[ovs-dev] [PATCH v6] ovn-ctl: add support for SSL nb/sb db connections

Guoshuai Li ligs at dtdream.com
Wed Jan 4 01:58:40 UTC 2017


on 2017/1/4 2:29, Lance Richardson say:
> Add support for SSL connections to OVN northbound and/or
> southbound databases.
>
> To improve security, the NB and SB ovsdb daemons no longer
> open passive TCP (ptcp) listeners by default.  This is a change in
> behavior from previous versions: users who still want TCP
> connections to the NB/SB daemons can either request that
> a passive TCP connection be created via ovn-ctl command-line
> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> scripts):
>
>      --db-sb-create-insecure-remote=yes
>      --db-nb-create-insecure-remote=yes
>
> Or configure a connection after the NB/SB daemons have been
> started, e.g.:
>
>      ovn-sbctl set-connection ptcp:6642
>      ovn-nbctl set-connection ptcp:6641
>
> Users desiring SSL database connections will need to generate certificates
> and private key as described in INSTALL.SSL.rst and perform the following
> one-time configuration steps:
>
>     ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
>     ovn-sbctl set-connection pssl:6642
>     ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
>     ovn-nbctl set-connection pssl:6641
>
> On the ovn-controller and ovn-controller-vtep side, SSL configuration
> must be provided on the command-line when the daemons are started, this
> should be provided via the following command-line options (e.g. via
> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
>
>     --ovn-controller-ssl-key=<private-key>
>     --ovn-controller-ssl-cert=<certificate>
>     --ovn-controller-ssl-ca-cert=<ca-cert>
Would it be better to put the certificate file paths in ovsdb, similar to
ovn-remote in the Open_vSwitch table?
> The SB database connection should also be configured to use SSL, e.g.:
>
>      ovs-vsctl set Open_vSwitch . \
>                external-ids:ovn-remote=ssl:w.x.y.z:6642
>
> Acked-by: Ben Pfaff <blp at ovn.org>
> Signed-off-by: Lance Richardson <lrichard at redhat.com>
> ---
> v6: - Corrected typo (DB_NB_CREATE_INSECURE_REMOTE vs
>        DB_SB_CREATE_INSECURE_REMOTE).
>
> v5: - Corrected "==" between option and value for command-line options
>        in the ovn-ctl man page, a single "=" should have been used. Fixed
>        new instances as well as pre-existing instances.
>
> v4: - reverted to v1 scheme for creating default (insecure), dropping
>        feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
>      - changed --db-?b-create-remote to --db-?b-create-insecure-remote
>
> v3: - rebased
>      - s/db-sb-default-remote/db-sb-create-remote/ in man page
>      - s/db-nb-default-remote/db-nb-create-remote/ in man page
>
> v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
>      - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
>      - Create default remote configuration in db instead of
>        via command-line options.
>
>   NEWS                        |  6 ++++
>   manpages.mk                 |  4 +++
>   ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++++++-----------
>   ovn/utilities/ovn-ctl.8.xml | 17 +++++++----
>   4 files changed, 77 insertions(+), 22 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index aead685..08f31d9 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -12,6 +12,12 @@ Post-v2.6.0
>          - put_dhcp_opts and put_dhcp_optsv6 actions may now be traced.
>        * Support for managing SSL and remote connection configuration in
>          northbound and southbound databases.
> +     * TCP connections to northbound and southbound databases are no
> +       longer enabled by default and must be explicitly configured.
> +       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> +       command or the ovn-ctl "--db-sb-create-insecure-remote" and
> +       "--db-nb-create-insecure-remote" command-line options for
> +       information regarding remote connection configuration.
>      - Fixed regression in table stats maintenance introduced in OVS
>        2.3.0, wherein the number of OpenFlow table hits and misses was
>        not accurate.
> diff --git a/manpages.mk b/manpages.mk
> index 742bd66..825e2bc 100644
> --- a/manpages.mk
> +++ b/manpages.mk
> @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
>   	lib/vlog-syn.man \
>   	lib/vlog.man \
>   	ovsdb/remote-active.man \
> +	ovsdb/remote-active.man \
> +	ovsdb/remote-passive.man \
>   	ovsdb/remote-passive.man
>   ovsdb/ovsdb-client.1.in:
>   lib/common-syn.man:
> @@ -58,6 +60,8 @@ lib/table.man:
>   lib/vlog-syn.man:
>   lib/vlog.man:
>   ovsdb/remote-active.man:
> +ovsdb/remote-active.man:
> +ovsdb/remote-passive.man:
>   ovsdb/remote-passive.man:
>   
>   ovsdb/ovsdb-server.1: \
> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> index 73e78e5..90d0463 100755
> --- a/ovn/utilities/ovn-ctl
> +++ b/ovn/utilities/ovn-ctl
> @@ -50,7 +50,7 @@ stop_ovsdb () {
>   
>   demote_ovnnb() {
>       if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> +        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
>       fi
>   
>       if test -e $ovnnb_active_conf_file; then
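Review bot: `$DB_NB_SYNC_FROM_PROTO` is written verbatim into the active-connection file without any validation, so a typo on `--db-nb-sync-from-proto` (anything other than `tcp` or `ssl`) produces a remote string that presumably only fails when ovsdb-server later tries to sync, with no hint that ovn-ctl was misconfigured. A fail-fast check before the echo would surface it at start time: `case $DB_NB_SYNC_FROM_PROTO in tcp|ssl) ;; *) echo "ovn-ctl: --db-nb-sync-from-proto must be tcp or ssl" >&2; exit 1 ;; esac`. The expansions and the redirect target are also unquoted; `printf '%s\n' "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > "$ovnnb_active_conf_file"` avoids word splitting on the values. demote_ovnnb continues past the end of this hunk, and the same applies to demote_ovnsb in the next hunk.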
> @@ -64,7 +64,7 @@ demote_ovnnb() {
>   
>   demote_ovnsb() {
>       if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
> +        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
>       fi
>   
>       if test -e $ovnsb_active_conf_file; then
> @@ -93,15 +93,21 @@ start_ovsdb () {
>   
>           set ovsdb-server
>   
> -        set "$@" --detach --monitor $OVN_NB_LOG \
> -            --log-file=$OVN_NB_LOGFILE \
> -            --remote=punix:$DB_NB_SOCK \
> -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> -            --pidfile=$DB_NB_PID \
> -            --unixctl=ovnnb_db.ctl
> +        set "$@" --detach --monitor
> +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> +        set "$@" --unixctl=ovnnb_db.ctl
> +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> +
> +        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
> +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> +        fi
>   
>           if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> -            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
> +            echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
>           fi
>   
>           if test -e $ovnnb_active_conf_file; then
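Review bot: The `ptcp:$DB_NB_PORT:$DB_NB_ADDR` remote added under `DB_NB_CREATE_INSECURE_REMOTE=yes` binds to `DB_NB_ADDR`, which set_defaults later in this patch leaves at `0.0.0.0`, so opting in exposes an unauthenticated, unencrypted northbound database on every interface rather than only on loopback. A comment at the `if` would make that trade-off visible to whoever flips the option: `# Plaintext, unauthenticated listener; DB_NB_ADDR defaults to 0.0.0.0 (all interfaces). Narrow the address or prefer pssl via ovn-nbctl set-ssl/set-connection.` If ovn-ctl's generic option handling accepts `--db-nb-addr` (not shown in this hunk), the help text for `--db-nb-create-insecure-remote` could point to it as the way to restrict the bind address. start_ovsdb begins and ends outside this hunk, and the same point applies to the southbound hunk that follows.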
> @@ -118,15 +124,21 @@ start_ovsdb () {
>   
>           set ovsdb-server
>   
> -        set "$@" --detach --monitor $OVN_SB_LOG \
> -            --log-file=$OVN_SB_LOGFILE \
> -            --remote=punix:$DB_SB_SOCK \
> -            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
> -            --pidfile=$DB_SB_PID \
> -            --unixctl=ovnsb_db.ctl
> +        set "$@" --detach --monitor
> +        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
> +        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
> +        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
> +        set "$@" --unixctl=ovnsb_db.ctl
> +        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
> +        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
> +        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
> +
> +        if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then
> +            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
> +        fi
>   
>           if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> -            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
> +            echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
>           fi
>   
>           if test -e $ovnsb_active_conf_file; then
> @@ -208,12 +220,22 @@ start_northd () {
>   start_controller () {
>       set ovn-controller "unix:$DB_SOCK"
>       set "$@" $OVN_CONTROLLER_LOG
> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> +    fi
>       OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
>   }
>   
>   start_controller_vtep () {
>       set ovn-controller-vtep "unix:$DB_SOCK"
>       set "$@" -vconsole:emer -vsyslog:err -vfile:info
> +    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
> +        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
> +        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
> +        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
> +    fi
>       OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
>   }
>   
> @@ -275,6 +297,7 @@ set_defaults () {
>       DB_NB_FILE=$dbdir/ovnnb_db.db
>       DB_NB_ADDR=0.0.0.0
>       DB_NB_PORT=6641
> +    DB_NB_SYNC_FROM_PROTO=tcp
>       DB_NB_SYNC_FROM_ADDR=
>       DB_NB_SYNC_FROM_PORT=6641
>   
> @@ -283,6 +306,7 @@ set_defaults () {
>       DB_SB_FILE=$dbdir/ovnsb_db.db
>       DB_SB_ADDR=0.0.0.0
>       DB_SB_PORT=6642
> +    DB_SB_SYNC_FROM_PROTO=tcp
>       DB_SB_SYNC_FROM_ADDR=
>       DB_SB_SYNC_FROM_PORT=6642
>   
> @@ -307,6 +331,13 @@ set_defaults () {
>       OVN_SB_LOG="-vconsole:off"
>       OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
>       OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
> +
> +    OVN_CONTROLLER_SSL_KEY=""
> +    OVN_CONTROLLER_SSL_CERT=""
> +    OVN_CONTROLLER_SSL_CA_CERT=""
> +
> +    DB_SB_CREATE_INSECURE_REMOTE="no"
> +    DB_NB_CREATE_INSECURE_REMOTE="no"
>   }
>   
>   set_option () {
> @@ -350,6 +381,9 @@ Options:
>     --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
>     --ovn-controller-priority=NICE     set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY)
>     --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
> +  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
> +  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> +  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
>     --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
>                                      automatically started and stopped along
>                                      with ovn-northd. The default is "yes". If
> @@ -376,9 +410,13 @@ File location options:
>     --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE)
>     --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE)
>     --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR)
> -  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
> +  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
> +  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO)
> +  --db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound remote (default: $DB_NB_CREATE_INSECURE_REMOTE)
>     --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR)
>     --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT)
> +  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO)
> +  --db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound remote (default: $DB_SB_CREATE_INSECURE_REMOTE)
>   
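Review bot: The new `--db-nb-sync-from-proto=PROTO` and `--db-sb-sync-from-proto=PROTO` help lines do not say which values are accepted; since demote_ovnnb/demote_ovnsb splice the value straight into the remote string, naming the two that work would save a trip to the source: `--db-nb-sync-from-proto=tcp|ssl OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO)`. While here, the pre-existing `--db-sb-sync-from-port=ADDR` placeholder on the neighbouring line should read `PORT`, matching the northbound line this patch corrects.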
>   Default directories with "configure" option and environment variable override:
>     logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> index ff7366c..c4884f8 100644
> --- a/ovn/utilities/ovn-ctl.8.xml
> +++ b/ovn/utilities/ovn-ctl.8.xml
> @@ -38,17 +38,24 @@
>       <p><code>-h</code> | <code>--help</code></p>
>   
>       <h1>File location options</h1>
> -    <p><code>--db-sock==<var>SOCKET</var></code></p>
> -    <p><code>--db-nb-file==<var>FILE</var></code></p>
> -    <p><code>--db-sb-file==<var>FILE</var></code></p>
> -    <p><code>--db-nb-schema==<var>FILE</var></code></p>
> -    <p><code>--db-sb-schema==<var>FILE</var></code></p>
> +    <p><code>--db-sock=<var>SOCKET</var></code></p>
> +    <p><code>--db-nb-file=<var>FILE</var></code></p>
> +    <p><code>--db-sb-file=<var>FILE</var></code></p>
> +    <p><code>--db-nb-schema=<var>FILE</var></code></p>
> +    <p><code>--db-sb-schema=<var>FILE</var></code></p>
> +    <p><code>--db-sb-create-insecure-remote=<var>yes|no</var></code></p>
> +    <p><code>--db-nb-create-insecure-remote=<var>yes|no</var></code></p>
> +    <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
> +    <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
> +    <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
>   
>       <h1>Address and port options</h1>
>       <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>       <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
> +    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
>       <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
>       <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
> +    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
>   
>       <h1>Configuration files</h1>
>       <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>


