[ovs-discuss] [External] : Re: ovsdb-server --private-key=db:OVN_Northbound, SSL, private_key etc

Ben Pfaff blp at ovn.org
Tue Jul 20 18:21:30 UTC 2021


On Tue, Jul 20, 2021 at 10:27:30AM +0100, Brendan Doyle wrote:
> 
> 
> On 19/07/2021 17:32, Ben Pfaff wrote:
> > On Mon, Jul 19, 2021 at 04:29:07PM +0100, Brendan Doyle wrote:
> > 
> > > When I start OVN/OVS using ovn-ctl /ovs-ctl the ovsdb-server processes have
> > > SSL credentials of the form:
> > > 
> > > --private-key=db:Open_vSwitch,SSL,private_key
> > > --certificate=db:Open_vSwitch,SSL,certificate
> > > --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
> > > 
> > > --private-key=db:OVN_Northbound,SSL,private_key
> > > --certificate=db:OVN_Northbound,SSL,certificate
> > > --ca-cert=db:OVN_Northbound,SSL,ca_cert
> > > --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
> > > --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers
> > > 
> > > --private-key=db:OVN_Southbound,SSL,private_key
> > > --certificate=db:OVN_Southbound,SSL,certificate
> > > --ca-cert=db:OVN_Southbound,SSL,ca_cert
> > > --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
> > > --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers
> > > 
> > > From what I gather this means it gets these values from the database, OVS,
> > > OVN North/South?
> > > 
> > > But does that mean that SSL is enabled by default and uses a default set of
> > > credentials/ciphers?
> > > 
> > > Or does it mean if these values (Open_vSwitch,SSL,certificate e.g.) are not
> > > set in the OVS or OVN North/South bound database
> > > then the connections are not SSL?
> > > 
> > > And if the latter is the case, how are these set?
> > It means that SSL/TLS connections will use these values.  Whether SSL is
> > in use is separately configured.  If you see "pssl:..." in a remote,
> > that's an SSL one; "ptcp:..." is for non-SSL TCP.
> 
> 
> OK, not used if SSL is not configured. If SSL is configured, it uses the
> credentials pointed to by --private-key etc., which can be in the
> Open_vSwitch, OVN_Northbound or OVN_Southbound databases in the specified
> table or elsewhere. So wondering, are there helper tools (ovn-ctl /ovs-ctl ?)
> to set these DB tables, or are they created/manipulated by modifying the DB
> directly? Guess read the manual.

ovs-vsctl, ovn-nbctl, and ovn-sbctl have commands to manipulate these
tables.
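As an added example that is not part of this thread and not OVS/OVN project code: a small POSIX shell helper that applies the two points made above. It classifies ovsdb remote strings the way Ben describes (pssl:/ssl: are TLS, ptcp:/tcp: are cleartext TCP, punix:/unix: are local sockets), so an operator can audit what `ovn-nbctl get-connection` or a process command line actually exposes, and it wraps the ovs-vsctl/ovn-nbctl/ovn-sbctl `set-ssl` commands that populate the SSL tables the `db:...,SSL,private_key` references read from. The key/cert/CA paths are placeholders, the 6641/6642 listener ports are assumed to be the usual OVN NB/SB ports, and the sample remote list is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Classifies ovsdb
# remotes and shows the *ctl commands that fill the SSL tables that
# "--private-key=db:Open_vSwitch,SSL,private_key" etc. point at.

# Scheme prefix of a remote, e.g. "pssl" for "pssl:6641".
remote_scheme() {
    printf '%s\n' "${1%%:*}"
}

# 0 (true) when the remote is a TLS listener (pssl:) or TLS client (ssl:).
remote_uses_tls() {
    case "$(remote_scheme "$1")" in
        pssl|ssl) return 0 ;;
        *)        return 1 ;;
    esac
}

# 0 (true) when the remote is cleartext TCP over the network (ptcp:/tcp:).
remote_is_cleartext_net() {
    case "$(remote_scheme "$1")" in
        ptcp|tcp) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print one classification line per remote in a space-separated list
# (the shape "ovn-nbctl get-connection" prints). Writes to stderr so the
# count below stays machine-readable.
audit_remotes() {
    for r in $1; do
        if remote_uses_tls "$r"; then
            echo "TLS        $r" >&2
        elif remote_is_cleartext_net "$r"; then
            echo "CLEARTEXT  $r" >&2
        else
            echo "LOCAL      $r" >&2
        fi
    done
}

# Print the number of cleartext network remotes in the list; anything
# above 0 means the SSL table is irrelevant for those listeners, since
# TLS is selected by the remote scheme, not by the presence of a key.
count_cleartext_remotes() {
    n=0
    for r in $1; do
        if remote_is_cleartext_net "$r"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Populate the SSL rows in Open_vSwitch, OVN_Northbound and OVN_Southbound
# and switch the NB/SB listeners to pssl. Only runs where the tools exist;
# arguments are paths to the private key, certificate and CA certificate.
configure_ovn_tls() {
    key=$1; cert=$2; cacert=$3
    if ! command -v ovs-vsctl >/dev/null 2>&1; then
        echo "ovs-vsctl not installed; nothing to configure" >&2
        return 0
    fi
    ovs-vsctl set-ssl "$key" "$cert" "$cacert"
    ovn-nbctl set-ssl "$key" "$cert" "$cacert"
    ovn-sbctl set-ssl "$key" "$cert" "$cacert"
    # Ports assumed to be the default OVN northbound/southbound ports.
    ovn-nbctl set-connection pssl:6641
    ovn-sbctl set-connection pssl:6642
}

# Constructed sample: one TLS listener, one cleartext listener, one local socket.
SAMPLE_REMOTES="pssl:6641 ptcp:6642 punix:/var/run/ovn/ovnnb_db.sock"
audit_remotes "$SAMPLE_REMOTES"
echo "cleartext network remotes: $(count_cleartext_remotes "$SAMPLE_REMOTES")"
```

Run it as-is to see the classification of the constructed sample; on a real host, feed it `$(ovn-nbctl get-connection)` and, once keys exist, call `configure_ovn_tls /path/key.pem /path/cert.pem /path/cacert.pem` (placeholder paths).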