[ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

aginwala aginwala amginwal at gmail.com
Mon Oct 8 18:55:35 UTC 2018


Yes, that's right.  I will send out v2 in a bit with Han's ack.


Regards,
Aliasgar

On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp at ovn.org> wrote:

> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal at gmail.com> wrote:
> > >
> > > Thanks for the review Han. Please find the comments inline below:
> > >
> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan at gmail.com> wrote:
> > >>
> > >> Thanks Ali, please see my comm
> > >>
> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal at gmail.com> wrote:
> > >> >
> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
> > >> >  certs for starting standby DBs. Hence, we need this change.
> > >> >
> > >> > Signed-off-by: aginwala <aginwala at ebay.com>
> > >> > ---
> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> > ++++++++++++++++++++++++++++++++++++++++-
> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> > >> >
> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> > b/ovn/utilities/ovndb-servers.ocf
> > >> > index 52141c7..80f81ae 100755
> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> > >> > @@ -10,6 +10,12 @@
> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> >
> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
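Review bot: the six new `*_SSL_*_DEFAULT` values hardcode `/etc/openvswitch`, and `NB_SSL_CACERT_DEFAULT` and `SB_SSL_CACERT_DEFAULT` both point at the same `cacert.pem`. Add a one-line comment above them stating that these defaults are consulted only when the corresponding master protocol (`SB_MASTER_PROTO` and its NB counterpart) is `ssl`, and that NB and SB are expected to share one CA by default, so an operator running separate CAs for the two databases knows both `cacert` parameters must be overridden.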
> > >> > @@ -21,6 +27,13 @@
> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> > >> >
> >
> SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> > >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> > >> >
> >
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > >> > +
> > >> >
> > >> >  # In order for pacemaker to work with LB, we can set
> > LISTEN_ON_MASTER_IP_ONLY
> > >> >  # to false and pass LB vip IP while creating pcs resource.
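Review bot: the added `+` blank line after `SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}` leaves two consecutive blank lines before the `# In order for pacemaker to work with LB` comment; drop it. The six assignments also accept whatever the operator passes verbatim, while the metadata in this patch promises an "absolute path"; check that each value starts with `/` (here or in the agent's validate action) so a relative path does not silently resolve against pacemaker's working directory.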
> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> > >> >    <content type="string" />
> > >> >    </parameter>
> > >> >
> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB private key absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB private key absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> > >> > +  <longdesc lang="en">
> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > >> > +  </longdesc>
> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> > >> > +  <content type="string" />
> > >> > +  </parameter>
> > >> > +
> > >> >    </parameters>
> > >> >
> > >> >    <actions>
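Review bot: `unique="1"` is the wrong setting for these six parameters. In OCF metadata `unique` marks a value that must differ between resource instances, but every instance of this master/slave resource reads the same certificate paths, and `ovn_nb_db_cacert` and `ovn_sb_db_cacert` even default to the same `/etc/openvswitch/cacert.pem`; use `unique="0"`. Each `longdesc` should also state the default path and that the parameter is only used when the corresponding master protocol is `ssl`, e.g. "OVN NB DB private key absolute path for ssl setup. Used only when nb_master_protocol is ssl. Default: /etc/openvswitch/ovnnb-privkey.pem", otherwise the metadata gives the operator no hint about either.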
> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> > >> >         set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> > >> >      fi
> > >> >
> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > >> > +            set $@ --db-nb-create-insecure-remote=no
> > >> "no" is the default value, so this line is not needed.
> > >
> > > >> Sure. This makes sense. Will check out the default behavior and update it
> > > >> in the revised patch!
> > >>
> > >>
> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
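Review bot: the ssl branch hands `${NB_PRIVKEY}`, `${NB_CERT}` and `${NB_CACERT}` to ovn-ctl without checking that they exist, so a missing or unreadable file is only discovered when ovn-ctl fails to start the database, and the start action cannot tell a misconfiguration from a transient failure. Check readability before building the command line and return `$OCF_ERR_CONFIGURED` when a file is missing, e.g. `for f in "${NB_PRIVKEY}" "${NB_CERT}" "${NB_CACERT}"; do [ -r "$f" ] || return $OCF_ERR_CONFIGURED; done`, so pacemaker stops retrying a resource that can never start. The values are also spliced unquoted via `set $@`, like the existing `--db-sb-addr` line, which breaks on any path containing whitespace; quoting `"${NB_PRIVKEY}"` and friends costs nothing. If an equivalent SB branch follows this one, it needs the same checks.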
> > >> This should be needed only for standby, which sets --db-sb-use-remote-in-db=no.
> > >
> > > > As discussed, for each of the modes, either ssl or tcp, all the nodes should have this option set.
> >
> > Agree. Since this script is for active-standby only, we can assume
> > active-standby mode always uses command line options instead of DB settings.
> >
> > Acked-by: Han Zhou <hzhou8 at ebay.com>
>
> I haven't followed the discussion here so I'm going to assume that Ali
> will post a v2 with Han's ack.
>
> Thanks,
>
> Ben.
>

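The thread settles that every node, active or standby, must receive the ssl key, cert and CA cert on the ovn-ctl command line when the master protocol is ssl. The following is an added example, not code from the ovndb-servers.ocf agent, the patch, or the OVN project: it builds those options in the form the patch passes to ovn-ctl (`--ovn-<db>-db-ssl-key`, `--ovn-<db>-db-ssl-cert`, `--ovn-<db>-db-ssl-ca-cert`) and adds the check a resource agent should make first, that each path is a readable regular file and that the private key is not group- or world-accessible, returning the OCF "cannot start as configured" code instead of letting ovn-ctl fail later. `ssl_args`, `check_ssl_file` and `demo` are hypothetical helper names; the placeholder PEM files are constructed, empty files used only to exercise the existence and permission checks.

```shell
#!/bin/sh
# Added example, not code from the ovndb-servers.ocf agent or the OVN project.
# Validates ssl key material before it is handed to ovn-ctl and builds the
# --ovn-<db>-db-ssl-* options the quoted patch uses. ssl_args, check_ssl_file
# and demo are hypothetical helper names. OCF_ERR_CONFIGURED=6 is the OCF
# return code for a resource whose configuration cannot work.

OCF_SUCCESS=0
OCF_ERR_CONFIGURED=6

# check_ssl_file FILE KIND   (KIND is key, cert or cacert)
# Returns 0 if FILE is a readable regular file; for a key, additionally
# requires that neither group nor other has any permission bit set.
check_ssl_file() {
    f=$1
    kind=$2
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "ssl $kind is not a readable file: $f" >&2
        return 1
    fi
    if [ "$kind" = key ]; then
        # Columns 5-10 of `ls -l` are the group and other permission bits.
        mode=$(ls -l "$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "ssl key $f is group/world accessible (g/o bits: $mode)" >&2
            return 1
        fi
    fi
    return 0
}

# ssl_args DB PROTO KEY CERT CACERT   (DB is nb or sb)
# Prints the three ovn-ctl ssl options on one line when PROTO is ssl, prints
# nothing for any other protocol, and returns OCF_ERR_CONFIGURED as soon as a
# file fails check_ssl_file. The one-line form lets an agent splice the result
# into its argument list with `set $@ $(ssl_args ...)`.
ssl_args() {
    db=$1; proto=$2; key=$3; cert=$4; cacert=$5
    [ "x$proto" = xssl ] || return $OCF_SUCCESS
    check_ssl_file "$key" key       || return $OCF_ERR_CONFIGURED
    check_ssl_file "$cert" cert     || return $OCF_ERR_CONFIGURED
    check_ssl_file "$cacert" cacert || return $OCF_ERR_CONFIGURED
    printf '%s %s %s\n' "--ovn-$db-db-ssl-key=$key" \
                        "--ovn-$db-db-ssl-cert=$cert" \
                        "--ovn-$db-db-ssl-ca-cert=$cacert"
    return $OCF_SUCCESS
}

# demo: constructed placeholder files in a temporary directory (empty files
# stand in for real PEM material; only existence and mode are checked).
demo() {
    d=$(mktemp -d) || return 1
    umask 077
    : > "$d/ovnnb-privkey.pem"
    : > "$d/ovnnb-cert.pem"
    : > "$d/cacert.pem"
    echo "tcp: '$(ssl_args nb tcp "$d/ovnnb-privkey.pem" "$d/ovnnb-cert.pem" "$d/cacert.pem")'"
    echo "ssl: '$(ssl_args nb ssl "$d/ovnnb-privkey.pem" "$d/ovnnb-cert.pem" "$d/cacert.pem")'"
    chmod 644 "$d/ovnnb-privkey.pem"
    ssl_args nb ssl "$d/ovnnb-privkey.pem" "$d/ovnnb-cert.pem" "$d/cacert.pem" \
        || echo "ssl with a world-readable key: rc=$?"
    rm -rf "$d"
}
demo
```

Returning `$OCF_ERR_CONFIGURED` rather than a generic error matters in pacemaker: it tells the cluster the resource cannot start on any node as configured, so it stops failing over a broken certificate path from node to node. The permission check is deliberate: ovn-ctl runs as root and would happily read a 0644 key, so nothing downstream would flag it.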
