[ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

Numan Siddique nusiddiq at redhat.com
Tue Oct 9 06:59:02 UTC 2018

On Tue, Oct 9, 2018 at 6:11 AM Han Zhou <zhouhan at gmail.com> wrote:

> >>
> >> Giving a second thought, it seems there is still a problem.
> >>
> >> There should be two sets of SSL related parameters we should consider in
> the active-standby scenario.
> >> - One set of parameters is for the server side. For ipaddr2 use case,
> both active and standby nodes will need them. For LB use case, where only
> the active node should listen on the port, only the active node should need
> these parameters.
> >> - Another set of parameters is for the client side, together with the
> --sync-from parameter, so that the standby node can connect to the active
> node as a client using SSL. These parameters are needed in standby node
> only.
> >>
> >> I didn't see how this is addressed. Did I miss anything?
> >>
> >> For the server side SSL parameters, it should be valid to use DB
> settings instead of command line options. (For client side, it may not be
> possible to use DB settings since the standby nodes need to get the SSL
> parameters before connecting to the (active) DB).
> >
> > >> Just to clarify, for active-standby scenario, since we don't know who
> will become active server any time, it is safe to use same certs on all
> central nodes irrespective of which node is client or server.
> Ok, thanks. It is clarified after discussion that we are combining the
> server side and client side ssl keys/certs to the same value for all
> central nodes in the active-standby setup. I didn't know that same settings
> actually work for both server and client, so it sounds good for me.

From the pacemaker Resource script perspective, it looks good to me. I will
take another look when you post v3.
