[ovs-discuss] Question to OVN DB pacemaker script

Han Zhou zhouhan at gmail.com
Wed May 9 19:14:41 UTC 2018


On Wed, May 9, 2018 at 11:51 AM, Numan Siddique <nusiddiq at redhat.com> wrote:

>
>
> On Thu, May 10, 2018 at 12:15 AM, Han Zhou <zhouhan at gmail.com> wrote:
>
>> Thanks Ali for the quick patch. Please see my comments inline.
>>
>> On Wed, May 9, 2018 at 9:30 AM, aginwala <aginwala at asu.edu> wrote:
>> >
>> > Thanks Han and Numan for the clarity to help sort it out.
>> >
>> > For making vip work with using LB in my two node setup, I had changed
>> below code to skip setting master IP when creating pcs resource for ovndbs
>> and listen on 0.0.0.0 instead. Hence, the discussion seems in line with the
>> code change which is small for sure as below:
>> >
>> >
>> > diff --git a/ovn/utilities/ovndb-servers.ocf
>> b/ovn/utilities/ovndb-servers.ocf
>> > index 164b6bc..d4c9ad7 100755
>> > --- a/ovn/utilities/ovndb-servers.ocf
>> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > @@ -295,8 +295,8 @@ ovsdb_server_start() {
>> >
>> >      set ${OVN_CTL}
>> >
>> > -    set $@ --db-nb-addr=${MASTER_IP} --db-nb-port=${NB_MASTER_PORT}
>> > -    set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>> > +    set $@ --db-nb-port=${NB_MASTER_PORT}
>> > +    set $@ --db-sb-port=${SB_MASTER_PORT}
>> >
>> >      if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
>> >          set $@ --db-nb-create-insecure-remote=yes
>> >
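Review bot: In ovsdb_server_start(), removing --db-nb-addr and --db-sb-addr unconditionally leaves both servers with no bind address, and the unchanged context just below shows the tcp case adding --db-nb-create-insecure-remote=yes, so a deployment that relied on MASTER_IP to confine that remote to one interface loses the restriction silently. Suggest keeping the address arguments as the default and making their omission opt-in through a resource parameter, documented alongside the other parameters.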
>>
>> This change solves the IP binding problem. It will just listen on 0.0.0.0.
>>
>
> One problem with this approach I see is that it would listen on all the
> IPs. Maybe it's not a good idea and may have some security issues.
>
> Can we instead check the value of  MASTER_IP param something like below ?
>
>  if [ "$MASTER_IP" == "0.0.0.0" ]; then
>      set $@ --db-nb-addr=${MASTER_IP} --db-nb-port=${NB_MASTER_PORT}
>      set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> else
>      set $@ --db-nb-port=${NB_MASTER_PORT}
>      set $@ --db-sb-port=${SB_MASTER_PORT}
> fi
>
> And when you create OVN pacemaker resource in your deployment, you can
> pass master_ip=0.0.0.0
>
> Will this work ?
>
>
Maybe some misunderstanding here. We still need to use master_ip = LB VIP,
so that the standby nodes can "sync-from" the active node. So we cannot
pass 0.0.0.0 explicitly.

I didn't understand your code above either. Why would we specify the
master_ip if we know it is 0.0.0.0? Or do you mean the other way around but
just a typo in the code?

For security of listening on any IP, I am not quite sure. It may be a
problem if the nodes sit on multiple networks and some of them are
considered insecure, and you want to listen on the secure one only. If
this is the concern, we can add a parameter e.g. LISTEN_ON_MASTER_IP_ONLY,
and set it to true by default. What do you think?

Thanks,
Han
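
The LISTEN_ON_MASTER_IP_ONLY idea from the message above, sketched as an added example (not code from this thread or from ovndb-servers.ocf). The function names, the accepted yes/no spellings, the fail-closed default and the sample address and ports are assumptions; the ovn-ctl flags are the ones shown in the quoted diff.

```shell
#!/bin/sh
# Added illustration, not project code. MASTER_IP, NB_MASTER_PORT,
# SB_MASTER_PORT and LISTEN_ON_MASTER_IP_ONLY are the names used in the
# thread; everything else here is hypothetical.

# Normalise the proposed parameter. Unset, empty or unrecognised values
# fail closed to "yes" (bind to MASTER_IP only), matching "true by default".
listen_on_master_ip_only() {
    case "$(printf '%s' "${LISTEN_ON_MASTER_IP_ONLY:-yes}" | tr 'A-Z' 'a-z')" in
        no|false|0|off) echo no ;;
        *) echo yes ;;
    esac
}

# Print the listen-related ovn-ctl arguments on one line.
ovndb_listen_args() {
    # master_ip stays the VIP that standbys sync from in both modes, so an
    # empty value or an explicit 0.0.0.0 is rejected rather than passed on.
    case "${MASTER_IP}" in
        ""|0.0.0.0)
            echo "master_ip must be the VIP standbys sync from, got '${MASTER_IP}'" >&2
            return 1 ;;
    esac
    nb_args="--db-nb-port=${NB_MASTER_PORT}"
    sb_args="--db-sb-port=${SB_MASTER_PORT}"
    if [ "$(listen_on_master_ip_only)" = yes ]; then
        # Default: keep the address arguments, as before the patch.
        nb_args="--db-nb-addr=${MASTER_IP} ${nb_args}"
        sb_args="--db-sb-addr=${MASTER_IP} ${sb_args}"
    fi
    # Opt-out: no address argument, so the servers listen on 0.0.0.0
    # (the behaviour the quoted patch makes unconditional).
    echo "${nb_args} ${sb_args}"
}

# Constructed sample values for a stand-alone run.
MASTER_IP=192.0.2.10
NB_MASTER_PORT=6641
SB_MASTER_PORT=6642
echo "restricted: $(ovndb_listen_args)"
echo "wildcard:   $(LISTEN_ON_MASTER_IP_ONLY=no; ovndb_listen_args)"
```
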