[ovs-dev] [PATCH v6] ovn-ctl: add support for SSL nb/sb db connections
Guoshuai Li
ligs at dtdream.com
Thu Jan 5 02:08:42 UTC 2017
On 2017/1/4 23:36, Lance Richardson said:
>> From: "Guoshuai Li" <ligs at dtdream.com>
>> To: "Lance Richardson" <lrichard at redhat.com>, blp at ovn.org, russell at ovn.org, nusiddiq at redhat.com, dev at openvswitch.org
>> Sent: Tuesday, January 3, 2017 8:58:40 PM
>> Subject: Re: [ovs-dev] [PATCH v6] ovn-ctl: add support for SSL nb/sb db connections
>>
>> On 2017/1/4 2:29, Lance Richardson said:
>>> Add support for SSL connections to OVN northbound and/or
>>> southbound databases.
>>>
>>> To improve security, the NB and SB ovsdb daemons no longer
>>> have open ptcp connections by default. This is a change in
>>> behavior from previous versions, users wishing to use TCP
>>> connections to the NB/SB daemons can either request that
>>> a passive TCP connection be used via ovn-ctl command-line
>>> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
>>> scripts):
>>>
>>> --db-sb-create-insecure-remote=yes
>>> --db-nb-create-insecure-remote=yes
>>>
>>> Or configure a connection after the NB/SB daemons have been
>>> started, e.g.:
>>>
>>> ovn-sbctl set-connection ptcp:6642
>>> ovn-nbctl set-connection ptcp:6641
>>>
>>> Users desiring SSL database connections will need to generate certificates
>>> and private key as described in INSTALL.SSL.rst and perform the following
>>> one-time configuration steps:
>>>
>>> ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
>>> ovn-sbctl set-connection pssl:6642
>>> ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
>>> ovn-nbctl set-connection pssl:6641
>>>
>>> On the ovn-controller and ovn-controller-vtep side, SSL configuration
>>> must be provided on the command-line when the daemons are started, this
>>> should be provided via the following command-line options (e.g. via
>>> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
>>>
>>> --ovn-controller-ssl-key=<private-key>
>>> --ovn-controller-ssl-cert=<certificate>
>>> --ovn-controller-ssl-ca-cert=<ca-cert>
>> Would putting the certificate file path in ovsdb be better? Similar to ovn-remote
>> in the Open_vSwitch table.
> Hi Guoshuai,
>
> Currently the only way to specify SSL certificate/key configuration to
> ovn-controller is via command-line options, as was used in this patch.
>
> Enabling ovn-controller to use SSL configuration stored in the Open_vSwitch
> SSL table does make sense to me, especially since this is the db where
> we configure ovn-remote.
>
> Some questions I have (perhaps others will weigh in):
>
> (1) Should we support both methods (command line and db) for providing SSL
> configuration to ovn-controller, or only one?
> (2) If we do want both, would it be acceptable to enable db configuration
> in a follow-on patch?
>
> Thanks,
>
> Lance
Yes, you are right.
I think supporting both methods is better:
today we first support the command line, and then support the database.
I also hope this patch can be applied quickly.
Thanks,
Guoshuai
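As an added example (not part of the patch or of OVN's own scripts), a POSIX shell audit for the change in defaults described in the commit message above: it flags any passive TCP remote left configured on the NB/SB databases and assembles the three ovn-controller SSL options only when all three files actually exist. It assumes the input is the one-target-per-line output of `ovn-sbctl get-connection` / `ovn-nbctl get-connection` (targets such as `pssl:6642` or `ptcp:6641`).

```shell
# Audit the connection targets configured on an OVN NB/SB database.
# Reads one target per line on stdin (the format of `ovn-sbctl get-connection`,
# assumed here). Returns 0 when every target is pssl:/ssl:/punix:/unix:,
# 1 when any target is a plain ptcp:/tcp: remote (no encryption, no client
# authentication) or unrecognised, and 2 when no target is configured at all.
audit_ovn_connections() {
    insecure=0
    count=0
    while IFS= read -r target; do
        [ -z "$target" ] && continue
        count=$((count + 1))
        case "$target" in
            pssl:*|ssl:*|punix:*|unix:*) ;;
            ptcp:*|tcp:*)
                echo "insecure remote: $target" >&2
                insecure=1 ;;
            *)
                echo "unrecognised target: $target" >&2
                insecure=1 ;;
        esac
    done
    [ "$count" -eq 0 ] && return 2
    return "$insecure"
}

# Build the OVN_CONTROLLER_OPTS value for the three SSL options the patch adds.
# Returns 1 without printing anything if any file is unreadable, so a typo in
# a path is caught before ovn-controller is started with a broken SSL setup.
ovn_controller_ssl_opts() {
    key=$1; cert=$2; ca=$3
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    printf '%s %s %s\n' \
        "--ovn-controller-ssl-key=$key" \
        "--ovn-controller-ssl-cert=$cert" \
        "--ovn-controller-ssl-ca-cert=$ca"
}

# Typical use on a host running the SB database (commands not executed here):
#   ovn-sbctl get-connection | audit_ovn_connections || echo "fix SB remotes"
#   OVN_CONTROLLER_OPTS=$(ovn_controller_ssl_opts /etc/ovn/key.pem \
#       /etc/ovn/cert.pem /etc/ovn/cacert.pem)
```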