[ovs-dev] [PATCH v5] ovn-ctl: add support for SSL nb/sb db connections

Lance Richardson lrichard at redhat.com
Wed Dec 28 01:48:44 UTC 2016


> From: "Numan Siddique" <nusiddiq at redhat.com>
> To: "Ben Pfaff" <blp at ovn.org>
> Cc: "Lance Richardson" <lrichard at redhat.com>, "Russell Bryant" <russell at ovn.org>, "ovs dev" <dev at openvswitch.org>
> Sent: Tuesday, December 27, 2016 4:04:19 AM
> Subject: Re: [PATCH v5] ovn-ctl: add support for SSL nb/sb db connections
> 
> On Fri, Dec 23, 2016 at 5:13 AM, Ben Pfaff <blp at ovn.org> wrote:
> 
> > I see that Numan acked this.  Russell, are you satisfied?
> >
> > Thanks,
> >
> > Ben.
> >
> > On Thu, Dec 22, 2016 at 01:54:44PM -0500, Lance Richardson wrote:
> > > Add support for SSL connections to OVN northbound and/or
> > > southbound databases.
> > >
> > > To improve security, the NB and SB ovsdb daemons no longer
> > > have open ptcp connections by default.  This is a change in
> > > behavior from previous versions; users wishing to use TCP
> > > connections to the NB/SB daemons can either request that
> > > a passive TCP connection be used via ovn-ctl command-line
> > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > > scripts):
> > >
> > >     --db-sb-create-insecure-remote=yes
> > >     --db-nb-create-insecure-remote=yes
> > >
> > > Or configure a connection after the NB/SB daemons have been
> > > started, e.g.:
> > >
> > >     ovn-sbctl set-connection ptcp:6642
> > >     ovn-nbctl set-connection ptcp:6641
> > >
> > > Users desiring SSL database connections will need to generate certificates
> > > and private key as described in INSTALL.SSL.rst and perform the following
> > > one-time configuration steps:
> > >
> > >    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
> > >    ovn-sbctl set-connection pssl:6642
> > >    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
> > >    ovn-nbctl set-connection pssl:6641
> > >
> > > On the ovn-controller and ovn-controller-vtep side, SSL configuration
> > > must be provided on the command-line when the daemons are started; this
> > > should be provided via the following command-line options (e.g. via
> > > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> > >
> > >    --ovn-controller-ssl-key=<private-key>
> > >    --ovn-controller-ssl-cert=<certificate>
> > >    --ovn-controller-ssl-ca-cert=<ca-cert>
> > >
> > > The SB database connection should also be configured to use SSL, e.g.:
> > >
> > >     ovs-vsctl set Open_vSwitch . \
> > >               external-ids:ovn-remote=ssl:w.x.y.z:6642
> > >
> > > Signed-off-by: Lance Richardson <lrichard at redhat.com>
> > > Acked-by: Ben Pfaff <blp at ovn.org>
> > > ---
> > > v5: - Corrected "==" between option and value for command-line options
> > >       in the ovn-ctl man page, a single "=" should have been used. Fixed
> > >       new instances as well as pre-existing instances.
> > >
> > > v4: - reverted to v1 scheme for creating default (insecure), dropping
> > >       feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
> > >     - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> > >
> > > v3: - rebased
> > >     - s/db-sb-default-remote/db-sb-create-remote/ in man page
> > >     - s/db-nb-default-remote/db-nb-create-remote/ in man page
> > >
> > > v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
> > >     - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
> > >     - Create default remote configuration in db instead of
> > >       via command-line options.
> > >
> > > Testing Notes:
> > >    - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
> > >      OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes --db-nb-create-insecure-remote=yes"
> > >
> > >    - Verified tcp connections operational without /etc/sysconfig/ovn-northd and:
> > >      ovn-sbctl set-connection ptcp:6642
> > >      ovn-nbctl set-connection ptcp:6641
> > >
> > >    - Verified SSL connection to sb db with (on central node):
> > >      ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
> > >      ovn-sbctl set-connection pssl:6642
> > >
> > >      And (on compute nodes):
> > >      In /etc/sysconfig/ovn-controller:
> > >      OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
> > >                           --ovn-controller-ssl-cert=/ctl-cert.pem \
> > >                           --ovn-controller-ssl-ca-cert=/cacert.pem"
> > >      ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642
> > >
> > >  NEWS                        |  6 ++++
> > >  manpages.mk                 |  4 +++
> > >  ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++++++++-----------
> > >  ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
> > >  4 files changed, 77 insertions(+), 22 deletions(-)
> > >
> > > diff --git a/NEWS b/NEWS
> > > index 882f611..ec44dd5 100644
> > > --- a/NEWS
> > > +++ b/NEWS
> > > @@ -10,6 +10,12 @@ Post-v2.6.0
> > >       * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6
> > actions.
> > >       * Support for managing SSL and remote connection configuration in
> > >         northbound and southbound databases.
> > > +     * TCP connections to northbound and southbound databases are no
> > > +       longer enabled by default and must be explicitly configured.
> > > +       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> > > +       command or the ovn-ctl "--db-sb-create-insecure-remote" and
> > > +       "--db-nb-create-insecure-remote" command-line options for
> > > +       information regarding remote connection configuration.
> > >     - Fixed regression in table stats maintenance introduced in OVS
> > >       2.3.0, wherein the number of OpenFlow table hits and misses was
> > >       not accurate.
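Review bot: the new NEWS entry (the six `+` lines) only tells readers how to turn cleartext TCP back on, via `set-connection` or the `--db-*-create-insecure-remote` options, and never mentions the secure path this patch is for; add a clause pointing at `ovn-sbctl/ovn-nbctl set-ssl` and `set-connection pssl:...`, as the commit message does, so someone reading NEWS is steered to SSL rather than straight back to `ptcp`.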
> > > diff --git a/manpages.mk b/manpages.mk
> > > index 742bd66..825e2bc 100644
> > > --- a/manpages.mk
> > > +++ b/manpages.mk
> > > @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
> > >       lib/vlog-syn.man \
> > >       lib/vlog.man \
> > >       ovsdb/remote-active.man \
> > > +     ovsdb/remote-active.man \
> > > +     ovsdb/remote-passive.man \
> > >       ovsdb/remote-passive.man
> > >  ovsdb/ovsdb-client.1.in:
> > >  lib/common-syn.man:
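Review bot: the two `+` lines add `ovsdb/remote-active.man` and `ovsdb/remote-passive.man` to a dependency list that already contains both on the lines directly above and below them, and the target being modified is `ovsdb/ovsdb-client.1`, which this patch does not otherwise touch. Duplicate prerequisites are harmless to make, but this reads as regeneration noise rather than part of the ovn-ctl change; either drop these lines from the patch or say in the commit message why the regenerated manpages.mk is included.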
> > > @@ -58,6 +60,8 @@ lib/table.man:
> > >  lib/vlog-syn.man:
> > >  lib/vlog.man:
> > >  ovsdb/remote-active.man:
> > > +ovsdb/remote-active.man:
> > > +ovsdb/remote-passive.man:
> > >  ovsdb/remote-passive.man:
> > >
> > >  ovsdb/ovsdb-server.1: \
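Review bot: the added `ovsdb/remote-active.man:` and `ovsdb/remote-passive.man:` rules duplicate the identical empty rules on the lines immediately above and below them, and again they belong to the ovsdb-client man page rather than to ovn-ctl. Same suggestion as for the dependency list: leave them out unless the regenerated file is deliberately part of this patch.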
> > > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > > index 73e78e5..a696d5e 100755
> > > --- a/ovn/utilities/ovn-ctl
> > > +++ b/ovn/utilities/ovn-ctl
> > > @@ -50,7 +50,7 @@ stop_ovsdb () {
> > >
> > >  demote_ovnnb() {
> > >      if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > > -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> > $ovnnb_active_conf_file
> > > +        echo
> > > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"
> > > $ovnnb_active_conf_file
> > >      fi
> > >
> > >      if test -e $ovnnb_active_conf_file; then
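Review bot: the replacement `echo` now interpolates `$DB_NB_SYNC_FROM_PROTO`, but none of the hunks quoted here give that variable a default. A user who, as before, sets only `DB_NB_SYNC_FROM_ADDR` would have `:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT` (empty protocol) written to `$ovnnb_active_conf_file` instead of the old `tcp:` target. Please confirm the defaults section sets `DB_NB_SYNC_FROM_PROTO=tcp`, and document `ssl` as the value to use alongside the new `set-ssl` configuration, since cleartext replication between NB servers undoes the point of the patch.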
> > > @@ -64,7 +64,7 @@ demote_ovnnb() {
> > >
> > >  demote_ovnsb() {
> > >      if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> > > -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> > $ovnsb_active_conf_file
> > > +        echo
> > > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT"
> > > $ovnsb_active_conf_file
> > >      fi
> > >
> > >      if test -e $ovnsb_active_conf_file; then
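Review bot: same concern as for `demote_ovnnb`: `$DB_SB_SYNC_FROM_PROTO` has no default visible in the quoted hunks, so an unset value yields an address with an empty protocol in `$ovnsb_active_conf_file`. Style point: `demote_ovnnb` and `demote_ovnsb` are now identical except for the `NB`/`SB` variable names; a shared helper taking the prefix would remove the copy-and-paste that makes a wrong NB/SB variable easy to miss.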
> > > @@ -93,15 +93,21 @@ start_ovsdb () {
> > >
> > >          set ovsdb-server
> > >
> > > -        set "$@" --detach --monitor $OVN_NB_LOG \
> > > -            --log-file=$OVN_NB_LOGFILE \
> > > -            --remote=punix:$DB_NB_SOCK \
> > > -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> > > -            --pidfile=$DB_NB_PID \
> > > -            --unixctl=ovnnb_db.ctl
> > > +        set "$@" --detach --monitor
> > > +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> > > +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> > > +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> > > +        set "$@" --unixctl=ovnnb_db.ctl
> > > +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> > > +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> > > +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> > > +
> > > +        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> > > +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> > > +        fi
> > >
> > >          if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > > -            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> > $ovnnb_active_conf_file
> > > +            echo "$DB_NB_SYNC_FROM_PROTO:$DB_
> > NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> > >          fi
> > >
> > >          if test -e $ovnnb_active_conf_file; then
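Review bot: gating the `ptcp` remote on `X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes` is the right default, but the comparison is exact: `Yes`, `true` or `1` silently leave the listener off and nothing is logged, so the man page should state that only `yes` enables it (or the script should normalise the value). Two documentation points in the same hunk: the `--remote=db:OVN_Northbound,NB_Global,connections` line is what makes `ovn-nbctl set-connection` targets take effect at startup, and the three `db:OVN_Northbound,SSL,...` options are now passed unconditionally; a one-line comment on each would save the next reader from having to work that out.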
> > > @@ -118,15 +124,21 @@ start_ovsdb () {
> > >
> > >          set ovsdb-server
> > >
> > > -        set "$@" --detach --monitor $OVN_SB_LOG \
> > > -            --log-file=$OVN_SB_LOGFILE \
> > > -            --remote=punix:$DB_SB_SOCK \
> > > -            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
> > > -            --pidfile=$DB_SB_PID \
> > > -            --unixctl=ovnsb_db.ctl
> > > +        set "$@" --detach --monitor
> > > +        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
> > > +        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
> > > +        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
> > > +        set "$@" --unixctl=ovnsb_db.ctl
> > > +        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
> > > +        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
> > > +        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
> > > +
> > > +        if test X"$
> > DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
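Review bot: the condition in the southbound branch tests `X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes`, where the southbound block should test `DB_SB_CREATE_INSECURE_REMOTE`. As written, whether the southbound cleartext listener is created follows the northbound option: `--db-sb-create-insecure-remote=yes` on its own does nothing, and `--db-nb-create-insecure-remote=yes` on its own opens both. Change `DB_NB_` to `DB_SB_` here, and add a test that sets the two options to different values, since only the both-`yes` and both-unset cases behave as intended.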
> >
> 
> 
> There is a typo here. It should be
> 

Whoops, nice catch! Will fix in a follow-up after I return from traveling.
My testing missed this; I only tested with both options set to yes and
neither set. Will verify all combinations for next pass.
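As an added example (not code from the patch, OVS or OVN), a small POSIX sh helper that reproduces the opt-in rule the patch introduces for the cleartext `ptcp` listener, keyed on the per-database variable as the review above requires, and that flags cleartext connection targets for an audit; the function names and sample targets are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the ovn-ctl patch or from OVS/OVN.
#   ovsdb_remote_args DB CREATE_INSECURE PORT ADDR
#     prints the --remote options the start_ovsdb logic gives ovsdb-server
#     for DB (nb|sb): the db:...,connections remote always, the cleartext
#     ptcp listener only when CREATE_INSECURE is exactly "yes" (the same
#     X"$var" = Xyes test ovn-ctl uses), keyed on the per-database variable.
#   conn_is_insecure TARGET
#     succeeds when an ovsdb connection target (as printed by ovn-sbctl
#     get-connection, or set in external-ids:ovn-remote) is cleartext TCP.

ovsdb_remote_args() {
    db=$1 create_insecure=$2 port=$3 addr=$4
    case $db in
        nb) schema=OVN_Northbound table=NB_Global ;;
        sb) schema=OVN_Southbound table=SB_Global ;;
        *)  echo "ovsdb_remote_args: unknown db '$db'" >&2; return 2 ;;
    esac
    # Connections configured with set-connection live in this column, so this
    # remote is what makes pssl:/ptcp: targets stored in the DB take effect.
    args="--remote=db:$schema,$table,connections"
    # Opt-in cleartext listener; "Yes", "true" or "1" do NOT enable it.
    if test X"$create_insecure" = Xyes; then
        args="$args --remote=ptcp:$port:$addr"
    fi
    printf '%s\n' "$args"
}

conn_is_insecure() {
    case $1 in
        ptcp:*|tcp:*)                return 0 ;;  # cleartext, no peer authentication
        pssl:*|ssl:*|punix:*|unix:*) return 1 ;;
        *) echo "conn_is_insecure: unrecognised target '$1'" >&2; return 0 ;;  # fail closed
    esac
}

# Print every cleartext target among the arguments, one per line.
audit_targets() {
    for t in "$@"; do
        if conn_is_insecure "$t" 2>/dev/null; then
            printf 'INSECURE: %s\n' "$t"
        fi
    done
}

# Constructed sample: a mixed NB/SB configuration and the targets it exposes.
ovsdb_remote_args nb no 6641 0.0.0.0
ovsdb_remote_args sb yes 6642 0.0.0.0
audit_targets pssl:6641 ptcp:6642 ssl:w.x.y.z:6642
```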

