[ovs-dev] [PATCH v3 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

Han Zhou zhouhan at gmail.com
Wed Oct 10 19:58:24 UTC 2018


On Tue, Oct 9, 2018 at 3:11 PM aginwala <amginwal at gmail.com> wrote:
>
> For OVN DBs to work with SSL in HA, ovn-ctl needs a way to pass the SSL
> certificates when it starts the OVN DBs. For example, when the DBs are
> started in active/passive mode, a standby DB cannot sync from the master
> node because the required SSL certificates are not passed when the
> standby DB is initialized. Hence, we need this option.
>
> e.g. start nb db with ssl certs as below:
> /usr/share/openvswitch/scripts/ovn-ctl
--ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> --db-nb-create-insecure-remote=no start_nb_ovsdb
>
> When certs are passed in the command line, it will read certs from the
path
> mentioned instead of default db configs.
>
> Certs can be generated based on ovs ssl docs:
> http://docs.openvswitch.org/en/latest/howto/ssl/
>
> Signed-off-by: aginwala <aginwala at ebay.com>
> ---
>  ovn/utilities/ovn-ctl       | 41
++++++++++++++++++++++++++++++++++++++---
>  ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
>  2 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> index 3ff0df6..d71071a 100755
> --- a/ovn/utilities/ovn-ctl
> +++ b/ovn/utilities/ovn-ctl
> @@ -116,6 +116,9 @@ start_ovsdb__() {
>      local addr
>      local active_conf_file
>      local use_remote_in_db
> +    local ovn_db_ssl_key
> +    local ovn_db_ssl_cert
> +    local ovn_db_ssl_cacert
>      eval pid=\$DB_${DB}_PID
>      eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
>      eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> @@ -137,6 +140,9 @@ start_ovsdb__() {
>      eval addr=\$DB_${DB}_ADDR
>      eval active_conf_file=\$ovn${db}_active_conf_file
>      eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> +    eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> +    eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> +    eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
>
>      # Check and eventually start ovsdb-server for DB
>      if pidfile_is_running $pid; then
> @@ -183,9 +189,23 @@ $cluster_remote_port
>      if test X"$use_remote_in_db" != Xno; then
>          set "$@" --remote=db:$schema_name,$table_name,connections
>      fi
> -    set "$@" --private-key=db:$schema_name,SSL,private_key
> -    set "$@" --certificate=db:$schema_name,SSL,certificate
> -    set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> +
> +    if test X"$ovn_db_ssl_key" != X; then
> +        set "$@" --private-key=$ovn_db_ssl_key
> +    else
> +        set "$@" --private-key=db:$schema_name,SSL,private_key
> +    fi
> +    if test X"$ovn_db_ssl_cert" != X; then
> +        set "$@" --certificate=$ovn_db_ssl_cert
> +    else
> +        set "$@" --certificate=db:$schema_name,SSL,certificate
> +    fi
> +    if test X"$ovn_db_ssl_cacert" != X; then
> +        set "$@" --ca-cert=$ovn_db_ssl_cacert
> +    else
> +        set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> +    fi
> +
>      set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
>      set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
>
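Review bot: The user-supplied paths at `set "$@" --private-key=$ovn_db_ssl_key`, `--certificate=$ovn_db_ssl_cert` and `--ca-cert=$ovn_db_ssl_cacert` are expanded unquoted, so a path containing whitespace or glob characters is word-split before ovsdb-server ever sees it; quote the whole word, e.g. `set "$@" "--private-key=$ovn_db_ssl_key"`, and likewise for the certificate and CA lines. The three overrides are also checked independently, so passing only one of them silently mixes a file-based private key with a certificate and CA still read from the SSL table, which is unlikely to be what an operator intends; either require all three together or state in the usage text that each is applied on its own. Note too that `--ssl-protocols` and `--ssl-ciphers` keep coming from the database even when the key material does not, so on a freshly initialized standby whose SSL table is still empty they presumably fall back to ovsdb-server's built-in defaults — probably acceptable, but worth a comment such as `# protocol/cipher policy still comes from the SSL table; only the key, cert and CA can be overridden from the command line`. start_ovsdb__ begins before this hunk.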
> @@ -481,6 +501,15 @@ set_defaults () {
>      OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
>      DB_NB_USE_REMOTE_IN_DB="yes"
>      DB_SB_USE_REMOTE_IN_DB="yes"
> +
> +    OVN_NB_DB_SSL_KEY=""
> +    OVN_NB_DB_SSL_CERT=""
> +    OVN_NB_DB_SSL_CA_CERT=""
> +
> +    OVN_SB_DB_SSL_KEY=""
> +    OVN_SB_DB_SSL_CERT=""
> +    OVN_SB_DB_SSL_CA_CERT=""
> +
>  }
>
>  set_option () {
> @@ -536,6 +565,12 @@ Options:
>    --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
>    --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
file
>    --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN
Southbound SSL CA certificate file
> +  --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
> +  --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
> +  --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
> +  --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
> +  --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
> +  --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
>    --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases
should be
>                                     automatically started and stopped
along
>                                     with ovn-northd. The default is
"yes". If
> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> index 3b0e67a..c5294d7 100644
> --- a/ovn/utilities/ovn-ctl.8.xml
> +++ b/ovn/utilities/ovn-ctl.8.xml
> @@ -198,4 +198,18 @@
>            start_northd
>        </code>
>      </p>
> +
> +    <h2>Passing ssl keys when starting OVN dbs will supercede the
default ssl values in db</h2>
> +    <h3>Starting standalone ovn db server passing SSL certificates</h3>
> +    <p>
> +      <code>
> +        # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
> +          --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
> +          --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> +          --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
> +          --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
> +          --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> +           start_northd
> +      </code>
> +    </p>
>  </manpage>
> --
> 1.9.1
>

Acked-by: Han Zhou <hzhou8 at ebay.com>

