[ovs-dev] [PATCH v3 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.
Han Zhou
zhouhan at gmail.com
Wed Oct 10 19:58:24 UTC 2018
On Tue, Oct 9, 2018 at 3:11 PM aginwala <amginwal at gmail.com> wrote:
>
> For OVN DBs to work with SSL in an HA deployment, ovn-ctl needs a way to pass
> the SSL key, certificate and CA certificate on the command line when starting
> the OVN DBs. For example, in active/passive mode a standby DB cannot sync
> from the master node because the required SSL certificates are not available
> to it when the standby ovsdb-server is initialized (the SSL table of a DB that
> has not yet synced is empty). Hence this option is needed.
>
> e.g. start nb db with ssl certs as below:
> /usr/share/openvswitch/scripts/ovn-ctl
--ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> --db-nb-create-insecure-remote=no start_nb_ovsdb
>
> When certs are passed in the command line, it will read certs from the
path
> mentioned instead of default db configs.
>
> Certs can be generated based on ovs ssl docs:
> http://docs.openvswitch.org/en/latest/howto/ssl/
>
> Signed-off-by: aginwala <aginwala at ebay.com>
> ---
> ovn/utilities/ovn-ctl | 41
++++++++++++++++++++++++++++++++++++++---
> ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
> 2 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> index 3ff0df6..d71071a 100755
> --- a/ovn/utilities/ovn-ctl
> +++ b/ovn/utilities/ovn-ctl
> @@ -116,6 +116,9 @@ start_ovsdb__() {
> local addr
> local active_conf_file
> local use_remote_in_db
> + local ovn_db_ssl_key
> + local ovn_db_ssl_cert
> + local ovn_db_ssl_cacert
> eval pid=\$DB_${DB}_PID
> eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
> eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> @@ -137,6 +140,9 @@ start_ovsdb__() {
> eval addr=\$DB_${DB}_ADDR
> eval active_conf_file=\$ovn${db}_active_conf_file
> eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> + eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> + eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> + eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
>
> # Check and eventually start ovsdb-server for DB
> if pidfile_is_running $pid; then
> @@ -183,9 +189,23 @@ $cluster_remote_port
> if test X"$use_remote_in_db" != Xno; then
> set "$@" --remote=db:$schema_name,$table_name,connections
> fi
> - set "$@" --private-key=db:$schema_name,SSL,private_key
> - set "$@" --certificate=db:$schema_name,SSL,certificate
> - set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> +
> + if test X"$ovn_db_ssl_key" != X; then
> + set "$@" --private-key=$ovn_db_ssl_key
> + else
> + set "$@" --private-key=db:$schema_name,SSL,private_key
> + fi
> + if test X"$ovn_db_ssl_cert" != X; then
> + set "$@" --certificate=$ovn_db_ssl_cert
> + else
> + set "$@" --certificate=db:$schema_name,SSL,certificate
> + fi
> + if test X"$ovn_db_ssl_cacert" != X; then
> + set "$@" --ca-cert=$ovn_db_ssl_cacert
> + else
> + set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> + fi
> +
> set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
> set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
>
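Review bot: The new file paths are appended unquoted, e.g. `set "$@" --private-key=$ovn_db_ssl_key`, so a path containing whitespace or glob characters would be word-split into several arguments before reaching ovsdb-server; the three added `set` lines should read `set "$@" --private-key="$ovn_db_ssl_key"`, `set "$@" --certificate="$ovn_db_ssl_cert"` and `set "$@" --ca-cert="$ovn_db_ssl_cacert"`. The three overrides are also evaluated independently, so passing only the key and certificate silently falls back to `db:$schema_name,SSL,ca_cert` for the CA, mixing file-based and DB-based trust material; consider either requiring all three options together or stating the fallback in a comment above the first `if`, such as `# Any of the three SSL files not given on the command line is read from the DB's SSL table.`. It may also be worth checking `test -r` on each supplied file and failing early rather than letting ovsdb-server start with a broken SSL listener, if the script's existing failure-logging helper is available here. The enclosing start_ovsdb__ function begins and ends outside this hunk.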
> @@ -481,6 +501,15 @@ set_defaults () {
> OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
> DB_NB_USE_REMOTE_IN_DB="yes"
> DB_SB_USE_REMOTE_IN_DB="yes"
> +
> + OVN_NB_DB_SSL_KEY=""
> + OVN_NB_DB_SSL_CERT=""
> + OVN_NB_DB_SSL_CA_CERT=""
> +
> + OVN_SB_DB_SSL_KEY=""
> + OVN_SB_DB_SSL_CERT=""
> + OVN_SB_DB_SSL_CA_CERT=""
> +
> }
>
> set_option () {
> @@ -536,6 +565,12 @@ Options:
> --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
file
> --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN
Southbound SSL CA certificate file
> + --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
> + --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
> + --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
> + --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
> + --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
> + --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
> --ovn-manage-ovsdb=yes|no Whether or not the OVN databases
should be
> automatically started and stopped
along
> with ovn-northd. The default is
"yes". If
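Review bot: The added usage lines do not tell the operator that these options take precedence over the SSL table values stored in the database, which is the point of the change; the existing `--ovn-controller-ssl-*` entries have no such ambiguity because ovn-controller has no DB fallback. Consider extending the description of each new option, e.g. `--ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file (overrides the DB's SSL table)`, and likewise for the cert and CA cert entries on both NB and SB. The parsing that maps these flags to `OVN_NB_DB_SSL_KEY` and friends is not visible in this hunk, so this note concerns the help text only.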
> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> index 3b0e67a..c5294d7 100644
> --- a/ovn/utilities/ovn-ctl.8.xml
> +++ b/ovn/utilities/ovn-ctl.8.xml
> @@ -198,4 +198,18 @@
> start_northd
> </code>
> </p>
> +
> + <h2>Passing ssl keys when starting OVN dbs will supercede the
default ssl values in db</h2>
> + <h3>Starting standalone ovn db server passing SSL certificates</h3>
> + <p>
> + <code>
> + # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
> + --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
> + --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> + --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
> + --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
> + --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> + start_northd
> + </code>
> + </p>
> </manpage>
> --
> 1.9.1
>
Acked-by: Han Zhou <hzhou8 at ebay.com>