[ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

Han Zhou zhouhan at gmail.com
Mon Oct 8 21:17:01 UTC 2018


On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala <amginwal at gmail.com> wrote:
>
> Yes, that's right.  I will send out v2 in a bit with Han's ack.
>
>
> Regards,
> Aliasgar
>
> On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp at ovn.org> wrote:
>>
>> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
>> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal at gmail.com> wrote:
>> > >
>> > > Thanks for the review Han. Please find the comments inline below:
>> > >
>> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan at gmail.com> wrote:
>> > >>
>> > >> Thanks Ali, please see my comm
>> > >>
>> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal at gmail.com> wrote:
>> > >> >
>> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
>> > >> >  certs for starting standby DBs. Hence, we need this change.
>> > >> >
>> > >> > Signed-off-by: aginwala <aginwala at ebay.com>
>> > >> > ---
>> > >> >  ovn/utilities/ovndb-servers.ocf | 74
>> > ++++++++++++++++++++++++++++++++++++++++-
>> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
>> > >> >
>> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
>> > b/ovn/utilities/ovndb-servers.ocf
>> > >> > index 52141c7..80f81ae 100755
>> > >> > --- a/ovn/utilities/ovndb-servers.ocf
>> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > >> > @@ -10,6 +10,12 @@
>> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
>> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
>> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
>> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
>> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
>> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
>> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
>> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> >
>> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
crm_config
>> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
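Review bot: NB and SB get separate default key and certificate files here but share one default CA file, /etc/openvswitch/cacert.pem, and nothing says whether a single CA signing both DB certificates is the intended deployment; either add a comment next to these defaults stating that, or collapse the two cacert defaults into one, since as written a reader may assume the two were meant to differ.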
>> > >> > @@ -21,6 +27,13 @@
>> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>> > >> >
>> >
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>> > >> >
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>> > >> >
>> >
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
>> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
>> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
>> > >> >
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
>> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
>> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
>> > >> >
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
>> > >> > +
>> > >> >
>> > >> >  # In order for pacemaker to work with LB, we can set
>> > LISTEN_ON_MASTER_IP_ONLY
>> > >> >  # to false and pass LB vip IP while creating pcs resource.
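Review bot: the new resource keys (ovn_nb_db_privkey, ovn_nb_db_cert, ovn_nb_db_cacert and the SB ones) carry an ovn_ prefix that none of the existing keys in this block (sb_master_port, sb_master_protocol, manage_northd, inactive_probe_interval) use; for consistency name them nb_db_privkey and so on. Nothing validates the values either: a wrong path is accepted here and only fails later when ovsdb-server cannot open the file, so a readability test on the key, cert and CA cert when the protocol is ssl would give a much clearer error. The trailing `+` line also adds a blank line directly before an existing one.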
>> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>> > >> >    <content type="string" />
>> > >> >    </parameter>
>> > >> >
>> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB private key absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB private key absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
>> > >> > +  <longdesc lang="en">
>> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
>> > >> > +  </longdesc>
>> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
>> > >> > +  <content type="string" />
>> > >> > +  </parameter>
>> > >> > +
>> > >> >    </parameters>
>> > >> >
>> > >> >    <actions>
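Review bot: the six longdesc entries say only "absolute path for ssl setup"; each should state its default (the paths defined at the top of the file) and that the parameter takes effect only when the matching protocol parameter (sb_master_protocol and its NB counterpart) is ssl, otherwise users will set them on tcp resources and wonder why they have no effect. Something like "Absolute path to the OVN NB DB private key; used only when the NB protocol is ssl. Default: /etc/openvswitch/ovnnb-privkey.pem." per entry. In user-facing text "ssl" is better written as SSL.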
>> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
>> > >> >         set $@ --db-sb-addr=${MASTER_IP}
--db-sb-port=${SB_MASTER_PORT}
>> > >> >      fi
>> > >> >
>> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
>> > >> > +            set $@ --db-nb-create-insecure-remote=no
>> > >> "no" is the default value, so this line is not needed.
>> > >
>> > > >> Sure. This makes sense. Will check out the default behavior and update
>> > > >> it in the revised patch!
>> > >>
>> > >>
>> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
>> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
>> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
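Review bot: the key, cert and CA cert are appended for every role once NB_MASTER_PROTO is ssl, so every node, standby included, must have readable copies of ${NB_PRIVKEY}, ${NB_CERT} and ${NB_CACERT} before start; nothing in the start path checks that, so a missing or unreadable file surfaces only as an ovsdb-server start failure with no hint from the agent. Guard these lines with a readability check and return an OCF error (OCF_ERR_INSTALLED is the conventional code for missing files) when it fails. As already noted, --db-nb-create-insecure-remote=no restates the default and can go. Only the NB branch is visible in this hunk; the SB branch must mirror it exactly, including the protocol check.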
>> > >> This should be needed only for standby which sets
>> > --db-sb-use-remote-in-db=no.
>> > >
>> > > > As discussed, for each of the modes either ssl or tcp, all the nodes
>> > > > should have this option set.
>> >
>> > Agree. Since this script is for active-standby only, we can assume
>> > active-standby mode always uses command line options instead of DB settings.
>> >
>> > Acked-by: Han Zhou <hzhou8 at ebay.com>
>>
>> I haven't followed the discussion here so I'm going to assume that Ali
>> will post a v2 with Han's ack.
>>
>> Thanks,
>>
>> Ben.

On second thought, it seems there is still a problem.

There are two sets of SSL-related parameters we should consider in
the active-standby scenario.
- One set of parameters is for the server side. For the IPaddr2 use case, both
active and standby nodes will need them. For the LB use case, where only the
active node should listen on the port, only the active node should need
these parameters.
- Another set of parameters is for the client side, together with the
--sync-from parameter, so that the standby node can connect to the active
node as a client using SSL. These parameters are needed in standby node
only.

I didn't see how this is addressed. Did I miss anything?

For the server side SSL parameters, it should be valid to use DB settings
instead of command line options. (For client side, it may not be possible
to use DB settings since the standby nodes need to get the SSL parameters
before connecting to the (active) DB).

Thanks,
Han
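To make the server-side versus client-side split in Han's message concrete, here is an added example that is not code from the patch, from ovn-ctl or from ovndb-servers.ocf. It builds the ovsdb-server argument list for the OVN NB DB of one node in active-standby mode, modelling the LB use case where only the active node listens. It assumes ovsdb-server's --private-key, --certificate, --ca-cert, --remote and --sync-from options; since the key/cert/CA settings are process-wide in ovsdb-server, they cover both the pssl: listener on the active and the ssl: connection that --sync-from opens on the standby, so the two roles differ only in whether they get --remote or --sync-from. The file paths, the IP and the port are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the patch, ovn-ctl or ovndb-servers.ocf.
# Builds the ovsdb-server arguments for the OVN NB DB of one node in
# active-standby mode. Assumed: ovsdb-server's --private-key/--certificate/
# --ca-cert (process-wide SSL settings), --remote and --sync-from options.
# Paths, IP and port below are constructed for the example.

NB_PRIVKEY=/etc/openvswitch/ovnnb-privkey.pem
NB_CERT=/etc/openvswitch/ovnnb-cert.pem
NB_CACERT=/etc/openvswitch/cacert.pem

# nb_server_args ROLE PROTO MASTER_IP PORT
#   ROLE  : active | standby
#   PROTO : tcp | ssl
# Prints the extra ovsdb-server arguments for that node on one line;
# returns 1 for an unsupported role or protocol.
nb_server_args() {
    role=$1; proto=$2; master_ip=$3; port=$4
    args=""
    append() { args="${args:+$args }$1"; }

    case "$proto" in
        ssl)
            # Needed on every node: the active uses them for its pssl:
            # listener, the standby for the ssl: client connection that
            # --sync-from opens towards the active.
            append "--private-key=$NB_PRIVKEY"
            append "--certificate=$NB_CERT"
            append "--ca-cert=$NB_CACERT"
            ;;
        tcp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac

    case "$role" in
        active)
            # LB use case: only the active node listens, on the VIP.
            append "--remote=p$proto:$port:$master_ip"
            ;;
        standby)
            # The standby does not listen; it replicates from the active.
            append "--sync-from=$proto:$master_ip:$port"
            ;;
        *) echo "unsupported role: $role" >&2; return 1 ;;
    esac
    printf '%s\n' "$args"
}

# Stand-alone demonstration of both roles over ssl.
for r in active standby; do
    printf '%s (ssl): ovsdb-server %s\n' "$r" "$(nb_server_args "$r" ssl 10.0.0.10 6641)"
done
```

Switching PROTO to tcp drops the three SSL options and leaves only the listener or the --sync-from target, which is the behaviour the OCF script's `if [ "x${NB_MASTER_PROTO}" = xssl ]` guard is aiming for.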

