[ovs-dev] [PATCH v5] ovn-ctl: add support for SSL nb/sb db connections
Lance Richardson
lrichard at redhat.com
Wed Dec 28 01:48:44 UTC 2016
> From: "Numan Siddique" <nusiddiq at redhat.com>
> To: "Ben Pfaff" <blp at ovn.org>
> Cc: "Lance Richardson" <lrichard at redhat.com>, "Russell Bryant" <russell at ovn.org>, "ovs dev" <dev at openvswitch.org>
> Sent: Tuesday, December 27, 2016 4:04:19 AM
> Subject: Re: [PATCH v5] ovn-ctl: add support for SSL nb/sb db connections
>
> On Fri, Dec 23, 2016 at 5:13 AM, Ben Pfaff <blp at ovn.org> wrote:
>
> > I see that Numan acked this. Russell, are you satisfied?
> >
> > Thanks,
> >
> > Ben.
> >
> > On Thu, Dec 22, 2016 at 01:54:44PM -0500, Lance Richardson wrote:
> > > Add support for SSL connections to OVN northbound and/or
> > > southbound databases.
> > >
> > > To improve security, the NB and SB ovsdb daemons no longer
> > > have open ptcp connections by default. This is a change in
> > > behavior from previous versions, users wishing to use TCP
> > > connections to the NB/SB daemons can either request that
> > > a passive TCP connection be used via ovn-ctl command-line
> > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > > scripts):
> > >
> > > --db-sb-create-insecure-remote=yes
> > > --db-nb-create-insecure-remote=yes
> > >
> > > Or configure a connection after the NB/SB daemons have been
> > > started, e.g.:
> > >
> > > ovn-sbctl set-connection ptcp:6642
> > > ovn-nbctl set-connection ptcp:6641
> > >
> > > Users desiring SSL database connections will need to generate certificates
> > > and private key as described in INSTALL.SSL.rst and perform the following
> > > one-time configuration steps:
> > >
> > > ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
> > > ovn-sbctl set-connection pssl:6642
> > > ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
> > > ovn-nbctl set-connection pssl:6641
> > >
> > > On the ovn-controller and ovn-controller-vtep side, SSL configuration
> > > must be provided on the command-line when the daemons are started, this
> > > should be provided via the following command-line options (e.g. via
> > > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> > >
> > > --ovn-controller-ssl-key=<private-key>
> > > --ovn-controller-ssl-cert=<certificate>
> > > --ovn-controller-ssl-ca-cert=<ca-cert>
> > >
> > > The SB database connection should also be configured to use SSL, e.g.:
> > >
> > > ovs-vsctl set Open_vSwitch . \
> > > external-ids:ovn-remote=ssl:w.x.y.z:6642
> > >
> > > Signed-off-by: Lance Richardson <lrichard at redhat.com>
> > > Acked-by: Ben Pfaff <blp at ovn.org>
> > > ---
> > > v5: - Corrected "==" between option and value for command-line options
> > > in the ovn-ctl man page, a single "=" should have been used. Fixed
> > > new instances as well as pre-existing instances.
> > >
> > > v4: - reverted to v1 scheme for creating default (insecure), dropping
> > > feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
> > > - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> > >
> > > v3: - rebased
> > > - s/db-sb-default-remote/db-sb-create-remote/ in man page
> > > - s/db-nb-default-remote/db-nb-create-remote/ in man page
> > >
> > > v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
> > > - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
> > > - Create default remote configuration in db instead of
> > > via command-line options.
> > >
> > > Testing Notes:
> > > - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
> > > OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes --db-nb-create-insecure-remote=yes"
> > >
> > > - Verified tcp connections operational without /etc/sysconfig/ovn-northd and:
> > > ovn-sbctl set-connection ptcp:6642
> > > ovn-nbctl set-connection ptcp:6641
> > >
> > > - Verified SSL connection to sb db with (on central node):
> > > ovn-sbctl set-ssl /ctl-privkey.pem /ctl-cert.pem /cacert.pem
> > > ovn-sbctl set-connection pssl:6642
> > >
> > > And (on compute nodes):
> > > In /etc/sysconfig/ovn-controller:
> > > OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
> > > --ovn-controller-ssl-cert=/ctl-cert.pem \
> > > --ovn-controller-ssl-ca-cert=/cacert.pem"
> > > ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642
> > >
> > > NEWS | 6 ++++
> > > manpages.mk | 4 +++
> > > ovn/utilities/ovn-ctl | 72 ++++++++++++++++++++++++++++++++++++-----------
> > > ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
> > > 4 files changed, 77 insertions(+), 22 deletions(-)
> > >
> > > diff --git a/NEWS b/NEWS
> > > index 882f611..ec44dd5 100644
> > > --- a/NEWS
> > > +++ b/NEWS
> > > @@ -10,6 +10,12 @@ Post-v2.6.0
> > > * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6
> > actions.
> > > * Support for managing SSL and remote connection configuration in
> > > northbound and southbound databases.
> > > + * TCP connections to northbound and southbound databases are no
> > > + longer enabled by default and must be explicitly configured.
> > > + See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> > > + command or the ovn-ctl "--db-sb-create-insecure-remote" and
> > > + "--db-nb-create-insecure-remote" command-line options for
> > > + information regarding remote connection configuration.
> > > - Fixed regression in table stats maintenance introduced in OVS
> > > 2.3.0, wherein the number of OpenFlow table hits and misses was
> > > not accurate.
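Review bot: the NEWS entry should say outright that this is a behavior change that breaks existing deployments which relied on the default ptcp remotes on 6641/6642, and give the options in their argument form (`--db-sb-create-insecure-remote=yes`, `--db-nb-create-insecure-remote=yes`) as the commit message does, so an upgrading user reading only NEWS finds the one-line fix.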
> > > diff --git a/manpages.mk b/manpages.mk
> > > index 742bd66..825e2bc 100644
> > > --- a/manpages.mk
> > > +++ b/manpages.mk
> > > @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
> > > lib/vlog-syn.man \
> > > lib/vlog.man \
> > > ovsdb/remote-active.man \
> > > + ovsdb/remote-active.man \
> > > + ovsdb/remote-passive.man \
> > > ovsdb/remote-passive.man
> > > ovsdb/ovsdb-client.1.in:
> > > lib/common-syn.man:
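Review bot: the two added lines duplicate the `ovsdb/remote-active.man \` and `ovsdb/remote-passive.man` entries already present in the `ovsdb/ovsdb-client.1` dependency list. manpages.mk is regenerated from the man page sources and nothing in this patch touches ovsdb-client, so this looks like a stale regeneration; drop the duplicates here or regenerate and commit that separately.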
> > > @@ -58,6 +60,8 @@ lib/table.man:
> > > lib/vlog-syn.man:
> > > lib/vlog.man:
> > > ovsdb/remote-active.man:
> > > +ovsdb/remote-active.man:
> > > +ovsdb/remote-passive.man:
> > > ovsdb/remote-passive.man:
> > >
> > > ovsdb/ovsdb-server.1: \
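Review bot: same duplication as the previous hunk: `ovsdb/remote-active.man:` and `ovsdb/remote-passive.man:` are already listed, so the two added lines add nothing and should be dropped with the ones above.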
> > > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > > index 73e78e5..a696d5e 100755
> > > --- a/ovn/utilities/ovn-ctl
> > > +++ b/ovn/utilities/ovn-ctl
> > > @@ -50,7 +50,7 @@ stop_ovsdb () {
> > >
> > > demote_ovnnb() {
> > > if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> > $ovnnb_active_conf_file
> > > + echo
> > > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"
> > > $ovnnb_active_conf_file
> > > fi
> > >
> > > if test -e $ovnnb_active_conf_file; then
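Review bot: `$DB_NB_SYNC_FROM_PROTO` is used here but nothing in the hunks shown gives it a default; if it is unset the active-conf file gets `:addr:port`, which ovsdb-server will not accept. Make sure the defaults block sets it to `tcp` (preserving the old behavior) and that a matching `--db-nb-sync-from-proto` option is documented in ovn-ctl.8.xml. The same `"$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"` string is now emitted in demote_ovnnb and again in start_ovsdb; a small helper would keep the two from drifting.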
> > > @@ -64,7 +64,7 @@ demote_ovnnb() {
> > >
> > > demote_ovnsb() {
> > > if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> > > - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> > $ovnsb_active_conf_file
> > > + echo
> > > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT"
> > > $ovnsb_active_conf_file
> > > fi
> > >
> > > if test -e $ovnsb_active_conf_file; then
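Review bot: same as the NB case: `$DB_SB_SYNC_FROM_PROTO` needs a default of `tcp` and a documented `--db-sb-sync-from-proto` option, and this echo is duplicated in start_ovsdb; the helper suggested above should cover both databases.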
> > > @@ -93,15 +93,21 @@ start_ovsdb () {
> > >
> > > set ovsdb-server
> > >
> > > - set "$@" --detach --monitor $OVN_NB_LOG \
> > > - --log-file=$OVN_NB_LOGFILE \
> > > - --remote=punix:$DB_NB_SOCK \
> > > - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> > > - --pidfile=$DB_NB_PID \
> > > - --unixctl=ovnnb_db.ctl
> > > + set "$@" --detach --monitor
> > > + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> > > + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> > > + set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> > > + set "$@" --unixctl=ovnnb_db.ctl
> > > + set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> > > + set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> > > + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> > > +
> > > + if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> > > + set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> > > + fi
> > >
> > > if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> > $ovnnb_active_conf_file
> > > + echo "$DB_NB_SYNC_FROM_PROTO:$DB_
> > NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> > > fi
> > >
> > > if test -e $ovnnb_active_conf_file; then
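Review bot: with `--db-nb-create-insecure-remote=yes`, `--remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR` is added alongside the `db:OVN_Northbound,NB_Global,connections` remote, so an admin who later runs `ovn-nbctl set-connection pssl:6641` still has the unauthenticated ptcp listener, and with an empty DB_NB_ADDR it is bound on every interface. The ovn-ctl.8.xml text for the option should state plainly that the listener is unauthenticated, independent of anything configured with set-connection, and restricted only by `--db-nb-addr`; also consider logging a warning when the option is used while the database has SSL configured.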
> > > @@ -118,15 +124,21 @@ start_ovsdb () {
> > >
> > > set ovsdb-server
> > >
> > > - set "$@" --detach --monitor $OVN_SB_LOG \
> > > - --log-file=$OVN_SB_LOGFILE \
> > > - --remote=punix:$DB_SB_SOCK \
> > > - --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
> > > - --pidfile=$DB_SB_PID \
> > > - --unixctl=ovnsb_db.ctl
> > > + set "$@" --detach --monitor
> > > + set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
> > > + set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
> > > + set "$@" --remote=db:OVN_Southbound,SB_Global,connections
> > > + set "$@" --unixctl=ovnsb_db.ctl
> > > + set "$@" --private-key=db:OVN_Southbound,SSL,private_key
> > > + set "$@" --certificate=db:OVN_Southbound,SSL,certificate
> > > + set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
> > > +
> > > + if test X"$
> >
> > DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> >
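Review bot: the SB branch tests `DB_NB_CREATE_INSECURE_REMOTE` where it should test `DB_SB_CREATE_INSECURE_REMOTE`, so the SB ptcp listener follows the NB flag: `--db-sb-create-insecure-remote=yes` alone leaves the SB database with no remote, and `--db-nb-create-insecure-remote=yes` alone opens the SB database on ptcp without being asked. Change the line to `if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then` and add the two mixed settings to the testing notes, since the "both yes" and "neither" runs cannot catch this.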
>
>
> There is a typo here. It should be
>
Whoops, nice catch! Will fix in a follow-up after I return from traveling.
My testing missed this, I only tested with both options set to yes and
neither set. Will verify all combinations for next pass.
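The commit message above lists the commands that switch the NB/SB databases to pssl and point ovn-controller at an ssl: remote, but not how to confirm the end state. The following audit helper is an added example, not part of this patch or of OVN itself. It assumes that `ovn-nbctl get-connection` and `ovn-sbctl get-connection` print one target per line, possibly preceded by a qualifier word such as `read-only`, and that `ovs-vsctl get Open_vSwitch . external-ids:ovn-remote` prints the value wrapped in double quotes; the certificate paths and port 6642 are taken from the testing notes in the patch.

```shell
#!/bin/sh
# Added audit helper (not from the patch or from OVN). It checks the end state
# the commit message describes: NB/SB reachable only over pssl or the local
# unix socket, and ovn-controller pointed at an ssl: southbound remote.
#
# Assumptions: get-connection prints one target per line, optionally preceded
# by a word such as "read-only"; "ovs-vsctl get ... external-ids:ovn-remote"
# prints the value in double quotes.

# Classify a single ovsdb target by its transport prefix. Only the last
# whitespace-separated word is inspected, so a leading qualifier is ignored.
classify_target() {
    t=${1##* }
    case "$t" in
        pssl:*|ssl:*|punix:*|unix:*) echo secure ;;
        ptcp:*|tcp:*)                echo insecure ;;
        *)                           echo unknown ;;
    esac
}

# Read targets from stdin (get-connection output); print every target that is
# not secure and return 1 if there was at least one such target.
check_db_connections() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        kind=$(classify_target "$line")
        if [ "$kind" != secure ]; then
            echo "$kind: $line"
            bad=1
        fi
    done
    return $bad
}

# The ovn-remote value ovn-controller uses to reach the SB database must be
# ssl:host:port, otherwise the --ovn-controller-ssl-* options never apply.
check_ovn_remote() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    case "$v" in
        ssl:*) return 0 ;;
        *)     echo "ovn-remote is not ssl: $v"; return 1 ;;
    esac
}

# Live check for a central node: both databases must expose only secure targets.
audit_central() {
    ovn-nbctl get-connection | check_db_connections || return 1
    ovn-sbctl get-connection | check_db_connections || return 1
    echo "NB/SB remotes look OK"
}

# Live check for a chassis: ovn-controller must be configured with an ssl: remote.
audit_chassis() {
    check_ovn_remote "$(ovs-vsctl get Open_vSwitch . external-ids:ovn-remote)"
}

# End-to-end check from a chassis: the SB database must answer over SSL with
# the chassis credentials (same paths as in the patch's testing notes).
verify_sb_ssl() {
    host=$1
    ovsdb-client --private-key=/ctl-privkey.pem --certificate=/ctl-cert.pem \
        --ca-cert=/cacert.pem list-dbs "ssl:$host:6642"
}
```

Run `audit_central` on the node hosting the databases after the `set-ssl`/`set-connection` steps, and `audit_chassis` followed by `verify_sb_ssl <central-ip>` on each compute node; a surviving ptcp target is exactly what the `--db-*-create-insecure-remote` options leave behind, so the audit is also a quick way to notice when those options are still set in a startup script.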