[ovs-dev] ovn: Improving southbound database security

Lance Richardson lrichard at redhat.com
Thu Oct 13 19:50:13 UTC 2016


> From: "Andy Zhou" <azhou at ovn.org>
> To: "Ben Pfaff" <blp at ovn.org>
> Cc: "ovs dev" <dev at openvswitch.org>, "Numan Siddique" <nusiddiq at redhat.com>, "Babu Shanmugam" <bschanmu at redhat.com>,
> "Lance Richardson" <lrichard at redhat.com>, "Justin Pettit" <jpettit at ovn.org>, "Russell Bryant" <russell at ovn.org>
> Sent: Thursday, October 13, 2016 3:05:40 PM
> Subject: Re: ovn: Improving southbound database security
> 
> On Thu, Oct 13, 2016 at 11:26 AM, Ben Pfaff <blp at ovn.org> wrote:
> 
> > On Wed, Oct 12, 2016 at 01:51:39PM -0400, Russell Bryant wrote:
> > > 1) Add support to ovsdb-server for read-only remotes.  The port reachable
> > > by ovn-controller would only accept read-only connections.
> >
> > Andy, is this something that you can put on your to-do list?  I guess
> > that it is not a huge amount of work.
> >
> > Thanks,
> >
> > Ben.
> >
> 
> Sure, I think the read-only OVSDB server has already been implemented as
> part of the replication work.
> Currently, it is only tied to active/backup state. We probably just need to
> make this feature decoupled from replication.
> 

Right, the prototype RFC I just posted builds on the work done for replication,
essentially this:

         ovsdb_jsonrpc_session_create(remote, jsonrpc_session_open(name, true),
-                                      svr->read_only);
+                                      svr->read_only ||
+                                      stream_or_pstream_is_read_only(name));
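
Review bot: The third argument to ovsdb_jsonrpc_session_create() now makes the per-session write restriction depend entirely on what stream_or_pstream_is_read_only() infers from `name`, and nothing in this hunk says which name forms it treats as read-only. Because the result is OR-ed with svr->read_only, any remote name the helper does not recognize falls back to read-write whenever the server itself is not read-only, so the helper needs a documented contract and tests covering both active (stream) and passive (pstream) names, including malformed ones. Consider also hoisting the expression into a local such as `bool read_only = svr->read_only || stream_or_pstream_is_read_only(name);` so the decision is visible and can be logged when a session is created.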


