[ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

Han Zhou zhouhan at gmail.com
Tue Oct 9 00:40:37 UTC 2018


>>
>> Giving a second thought, it seems there is still a problem.
>>
>> There should be two sets of SSL related parameters we should consider in
>> the active-standby scenario.
>> - One set of parameters is for the server side. For ipaddr2 use case,
>> both active and standby nodes will need them. For LB use case, where only
>> the active node should listen on the port, only the active node should need
>> these parameters.
>> - Another set of parameters is for the client side, together with the
>> --sync-from parameter, so that the standby node can connect to the active
>> node as a client using SSL. These parameters are needed in standby node
>> only.
>>
>> I didn't see how this is addressed. Did I miss anything?
>>
>> For the server side SSL parameters, it should be valid to use DB
>> settings instead of command line options. (For client side, it may not be
>> possible to use DB settings since the standby nodes need to get the SSL
>> parameters before connecting to the (active) DB).
>
> >> Just to clarify, for active-standby scenario, since we don't know who
> >> will become active server any time, it is safe to use same certs on all
> >> central nodes irrespective of which node is client or server.

Ok, thanks. It is clarified after discussion that we are combining the
server side and client side ssl keys/certs to the same value for all
central nodes in the active-standby setup. I didn't know that the same settings
actually work for both server and client, so it sounds good to me.
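The arrangement agreed above, written out as an added shell example (not code from the ovndb-servers.ocf script or the patch): one key/cert/CA set is passed to ovsdb-server on every central node, the active node uses it for its pssl: listener on the LB VIP, and the standby uses the same files for the ssl: client side of --sync-from. The helper name, the VIP and the file paths are constructed for illustration.

```shell
# Hypothetical helper (not from ovndb-servers.ocf): emit the ovsdb-server
# SSL arguments for one node in the LB-VIP active-standby case.
ovsdb_ssl_args() {
    role="$1"      # "active" or "standby"
    vip="$2"       # load-balancer VIP in front of the central nodes
    port="$3"      # DB port, e.g. 6641 for the NB DB
    key="$4"; cert="$5"; cacert="$6"

    # The same key/cert/CA serve both server and client side, so every
    # central node gets them regardless of its current role.
    ssl="--private-key=$key --certificate=$cert --ca-cert=$cacert"

    case "$role" in
        active)
            # Only the active node listens on the VIP port (LB use case).
            echo "$ssl --remote=pssl:$port:$vip"
            ;;
        standby)
            # Standby connects to the active node as an SSL client and
            # does not open a listener of its own.
            echo "$ssl --sync-from=ssl:$vip:$port"
            ;;
        *)
            echo "unknown role: $role" >&2
            return 1
            ;;
    esac
}
```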

