[ovs-dev] [PATCH ovn v2 2/3] ovn-northd/ovn-ic: Support ssl cert rotation.
Han Zhou
hzhou at ovn.org
Thu May 20 01:14:27 UTC 2021
Update SSL in the main loop so that updated pki files can be reapplied.
Signed-off-by: Han Zhou <hzhou at ovn.org>
---
ic/ovn-ic.c | 31 ++++++++++++++++++++++++++++++-
northd/ovn-northd-ddlog.c | 31 ++++++++++++++++++++++++++++++-
northd/ovn-northd.c | 31 ++++++++++++++++++++++++++++++-
tests/ovn-northd.at | 38 ++++++++++++++++++++++++++++++++++++++
4 files changed, 128 insertions(+), 3 deletions(-)
diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 18e37a31f..d69583956 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -80,6 +80,11 @@ static const char *ovn_ic_nb_db;
static const char *ovn_ic_sb_db;
static const char *unixctl_path;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
static void
usage(void)
@@ -1519,7 +1524,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
switch (c) {
OVN_DAEMON_OPTION_HANDLERS;
VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
case 'd':
ovnsb_db = optarg;
@@ -1585,6 +1601,18 @@ add_column_noalert(struct ovsdb_idl *idl,
ovsdb_idl_omit_alert(idl, column);
}
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
int
main(int argc, char *argv[])
{
@@ -1655,6 +1683,7 @@ main(int argc, char *argv[])
state.had_lock = false;
state.paused = false;
while (!exiting) {
+ update_ssl_config();
memory_run();
if (memory_should_report()) {
struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/northd/ovn-northd-ddlog.c b/northd/ovn-northd-ddlog.c
index b7d2c8a5e..73f50e049 100644
--- a/northd/ovn-northd-ddlog.c
+++ b/northd/ovn-northd-ddlog.c
@@ -74,6 +74,11 @@ static const char *ovnnb_db;
static const char *ovnsb_db;
static const char *unixctl_path;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
/* Frequently used table ids. */
static table_id WARNING_TABLE_ID;
static table_id NB_CFG_TIMESTAMP_ID;
@@ -1094,7 +1099,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
switch (c) {
OVN_DAEMON_OPTION_HANDLERS;
VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
case OPT_DDLOG_RECORD:
record_file = optarg;
@@ -1140,6 +1156,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
free(short_options);
}
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
int
main(int argc, char *argv[])
{
@@ -1219,6 +1247,7 @@ main(int argc, char *argv[])
/* Main loop. */
exiting = false;
while (!exiting) {
+ update_ssl_config();
memory_run();
if (memory_should_report()) {
struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 0e5092a87..04965dd6e 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -107,6 +107,11 @@ static bool use_ct_inv_match = true;
static int northd_probe_interval_nb = 0;
static int northd_probe_interval_sb = 0;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
#define MAX_OVN_TAGS 4096
/* Pipeline stages. */
@@ -14009,7 +14014,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
switch (c) {
OVN_DAEMON_OPTION_HANDLERS;
VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
case 'd':
ovnsb_db = optarg;
@@ -14059,6 +14075,18 @@ add_column_noalert(struct ovsdb_idl *idl,
ovsdb_idl_omit_alert(idl, column);
}
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
int
main(int argc, char *argv[])
{
@@ -14375,6 +14403,7 @@ main(int argc, char *argv[])
state.paused = false;
while (!exiting) {
+ update_ssl_config();
memory_run();
if (memory_should_report()) {
struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index bff2ade43..3c2aef4b0 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -3556,3 +3556,41 @@ AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl
AT_CLEANUP
])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn -- northd ssl file change])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[ '\"
+\\]"])
+ovn_start --no-backup-northd
+
+as northd
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+
+key=testpki-hv1-privkey.pem
+cert=testpki-hv1-cert.pem
+cacert=testpki-cacert.pem
+
+key2=testpki-hv2-privkey.pem
+cert3=testpki-hv3-cert.pem
+
+# Use mismatched key and cert when restarting using SSL options
+cp $PKIDIR/$key2 $key
+cp $PKIDIR/$cert3 $cert
+cp $PKIDIR/$cacert $cacert
+start_daemon ovn$NORTHD_TYPE -vjsonrpc \
+ --ovnnb-db=$OVN_NB_DB --ovnsb-db=$SSL_OVN_SB_DB \
+ -p $key -c $cert -C $cacert
+
+# SSL should not connect because of key and cert mismatch
+AT_FAIL_IF([ovn-nbctl --timeout=3 --wait=sb sync])
+
+# Modify the files with the correct key and cert, and reconnect should succeed
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+check ovn-nbctl --wait=sb sync
+
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+AT_CLEANUP
+])
--
2.30.2
More information about the dev
mailing list