On Thu, Dec 8, 2016 at 8:37 AM, Lance Richardson <lrich...@redhat.com>
wrote:

> > From: "Numan Siddique" <nusid...@redhat.com>
> > To: "Lance Richardson" <lrich...@redhat.com>
> > Cc: "ovs dev" <d...@openvswitch.org>
> > Sent: Thursday, December 8, 2016 8:01:07 AM
> > Subject: Re: [ovs-dev] [PATCH 3/3] ovn-ctl: add support for SSL nb/sb db connections
> >
> > On Thu, Dec 1, 2016 at 9:07 PM, Lance Richardson <lrich...@redhat.com>
> > wrote:
> >
> > > Add support for SSL connections to OVN northbound and/or
> > > southbound databases.
> > >
> > > To improve security, the NB and SB ovsdb daemons no longer
> > > have open ptcp connections by default.  This is a change in
> > > behavior from previous versions; users wishing to use TCP
> > > connections to the NB/SB daemons can either request that
> > > a passive TCP connection be used via ovn-ctl command-line
> > > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > > scripts):
> > >
> > >     --db-sb-default-remote=yes
> > >     --db-nb-default-remote=yes
> > >
> > > Or configure a connection after the NB/SB daemons have been
> > > started, e.g.:
> > >
> > >     ovn-sbctl set-connection ptcp:6642
> > >     ovn-nbctl set-connection ptcp:6641
> > >
> > > Users desiring SSL database connections will need to generate certificates
> > > and private key as described in INSTALL.SSL.rst and perform the following
> > > one-time configuration steps:
> > >
> > >    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
> > >    ovn-sbctl set-connection pssl:6642
> > >    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
> > >    ovn-nbctl set-connection pssl:6641
> > >
> > > On the ovn-controller and ovn-controller-vtep side, SSL configuration
> > > must be provided on the command-line when the daemons are started, this
> > > should be provided via the following command-line options (e.g. via
> > > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> > >
> > >    --ovn-controller-ssl-key=<private-key>
> > >    --ovn-controller-ssl-cert=<certificate>
> > >    --ovn-controller-ssl-ca-cert=<ca-cert>
> > >
> > > The SB database connection should also be configured to use SSL, e.g.:
> > >
> > >     ovs-vsctl set Open_vSwitch . \
> > >               external-ids:ovn-remote=ssl:w.x.y.z:6642
> > >
> > > Signed-off-by: Lance Richardson <lrich...@redhat.com>
> > > ---
> > >  NEWS                        |  5 ++++
> > >  manpages.mk                 |  4 +++
> > >  ovn/utilities/ovn-ctl       | 72 ++++++++++++++++++++++++++++++
> > > ++++-----------
> > >  ovn/utilities/ovn-ctl.8.xml |  7 +++++
> > >  4 files changed, 71 insertions(+), 17 deletions(-)
> > >
> > > diff --git a/NEWS b/NEWS
> > > index 3a33abf..9ac8808 100644
> > > --- a/NEWS
> > > +++ b/NEWS
> > > @@ -9,6 +9,11 @@ Post-v2.6.0
> > >       * Support for source IP address based routing.
> > >       * Support for managing SSL and remote connection configuration in
> > >         northbound and southbound databases.
> > > +     * TCP connections to northbound and southbound databases are no
> > > +       longer enabled by default and must be explicitly configured.
> > > +       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> command
> > > +       or ovn-ctl "--db-sb-default-remote"/"--db-nb-default-remote"
> > > +       options for information regarding enabling TCP connections.
> > >     - Fixed regression in table stats maintenance introduced in OVS
> > >       2.3.0, wherein the number of OpenFlow table hits and misses was
> > >       not accurate.
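Review bot: the NEWS entry records only the TCP-by-default change, but the commit message also introduces new user-visible ovn-ctl options (--db-sb-default-remote/--db-nb-default-remote, which this bullet only points at, and --ovn-controller-ssl-key/--ovn-controller-ssl-cert/--ovn-controller-ssl-ca-cert for ovn-controller and ovn-controller-vtep). Consider a second bullet naming them, since an upgrader who moves the SB database to pssl: has to know where to supply the controller-side key, certificate and CA certificate.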
> > > diff --git a/manpages.mk b/manpages.mk
> > > index 11ec023..742bd66 100644
> > > --- a/manpages.mk
> > > +++ b/manpages.mk
> > > @@ -10,6 +10,8 @@ ovn/utilities/ovn-sbctl.8: \
> > >         lib/table.man \
> > >         lib/vlog.man \
> > >         ovsdb/remote-active.man \
> > > +       ovsdb/remote-active.man \
> > > +       ovsdb/remote-passive.man \
> > >         ovsdb/remote-passive.man
> > >  ovn/utilities/ovn-sbctl.8.in:
> > >  lib/common.man:
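Review bot: the two added lines duplicate dependencies that are already present in the surrounding context (ovsdb/remote-active.man appears immediately above the '+' lines and ovsdb/remote-passive.man immediately below them). manpages.mk is a generated file, so the duplicates suggest the ovn-sbctl man page source now includes the same .man fragments twice; fix the include and regenerate rather than committing the repeated entries.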
> > > @@ -20,6 +22,8 @@ lib/ssl.man:
> > >  lib/table.man:
> > >  lib/vlog.man:
> > >  ovsdb/remote-active.man:
> > > +ovsdb/remote-active.man:
> > > +ovsdb/remote-passive.man:
> > >  ovsdb/remote-passive.man:
> > >
> > >  ovsdb/ovsdb-client.1: \
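Review bot: same duplication as the previous hunk: the added empty targets ovsdb/remote-active.man: and ovsdb/remote-passive.man: already exist in the context lines around them. Drop the duplicates (or regenerate manpages.mk once the repeated include is fixed) so the file stays consistent with what the generator produces.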
> > > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > > index 73e78e5..4dade90 100755
> > > --- a/ovn/utilities/ovn-ctl
> > > +++ b/ovn/utilities/ovn-ctl
> > > @@ -50,7 +50,7 @@ stop_ovsdb () {
> > >
> > >  demote_ovnnb() {
> > >      if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
> > > -        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" >
> > > $ovnnb_active_conf_file
> > > +        echo
> > > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT"
> > > > $ovnnb_active_conf_file
> > >      fi
> > >
> > >      if test -e $ovnnb_active_conf_file; then
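Review bot: $DB_NB_SYNC_FROM_PROTO is used here but no default for it is visible in the patch. If set_defaults does not initialise it (e.g. DB_NB_SYNC_FROM_PROTO=${DB_NB_SYNC_FROM_PROTO:-tcp}), an existing deployment that sets only DB_NB_SYNC_FROM_ADDR will write ":addr:port" into $ovnnb_active_conf_file and the replication remote becomes invalid. The new variable should also be documented in ovn-ctl.8.xml, with a note that a tcp value keeps the active/backup replication path unauthenticated even when client access to the database is pssl: only.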
> > > @@ -64,7 +64,7 @@ demote_ovnnb() {
> > >
> > >  demote_ovnsb() {
> > >      if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
> > > -        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" >
> > > $ovnsb_active_conf_file
> > > +        echo
> > > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT"
> > > > $ovnsb_active_conf_file
> > >      fi
> > >
> > >      if test -e $ovnsb_active_conf_file; then
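Review bot: same point as demote_ovnnb: $DB_SB_SYNC_FROM_PROTO needs a documented default (tcp to preserve current behaviour, ssl for an SSL-only southbound deployment), otherwise the active-conf file receives a malformed remote when only DB_SB_SYNC_FROM_ADDR is set.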
> > > @@ -93,15 +93,21 @@ start_ovsdb () {
> > >
> > >          set ovsdb-server
> > >
> > > -        set "$@" --detach --monitor $OVN_NB_LOG \
> > > -            --log-file=$OVN_NB_LOGFILE \
> > > -            --remote=punix:$DB_NB_SOCK \
> > > -            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
> > > -            --pidfile=$DB_NB_PID \
> > > -            --unixctl=ovnnb_db.ctl
> > > +        set "$@" --detach --monitor
> > > +        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
> > > +        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
> > > +        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
> > > +        set "$@" --unixctl=ovnnb_db.ctl
> > > +        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
> > > +        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
> > > +        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
> > > +
> > > +        if test X"$
> > > ​​
> > > DB_NB_DEFAULT_REMOTE" = Xyes; then
> > > +            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
> > > +        fi
> > >
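Review bot: with --db-nb-default-remote=yes this hunk still appends --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR on the command line next to --remote=db:OVN_Northbound,NB_Global,connections, so an operator who later runs "ovn-nbctl set-connection pssl:6641" ends up with an authenticated and an unauthenticated listener side by side, which is exactly the parallel path argued against later in this thread. Either have ovn-ctl refuse the ptcp remote once the SSL table is populated, or state plainly in ovn-ctl.8.xml that --db-nb-default-remote=yes opens an unauthenticated listener on $DB_NB_ADDR:$DB_NB_PORT. The test X"$DB_NB_DEFAULT_REMOTE" = Xyes also relies on set_defaults giving the variable a default of "no", which is not shown in the quoted hunks.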
> >
> > You think it's good to add the remote defined in $DB_NB_ADDR/$DB_NB_PORT
> > into the Connection table by this script if $DB_NB_DEFAULT_REMOTE is set
> > to No.
> >
>
> Hi Numan,
>
> This would imply that unauthenticated/insecure remote access to the
> NB database is always available.
>
> Users wanting to use SSL for the NB database connection are likely
> to be concerned about security and authentication for this connection;
> having a default parallel connection path with unrestricted access
> would make the use of SSL pointless.
>
> An alternative that would preserve existing behavior would be to
> have users needing SSL set e.g. "DB_NB_NO_DEFAULT_REMOTE=yes" in
> their environment, but this would be error-prone. It seems better
> to err on the side of security by default.
>
>
I was looking at this with Numan and thought of another idea.

What would you think of changing the DEFAULT_REMOTE option to be
CREATE_REMOTE to more clearly indicate that the option is telling ovn-ctl
that we want it to go ahead and set up a remote for us.

When CREATE_REMOTE is "yes", instead of adding it to the ovsdb-server
command line, how about we add it to the Connection table.  That way we
can add support for some additional options.  This came up from our need to
set the inactivity_probe option.  Presumably we could add some more options
to this script to let you enable SSL through options, as well.

Numan had a start at a patch doing something like this here, but it
probably makes sense to just integrate with your patch.

https://github.com/numansiddique/overcloud_image_for_ovn/blob/master/patches/ovs-0005-ovn-ctl-Add-remotes-in-Connection-table-of-NB-and-SB.patch


> Regards,
>
>    Lance
>
> > Something like below
> >
> > #########
> > if test X"$DB_NB_DEFAULT_REMOTE" = Xno; then
> >    ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR"
> > fi
> > #########
> >
> > Thanks
> > Numan
> >
> >
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>



-- 
Russell Bryant
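Added example, not part of this thread and not ovn-ctl's own code: a POSIX sh sketch of the remote selection debated above (the opt-in ptcp remote from the start_ovsdb hunk, under a CREATE_REMOTE-style yes/no switch) together with an audit of the resulting remote set for the parallel plaintext path Lance describes. The function names, the remote_class categories and the sample socket paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not ovn-ctl's own code. Models the remote selection debated
# in this thread and audits the resulting remote set. Function names and
# sample values are assumptions of this example.

# Print, one per line, the --remote= arguments ovsdb-server would be started
# with for the northbound database. A plaintext ptcp listener is appended only
# when create_remote is "yes", mirroring the patch's opt-in default.
nb_remote_args() {
    sock=$1; addr=$2; port=$3; create_remote=$4
    printf '%s\n' "--remote=punix:$sock"
    printf '%s\n' "--remote=db:OVN_Northbound,NB_Global,connections"
    if test X"$create_remote" = Xyes; then
        printf '%s\n' "--remote=ptcp:$port:$addr"
    fi
}

# Classify a remote target by scheme: local socket, TLS-authenticated,
# plaintext network, indirect (resolved from a database table) or unknown.
remote_class() {
    case $1 in
        punix:*|unix:*) echo local ;;
        pssl:*|ssl:*)   echo ssl ;;
        ptcp:*|tcp:*)   echo plaintext ;;
        db:*)           echo indirect ;;
        *)              echo unknown ;;
    esac
}

# Audit the effective remote set (command-line remotes plus the targets found
# in the Connection table, passed as arguments). Returns 1 when an ssl/pssl
# remote coexists with a tcp/ptcp one, because clients can simply use the
# unauthenticated path; returns 0 otherwise.
audit_remotes() {
    has_ssl=0; has_plain=0; plain_list=
    for r in "$@"; do
        case $(remote_class "$r") in
            ssl)       has_ssl=1 ;;
            plaintext) has_plain=1; plain_list="$plain_list $r" ;;
        esac
    done
    if test "$has_ssl" -eq 1 && test "$has_plain" -eq 1; then
        echo "insecure: SSL remote undermined by plaintext remote(s):$plain_list" >&2
        return 1
    fi
    return 0
}

# Demo: the secure default (no ptcp) and an SSL-only configuration pass;
# mixing pssl with ptcp is flagged.
nb_remote_args /var/run/openvswitch/ovnnb_db.sock 0.0.0.0 6641 no
audit_remotes punix:/var/run/openvswitch/ovnnb_db.sock pssl:6641 && echo "ssl-only: ok"
audit_remotes punix:/var/run/openvswitch/ovnnb_db.sock pssl:6641 ptcp:6641 || echo "mixed: rejected"
```

The audit is the part worth keeping in a real deployment: after `ovn-nbctl set-connection` and `ovn-sbctl set-connection`, feed it the command-line remotes and the Connection-table targets so a stray ptcp listener next to a pssl one is caught before ovn-controller is pointed at ssl:.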