[ovs-dev] [PATCH v3 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

Ben Pfaff blp at ovn.org
Thu Oct 11 21:05:55 UTC 2018


On Wed, Oct 10, 2018 at 12:58:24PM -0700, Han Zhou wrote:
> On Tue, Oct 9, 2018 at 3:11 PM aginwala <amginwal at gmail.com> wrote:
> >
> > For OVN DBs to work with SSL in HA, we need to have the capability to pass SSL
> > certs when starting OVN DBs. Say, when starting OVN DBs in active-passive mode,
> > the standby DBs cannot sync from the master node because the required SSL
> > certs are not passed when the standby DBs are initialized.
> > Hence, we need to have this option.
> >
> > e.g. start nb db with ssl certs as below:
> > /usr/share/openvswitch/scripts/ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> > --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> > --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> > --db-nb-create-insecure-remote=no start_nb_ovsdb
> >
> > When certs are passed on the command line, they are read from the paths
> > given instead of the default db configs.
> >
> > Certs can be generated based on ovs ssl docs:
> > http://docs.openvswitch.org/en/latest/howto/ssl/
> >
> > Signed-off-by: aginwala <aginwala at ebay.com>
> > ---
> >  ovn/utilities/ovn-ctl       | 41 ++++++++++++++++++++++++++++++++++++++---
> >  ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
> >  2 files changed, 52 insertions(+), 3 deletions(-)
> >
> > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > index 3ff0df6..d71071a 100755
> > --- a/ovn/utilities/ovn-ctl
> > +++ b/ovn/utilities/ovn-ctl
> > @@ -116,6 +116,9 @@ start_ovsdb__() {
> >      local addr
> >      local active_conf_file
> >      local use_remote_in_db
> > +    local ovn_db_ssl_key
> > +    local ovn_db_ssl_cert
> > +    local ovn_db_ssl_cacert
> >      eval pid=\$DB_${DB}_PID
> >      eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
> >      eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> > @@ -137,6 +140,9 @@ start_ovsdb__() {
> >      eval addr=\$DB_${DB}_ADDR
> >      eval active_conf_file=\$ovn${db}_active_conf_file
> >      eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> > +    eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> > +    eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> > +    eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
> >
> >      # Check and eventually start ovsdb-server for DB
> >      if pidfile_is_running $pid; then
> > @@ -183,9 +189,23 @@ $cluster_remote_port
> >      if test X"$use_remote_in_db" != Xno; then
> >          set "$@" --remote=db:$schema_name,$table_name,connections
> >      fi
> > -    set "$@" --private-key=db:$schema_name,SSL,private_key
> > -    set "$@" --certificate=db:$schema_name,SSL,certificate
> > -    set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> > +
> > +    if test X"$ovn_db_ssl_key" != X; then
> > +        set "$@" --private-key=$ovn_db_ssl_key
> > +    else
> > +        set "$@" --private-key=db:$schema_name,SSL,private_key
> > +    fi
> > +    if test X"$ovn_db_ssl_cert" != X; then
> > +        set "$@" --certificate=$ovn_db_ssl_cert
> > +    else
> > +        set "$@" --certificate=db:$schema_name,SSL,certificate
> > +    fi
> > +    if test X"$ovn_db_ssl_cacert" != X; then
> > +        set "$@" --ca-cert=$ovn_db_ssl_cacert
> > +    else
> > +        set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> > +    fi
> > +
> >      set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
> >      set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
> >
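Review bot: the three overrides are evaluated independently, so a caller who passes only --ovn-nb-db-ssl-key ends up with --private-key=<file> next to --certificate=db:... and --ca-cert=db:..., a mixed configuration that fails at TLS setup rather than at startup; check that either all three of $ovn_db_ssl_key, $ovn_db_ssl_cert and $ovn_db_ssl_cacert are set or none is, and exit with a message otherwise. The expansions are also unquoted (`set "$@" --private-key=$ovn_db_ssl_key`), so a path containing whitespace is split into separate arguments; write `set "$@" --private-key="$ovn_db_ssl_key"` and likewise for the other two. Nothing checks that the named files exist or are readable before ovsdb-server is started with them, either.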
> > @@ -481,6 +501,15 @@ set_defaults () {
> >      OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
> >      DB_NB_USE_REMOTE_IN_DB="yes"
> >      DB_SB_USE_REMOTE_IN_DB="yes"
> > +
> > +    OVN_NB_DB_SSL_KEY=""
> > +    OVN_NB_DB_SSL_CERT=""
> > +    OVN_NB_DB_SSL_CA_CERT=""
> > +
> > +    OVN_SB_DB_SSL_KEY=""
> > +    OVN_SB_DB_SSL_CERT=""
> > +    OVN_SB_DB_SSL_CA_CERT=""
> > +
> >  }
> >
> >  set_option () {
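Review bot: style, the hunk adds an empty `+` line directly before the closing `}` of set_defaults, leaving a stray blank line at the end of the function; drop it, and the leading blank `+` line after DB_SB_USE_REMOTE_IN_DB="yes" is enough to separate the new group.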
> > @@ -536,6 +565,12 @@ Options:
> >    --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> >    --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate
> file
> >    --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN
> Southbound SSL CA certificate file
> > +  --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
> > +  --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
> > +  --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
> > +  --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
> > +  --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
> > +  --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
> >    --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases
> should be
> >                                     automatically started and stopped
> along
> >                                     with ovn-northd. The default is
> "yes". If
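Review bot: option naming, the new options are spelled --ovn-nb-db-ssl-* while the existing per-database option used in the commit message's own example is --db-nb-create-insecure-remote, so the same database is addressed as "ovn-nb-db" in one option and "db-nb" in the other; since set_option derives the variable name from the option, --db-nb-ssl-key / --db-sb-ssl-key would keep both the option names and the DB_NB_... variable naming consistent. The help text should also say that a file given here overrides the value stored in the database's SSL table, which is the behaviour the commit message describes and the reason the option exists.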
> > diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> > index 3b0e67a..c5294d7 100644
> > --- a/ovn/utilities/ovn-ctl.8.xml
> > +++ b/ovn/utilities/ovn-ctl.8.xml
> > @@ -198,4 +198,18 @@
> >            start_northd
> >        </code>
> >      </p>
> > +
> > +    <h2>Passing ssl keys when starting OVN dbs will supercede the
> default ssl values in db</h2>
> > +    <h3>Starting standalone ovn db server passing SSL certificates</h3>
> > +    <p>
> > +      <code>
> > +        # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
> > +          --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
> > +          --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> > +          --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
> > +          --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
> > +          --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> > +           start_northd
> > +      </code>
> > +    </p>
> >  </manpage>
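Review bot: "supercede" is misspelled (supersede), and the <h2> is a full sentence rather than a title; something like "Starting OVN databases with explicitly specified SSL files" for the <h2>, with the override behaviour stated in a <p> beneath it, matches how the rest of the page is written. The <code> example also lacks the trailing backslashes that the commit-message example has, so the six-line command cannot be pasted as shown; add `\` line continuations or put it on one line.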
> > --
> > 1.9.1
> >
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> 
> Acked-by: Han Zhou <hzhou8 at ebay.com>

Thanks, Ali and Han.  I applied this to master.  Let me know if it needs
backports.
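A pre-flight check a practitioner might wrap around the new options, as an added example that is not part of the patch or of ovn-ctl itself: the patch hands the three paths straight to ovsdb-server, so a wrong path or a world-readable private key is only noticed when the server fails to start or when someone audits the host. The function names, the /etc/openvswitch paths in the usage comment and the permission policy (key must not be group- or world-readable) are assumptions made for illustration; the option names and the active-passive start command are those from the commit message.

```shell
#!/bin/sh
# Added example, not code from the ovn-ctl patch.  Checks the SSL files before
# they are passed to ovn-ctl, since the patch does not validate them.

# ovn_ssl_preflight KEY CERT CACERT
# Returns 0 when all three paths are readable regular files and the private
# key is not group- or world-readable; prints the reason and returns 1 otherwise.
# The permission policy is an assumption for this example.
ovn_ssl_preflight() {
    key=$1; cert=$2; cacert=$3
    for f in "$key" "$cert" "$cacert"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "ovn_ssl_preflight: $f is not a readable regular file" >&2
            return 1
        fi
    done
    # POSIX ls -l: character 5 is the group read bit, character 8 the other
    # read bit, so either being 'r' means the key is exposed beyond its owner.
    perms=$(ls -ld "$key" | cut -c1-10)
    case $perms in
        ????r*|???????r*)
            echo "ovn_ssl_preflight: $key is group- or world-readable ($perms)" >&2
            return 1 ;;
    esac
    return 0
}

# ovn_ssl_args DB KEY CERT CACERT
# Prints, on one line, the ovn-ctl options the patch adds for DB (nb or sb),
# plus --db-DB-create-insecure-remote=no so no plaintext remote is created.
ovn_ssl_args() {
    case $1 in
        nb|sb) ;;
        *) echo "ovn_ssl_args: db must be nb or sb, got '$1'" >&2; return 1 ;;
    esac
    printf '%s' "--ovn-$1-db-ssl-key=$2 --ovn-$1-db-ssl-cert=$3 --ovn-$1-db-ssl-ca-cert=$4 --db-$1-create-insecure-remote=no"
}

# Usage on a standby node (paths assumed from the commit message example):
#   k=/etc/openvswitch/ovnnb-privkey.pem
#   c=/etc/openvswitch/ovnnb-cert.pem
#   ca=/etc/openvswitch/cacert.pem
#   ovn_ssl_preflight "$k" "$c" "$ca" &&
#     /usr/share/openvswitch/scripts/ovn-ctl $(ovn_ssl_args nb "$k" "$c" "$ca") start_nb_ovsdb
```

The `-r` test runs as the invoking user, so run the check as the account ovsdb-server will run under; a root-owned 0600 key passes the permission test but is unreadable to an unprivileged daemon, and this check reports exactly that.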

