[ovs-dev] [PATCH ovn v2 9/9] tests: Test with SSL and RBAC for controller by default
Frode Nordahl
frode.nordahl at canonical.com
Fri Mar 5 12:16:31 UTC 2021
To help ourselves not forget to update RBAC rules when we land
changes to existing functionality and new features, we must enable
SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds
with OpenSSL enabled.
Signed-off-by: Frode Nordahl <frode.nordahl at canonical.com>
---
tests/automake.mk | 9 +++++++--
tests/ofproto-macros.at | 12 ++++++++++++
tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++--
tests/ovn-northd.at | 6 +++---
4 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/tests/automake.mk b/tests/automake.mk
index 771dddea2..ba8567da4 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -237,7 +237,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES)
if HAVE_OPENSSL
OVS_PKI_DIR = $(CURDIR)/tests/pki
-TESTPKI_CNS = test test2
+# NOTE: Certificate generation has to be done serially, and each one adds a few
+# seconds to the test run. Please try to re-use one of the many CNs already
+# used in the existing tests.
+TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1
TESTPKI_FILES = $(shell \
for cn in $(TESTPKI_CNS); do \
echo tests/testpki-$$cn-cert.pem ; \
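Review bot: The new `TESTPKI_CNS` value is one very long line, so every future addition of a CN will show up as a rewrite of the whole line in a diff; splitting it with backslash continuations, a group of related CNs per line, keeps later changes small and reviewable. Since the value feeds a shell `for` loop that signs one certificate per word, an accidental duplicate would run `req+sign` twice for the same CN; wrapping the loop input as `$(sort $(TESTPKI_CNS))` would drop duplicates at no cost. The NOTE comment about serial generation cost is a good addition and should stay next to the list.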
@@ -262,9 +265,11 @@ tests/pki/stamp:
$(AM_V_at)rm -f tests/pki/stamp
$(AM_V_at)rm -rf tests/pki
$(AM_V_GEN)$(OVS_PKI) init && \
+ cd tests/pki && \
for cn in $(TESTPKI_CNS); do \
- $(OVS_PKI) req+sign tests/pki/$$cn; \
+ $(OVS_PKI) -u req+sign $$cn; \
done && \
+ cd ../../ && \
: > tests/pki/stamp
CLEANFILES += tests/ovs-pki.log
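Review bot: A failing `req+sign` inside the loop does not stop the recipe, because the loop's exit status is that of its last iteration and the body ends with `;`, so a certificate that fails to generate for one CN still results in `tests/pki/stamp` being written and the PKI looking up to date on the next run; change the body to `$(OVS_PKI) -u req+sign $$cn || exit 1; \`. Running the loop in a subshell, `( cd tests/pki && for ...; done ) && : > tests/pki/stamp`, would also remove the `cd ../../` and stop the stamp path from depending on the relative directory being exactly two levels deep. The `tests/pki/stamp:` rule header is outside the hunk.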
diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index 3d7ac08b3..23d793a95 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -104,6 +104,7 @@ start_daemon () {
#
# sim_add hv0
# as hv0 ovs-vsctl add-br br0
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
sims=
sim_add () {
echo "adding simulator '$1'"
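Review bot: `$abs_top_builddir` is expanded unquoted inside the command substitution on the new `PKIDIR=` line, so a build directory containing whitespace makes the `cd` fail and leaves `PKIDIR` empty; write `PKIDIR="$(cd "$abs_top_builddir/tests" && pwd)"`. The line is also placed between the comment block that documents `sim_add` and the `sims=` definition, so the comment now reads as though it describes `PKIDIR`; a one-line comment of its own, e.g. `# Directory holding the test PKI (testpki-*.pem) generated by tests/automake.mk.`, would separate the two.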
@@ -126,6 +127,17 @@ sim_add () {
# Start ovs-vswitchd
as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl
as $1 ovs-appctl vlog/disable-rate-limit vconn
+ if test X$HAVE_OPENSSL = Xyes; then
+ if test -f $PKIDIR/testpki-$1-privkey.pem; then
+ as $1 ovs-vsctl set-ssl \
+ $PKIDIR/testpki-$1-privkey.pem \
+ $PKIDIR/testpki-$1-cert.pem \
+ $PKIDIR/testpki-cacert.pem \
+ || return 1
+ else
+ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk"
+ fi
+ fi
}
# "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1.
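Review bot: When no certificate exists for a simulator, the new `else` branch only prints a WARNING on stdout and carries on, yet with `HAVE_OPENSSL` the controller's SB remote becomes `ssl:` (see the ovn-macros.at change in this patch), so the real failure surfaces later as a connection error far from its cause; at minimum send the message to stderr, `echo "WARNING: ..." >&2`, or `return 1` if every sim is expected to have a certificate. The `$PKIDIR` and `$1` expansions in the `test -f` and `set-ssl` arguments are unquoted, so a path with whitespace would break them; quoting costs nothing here. The start of `sim_add` is outside the hunk.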
diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
index be8114de2..25f3dbe34 100644
--- a/tests/ovn-macros.at
+++ b/tests/ovn-macros.at
@@ -124,7 +124,18 @@ ovn_init_db () {
mkdir "$d" || return 1
: > "$d"/.$1.db.~lock~
as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema
- as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db
+
+ local remote_in_db=
+ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then
+ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem"
+ fi
+
+ as $as_d start_daemon ovsdb-server \
+ -vjsonrpc \
+ --remote=punix:"$d"/$1.sock \
+ $remote_in_db \
+ "$d"/$1.db
+
local var=`echo $1_db | tr a-z- A-Z_`
AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var
}
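Review bot: `$remote_in_db` is deliberately left unquoted in the `start_daemon ovsdb-server` call so that the option string word-splits, but nothing says so and a later cleanup could "fix" the quoting and silently drop the SSL options; add `# Intentionally unquoted: word-splits into separate ovsdb-server options.` above the call. The `-a` form of `test` is obsolescent in POSIX; `if test X$HAVE_OPENSSL = Xyes && test X"$1" = X"ovn-sb"; then` is the portable spelling. Note that the `--private-key`/`--certificate`/`--ca-cert` paths embed `$PKIDIR`, which carries the same whitespace caveat as in ofproto-macros.at, and that the `punix:` remote on the next line carries no role, so it remains unrestricted while only the Connection-table `pssl` remote created in ovn_start enforces RBAC.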
@@ -193,6 +204,24 @@ ovn_start () {
ovn_start_northd backup $AZ
fi
+ if test X$HAVE_OPENSSL = Xyes; then
+ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create
+ # SB_Global and Connection with ovsdb-tool transact at DB creation
+ # time, but unfortunately that does not work, northd-ddlog will replace
+ # the SB_Global record on startup.
+ ovn-sbctl \
+ -- --id=@c create connection \
+ target=\"pssl:0:127.0.0.1\" role=ovn-controller \
+ -- add SB_Global . connections @c
+ local d=$ovs_base
+ if test -n "$AZ"; then
+ d=$d/$AZ
+ fi
+ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT])
+ var="SSL_OVN_SB_DB"
+ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var
+ fi
+
if test -n "$AZ"; then
ovn-nbctl --wait=sb sync || exit $?
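Review bot: The exit status of the `ovn-sbctl ... create connection ... add SB_Global . connections @c` transaction is not checked, so if it fails there is no pssl listener and the following `PARSE_LISTENING_PORT` fails with a much less obvious error; prefix the command with `check` if that helper is in scope here, or append `|| return 1`. `var="SSL_OVN_SB_DB"` is not declared `local`, unlike `var` in ovn_init_db, so it leaks into the caller's scope. Binding `pssl:0:127.0.0.1` keeps the TLS listener on loopback with an ephemeral port, which is the right choice for a test harness; a comment such as `# Port 0 picks a free port; PARSE_LISTENING_PORT reads it back from the log.` would make the sequence self-explanatory. The start and end of `ovn_start` are outside the hunk.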
@@ -257,11 +286,16 @@ ovn_az_attach() {
local ovn_remote
if test X"$az" = XNONE; then
- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
+ if test X$HAVE_OPENSSL = Xyes; then
+ ovn_remote=$SSL_OVN_SB_DB
+ else
+ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
+ fi
else
ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock
fi
ovs-vsctl \
+ -- set Open_vSwitch . external-ids:hostname=$sandbox \
-- set Open_vSwitch . external-ids:system-id=$sandbox \
-- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \
-- set Open_vSwitch . external-ids:ovn-encap-type=$encap \
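Review bot: The SSL remote is used only when `$az` is NONE; the named-AZ branch still points ovn-controller at `unix:$ovs_base/$az/ovn-sb/ovn-sb.sock`, so multi-AZ tests do not exercise RBAC even though the commit message presents SSL+RBAC as the default for controllers. If that is intentional, record it with `# Named-AZ tests still use the unix socket; RBAC is only exercised in the single-AZ case.` above the `else`. The new `external-ids:hostname=$sandbox` line is not explained; presumably it makes the Chassis hostname match the sandbox name the certificate was issued for, and a comment saying so would save the next reader from guessing. `ovn_az_attach` begins before the hunk and the `ovs-vsctl` command continues after it.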
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index f3f88fa12..979a10b7d 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -746,7 +746,7 @@ check_row_count Datapath_Binding 1
lf=$(count_rows Logical_Flow)
# Make nbdb ovsdb-server drop connection from ovn-northd.
-conn=$(as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes)
+conn=$(as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes|grep ^punix)
check as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/remove-remote "$conn"
conn2=punix:`pwd`/special.sock
check as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/add-remote "$conn2"
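Review bot: The `grep ^punix` filter assumes exactly one punix remote; if ovsdb-server ever lists more than one, `$conn` becomes multi-line and `remove-remote "$conn"` receives a single garbled argument, so `| grep ^punix | head -n 1` (or a comment stating the single-remote assumption) would be safer. The same applies to the ovn-sb hunk below at `conn=$(as ovn-sb ...)`. For ovn-nb this patch adds no `db:` remote, so the filter there appears to be for symmetry rather than need; if so, a short comment saying that would avoid a future reader looking for a second nb remote.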
@@ -781,7 +781,7 @@ check_row_count Datapath_Binding 1
lf=$(count_rows Logical_Flow)
# Make sbdb ovsdb-server drop connection from ovn-northd.
-conn=$(as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes)
+conn=$(as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes|grep ^punix)
check as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/remove-remote "$conn"
conn2=punix:`pwd`/special.sock
check as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/add-remote "$conn2"
@@ -2878,4 +2878,4 @@ wait_row_count FDB 0
ovn-sbctl list FDB
AT_CLEANUP
-])
\ No newline at end of file
+])
--
2.30.0