[ovs-dev] [PATCH ovn 1/4] ovn-northd.at: Fix test "northd ssl file change -- ovn-northd-ddlog".

Mark Michelson mmichels at redhat.com
Mon Jun 14 18:56:08 UTC 2021


On 6/11/21 6:30 PM, Han Zhou wrote:
> 
> 
> On Fri, Jun 11, 2021 at 11:24 AM Mark Michelson <mmichels at redhat.com> wrote:
>  >
>  > Hi Han,
>  >
>  > I'm fine with fixing the test this way, since like you said it's not
>  > meant to test RBAC.
>  >
>  > Acked-by: Mark Michelson <mmichels at redhat.com>
>  >
> Thanks Mark! I applied the patch 1-3 of this series to master and 
> branch-2.16. I will address your comment for patch 4.
> 
>  > However, based on how this sounds, there is still a bug in
>  > ovn-northd-ddlog wrt RBAC, and that should still be fixed since this
>  > could cause failures for other tests.
>  >
> 
> In fact this is not a fault of ovn-northd-ddlog. It may be a general 
> problem of north RBAC - the only role we defined is for ovn-controller, 
> which is set in the Connection table's "role" column for the SSL connect 
> method. It means there is no role for northd to apply RBAC. So if northd 
> wants to use SSL, it needs a different SSL connection (probably a 
> different port) in the connection table without setting the "role" 
> (leave it empty). A workaround to the problem has been discussed somewhere 
> (probably on GitHub): use iptables rules or another FW mechanism to allow 
> access to the port dedicated for northd (without RBAC) only from northd 
> IPs.

Unless a test is specifically testing SSL between northd and the 
southbound database, it's probably OK for northd to connect to the 
southbound database using a unix socket by default. Then, if SSL is 
required for a specific test, create the second connection using a 
separate port.

> 
> For this test, it fails because the SSL connection created by the 
> ovn_start() already sets the "role" to ovn-controller, so through this 
> connection it is not allowed to update tables other than the ones 
> allowed for ovn-controller role. For the regular ovn-northd this test 
> case always succeeds because in fact the regular ovn-northd handles 
> sb_cfg update incorrectly when the update to SB fails. It updates the 
> expected sb_cfg back to NB even if it is not written to SB successfully. 
> It can be fixed as a separate patch (not something urgent though).
> 

I agree. This isn't something super urgent.

> Thanks,
> Han
> 
>  > On 6/11/21 2:24 AM, Han Zhou wrote:
>  > > This test fails for ovn-northd-ddlog because of the RBAC role when using
>  > > the SSL connection. RBAC is not the purpose of the test case, so this
>  > > patch fixes it without enabling RBAC.
>  > >
>  > > Signed-off-by: Han Zhou <hzhou at ovn.org>
>  > > ---
>  > >   tests/ovn-northd.at | 19 +++++++++++++++++--
>  > >   1 file changed, 17 insertions(+), 2 deletions(-)
>  > >
>  > > diff --git a/tests/ovn-northd.at <http://ovn-northd.at> 
> b/tests/ovn-northd.at <http://ovn-northd.at>
>  > > index 4692775ad..ad1732da3 100644
>  > > --- a/tests/ovn-northd.at <http://ovn-northd.at>
>  > > +++ b/tests/ovn-northd.at <http://ovn-northd.at>
>  > > @@ -3618,9 +3618,23 @@ ovn_start --backup-northd=none
>  > >   as northd
>  > >   OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
>  > >
>  > > +as ovn-sb
>  > > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
>  > > +
>  > > +key_server=testpki-test-privkey.pem
>  > > +cert_server=testpki-test-cert.pem
>  > > +cacert=testpki-cacert.pem
>  > > +
>  > > +cd ovn-sb
>  > > +rm ovsdb-server.log
>  > > +ssl_options="--remote=pssl:0:127.0.0.1 ovn-sb.db -p 
> $PKIDIR/$key_server -c $PKIDIR/$cert_server -C $PKIDIR/$cacert"
>  > > +AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file 
> $ssl_options], [0], [], [stderr])
>  > > +on_exit "kill `cat ovsdb-server.pid`"
>  > > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
>  > > +cd ..
>  > > +
>  > >   key=testpki-hv1-privkey.pem
>  > >   cert=testpki-hv1-cert.pem
>  > > -cacert=testpki-cacert.pem
>  > >
>  > >   key2=testpki-hv2-privkey.pem
>  > >   cert3=testpki-hv3-cert.pem
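Review bot: restarting the southbound ovsdb-server with a bare `--remote=pssl:0:127.0.0.1` is the whole point of the fix, but nothing in the hunk says why; add a comment above `as ovn-sb` explaining that the SSL remote created by `ovn_start` comes from the Connection table with `role` set to `ovn-controller`, so northd's writes through it are rejected by RBAC, whereas a command-line pssl remote carries no role. The same comment should state the trade-off: on this new port access is gated only by the client-certificate check (`-C $PKIDIR/$cacert`), so any client holding a certificate from the test CA gets unrestricted write access to the SB database, which is acceptable in the sandbox but is exactly the gap the cover discussion says needs a firewall rule in real deployments. Minor: `rm ovsdb-server.log` could be `rm -f` so a missing log does not print an error before `PARSE_LISTENING_PORT` reads the fresh one.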
>  > > @@ -3629,8 +3643,9 @@ cert3=testpki-hv3-cert.pem
>  > >   cp $PKIDIR/$key2 $key
>  > >   cp $PKIDIR/$cert3 $cert
>  > >   cp $PKIDIR/$cacert $cacert
>  > > +as northd
>  > >   start_daemon ovn$NORTHD_TYPE -vjsonrpc \
>  > > -    --ovnnb-db=$OVN_NB_DB --ovnsb-db=$SSL_OVN_SB_DB \
>  > > +    --ovnnb-db=$OVN_NB_DB --ovnsb-db=ssl:127.0.0.1:$TCP_PORT \
>  > >       -p $key -c $cert -C $cacert
>  > >
>  > >   # SSL should not connect because of key and cert mismatch
>  > >
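Review bot: `as northd` is required here because `as ovn-sb` in the earlier hunk switched the sandbox context, and without it the daemon's pidfile and log would land in the ovn-sb directory; a one-line comment saying so would save the next reader a trip back up the file. Two smaller points: `ssl:127.0.0.1:$TCP_PORT` repeats the address hardcoded in `pssl:0:127.0.0.1` above, so a single variable for the listen address would keep the two in sync, and since `$SSL_OVN_SB_DB` is no longer passed to northd here, check that it is not still referenced later in this test. It would also help to extend `# SSL should not connect because of key and cert mismatch` to say that the rejection is now expected at the TLS handshake rather than from RBAC, since the role-free remote no longer exercises RBAC at all.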
>  >
