[ovs-dev] [PATCH ovn v2 2/3] ovn-northd/ovn-ic: Support ssl cert rotation.

Han Zhou hzhou at ovn.org
Thu May 20 01:14:27 UTC 2021


Update the SSL configuration in the main loop so that updated PKI files are reapplied.

Signed-off-by: Han Zhou <hzhou at ovn.org>
---
 ic/ovn-ic.c               | 31 ++++++++++++++++++++++++++++++-
 northd/ovn-northd-ddlog.c | 31 ++++++++++++++++++++++++++++++-
 northd/ovn-northd.c       | 31 ++++++++++++++++++++++++++++++-
 tests/ovn-northd.at       | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 128 insertions(+), 3 deletions(-)

diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 18e37a31f..d69583956 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -80,6 +80,11 @@ static const char *ovn_ic_nb_db;
 static const char *ovn_ic_sb_db;
 static const char *unixctl_path;
 
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 
 static void
 usage(void)
@@ -1519,7 +1524,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
         switch (c) {
         OVN_DAEMON_OPTION_HANDLERS;
         VLOG_OPTION_HANDLERS;
-        STREAM_SSL_OPTION_HANDLERS;
+
+        case 'p':
+            ssl_private_key_file = optarg;
+            break;
+
+        case 'c':
+            ssl_certificate_file = optarg;
+            break;
+
+        case 'C':
+            ssl_ca_cert_file = optarg;
+            break;
 
         case 'd':
             ovnsb_db = optarg;
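Review bot: Replacing `STREAM_SSL_OPTION_HANDLERS` with only the `'p'`/`'c'`/`'C'` cases drops whatever else that macro handled; as far as I recall the OVS macro also covers `OPT_SSL_PROTOCOLS` and `OPT_SSL_CIPHERS`, so if parse_options' long-options table (outside this hunk) still lists `--ssl-protocols` and `--ssl-ciphers`, those would now fall into the switch's default case and an operator's TLS protocol/cipher restrictions would stop being applied. Keeping `case OPT_SSL_PROTOCOLS: stream_ssl_set_protocols(optarg); break;` and `case OPT_SSL_CIPHERS: stream_ssl_set_ciphers(optarg); break;` next to the three new cases preserves that behaviour. The same substitution is made in the ovn-northd-ddlog.c and ovn-northd.c parse_options hunks. The switch and parse_options both continue outside this hunk.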
@@ -1585,6 +1601,18 @@ add_column_noalert(struct ovsdb_idl *idl,
     ovsdb_idl_omit_alert(idl, column);
 }
 
+static void
+update_ssl_config(void)
+{
+    if (ssl_private_key_file && ssl_certificate_file) {
+        stream_ssl_set_key_and_cert(ssl_private_key_file,
+                                    ssl_certificate_file);
+    }
+    if (ssl_ca_cert_file) {
+        stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+    }
+}
+
 int
 main(int argc, char *argv[])
 {
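Review bot: `update_ssl_config` is undocumented and its contract is not obvious from the body: the key and certificate are only (re)applied when both `-p` and `-c` were given, so a lone `-p` or `-c` is now silently ignored where the replaced handlers set each file independently, and the `false` passed to `stream_ssl_set_ca_cert_file` is unexplained. A header comment along the lines of `/* Re-applies the SSL key/cert pair and CA cert from the command-line paths; called on every main-loop iteration so rotated PKI files are picked up. Key and cert are applied together and only when both were given; 'false' disables CA-cert bootstrapping. */` would capture that. Since this runs on every loop iteration, it is worth confirming that the stream_ssl setters are cheap when the files are unchanged (I believe they compare file timestamps before reloading, but that is not visible here). The function is duplicated byte-for-byte in the ovn-northd-ddlog.c and ovn-northd.c hunks and could live in one shared helper. `add_column_noalert` ends and `main` begins in this hunk; both bodies continue outside it.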
@@ -1655,6 +1683,7 @@ main(int argc, char *argv[])
     state.had_lock = false;
     state.paused = false;
     while (!exiting) {
+        update_ssl_config();
         memory_run();
         if (memory_should_report()) {
             struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/northd/ovn-northd-ddlog.c b/northd/ovn-northd-ddlog.c
index b7d2c8a5e..73f50e049 100644
--- a/northd/ovn-northd-ddlog.c
+++ b/northd/ovn-northd-ddlog.c
@@ -74,6 +74,11 @@ static const char *ovnnb_db;
 static const char *ovnsb_db;
 static const char *unixctl_path;
 
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 /* Frequently used table ids. */
 static table_id WARNING_TABLE_ID;
 static table_id NB_CFG_TIMESTAMP_ID;
@@ -1094,7 +1099,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
         switch (c) {
         OVN_DAEMON_OPTION_HANDLERS;
         VLOG_OPTION_HANDLERS;
-        STREAM_SSL_OPTION_HANDLERS;
+
+        case 'p':
+            ssl_private_key_file = optarg;
+            break;
+
+        case 'c':
+            ssl_certificate_file = optarg;
+            break;
+
+        case 'C':
+            ssl_ca_cert_file = optarg;
+            break;
 
         case OPT_DDLOG_RECORD:
             record_file = optarg;
@@ -1140,6 +1156,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
     free(short_options);
 }
 
+static void
+update_ssl_config(void)
+{
+    if (ssl_private_key_file && ssl_certificate_file) {
+        stream_ssl_set_key_and_cert(ssl_private_key_file,
+                                    ssl_certificate_file);
+    }
+    if (ssl_ca_cert_file) {
+        stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+    }
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -1219,6 +1247,7 @@ main(int argc, char *argv[])
     /* Main loop. */
     exiting = false;
     while (!exiting) {
+        update_ssl_config();
         memory_run();
         if (memory_should_report()) {
             struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 0e5092a87..04965dd6e 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -107,6 +107,11 @@ static bool use_ct_inv_match = true;
 static int northd_probe_interval_nb = 0;
 static int northd_probe_interval_sb = 0;
 
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 #define MAX_OVN_TAGS 4096
 
 /* Pipeline stages. */
@@ -14009,7 +14014,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
         switch (c) {
         OVN_DAEMON_OPTION_HANDLERS;
         VLOG_OPTION_HANDLERS;
-        STREAM_SSL_OPTION_HANDLERS;
+
+        case 'p':
+            ssl_private_key_file = optarg;
+            break;
+
+        case 'c':
+            ssl_certificate_file = optarg;
+            break;
+
+        case 'C':
+            ssl_ca_cert_file = optarg;
+            break;
 
         case 'd':
             ovnsb_db = optarg;
@@ -14059,6 +14075,18 @@ add_column_noalert(struct ovsdb_idl *idl,
     ovsdb_idl_omit_alert(idl, column);
 }
 
+static void
+update_ssl_config(void)
+{
+    if (ssl_private_key_file && ssl_certificate_file) {
+        stream_ssl_set_key_and_cert(ssl_private_key_file,
+                                    ssl_certificate_file);
+    }
+    if (ssl_ca_cert_file) {
+        stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+    }
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -14375,6 +14403,7 @@ main(int argc, char *argv[])
     state.paused = false;
 
     while (!exiting) {
+        update_ssl_config();
         memory_run();
         if (memory_should_report()) {
             struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index bff2ade43..3c2aef4b0 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -3556,3 +3556,41 @@ AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl
 
 AT_CLEANUP
 ])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn -- northd ssl file change])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[ 	'\"
+\\]"])
+ovn_start --no-backup-northd
+
+as northd
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+
+key=testpki-hv1-privkey.pem
+cert=testpki-hv1-cert.pem
+cacert=testpki-cacert.pem
+
+key2=testpki-hv2-privkey.pem
+cert3=testpki-hv3-cert.pem
+
+# Use mismatched key and cert when restarting using SSL options
+cp $PKIDIR/$key2 $key
+cp $PKIDIR/$cert3 $cert
+cp $PKIDIR/$cacert $cacert
+start_daemon ovn$NORTHD_TYPE -vjsonrpc \
+    --ovnnb-db=$OVN_NB_DB --ovnsb-db=$SSL_OVN_SB_DB \
+    -p $key -c $cert -C $cacert
+
+# SSL should not connect because of key and cert mismatch
+AT_FAIL_IF([ovn-nbctl --timeout=3 --wait=sb sync])
+
+# Modify the files with the correct key and cert, and reconnect should succeed
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+check ovn-nbctl --wait=sb sync
+
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+AT_CLEANUP
+])
-- 
2.30.2


