[ovs-dev] [PATCH ovn v3 3/3] ovn-dbctl.c: Support ssl cert rotation for daemon mode.

Han Zhou hzhou at ovn.org
Fri May 21 19:48:33 UTC 2021


Re-read the SSL private key, certificate and CA certificate files in server_loop so that rotated PKI files are reapplied without restarting the daemon.

Signed-off-by: Han Zhou <hzhou at ovn.org>
---
 tests/ovn-nbctl.at    | 40 ++++++++++++++++++++++++++++++++++++++++
 utilities/ovn-dbctl.c | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 8af55161f..c5c07f738 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -2016,3 +2016,43 @@ AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file --remote=punix:$
 AT_CHECK([ovn-nbctl show], [0], [ignore])
 OVN_NBCTL_TEST_STOP "/terminating with signal 15/d"
 AT_CLEANUP
+
+AT_SETUP([ovn-nbctl - daemon ssl files change])
+dnl Create ovn-nb database.
+AT_CHECK([ovsdb-tool create ovn-nb.db $abs_top_srcdir/ovn-nb.ovsschema])
+
+dnl Start ovsdb-server.
+
+key=testpki-hv1-privkey.pem
+cert=testpki-hv1-cert.pem
+
+key_server=$PKIDIR/testpki-test-privkey.pem
+cert_server=$PKIDIR/testpki-test-cert.pem
+cacert=$PKIDIR/testpki-cacert.pem
+
+key2=testpki-hv2-privkey.pem
+cert3=testpki-hv3-cert.pem
+
+ssl_options="--remote=pssl:0:127.0.0.1 ovn-nb.db -p $key_server -c $cert_server -C $cacert"
+AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file $ssl_options], [0], [], [stderr])
+on_exit "kill `cat ovsdb-server.pid`"
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+
+start_daemon ovn-nbctl --pidfile=ovn-nbctl.pid --db=ssl:127.0.0.1:$TCP_PORT \
+    -p $key -c $cert -C $cacert
+
+check ovn-appctl -t ovn-nbctl run init
+
+# Overwrite with mismatched key and cert
+cp $PKIDIR/$key2 $key
+cp $PKIDIR/$cert3 $cert
+OVS_WAIT_UNTIL([grep mismatch ovn-nbctl.log])
+
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+OVS_WAIT_UNTIL([ovn-appctl -t ovn-nbctl run show])
+
+AT_CLEANUP
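Review bot: The recovery check at the end only waits for `ovn-appctl -t ovn-nbctl run show` to succeed, which does not by itself show that the restored key and certificate were re-applied: if the daemon kept its already-established ovsdb session through the mismatch (nothing in the test forces a reconnect), `show` can succeed even when the reload never happened. Consider asserting on a log line that the files were re-read, or restarting ovsdb-server between the restore and the `show` so the daemon must redo the handshake with the restored material. Separately, `cp` onto the live `$key`/`$cert` paths is a non-atomic overwrite; that is fine for the mismatch probe, but a comment at the restore step could note that real rotation should use an atomic rename so the daemon never reads a half-written PEM.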
diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
index 12cbb8cac..9c3e21915 100644
--- a/utilities/ovn-dbctl.c
+++ b/utilities/ovn-dbctl.c
@@ -48,6 +48,11 @@ static bool oneline;
 /* --dry-run: Do not commit any changes. */
 static bool dry_run;
 
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 /* --wait=TYPE: Wait for configuration change to take effect? */
 static enum nbctl_wait_type wait_type = NBCTL_WAIT_NONE;
 
@@ -487,6 +492,18 @@ add_local_option(const char *name, const char *arg,
     return NULL;
 }
 
+static void
+update_ssl_config(void)
+{
+    if (ssl_private_key_file && ssl_certificate_file) {
+        stream_ssl_set_key_and_cert(ssl_private_key_file,
+                                    ssl_certificate_file);
+    }
+    if (ssl_ca_cert_file) {
+        stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+    }
+}
+
 static void
 apply_options_direct(const struct ovn_dbctl_options *dbctl_options,
                      const struct ovs_cmdl_parsed_option *parsed_options,
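Review bot: `update_ssl_config()` only installs the key and certificate when both `-p` and `-c` were given, so a command line that passes just one of them is now silently ignored, where the replaced `STREAM_SSL_OPTION_HANDLERS` applied each option on its own and let the SSL layer report the missing half. Rejecting the half-configured case explicitly would keep that feedback, e.g. `} else if (ssl_private_key_file || ssl_certificate_file) {` followed by `ctl_fatal("--private-key and --certificate must be specified together");`. Since the condition is fixed by the command line, that check belongs in `apply_options_direct` just before the first call rather than in this function, which is also called on every server_loop iteration. A header comment stating the contract would help too: `/* (Re)applies the SSL key, certificate and CA file given on the command line; called at startup and on every server_loop iteration so rotated files are picked up without a restart. */` The `apply_options_direct` definition that starts at the end of this hunk continues outside it.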
@@ -561,7 +578,18 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options,
         OVN_DAEMON_OPTION_HANDLERS
         VLOG_OPTION_HANDLERS
         TABLE_OPTION_HANDLERS(&table_style)
-        STREAM_SSL_OPTION_HANDLERS
+
+        case 'p':
+            ssl_private_key_file = optarg;
+            break;
+
+        case 'c':
+            ssl_certificate_file = optarg;
+            break;
+
+        case 'C':
+            ssl_ca_cert_file = optarg;
+            break;
 
         case OPT_BOOTSTRAP_CA_CERT:
             stream_ssl_set_ca_cert_file(po->arg, true);
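Review bot: Replacing `STREAM_SSL_OPTION_HANDLERS` with explicit `case 'p'/'c'/'C'` arms drops whatever else that macro expanded to; in OVS's stream-ssl.h it also handles `OPT_SSL_PROTOCOLS` and `OPT_SSL_CIPHERS`, so if this command's long-options table still lists `--ssl-protocols`/`--ssl-ciphers`, those options now fall into the switch's default arm (outside this hunk) instead of reaching `stream_ssl_set_protocols`/`stream_ssl_set_ciphers` — please confirm against the options table. If they are still accepted, add `case OPT_SSL_PROTOCOLS: stream_ssl_set_protocols(po->arg); break;` and `case OPT_SSL_CIPHERS: stream_ssl_set_ciphers(po->arg); break;`. The new arms read `optarg` while the neighbouring `OPT_BOOTSTRAP_CA_CERT` arm reads `po->arg`; using `po->arg` throughout avoids depending on the caller having mirrored it into `optarg`. Note also that these assignments keep the pointer for the daemon's whole lifetime, which is only safe if `po->arg` aliases argv rather than a buffer freed after parsing; if in doubt, `xstrdup` it. `apply_options_direct` begins before and ends after this hunk.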
@@ -581,6 +609,7 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options,
     if (!db) {
         db = dbctl_options->default_db;
     }
+    update_ssl_config();
 }
 
 static char *
@@ -1074,6 +1103,7 @@ server_loop(const struct ovn_dbctl_options *dbctl_options,
     unixctl_command_register("exit", "", 0, 0, server_cmd_exit, &exiting);
 
     for (;;) {
+        update_ssl_config();
         memory_run();
         if (memory_should_report()) {
             struct simap usage = SIMAP_INITIALIZER(&usage);
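Review bot: The new `update_ssl_config()` call at the top of the loop has no comment, and its purpose is not obvious from the name; suggest `/* Re-read the SSL key, certificate and CA files each iteration so that rotated PKI files take effect without restarting the daemon. */`. This runs on every pass through `server_loop`, so it relies on the stream_ssl setters being cheap when the files are unchanged (OVS's implementation appears to compare file metadata before reloading, but that is worth confirming rather than assumed). Reloading the files does not by itself close the daemon's existing ovsdb session; if the SSL layer does not tear it down, a rotated or revoked client certificate only takes effect at the next reconnect, which the commit message could state explicitly. `server_loop` starts before this hunk and continues past it.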
-- 
2.30.2


