[ovs-dev] [RFC] sandbox: use ssl for ovn-controller to sb db connection

Russell Bryant russell at ovn.org
Wed Mar 22 20:02:28 UTC 2017


On Wed, Mar 22, 2017 at 1:19 PM, Lance Richardson <lrichard at redhat.com> wrote:
> When SSL support is available, use SSL for the ovn-controller
> to southbound database connection. When configured without
> SSL, unix socket connections are used.
>
> Signed-off-by: Lance Richardson <lrichard at redhat.com>
> ---
>  tutorial/automake.mk |  3 ++-
>  tutorial/ovs-sandbox | 42 ++++++++++++++++++++++++++++++++++++------
>  2 files changed, 38 insertions(+), 7 deletions(-)

I imagine you're using this to help with development and manual
testing of the ovsdb-server ACL work for OVN?  I can see how it'd be
helpful for that so I'm OK with it.

I guess we're fairly confident that SSL is at least part of the
solution (either with generic ovsdb ACLs or a trusted daemon), so I
think we could merge this now.

I haven't tested it myself yet.  I'll give it a shot if you decide to
post the non-RFC version.

>
> diff --git a/tutorial/automake.mk b/tutorial/automake.mk
> index ce8415e..b7ea10c 100644
> --- a/tutorial/automake.mk
> +++ b/tutorial/automake.mk
> @@ -8,4 +8,5 @@ EXTRA_DIST += \
>         tutorial/t-stage4 \
>         tutorial/ovn-setup.sh
>  sandbox: all
> -       cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS)
> +       cd $(srcdir)/tutorial && MAKE=$(MAKE) HAVE_OPENSSL=$(HAVE_OPENSSL) \
> +               ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS)
> diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox
> index a28dcbf..3da1c48 100755
> --- a/tutorial/ovs-sandbox
> +++ b/tutorial/ovs-sandbox
> @@ -331,6 +331,14 @@ if $ovn; then
>      ovsdb_sb_server_args="ovnsb.db"
>      ovsdb_sb_backup_server_args="ovnsb2.db"
>      ovsdb_nb_server_args="ovnnb.db"
> +
> +    if [ "$HAVE_OPENSSL" = yes ]; then
> +        OVS_PKI="run ovs-pki --dir=$sandbox/pki --log=$sandbox/ovs-pki.log"
> +        $OVS_PKI -B 1024 init
> +        $OVS_PKI -B 1024 req+sign ovnsb switch
> +        $OVS_PKI -B 1024 req+sign ovnnb switch
> +        $OVS_PKI -B 1024 req+sign ovn-controller switch
> +    fi
>  fi
>  rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile -vconsole:off --log-file \
>      --remote=punix:"$sandbox"/db.sock $ovsdb_server_args
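Review bot: `$OVS_PKI` is expanded unquoted and carries `--dir=$sandbox/pki` and `--log=$sandbox/ovs-pki.log` unquoted too, while the rest of the script writes `"$sandbox"`; a sandbox path containing whitespace would split these commands. `-B 1024` also generates 1024-bit RSA keys for all four certificates, which is below the usual 2048-bit minimum (and, I believe, below ovs-pki's own default); for one-shot sandbox keys the time saved is small, so either drop `-B 1024` or add a comment such as `# 1024-bit keys: throwaway sandbox PKI, kept small for fast startup`. `req+sign` writes the key/cert pairs into the current directory, so the later `$sandbox/ovnsb-privkey.pem` paths only work if the script has already changed into `$sandbox`; the lines establishing that are outside the hunk, as is the start of the `if $ovn` block.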
> @@ -338,15 +346,27 @@ if $ovn; then
>      rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
>          --pidfile="$sandbox"/ovnnb_db.pid -vconsole:off \
>          --log-file="$sandbox"/ovnnb_db.log \
> +        --remote=db:OVN_Northbound,NB_Global,connections \
> +        --private-key=db:OVN_Northbound,SSL,private_key \
> +        --certificate=db:OVN_Northbound,SSL,certificate \
> +        --ca-cert=db:OVN_Northbound,SSL,ca_cert \
>          --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
>      rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
>          --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
>          --log-file="$sandbox"/ovnsb_db.log \
> +        --remote=db:OVN_Southbound,SB_Global,connections \
> +        --private-key=db:OVN_Southbound,SSL,private_key \
> +        --certificate=db:OVN_Southbound,SSL,certificate \
> +        --ca-cert=db:OVN_Southbound,SSL,ca_cert \
>          --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args
>      # Start SB back up server
>      rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
>          --pidfile="$sandbox"/ovnsb_db2.pid  -vconsole:off \
>          --log-file="$sandbox"/ovnsb_db2.log \
> +        --remote=db:OVN_Southbound,SB_Global,connections \
> +        --private-key=db:OVN_Southbound,SSL,private_key \
> +        --certificate=db:OVN_Southbound,SSL,certificate \
> +        --ca-cert=db:OVN_Southbound,SSL,ca_cert \
>          --remote=punix:"$sandbox"/ovnsb_db2.sock \
>          --unixctl="$sandbox"/sb_backup_unixctl \
>          --sync-from=unix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_backup_server_args
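Review bot: The backup SB server at the end of the hunk gets the same `--remote=db:OVN_Southbound,SB_Global,connections` and SSL options as the primary, yet it `--sync-from`s the primary, so the `pssl:6642` row that `ovn-sbctl set-connection` later inserts will presumably be replicated into it and make it try to bind the port the primary already holds. Unless replication mode suppresses `db:` remotes, the backup will log bind failures on every retry; dropping the `--remote=db:` line and the three SSL lines from the backup server avoids that, or a comment should state why the backup is meant to listen as well. The `if $ovn` block containing these lines starts before the hunk.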
> @@ -372,24 +392,34 @@ rungdb $gdb_vswitchd $gdb_vswitchd_ex ovs-vswitchd --detach --no-chdir --pidfile
>      --enable-dummy=$dummy -vvconn -vnetdev_dummy
>
>  if $ovn; then
> +    ovn-nbctl init
> +    ovn-sbctl init
> +
>      ovs-vsctl set open . external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068
>      ovs-vsctl set open . external-ids:hostname=sandbox
> -    ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock
>      ovs-vsctl set open . external-ids:ovn-encap-type=geneve
>      ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
>
> -    ovn-nbctl init
> -    ovn-sbctl init
> -
> +    if [ "$HAVE_OPENSSL" = yes ]; then
> +        ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem  $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem
> +        ovn-nbctl set-connection pssl:6641
> +        ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem  $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem
> +        ovn-sbctl set-connection pssl:6642
> +        ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642
> +        OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem"
> +    else
> +        ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock
> +        OVN_CTRLR_PKI=""
> +    fi
>      rungdb $gdb_ovn_northd $gdb_ovn_northd_ex ovn-northd --detach \
>          --no-chdir --pidfile -vconsole:off --log-file \
>          --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock \
>          --ovnnb-db=unix:"$sandbox"/ovnnb_db.sock
>      rungdb $gdb_ovn_controller $gdb_ovn_controller_ex ovn-controller \
> -        --detach --no-chdir --pidfile -vconsole:off --log-file
> +        $OVN_CTRLR_PKI --detach --no-chdir --pidfile -vconsole:off --log-file
>      rungdb $gdb_ovn_controller_vtep $gdb_ovn_controller_vtep_ex \
>          ovn-controller-vtep --detach --no-chdir --pidfile -vconsole:off \
> -        --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock
> +        $OVN_CTRLR_PKI --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock
>  fi
>
>  cat <<EOF
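Review bot: The `set-ssl` arguments and the `OVN_CTRLR_PKI` value use `$sandbox` unquoted, while the neighbouring `unix:"$sandbox"/...` lines quote it, so a path with whitespace works for the unix-socket branch but breaks the SSL one; write `"$sandbox"/ovnnb-privkey.pem` etc. there as well. `OVN_CTRLR_PKI` is then deliberately expanded unquoted on the `ovn-controller` and `ovn-controller-vtep` lines to word-split into several options, which deserves a comment such as `# expanded unquoted on purpose: holds several options` (or a bash array if the script already requires bash). `pssl:6641` and `pssl:6642` listen on all interfaces; `pssl:6642:127.0.0.1` would keep the sandbox databases on loopback, matching the `ssl:127.0.0.1:6642` remote. `ovn-controller-vtep` still uses `--ovnsb-db=unix:`, so the `-p/-c/-C` options passed to it are inert; either point it at the SSL remote too or leave `$OVN_CTRLR_PKI` off that line.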
> --
> 2.7.4
>



-- 
Russell Bryant

