop so that updated pki files can be reapplied. Signed-off-by: Han Zhou --- northd/ovn-northd.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index f503ddd5e..4804093fd 100644 --- a/northd/ovn-northd.c 
+++ b/northd/ovn-northd.c @@ -107,6 +107,11 @@ static bool use_ct_inv_match = true; static int northd_probe_interval_nb = 0; static int northd_probe_interval_sb = 0; +/* SSL options */ +static const char *ssl_private_key_file; +static const char *ssl_certificate_file; +static const char *ssl_ca_cert_file; + #define MAX_OVN_TAGS 4096 /* Pipeline stages. */ @@ -13978,7 +13983,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) switch (c) { OVN_DAEMON_OPTION_HANDLERS; VLOG_OPTION_HANDLERS; - STREAM_SSL_OPTION_HANDLERS; + + case 'p': + ssl_private_key_file = optarg; + break; + + case 'c': + ssl_certificate_file = optarg; + break; + + case 'C': + ssl_ca_cert_file = optarg; + break; case 'd': ovnsb_db = optarg; @@ -14028,6 +14044,16 @@ add_column_noalert(struct ovsdb_idl *idl, ovsdb_idl_omit_alert(idl, column); } +static void +update_ssl_config(void) +{ + if (!ssl_private_key_file || !ssl_certificate_file || !ssl_ca_cert_file) { + return; + } + stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file); + stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); +} + int main(int argc, char *argv[]) { 
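Review bot: update_ssl_config() here and the three 'p'/'c'/'C' cases above are the same code that patches 3/5, 4/5 and 5/5 add to northd/ovn-northd-ddlog.c, ic/ovn-ic.c and utilities/ovn-nbctl.c; four private copies of the same static variables, option handlers and reload function will drift. Suggest a shared helper in lib/ (an option-handler macro storing into a common struct plus one reload function) so a later fix, for example logging when the option set is incomplete, lands once. Nit: OVS coding style writes comments as full sentences, so "/* SSL options */" should read "/* SSL options. */".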
@@ -14344,6 +14370,7 @@ main(int argc, char *argv[]) state.paused = false; while (!exiting) { + update_ssl_config(); memory_run(); if (memory_should_report()) { struct simap usage = SIMAP_INITIALIZER(&usage); From patchwork Thu May 13 22:46:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Han Zhou X-Patchwork-Id: 1478248 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fh6GW1X2xz9sW5 for ; Fri, 14 May 2021 08:46:43 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id A437E84660; Thu, 13 May 2021 22:46:34 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLndyfe-5xpr; Thu, 13 May 2021 22:46:33 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp1.osuosl.org (Postfix) with ESMTP id 3E00784633; Thu, 13 May 2021 22:46:32 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 5B2AAC0028; Thu, 13 May 2021 22:46:31 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 5638BC0022 
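Review bot: on the main-loop hunk of patch 2/5 above (northd/ovn-northd.c): update_ssl_config() now runs on every iteration of while (!exiting), and the hunk adds no change detection of its own, so both the per-iteration cost and the actual reload-on-change behaviour rest on stream_ssl_set_key_and_cert() and stream_ssl_set_ca_cert_file() being cheap and idempotent when the files are unchanged. If, as I believe, stream-ssl only reloads when a file's modification time changes, a short comment at the call site saying so would save the next reader a trip into lib/stream-ssl.c. The same applies to the identical main-loop hunks in patches 3/5, 4/5 and 5/5.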
for ; Thu, 13 May 2021 22:46:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 511E184631 for ; Thu, 13 May 2021 22:46:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yVtk8U54f2Li for ; Thu, 13 May 2021 22:46:28 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by smtp1.osuosl.org (Postfix) with ESMTPS id 8DC2984621 for ; Thu, 13 May 2021 22:46:28 +0000 (UTC) X-Originating-IP: 216.228.112.22 Received: from localhost.localdomain.com (thunderhill.nvidia.com [216.228.112.22]) (Authenticated sender: hzhou@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 25AA740009; Thu, 13 May 2021 22:46:25 +0000 (UTC) From: Han Zhou To: dev@openvswitch.org Date: Thu, 13 May 2021 15:46:12 -0700 Message-Id: <20210513224614.1878220-3-hzhou@ovn.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210513224614.1878220-1-hzhou@ovn.org> References: <20210513224614.1878220-1-hzhou@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn 3/5] ovn-northd-ddlog: Support ssl cert rotation. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Update SSL in the main loop so that updated pki files can be reapplied. Signed-off-by: Han Zhou --- northd/ovn-northd-ddlog.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/northd/ovn-northd-ddlog.c b/northd/ovn-northd-ddlog.c index b7d2c8a5e..46f734c11 100644 --- a/northd/ovn-northd-ddlog.c +++ b/northd/ovn-northd-ddlog.c 
@@ -74,6 +74,11 @@ static const char *ovnnb_db; static const char *ovnsb_db; static const char *unixctl_path; +/* SSL options */ +static const char *ssl_private_key_file; +static const char *ssl_certificate_file; +static const char *ssl_ca_cert_file; + /* Frequently used table ids. */ static table_id WARNING_TABLE_ID; static table_id NB_CFG_TIMESTAMP_ID; @@ -1094,7 +1099,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) switch (c) { OVN_DAEMON_OPTION_HANDLERS; VLOG_OPTION_HANDLERS; - STREAM_SSL_OPTION_HANDLERS; + + case 'p': + ssl_private_key_file = optarg; + break; + + case 'c': + ssl_certificate_file = optarg; + break; + + case 'C': + ssl_ca_cert_file = optarg; + break; case OPT_DDLOG_RECORD: record_file = optarg; @@ -1140,6 +1156,16 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) free(short_options); } +static void +update_ssl_config(void) +{ + if (!ssl_private_key_file || !ssl_certificate_file || !ssl_ca_cert_file) { + return; + } + stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file); + stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); +} + int main(int argc, char *argv[]) { 
@@ -1219,6 +1245,7 @@ main(int argc, char *argv[]) /* Main loop. */ exiting = false; while (!exiting) { + update_ssl_config(); memory_run(); if (memory_should_report()) { struct simap usage = SIMAP_INITIALIZER(&usage); From patchwork Thu May 13 22:46:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Han Zhou X-Patchwork-Id: 1478246 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fh6GQ43bHz9sW5 for ; Fri, 14 May 2021 08:46:38 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 47D0A60A52; Thu, 13 May 2021 22:46:35 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ywVqVD3LI33e; Thu, 13 May 2021 22:46:34 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTP id 6434260B98; Thu, 13 May 2021 22:46:33 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 1528FC0022; Thu, 13 May 2021 22:46:33 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org 
(Postfix) with ESMTP id 59333C001C for ; Thu, 13 May 2021 22:46:31 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 14C3D41832 for ; Thu, 13 May 2021 22:46:31 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OAJ5k2leiMzZ for ; Thu, 13 May 2021 22:46:30 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by smtp4.osuosl.org (Postfix) with ESMTPS id 04DE241835 for ; Thu, 13 May 2021 22:46:29 +0000 (UTC) X-Originating-IP: 216.228.112.22 Received: from localhost.localdomain.com (thunderhill.nvidia.com [216.228.112.22]) (Authenticated sender: hzhou@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 93B4B4000A; Thu, 13 May 2021 22:46:27 +0000 (UTC) From: Han Zhou To: dev@openvswitch.org Date: Thu, 13 May 2021 15:46:13 -0700 Message-Id: <20210513224614.1878220-4-hzhou@ovn.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210513224614.1878220-1-hzhou@ovn.org> References: <20210513224614.1878220-1-hzhou@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn 4/5] ovn-ic: Support ssl cert rotation. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Update SSL in the main loop so that updated pki files can be reapplied. Signed-off-by: Han Zhou --- ic/ovn-ic.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 18e37a31f..dec29fcfd 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c 
@@ -80,6 +80,11 @@ static const char *ovn_ic_nb_db; static const char *ovn_ic_sb_db; static const char *unixctl_path; +/* SSL options */ +static const char *ssl_private_key_file; +static const char *ssl_certificate_file; +static const char *ssl_ca_cert_file; + static void usage(void) @@ -1519,7 +1524,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) switch (c) { OVN_DAEMON_OPTION_HANDLERS; VLOG_OPTION_HANDLERS; - STREAM_SSL_OPTION_HANDLERS; + + case 'p': + ssl_private_key_file = optarg; + break; + + case 'c': + ssl_certificate_file = optarg; + break; + + case 'C': + ssl_ca_cert_file = optarg; + break; case 'd': ovnsb_db = optarg; @@ -1585,6 +1601,16 @@ add_column_noalert(struct ovsdb_idl *idl, ovsdb_idl_omit_alert(idl, column); } +static void +update_ssl_config(void) +{ + if (!ssl_private_key_file || !ssl_certificate_file || !ssl_ca_cert_file) { + return; + } + stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file); + stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); +} + int main(int argc, char *argv[]) { 
@@ -1655,6 +1681,7 @@ main(int argc, char *argv[]) state.had_lock = false; state.paused = false; while (!exiting) { + update_ssl_config(); memory_run(); if (memory_should_report()) { struct simap usage = SIMAP_INITIALIZER(&usage); From patchwork Thu May 13 22:46:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Han Zhou X-Patchwork-Id: 1478249 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fh6GY6wZmz9sW5 for ; Fri, 14 May 2021 08:46:45 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id DD06F8468A; Thu, 13 May 2021 22:46:37 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWtiV-dPq6DG; Thu, 13 May 2021 22:46:36 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTP id 4676E84675; Thu, 13 May 2021 22:46:35 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 323F1C0001; Thu, 13 May 2021 22:46:35 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org 
(Postfix) with ESMTP id 2EA3AC0023 for ; Thu, 13 May 2021 22:46:33 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id B3F7E4042B for ; Thu, 13 May 2021 22:46:32 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SJQGAaQ4iPnw for ; Thu, 13 May 2021 22:46:32 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by smtp2.osuosl.org (Postfix) with ESMTPS id CECF9405CC for ; Thu, 13 May 2021 22:46:31 +0000 (UTC) X-Originating-IP: 216.228.112.22 Received: from localhost.localdomain.com (thunderhill.nvidia.com [216.228.112.22]) (Authenticated sender: hzhou@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 101D44000B; Thu, 13 May 2021 22:46:28 +0000 (UTC) From: Han Zhou To: dev@openvswitch.org Date: Thu, 13 May 2021 15:46:14 -0700 Message-Id: <20210513224614.1878220-5-hzhou@ovn.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210513224614.1878220-1-hzhou@ovn.org> References: <20210513224614.1878220-1-hzhou@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn 5/5] ovn-nbctl: Support ssl cert rotation for daemon mode. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Update SSL in the server_loop so that updated pki files can be reapplied. Signed-off-by: Han Zhou --- utilities/ovn-nbctl.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 48fd0b7ee..290b4d30d 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c 
@@ -57,6 +57,11 @@ static bool oneline; /* --dry-run: Do not commit any changes. */ static bool dry_run; +/* SSL options */ +static const char *ssl_private_key_file; +static const char *ssl_certificate_file; +static const char *ssl_ca_cert_file; + /* --wait=TYPE: Wait for configuration change to take effect? */ enum nbctl_wait_type { NBCTL_WAIT_NONE, /* Do not wait. */ @@ -549,6 +554,16 @@ add_local_option(const char *name, const char *arg, return NULL; } +static void +update_ssl_config(void) +{ + if (!ssl_private_key_file || !ssl_certificate_file || !ssl_ca_cert_file) { + return; + } + stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file); + stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); +} + static void apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options, size_t n, struct shash *local_options) @@ -621,7 +636,18 @@ apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options, OVN_DAEMON_OPTION_HANDLERS VLOG_OPTION_HANDLERS TABLE_OPTION_HANDLERS(&table_style) - STREAM_SSL_OPTION_HANDLERS + + case 'p': + ssl_private_key_file = optarg; + break; + + case 'c': + ssl_certificate_file = optarg; + break; + + case 'C': + ssl_ca_cert_file = optarg; + break; case OPT_BOOTSTRAP_CA_CERT: stream_ssl_set_ca_cert_file(po->arg, true); @@ -641,6 +667,7 @@ apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options, if (!db) { db = default_nb_db(); } + update_ssl_config(); } static void @@ -6956,6 +6983,7 @@ server_loop(struct ovsdb_idl *idl, int argc, char *argv[]) server_cmd_init(idl, &exiting); for (;;) { + update_ssl_config(); memory_run(); if (memory_should_report()) { struct simap usage = SIMAP_INITIALIZER(&usage);
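Review bot: two points on the utilities/ovn-nbctl.c hunks above. First, in apply_options_direct() the new cases read optarg while the adjacent OPT_BOOTSTRAP_CA_CERT case reads po->arg; use po->arg to match the explicit cases in this function (presumably the loop copies po->arg into optarg so the option-handler macros work, but the hand-written cases should not depend on that). Second, OPT_BOOTSTRAP_CA_CERT still calls stream_ssl_set_ca_cert_file(po->arg, true) immediately, while -C is now deferred and re-applied with bootstrap=false by update_ssl_config() at the end of apply_options_direct() and on every server_loop() iteration; if both are given, -C now always wins regardless of command-line order and the bootstrap file is never re-read. Also, because update_ssl_config() runs at the end of apply_options_direct(), the all-three-or-nothing rule applies to one-shot ovn-nbctl invocations too, not only to daemon mode as the subject line suggests; the commit message should say so.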