[ovs-dev] [PATCH 1/1] Rationalize ovn-ctl arguments.

Russell Bryant russell at ovn.org
Thu Mar 31 00:23:23 UTC 2016


On Wed, Mar 30, 2016 at 8:15 PM, Ben Pfaff <blp at ovn.org> wrote:

> On Wed, Mar 30, 2016 at 07:56:51PM -0400, Russell Bryant wrote:
> > On Wed, Mar 30, 2016 at 2:40 PM, Ben Pfaff <blp at ovn.org> wrote:
> > > I'm starting to get really disturbed that ssl isn't the default here.
> >
> > We need to add SSL config to these tables.
>
> I'm not sure that it makes sense to have SSL configuration in
> OVN_Northbound or OVN_Southbound, because the clients would need to
> connect to the databases before they could obtain the configuration.
> I'd guess that SSL configuration would have to be populated to each
> hypervisor as a separate step before it joins OVN for the first time.
>
> Or maybe I misunderstand your point.
>

I honestly haven't thought through this in enough detail, but:

I was talking about the server side config.  ovsdb-server for OVS is
started with:

         set "$@" --private-key=db:Open_vSwitch,SSL,private_key
         set "$@" --certificate=db:Open_vSwitch,SSL,certificate
         set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert

I assumed we might add the same SSL table to the OVN dbs.  Then again, it
seems kind of awkward to me to have this in the DB.  I'd expect it to be
something only configured locally.

Anyway, I'd love to see this get sorted out and have SSL everywhere the
default.

-- 
Russell Bryant


