[ovs-dev] [PATCH v6] ovn-ctl: add support for SSL nb/sb db connections

Guoshuai Li ligs at dtdream.com
Thu Jan 5 02:08:42 UTC 2017



On 2017/1/4 23:36, Lance Richardson said:
>> From: "Guoshuai Li" <ligs at dtdream.com>
>> To: "Lance Richardson" <lrichard at redhat.com>, blp at ovn.org, russell at ovn.org, nusiddiq at redhat.com, dev at openvswitch.org
>> Sent: Tuesday, January 3, 2017 8:58:40 PM
>> Subject: Re: [ovs-dev] [PATCH v6] ovn-ctl: add support for SSL nb/sb db connections
>>
>> On 2017/1/4 2:29, Lance Richardson said:
>>> Add support for SSL connections to OVN northbound and/or
>>> southbound databases.
>>>
>>> To improve security, the NB and SB ovsdb daemons no longer
>>> have open ptcp connections by default.  This is a change in
>>> behavior from previous versions, users wishing to use TCP
>>> connections to the NB/SB daemons can either request that
>>> a passive TCP connection be used via ovn-ctl command-line
>>> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
>>> scripts):
>>>
>>>       --db-sb-create-insecure-remote=yes
>>>       --db-nb-create-insecure-remote=yes
>>>
>>> Or configure a connection after the NB/SB daemons have been
>>> started, e.g.:
>>>
>>>       ovn-sbctl set-connection ptcp:6642
>>>       ovn-nbctl set-connection ptcp:6641
>>>
>>> Users desiring SSL database connections will need to generate certificates
>>> and private key as described in INSTALL.SSL.rst and perform the following
>>> one-time configuration steps:
>>>
>>>      ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
>>>      ovn-sbctl set-connection pssl:6642
>>>      ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
>>>      ovn-nbctl set-connection pssl:6641
>>>
>>> On the ovn-controller and ovn-controller-vtep side, SSL configuration
>>> must be provided on the command-line when the daemons are started, this
>>> should be provided via the following command-line options (e.g. via
>>> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
>>>
>>>      --ovn-controller-ssl-key=<private-key>
>>>      --ovn-controller-ssl-cert=<certificate>
>>>      --ovn-controller-ssl-ca-cert=<ca-cert>
>> Would putting the certificate file path in ovsdb be better?  Similar to ovn-remote
>> in the Open_vSwitch table.
> Hi Guoshuai,
>
> Currently the only way to specify SSL certificate/key configuration to
> ovn-controller is via command-line options, as was used in this patch.
>
> Enabling ovn-controller to use SSL configuration stored in the Open_vSwitch
> SSL table does make sense to me, especially since this is the db where
> we configure ovn-remote.
>
> Some questions I have (perhaps others will weigh in):
>
>   (1) Should we support both methods (command line and db) for providing SSL
>       configuration to ovn-controller, or only one?
>   (2) If we do want both, would it be acceptable to enable db configuration
>       in a follow-on patch?
>
> Thanks,
>
>     Lance

Yes, you are right.
I think supporting both methods is better:
today we first support the command line, and then support the database.
I also hope this patch can be applied quickly.


Thanks
Guoshuai
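The one-time SSL configuration that the quoted commit message describes (ovn-nbctl/ovn-sbctl set-ssl, set-connection pssl:PORT, and the three --ovn-controller-ssl-* options for OVN_CTL_OPTS/OVN_CONTROLLER_OPTS), collected into a small checked script. This is an added example, not code from the patch or from the OVN project. The file locations under /etc/openvswitch, the file names, the OVN_APPLY switch and the helper names (check_ssl_files, controller_ssl_opts, configure_db_ssl) are assumptions of this example; the permission check on the private key goes beyond what the message states and is only a sanity check before the key is handed to the daemons.

```shell
#!/bin/sh
# Added example, not part of the patch or of OVN: the one-time SSL setup steps
# from the commit message plus the matching ovn-controller options, wrapped in
# small functions that can be checked before anything is applied.
# The directory and file names below are assumptions; adjust to the deployment.

OVN_SSL_DIR="${OVN_SSL_DIR:-/etc/openvswitch}"          # assumed directory
OVN_KEY="${OVN_KEY:-$OVN_SSL_DIR/ovn-privkey.pem}"      # assumed file name
OVN_CERT="${OVN_CERT:-$OVN_SSL_DIR/ovn-cert.pem}"       # assumed file name
OVN_CACERT="${OVN_CACERT:-$OVN_SSL_DIR/cacert.pem}"     # assumed file name

# check_ssl_files KEY CERT CACERT
# All three files must be readable, and the private key must carry no
# group/other permission bits, because the ovsdb daemons read it as-is.
check_ssl_files() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    perms=$(ls -ld "$1" | cut -c5-10)       # group+other bits of "ls -l" output
    case "$perms" in
        ------) return 0 ;;
        *) echo "private key $1 is readable by group/others (perms $perms)" >&2
           return 1 ;;
    esac
}

# controller_ssl_opts KEY CERT CACERT
# Builds the option string that goes into OVN_CTL_OPTS/OVN_CONTROLLER_OPTS,
# using the option names from the commit message.
controller_ssl_opts() {
    printf '%s %s %s' \
        "--ovn-controller-ssl-key=$1" \
        "--ovn-controller-ssl-cert=$2" \
        "--ovn-controller-ssl-ca-cert=$3"
}

# configure_db_ssl CTL PORT
# One database: "ovn-nbctl 6641" or "ovn-sbctl 6642", exactly the two commands
# the commit message lists. No ptcp remote is requested, so only pssl listens.
configure_db_ssl() {
    "$1" set-ssl "$OVN_KEY" "$OVN_CERT" "$OVN_CACERT" &&
    "$1" set-connection "pssl:$2"
}

main() {
    check_ssl_files "$OVN_KEY" "$OVN_CERT" "$OVN_CACERT" || exit 1
    configure_db_ssl ovn-nbctl 6641 || exit 1
    configure_db_ssl ovn-sbctl 6642 || exit 1
    # Print the line to drop into the ovn-controller startup environment.
    echo "OVN_CONTROLLER_OPTS=\"$(controller_ssl_opts "$OVN_KEY" "$OVN_CERT" "$OVN_CACERT")\""
}

# Only talk to the databases when explicitly asked (OVN_APPLY=1); otherwise the
# file just defines the helpers, so it can be sourced or dry-checked safely.
if [ "${OVN_APPLY:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `OVN_APPLY=1 OVN_SSL_DIR=/path/to/certs sh ovn-ssl-setup.sh` on the host where the NB/SB daemons are already running; the printed OVN_CONTROLLER_OPTS line is what the ovn-controller hosts need in their startup scripts.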

