[ovs-dev] ovn: Improving southbound database security

[Russell Bryant]

On Thu, Oct 20, 2016 at 1:47 PM, Ben Pfaff <blp at ovn.org> wrote:

> On Thu, Oct 13, 2016 at 07:32:53PM +0530, Numan Siddique wrote:
>
> > ​5) Remove support from ovn-controller updating the 'Chassis.hv_cfg'
> > column​ and handle the side effect in "--wait=hv" in ovn-nbctl.
>
> The ability to wait for hypervisors to catch up is pretty valuable.  I'm
> not super happy about losing it.
>

I'm not either.

The only compromise I could come up with was retain it, but document that
it won't work if you run the SB DB in a read-only mode.  That's how we'd
recommend it to be done in production, so the feature would become a
test-only feature, but then the tests wouldn't be helping ensure we only
read from the sb db otherwise.

-- 
Russell Bryant