[ovs-dev] [PATCH 2/2] vswitchd: Refresh SSL keys and certificates more frequently.
Justin Pettit
jpettit at nicira.com
Thu Aug 5 19:47:07 UTC 2010
Looks good.
--Justin
On Aug 5, 2010, at 10:00 AM, Ben Pfaff wrote:
> Until now, the ovs-vswitchd main loop has refreshed keys and certificates
> from their files only when the database changes. This works fine if new
> keys and certificates are installed with new file names, because the update
> to the database to point to the new files will cause them to be read. But
> if the new keys and certificates are copied over the existing files, then
> the delay until they are read is indefinite.
>
> This commit fixes the problem by changing the SSL configuration so that it
> is rechecked on every trip through the ovs-vswitchd main loop.
>
> Bug #2921.
> ---
> vswitchd/bridge.c | 37 ++++++++++++++++++-------------------
> 1 files changed, 18 insertions(+), 19 deletions(-)
>
> diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
> index 0397e0a..7174f2c 100644
> --- a/vswitchd/bridge.c
> +++ b/vswitchd/bridge.c
> @@ -344,18 +344,6 @@ bridge_configure_once(const struct ovsrec_open_vswitch *cfg)
> svec_destroy(&dpif_types);
> }
>
> -#ifdef HAVE_OPENSSL
> -static void
> -bridge_configure_ssl(const struct ovsrec_ssl *ssl)
> -{
> - /* XXX SSL should be configurable on a per-bridge basis. */
> - if (ssl) {
> - stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
> - stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
> - }
> -}
> -#endif
> -
> /* Attempt to create the network device 'iface_name' through the netdev
> * library. */
> static int
> @@ -595,11 +583,6 @@ bridge_reconfigure(const struct ovsrec_open_vswitch *ovs_cfg)
> shash_destroy(&old_br);
> shash_destroy(&new_br);
>
> -#ifdef HAVE_OPENSSL
> - /* Configure SSL. */
> - bridge_configure_ssl(ovs_cfg->ssl);
> -#endif
> -
> /* Reconfigure all bridges. */
> LIST_FOR_EACH (br, struct bridge, node, &all_bridges) {
> bridge_reconfigure_one(br);
> @@ -1105,7 +1088,10 @@ iface_refresh_stats(struct iface *iface)
> void
> bridge_run(void)
> {
> + const struct ovsrec_open_vswitch *cfg;
> +
> bool datapath_destroyed;
> + bool database_changed;
> struct bridge *br;
>
> /* Let each bridge do the work that it needs to do. */
> @@ -1121,8 +1107,9 @@ bridge_run(void)
> }
>
> /* (Re)configure if necessary. */
> - if (ovsdb_idl_run(idl) || datapath_destroyed) {
> - const struct ovsrec_open_vswitch *cfg = ovsrec_open_vswitch_first(idl);
> + database_changed = ovsdb_idl_run(idl);
> + cfg = ovsrec_open_vswitch_first(idl);
> + if (database_changed || datapath_destroyed) {
> if (cfg) {
> struct ovsdb_idl_txn *txn = ovsdb_idl_txn_create(idl);
>
> @@ -1141,6 +1128,18 @@ bridge_run(void)
> }
> }
>
> +#ifdef HAVE_OPENSSL
> + /* Re-configure SSL. We do this on every trip through the main loop,
> + * instead of just when the database changes, because the contents of the
> + * key and certificate files can change without the database changing. */
> + if (cfg && cfg->ssl) {
> + const struct ovsrec_ssl *ssl = cfg->ssl;
> +
> + stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
> + stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
> + }
> +#endif
> +
> /* Refresh interface stats if necessary. */
> if (time_msec() >= iface_stats_timer) {
> struct ovsdb_idl_txn *txn;
> --
> 1.7.1
>
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev_openvswitch.org
More information about the dev
mailing list