From patchwork Tue Oct 9 11:00:45 2018
X-Patchwork-Submitter: aginwala aginwala
X-Patchwork-Id: 981535
From: aginwala
X-Google-Original-From: aginwala
To: dev@openvswitch.org
Date: Tue, 9 Oct 2018 04:00:45 -0700
Message-Id: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
X-Mailer: git-send-email 1.9.1
Cc: aginwala
Subject: [ovs-dev] [PATCH v3 1/2] ovn-ctl: Allow passing ssl certs when
starting OVN DBs in ssl mode.
For OVN DBs to work with SSL in HA, we need the capability to pass ssl
certs when starting OVN DBs. Say, when starting OVN DBs in active-passive mode,
the standby DBs cannot sync from the master node because the required ssl certs
are not passed when the standby DBs are initialized.
Hence, we need to have this option.
e.g. start the nb db with ssl certs as below:
/usr/share/openvswitch/scripts/ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
--ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
--ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
--db-nb-create-insecure-remote=no start_nb_ovsdb
When certs are passed on the command line, they are read from the paths
given instead of the default db configs.
Certs can be generated based on the ovs ssl docs:
http://docs.openvswitch.org/en/latest/howto/ssl/
Signed-off-by: aginwala
Acked-by: Han Zhou
---
ovn/utilities/ovn-ctl | 41 ++++++++++++++++++++++++++++++++++++++---
ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
2 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 3ff0df6..d71071a 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -116,6 +116,9 @@ start_ovsdb__() {
local addr
local active_conf_file
local use_remote_in_db
+ local ovn_db_ssl_key
+ local ovn_db_ssl_cert
+ local ovn_db_ssl_cacert
eval pid=\$DB_${DB}_PID
eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
@@ -137,6 +140,9 @@ start_ovsdb__() {
eval addr=\$DB_${DB}_ADDR
eval active_conf_file=\$ovn${db}_active_conf_file
eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
+ eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
+ eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
+ eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
# Check and eventually start ovsdb-server for DB
if pidfile_is_running $pid; then
@@ -183,9 +189,23 @@ $cluster_remote_port
if test X"$use_remote_in_db" != Xno; then
set "$@" --remote=db:$schema_name,$table_name,connections
fi
- set "$@" --private-key=db:$schema_name,SSL,private_key
- set "$@" --certificate=db:$schema_name,SSL,certificate
- set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
+
+ if test X"$ovn_db_ssl_key" != X; then
+ set "$@" --private-key=$ovn_db_ssl_key
+ else
+ set "$@" --private-key=db:$schema_name,SSL,private_key
+ fi
+ if test X"$ovn_db_ssl_cert" != X; then
+ set "$@" --certificate=$ovn_db_ssl_cert
+ else
+ set "$@" --certificate=db:$schema_name,SSL,certificate
+ fi
+ if test X"$ovn_db_ssl_cacert" != X; then
+ set "$@" --ca-cert=$ovn_db_ssl_cacert
+ else
+ set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
+ fi
+
set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
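Review bot: the new `--private-key=$ovn_db_ssl_key`, `--certificate=$ovn_db_ssl_cert` and `--ca-cert=$ovn_db_ssl_cacert` arguments are unquoted, so a path containing whitespace is word-split when `set "$@" ...` rebuilds the argument list; since these values now come from the command line rather than from the database, quote them (`set "$@" --private-key="$ovn_db_ssl_key"`). Also, each of the three options falls back independently, so passing only `--ovn-nb-db-ssl-key` silently mixes a key file with the certificate and CA taken from the database's SSL table; either require all three together or state in the help text that partial overrides are intended. A readability check on each supplied file before ovsdb-server is started would turn a mistyped path into a clear error here instead of a start failure later.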
@@ -481,6 +501,15 @@ set_defaults () {
OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
DB_NB_USE_REMOTE_IN_DB="yes"
DB_SB_USE_REMOTE_IN_DB="yes"
+
+ OVN_NB_DB_SSL_KEY=""
+ OVN_NB_DB_SSL_CERT=""
+ OVN_NB_DB_SSL_CA_CERT=""
+
+ OVN_SB_DB_SSL_KEY=""
+ OVN_SB_DB_SSL_CERT=""
+ OVN_SB_DB_SSL_CA_CERT=""
+
}
set_option () {
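Review bot: the added blank line immediately before the closing `}` of set_defaults() is stray whitespace; drop it so the hunk ends with the `OVN_SB_DB_SSL_CA_CERT=""` assignment, matching the rest of the function.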
@@ -536,6 +565,12 @@ Options:
--ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
--ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
--ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
+ --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
+ --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
+ --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
+ --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
+ --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
+ --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
--ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be
automatically started and stopped along
with ovn-northd. The default is "yes". If
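Review bot: the six new help entries do not say what happens when an option is omitted. Add a sentence that an unset option falls back to the private_key, certificate or ca_cert column of the database's SSL table, matching the behaviour in start_ovsdb__(), so operators know the two sources can be combined and what the default is.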
diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
index 3b0e67a..c5294d7 100644
--- a/ovn/utilities/ovn-ctl.8.xml
+++ b/ovn/utilities/ovn-ctl.8.xml
@@ -198,4 +198,18 @@
start_northd
+
+ Passing ssl keys when starting OVN dbs will supercede the default ssl values in db
+ Starting standalone ovn db server passing SSL certificates
+
+
+ # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
+ --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
+ --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
+ --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
+ --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
+ --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
+ start_northd
+
+
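Review bot: "supercede" should be "supersede", and the sentence lacks a terminating period. The example command is shown across several lines without trailing backslashes, so copying it as written runs only the first line; add `\` continuations as in the commit message's own example, or keep the command on one line.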
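The override-or-fallback rule this patch adds to ovn-ctl (an explicit --ovn-*-db-ssl-* path wins, an unset option falls back to the db:SCHEMA,SSL,* entries), as an added example in POSIX shell. It is not code from the patch or from the OVS project: it re-implements the rule stand-alone and adds the two checks a reviewer would ask for, a readability test on each supplied file before anything is started and a warning when command-line files and db: entries would be mixed. The function names build_ssl_args, ssl_sources_mixed and check_ssl_files are hypothetical, and the sample files are constructed, empty placeholders.

```shell
#!/bin/sh
# Added example; not code from this patch or from the OVS project. It mirrors,
# stand-alone, the per-option override the patch adds to start_ovsdb__() in
# ovn-ctl (an explicit file path wins, an empty value falls back to the
# db:SCHEMA,SSL,* source) and adds two checks: that each supplied file is
# readable before ovsdb-server is started, and a warning when command-line
# files and db: entries would be mixed. Function names are hypothetical and
# the sample paths are constructed.
set -eu

# build_ssl_args SCHEMA KEY CERT CACERT
#   Print the three ovsdb-server SSL options, one per line. Each option falls
#   back on its own, exactly as the patch does.
build_ssl_args() {
    local schema="$1" key="$2" cert="$3" cacert="$4"
    if [ -n "$key" ]; then
        printf '%s\n' "--private-key=$key"
    else
        printf '%s\n' "--private-key=db:$schema,SSL,private_key"
    fi
    if [ -n "$cert" ]; then
        printf '%s\n' "--certificate=$cert"
    else
        printf '%s\n' "--certificate=db:$schema,SSL,certificate"
    fi
    if [ -n "$cacert" ]; then
        printf '%s\n' "--ca-cert=$cacert"
    else
        printf '%s\n' "--ca-cert=db:$schema,SSL,ca_cert"
    fi
}

# ssl_sources_mixed KEY CERT CACERT
#   Succeed (return 0) when some but not all three paths are set, i.e. the
#   resulting configuration would take part of its SSL material from the
#   command line and the rest from the database's SSL table.
ssl_sources_mixed() {
    local n=0 f
    for f in "$@"; do
        if [ -n "$f" ]; then n=$((n + 1)); fi
    done
    if [ "$n" -ne 0 ] && [ "$n" -ne 3 ]; then return 0; else return 1; fi
}

# check_ssl_files PATH...
#   Succeed when every non-empty argument is a readable regular file; fail,
#   naming the first bad path on stderr, otherwise. Empty arguments are skipped
#   because they mean "use the db: fallback".
check_ssl_files() {
    local f
    for f in "$@"; do
        if [ -z "$f" ]; then continue; fi
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            printf 'SSL file missing or unreadable: %s\n' "$f" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone demo on constructed placeholder files in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/ovnnb-privkey.pem"
: > "$demo_dir/ovnnb-cert.pem"
: > "$demo_dir/cacert.pem"
nb_key="$demo_dir/ovnnb-privkey.pem"
nb_cert="$demo_dir/ovnnb-cert.pem"
nb_cacert="$demo_dir/cacert.pem"

# 1. All three files given and readable: every option points at a file.
if check_ssl_files "$nb_key" "$nb_cert" "$nb_cacert"; then
    echo "ovsdb-server args:"
    build_ssl_args OVN_Northbound "$nb_key" "$nb_cert" "$nb_cacert"
fi

# 2. Only the key given: the other two come from the database, so warn.
if ssl_sources_mixed "$nb_key" "" ""; then
    echo "warning: mixing a command-line key with db: certificate/CA" >&2
fi
build_ssl_args OVN_Northbound "$nb_key" "" ""

# 3. A typo in a path is caught before anything is started.
if ! check_ssl_files "$demo_dir/ovnnb-privkey.pme" "$nb_cert" "$nb_cacert"; then
    echo "refusing to start ovsdb-server"
fi
rm -rf "$demo_dir"
```

The output of build_ssl_args is one option per line so that a caller can append it to an argument list without word-splitting on spaces in paths; the patch's own `set "$@" --private-key=$ovn_db_ssl_key` form would split such a path. Running check_ssl_files up front is what turns a wrong certificate path into an immediate, named error instead of an ovsdb-server start failure.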
From patchwork Tue Oct 9 11:00:46 2018
X-Patchwork-Submitter: aginwala aginwala
X-Patchwork-Id: 981536
From: aginwala
X-Google-Original-From: aginwala
To: dev@openvswitch.org
Date: Tue, 9 Oct 2018 04:00:46 -0700
Message-Id: <1539082846-29711-2-git-send-email-aginwala@ebay.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
References: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
Cc: aginwala
Subject: [ovs-dev] [PATCH v3 2/2] ovndb-servers.ocf: Add ssl support for
managing OVN DB resources with pacemaker using LB VIP.
When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
certs for starting standby DBs. Hence, we need this change.
Signed-off-by: aginwala
Acked-by: Han Zhou
Acked-by: Numan Siddique
---
ovn/utilities/ovndb-servers.ocf | 72 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 71 insertions(+), 1 deletion(-)
diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf
index 52141c7..1031330 100755
--- a/ovn/utilities/ovndb-servers.ocf
+++ b/ovn/utilities/ovndb-servers.ocf
@@ -10,6 +10,12 @@
: ${MANAGE_NORTHD_DEFAULT="no"}
: ${INACTIVE_PROBE_DEFAULT="5000"}
: ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
+: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
+: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
+: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
+: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
+: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
+: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
@@ -21,6 +27,13 @@ SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
+NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
+NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
+SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
+SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
+
# In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY
# to false and pass LB vip IP while creating pcs resource.
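Review bot: the new resource parameters are named `ovn_nb_db_privkey`, `ovn_nb_db_cert` and `ovn_nb_db_cacert`, while the ovn-ctl options they are forwarded to in ovsdb_server_start() are `--ovn-nb-db-ssl-key`, `--ovn-nb-db-ssl-cert` and `--ovn-nb-db-ssl-ca-cert`; aligning the spelling (for example `ovn_nb_db_ssl_key`) would make the two halves of this series easier to correlate for anyone reading `pcs resource describe` next to the ovn-ctl help.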
@@ -132,6 +145,54 @@ ovsdb_server_metadata() {
+
+
+ OVN NB DB private key absolute path for ssl setup.
+
+ OVN NB DB private key file
+
+
+
+
+
+ OVN NB DB certificate absolute path for ssl setup.
+
+ OVN NB DB cert file
+
+
+
+
+
+ OVN NB DB CA certificate absolute path for ssl setup.
+
+ OVN NB DB cacert file
+
+
+
+
+
+ OVN SB DB private key absolute path for ssl setup.
+
+ OVN SB DB private key file
+
+
+
+
+
+ OVN SB DB certificate absolute path for ssl setup.
+
+ OVN SB DB cert file
+
+
+
+
+
+ OVN SB DB CA certificate absolute path for ssl setup.
+
+ OVN SB DB cacert file
+
+
+
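Review bot: the six new parameter descriptions ("... absolute path for ssl setup.") do not say that the value is only used when the corresponding nb_master_protocol / sb_master_protocol is ssl and is ignored otherwise, nor what the default path is; state both, since this metadata is what an operator sees when configuring the resource.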
@@ -326,6 +387,16 @@ ovsdb_server_start() {
set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
fi
+ if [ "x${NB_MASTER_PROTO}" = xssl ]; then
+ set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
+ set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
+ set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
+ fi
+ if [ "x${SB_MASTER_PROTO}" = xssl ]; then
+ set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
+ set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
+ set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
+ fi
if [ "x${present_master}" = x ]; then
# No master detected, or the previous master is not among the
# set starting.
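Review bot: the ssl branches forward `${NB_PRIVKEY}`, `${NB_CERT}`, `${NB_CACERT}` and their SB counterparts without checking that the files exist and are readable. For an OCF agent that check belongs in the validate step (if this agent implements a validate-all action, there), so that a missing or unreadable certificate is reported as OCF_ERR_INSTALLED or OCF_ERR_CONFIGURED before pacemaker attempts the start, rather than surfacing as a generic start failure that is retried on every node. The unquoted `set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}` also word-splits a path containing whitespace, though that matches the surrounding lines.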
@@ -343,7 +414,6 @@ ovsdb_server_start() {
set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
elif [ ${present_master} != ${host_name} ]; then
- # TODO: for using LB vip, need to test for ssl.
if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
set $@ --db-nb-create-insecure-remote=yes
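Review bot: removing the "TODO: for using LB vip, need to test for ssl" comment asserts that the LB-VIP-plus-SSL path is now tested, but nothing else in this hunk changes the branch it annotated; the visible code still only handles `NB_MASTER_PROTO = tcp` for the standby's insecure remote. State in the commit message how the ssl case with LISTEN_ON_MASTER_IP_ONLY=yes was exercised, or keep the TODO until it has been.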