[ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

aginwala aginwala amginwal at gmail.com
Mon Oct 8 23:51:43 UTC 2018


On Mon, Oct 8, 2018 at 2:17 PM Han Zhou <zhouhan at gmail.com> wrote:

>
>
> On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala <amginwal at gmail.com>
> wrote:
> >
> > Yes, that's right.  I will send out v2 in a bit with Han's ack.
> >
> >
> > Regards,
> > Aliasgar
> >
> > On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <blp at ovn.org> wrote:
> >>
> >> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> >> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amginwal at gmail.com>
> wrote:
> >> > >
> >> > > Thanks for the review Han. Please find the comments inline below:
> >> > >
> >> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhouhan at gmail.com> wrote:
> >> > >>
> >> > >> Thanks Ali, please see my comm
> >> > >>
> >> > >> On Fri, Sep 21, 2018 at 5:38 PM <amginwal at gmail.com> wrote:
> >> > >> >
> >> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need
> to pass
> >> > ssl
> >> > >> >  certs for starting standby DBs. Hence, we need this change.
> >> > >> >
> >> > >> > Signed-off-by: aginwala <aginwala at ebay.com>
> >> > >> > ---
> >> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> >> > ++++++++++++++++++++++++++++++++++++++++-
> >> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> > >> >
> >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> >> > b/ovn/utilities/ovndb-servers.ocf
> >> > >> > index 52141c7..80f81ae 100755
> >> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > >> > @@ -10,6 +10,12 @@
> >> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> >
> >> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
> crm_config
> >> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > >> > @@ -21,6 +27,13 @@
> >> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> > >> >
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> > >> >
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> > >> >
> >> >
>  INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > >> >
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > >> >
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > >> >
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > >> >
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > >> > +
> >> > >> >
> >> > >> >  # In order for pacemaker to work with LB, we can set
> >> > LISTEN_ON_MASTER_IP_ONLY
> >> > >> >  # to false and pass LB vip IP while creating pcs resource.
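Review bot: the naming drifts across the three layers of this change: the defaults are `NB_SSL_KEY_DEFAULT`/`SB_SSL_KEY_DEFAULT`, the variables introduced here are `NB_PRIVKEY`/`SB_PRIVKEY`, and the resource parameters they read are `ovn_nb_db_privkey`/`ovn_sb_db_privkey`. Settle on one spelling (e.g. `NB_PRIVKEY_DEFAULT` paired with `NB_PRIVKEY`) so the OCF parameter, the shell variable and its default can be found together, the way the surrounding lines pair `MANAGE_NORTHD` with `MANAGE_NORTHD_DEFAULT`.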
> >> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> > >> >    <content type="string" />
> >> > >> >    </parameter>
> >> > >> >
> >> > >> > +  <parameter name="ovn_nb_db_privkey" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_nb_db_cert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_nb_db_cacert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_privkey" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB private key absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_cert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> > +  <parameter name="ovn_sb_db_cacert" unique="1">
> >> > >> > +  <longdesc lang="en">
> >> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> >> > >> > +  </longdesc>
> >> > >> > +  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
> >> > >> > +  <content type="string" />
> >> > >> > +  </parameter>
> >> > >> > +
> >> > >> >    </parameters>
> >> > >> >
> >> > >> >    <actions>
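Review bot: `unique="1"` on all six new parameters is questionable: in OCF metadata it declares that no two instances of this agent may share the value, yet two instances sharing `/etc/openvswitch/cacert.pem` (the default for both the NB and the SB CA cert) would be entirely legitimate, so `unique="0"` fits file paths better unless the file's existing parameters deliberately use `unique="1"`. The longdesc text should also say that each path is consulted only when the corresponding `nb_master_protocol`/`sb_master_protocol` is `ssl` and that the file must be present on every node that can become active, which is the operational detail an administrator reading `pcs resource describe` output needs.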
> >> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >> > >> >         set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> >> > >> >      fi
> >> > >> >
> >> > >> > +    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> >> > >> > +            set $@ --db-nb-create-insecure-remote=no
> >> > >> "no" is the default value, so this line is not needed.
> >> > >
> >> > > >> Sure. This makes sense. Will check out the default behavior and
> update
> >> > it the revised patch!
> >> > >>
> >> > >>
> >> > >> > +            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> >> > >> > +            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> >> > >> > +            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
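Review bot: the three paths are handed to ovn-ctl without checking that the files exist: if `${NB_PRIVKEY}`, `${NB_CERT}` or `${NB_CACERT}` is missing or unreadable on a node, ovsdb-server fails during start and pacemaker reports a generic start failure rather than a configuration error. Add a check for the ssl case in the agent's validate action (or just before these `set $@` lines), for each of the three files along the lines of `[ -r "${NB_PRIVKEY}" ] || { ocf_log err "NB SSL key ${NB_PRIVKEY} not readable"; return $OCF_ERR_CONFIGURED; }`, so a misconfigured node is reported as such before the DB is started. The quoted excerpt shows only the NB branch; the SB branch should mirror it with `SB_MASTER_PROTO` and the `SB_*` variables defined in the earlier hunk.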
> >> > >> This should be needed only for standby which sets
> >> > --db-sb-use-remote-in-db=no.
> >> > >
> >> > > > As discussed, for each of the modes either ssl or tcp, all the
> nodes
> >> > should have this option set.
> >> >
> >> > Agree. Since this script is for active-standby only, we can assume
> >> > active-standby mode always use command line option instead of DB
> settings.
> >> >
> >> > Acked-by: Han Zhou <hzhou8 at ebay.com>
> >>
> >> I haven't followed the discussion here so I'm going to assume that Ali
> >> will post a v2 with Han's ack.
> >>
> >> Thanks,
> >>
> >> Ben.
>
> Giving a second thought, it seems there is still a problem.
>
> There should be two sets of SSL related parameters we should consider in
> the active-standby scenario.
> - One set of parameters is for the server side. For ipaddr2 use case, both
> active and standby nodes will need them. For LB use case, where only the
> active node should listen on the port, only the active node should need
> these parameters.
> - Another set of parameters is for the client side, together with the
> --sync-from parameter, so that the standby node can connect to the active
> node as a client using SSL. These parameters are needed in standby node
> only.
>
> I didn't see how is this addressed. Did I miss anything?
>
> For the server side SSL parameters, it should be valid to use DB settings
> instead of command line options. (For client side, it may not be possible
> to use DB settings since the standby nodes need to get the SSL parameters
> before connecting to the (active) DB).
>
Just to clarify, for the active-standby scenario, since we don't know who
will become the active server at any time, it is safe to use the same certs on all
central nodes irrespective of which node is client or server.

For the previous condition I verified and tested that the default
condition is insecure=no, which works fine, and hence have removed that line.
I have addressed the same and have sent out v2 with your ack. Let me know
further. :)

>
>
> Thanks,
> Han
>
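An added example (not code from the patch, from ovndb-servers.ocf or from ovn-ctl) that composes the NB DB options per node role as the two parameter sets in Han's comment describe, checking first that the SSL files are readable; the `--ovn-nb-db-ssl-*` names are the ones the patch uses, while the `--db-nb-sync-from-*` names are assumed to be ovn-ctl's standby replication options.

```shell
#!/bin/sh
# Added example, not code from the patch or from ovndb-servers.ocf.
# Composes the ovn-ctl SSL options for the NB DB per node role, following the
# two parameter sets the thread distinguishes: server-side key/cert/CA for a
# node that listens, and a --sync-from triple for a standby that connects to
# the active node as a client. The --db-nb-sync-from-* names are assumed.

# Succeed only if every SSL file is readable; otherwise name the culprit on
# stderr. ovsdb-server would fail later with a less direct error, so the RA
# can turn this into a clear validate/start failure instead.
ovn_ssl_files_ok() {
    for f in "$1" "$2" "$3"; do
        if [ ! -r "$f" ]; then
            echo "ssl file missing or unreadable: $f" >&2
            return 1
        fi
    done
    return 0
}

# Print the ovn-ctl options for one node.
#   $1 role (active|standby)  $2 protocol (tcp|ssl)
#   $3 master IP  $4 master port
#   $5 key  $6 cert  $7 CA cert  (consulted only when $2 is ssl)
ovn_nb_args() {
    nb_role=$1 nb_proto=$2 nb_ip=$3 nb_port=$4
    nb_key=$5 nb_cert=$6 nb_cacert=$7
    nb_args=""
    if [ "$nb_proto" = ssl ]; then
        ovn_ssl_files_ok "$nb_key" "$nb_cert" "$nb_cacert" || return 1
        # ovsdb-server uses one key/cert/CA set both for the port it listens
        # on and for its outgoing --sync-from connection, so every node that
        # speaks SSL in either direction carries these (the same files on
        # every node, as the thread concludes).
        nb_args="--ovn-nb-db-ssl-key=$nb_key --ovn-nb-db-ssl-cert=$nb_cert"
        nb_args="$nb_args --ovn-nb-db-ssl-ca-cert=$nb_cacert"
    fi
    if [ "$nb_role" = standby ]; then
        # Client side: only the standby replicates from the active node, and
        # it must know these before it can reach the DB, hence command line
        # options rather than settings stored in the DB itself.
        nb_args="$nb_args --db-nb-sync-from-addr=$nb_ip"
        nb_args="$nb_args --db-nb-sync-from-port=$nb_port"
        nb_args="$nb_args --db-nb-sync-from-proto=$nb_proto"
    fi
    printf '%s\n' "${nb_args# }"
}
```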