[ovs-dev] [PATCH v2 1/3] ovn-sb: add SSL configuration to southbound db schema

Lance Richardson lrichard at redhat.com
Wed Nov 9 13:59:42 UTC 2016


Enhance OVN southbound database schema to allow SSL connection
configuration to be stored and managed within the db.

Signed-off-by: Lance Richardson <lrichard at redhat.com>
---
 ovn/ovn-sb.ovsschema | 21 ++++++++++++++++++---
 ovn/ovn-sb.xml       | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema
index 89342fe..0212a5e 100644
--- a/ovn/ovn-sb.ovsschema
+++ b/ovn/ovn-sb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Southbound",
     "version": "1.9.0",
-    "cksum": "239060528 9012",
+    "cksum": "2240045372 9719",
     "tables": {
         "SB_Global": {
             "columns": {
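Review bot: The schema `"version": "1.9.0"` is left untouched while the `cksum` is recomputed and the patch adds a new `SSL` table and an `ssl` column to `SB_Global`; OVS convention is that any schema change bumps the version so that `ovsdb-tool convert` and clients comparing schemas can tell the new columns are present. The cksum alone does not carry that information. Suggest bumping the minor version together with the checksum, e.g. `"version": "1.10.0",` (exact number to be confirmed against the current tree) and regenerating `cksum`.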
@@ -13,7 +13,11 @@
                     "type": {"key": {"type": "uuid",
                                      "refTable": "Connection"},
                                      "min": 0,
-                                     "max": "unlimited"}}},
+                                     "max": "unlimited"}},
+                "ssl": {
+                    "type": {"key": {"type": "uuid",
+                                     "refTable": "SSL"},
+                                     "min": 0, "max": 1}}},
             "maxRows": 1,
             "isRoot": true},
         "Chassis": {
@@ -183,4 +187,15 @@
                                     "min": 0,
                                     "max": "unlimited"},
                                     "ephemeral": true}},
-            "indexes": [["target"]]}}}
+            "indexes": [["target"]]},
+        "SSL": {
+            "columns": {
+                "private_key": {"type": "string"},
+                "certificate": {"type": "string"},
+                "ca_cert": {"type": "string"},
+                "bootstrap_ca_cert": {"type": "boolean"},
+                "external_ids": {"type": {"key": "string",
+                                          "value": "string",
+                                          "min": 0,
+                                          "max": "unlimited"}}},
+            "maxRows": 1}}}
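Review bot: The new `SSL` table carries no `"isRoot": true`, so an `SSL` row is presumably only retained while it is referenced from `SB_Global.ssl` and is garbage-collected otherwise; that matches how the table is wired up here, but nothing in the schema documentation says so, and an operator who inserts an `SSL` row without setting `SB_Global.ssl` will see it silently disappear. Worth a sentence in the `<table name="SSL">` description in ovn-sb.xml, e.g. `An SSL row is only kept while it is referenced from the ssl column of the SB_Global table; set that column rather than inserting rows here directly.` Also note that `private_key`, `certificate` and `ca_cert` are required string columns (default min/max of 1), so all three must be populated in the same transaction.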
diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
index 45c473c..1d17fef 100644
--- a/ovn/ovn-sb.xml
+++ b/ovn/ovn-sb.xml
@@ -169,6 +169,9 @@
         connections should be configured.  See the <ref table="Connection"/>
         table for more information.
       </column>
+      <column name="ssl">
+        Global SSL configuration.
+      </column>
     </group>
   </table>
 
@@ -2294,7 +2297,9 @@ tcp.flags = RST;
             <p>
               The specified SSL <var>port</var> on the host at the given
               <var>ip</var>, which must be expressed as an IP address
-              (not a DNS name).
+              (not a DNS name). A valid SSL configuration must be provided
+              when this form is used, this configuration can be specified
+              via command-line options or the <ref table="SSL"/> table.
             </p>
             <p>
               If <var>port</var> is not specified, it defaults to 6640.
@@ -2330,6 +2335,9 @@ tcp.flags = RST;
               address, wrap in square brackets,
               e.g. <code>pssl:6640:[::1]</code>.  If <var>ip</var> is not
               specified then it listens only on IPv4 (but not IPv6) addresses.
+              A valid SSL configuration must be provided when this form is used,
+             this can be specified either via command-line options or the
+             <ref table="SSL"/> table.
             </p>
             <p>
               If <var>port</var> is not specified, it defaults to 6640.
@@ -2502,4 +2510,42 @@ tcp.flags = RST;
       <column name="other_config"/>
     </group>
   </table>
+  <table name="SSL">
+    SSL configuration for ovn-sb database access.
+
+    <column name="private_key">
+      Name of a PEM file containing the private key used as the switch's
+      identity for SSL connections to the controller.
+    </column>
+
+    <column name="certificate">
+      Name of a PEM file containing a certificate, signed by the
+      certificate authority (CA) used by the controller and manager,
+      that certifies the switch's private key, identifying a trustworthy
+      switch.
+    </column>
+
+    <column name="ca_cert">
+      Name of a PEM file containing the CA certificate used to verify
+      that the switch is connected to a trustworthy controller.
+    </column>
+
+    <column name="bootstrap_ca_cert">
+      If set to <code>true</code>, then Open vSwitch will attempt to
+      obtain the CA certificate from the controller on its first SSL
+      connection and save it to the named PEM file. If it is successful,
+      it will immediately drop the connection and reconnect, and from then
+      on all SSL connections must be authenticated by a certificate signed
+      by the CA certificate thus obtained.  <em>This option exposes the
+      SSL connection to a man-in-the-middle attack obtaining the initial
+      CA certificate.</em>  It may still be useful for bootstrapping.
+    </column>
+
+    <group title="Common Columns">
+      The overall purpose of these columns is described under <code>Common
+      Columns</code> at the beginning of this document.
+
+      <column name="external_ids"/>
+    </group>
+  </table>
 </database>
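Review bot: The descriptions for `private_key`, `certificate` and `ca_cert` read as copied from the vswitch `SSL` table and still talk about "the switch's identity for SSL connections to the controller" and "a trustworthy controller", which has no meaning for the southbound database: the key and certificate identify the ovsdb-server serving ovn-sb, and `ca_cert` is what that server uses to verify connecting clients. Suggest `Name of a PEM file containing the private key used as the ovn-sb database server's identity for SSL connections.` for `private_key`, and wording `certificate`/`ca_cert` in terms of the database server and its clients likewise. It would also help operators to state that these are file names on the host running ovsdb-server and that only the path, not the key material, is stored in the database, and that with `bootstrap_ca_cert` the file named by `ca_cert` is written by the server. The `bootstrap_ca_cert` text similarly refers to "Open vSwitch" and "the controller" where the database server and its peer are meant.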
-- 
2.5.5



