[ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

aginwala aginwala amginwal at gmail.com
Tue Oct 9 16:02:22 UTC 2018


Thanks Numan for review. Just to update that V3 will only have changes for
ovn-ctl as per Han's suggestion to add details in help section there. ocf
script will remain unchanged. That is why I have added acked-by on this
patch. :)


On Mon, Oct 8, 2018 at 11:59 PM Numan Siddique <nusiddiq at redhat.com> wrote:

>
>
> On Tue, Oct 9, 2018 at 6:11 AM Han Zhou <zhouhan at gmail.com> wrote:
>
>> >>
>> >> Giving it a second thought, it seems there is still a problem.
>> >>
>> >> There should be two sets of SSL related parameters we should consider
>> >> in the active-standby scenario.
>> >> - One set of parameters is for the server side. For ipaddr2 use case,
>> >>   both active and standby nodes will need them. For LB use case, where
>> >>   only the active node should listen on the port, only the active node
>> >>   should need these parameters.
>> >> - Another set of parameters is for the client side, together with the
>> >>   --sync-from parameter, so that the standby node can connect to the
>> >>   active node as a client using SSL. These parameters are needed in
>> >>   standby node only.
>> >>
>> >> I didn't see how this is addressed. Did I miss anything?
>> >>
>> >> For the server side SSL parameters, it should be valid to use DB
>> >> settings instead of command line options. (For client side, it may
>> >> not be possible to use DB settings since the standby nodes need to
>> >> get the SSL parameters before connecting to the (active) DB).
>> >
>> > >> Just to clarify, for active-standby scenario, since we don't know
>> > >> who will become active server any time, it is safe to use same certs
>> > >> on all central nodes irrespective of which node is client or server.
>>
>> Ok, thanks. It is clarified after discussion that we are combining the
>> server side and client side ssl keys/certs to the same value for all
>> central nodes in the active-standby setup. I didn't know that same
>> settings actually work for both server and client, so it sounds good
>> to me.
>>
>
> From the pacemaker Resource script perspective, it looks good to me. I
> will take another look when you post v3.
>
> Thanks
> Numan
>

