On Tue, Jul 31, 2018 at 02:08:54PM -0700, Qiuyu Xiao wrote:
> This patch adds step-by-step guide for configuring OVN Role-Based Access
> Control and IPsec.
>
> Signed-off-by: Qiuyu Xiao <[email protected]>
Here are my suggestions for this patch (really for this one, this time).
I'll look forward to v5 of this series!
Thanks,
Ben.
--8<--------------------------cut here-------------------------->8--
diff --git a/Documentation/index.rst b/Documentation/index.rst
index bab5ba1f1a98..46261235c732 100644
--- a/Documentation/index.rst
+++ b/Documentation/index.rst
@@ -66,7 +66,9 @@ vSwitch? Start here.
:doc:`tutorials/ovn-sandbox` |
:doc:`tutorials/ovn-openstack` |
:doc:`tutorials/ovs-conntrack` |
- :doc:`tutorials/ipsec`
+ :doc:`tutorials/ipsec` |
+ :doc:`tutorials/ovn-ipsec` |
+ :doc:`tutorials/ovn-rbac`
Deeper Dive
-----------
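Review bot: the new ``ovn-rbac`` entry is listed after ``ovn-ipsec``, but the IPsec tutorial (see the ovn-ipsec.rst hunk below, "you can use the RBAC SSL certificates and keys to set up OVN IPsec") treats RBAC as the prerequisite, so listing ``:doc:`tutorials/ovn-rbac``` before ``:doc:`tutorials/ovn-ipsec``` would put the reading order right. The ``|`` separators are correct as changed: the former last entry gained one and the new last entry has none. Please also confirm both new files are included in a Sphinx toctree somewhere, since this page only links them with ``:doc:`` and Sphinx warns about documents missing from every toctree.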
diff --git a/Documentation/tutorials/ovn-ipsec.rst
b/Documentation/tutorials/ovn-ipsec.rst
index 76269c46a784..5a8701905fa1 100644
--- a/Documentation/tutorials/ovn-ipsec.rst
+++ b/Documentation/tutorials/ovn-ipsec.rst
@@ -43,15 +43,17 @@ Generating Certificates and Keys
OVN chassis uses CA-signed certificate to authenticate peer chassis for
building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in
OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you
-can generate seperate certificates and keys with ``ovs-pki`` (refer to
+can generate separate certificates and keys with ``ovs-pki`` (refer to
:ref:`gen-certs-keys`).
.. note::
OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS
field setting the same string as the common name (CN) field. CN should be
- set as the chassis name. Please generate compatible certificates if you use
- another PKI tool to manage certificates.
+ set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later
+ generates such certificates. Please generate compatible certificates if you
+ use another PKI tool, or an older version of ``ovs-pki``, to manage
+ certificates.
Configuring OVN IPsec
---------------------
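Review bot: the note tells readers who use another PKI tool or an older ``ovs-pki`` to "generate compatible certificates" but gives them no way to check the result. Suggest adding the check right after the new sentence, e.g. ``openssl x509 -in <chassis cert>.pem -noout -text`` and confirming that the Subject CN and the ``X509v3 Subject Alternative Name`` ``DNS:`` entry both carry the chassis name (the ``external_ids:system-id`` value), since a mismatch is exactly the failure the note warns about. Also reconsider citing "2.10.90": that is a development version string that users of released packages will not recognise, so naming the first release that ships the subjectAltName support would be clearer.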
@@ -67,27 +69,27 @@ each chassis. Use the following command::
Enabling OVN IPsec
------------------
-To enable OVN IPsec, set `ipsec` column in `NB_Global` table of the northbound
-database to be true::
+To enable OVN IPsec, set ``ipsec`` column in ``NB_Global`` table of the
+northbound database to true::
$ ovn-nbctl set nb_global . ipsec=true
With OVN IPsec enabled, all tunnel traffic in OVN will be encrypted with IPsec.
-To disable it, set `ipsec` column in `NB_Global` table of the northbound
-database to be false::
+To disable it, set ``ipsec`` column in ``NB_Global`` table of the northbound
+database to false::
$ ovn-nbctl set nb_global . ipsec=false
Troubleshooting
---------------
-ovs-monitor-ipsec daemon in each chassis manages and monitors the IPsec tunnel
-state. Use the following ovs-apptcl command to get ovs-monitor-ipsec internal
-representation of tunnel configuration::
+The ``ovs-monitor-ipsec`` daemon in each chassis manages and monitors the IPsec
+tunnel state. Use the following ``ovs-appctl`` command to view
+``ovs-monitor-ipsec`` internal representation of tunnel configuration::
$ ovs-appctl -t ovs-monitor-ipsec tunnels/show
-If there is misconfiguration then ovs-appctl should indicate why.
+If there is a misconfiguration, then ``ovs-appctl`` should indicate why.
For example::
Interface name: ovn-host_2-0 v1 (CONFIGURED) <--- Should be set to
CONFIGURED.
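Review bot: in the ``For example::`` literal block the annotation on ``Interface name: ovn-host_2-0 v1 (CONFIGURED) <--- Should be set to`` wraps onto a second line reading just ``CONFIGURED.``; a literal block renders line breaks verbatim, so keep the annotation on one line (shorten it, e.g. ``<--- should be CONFIGURED``) or reflow the example. The backtick change from `ipsec` to ``ipsec`` is right: in reST a single backtick is interpreted text with the default role, not a literal. One sentence after "all tunnel traffic in OVN will be encrypted with IPsec" pointing the reader to the troubleshooting section below, so that they confirm the tunnel shows CONFIGURED and has an active connection rather than taking the NB flag as proof of encryption, would make the enabling step safer to follow.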
@@ -119,13 +121,13 @@ For example::
tunnel
If you don't see any active connections, try to run the following command to
-refresh the ovs-monitor-ipsec daemon::
+refresh the ``ovs-monitor-ipsec`` daemon::
$ ovs-appctl -t ovs-monitor-ipsec refresh
-You can also check the logs of the ovs-monitor-ipsec daemon and the IKE daemon
-to locate issues. The logs of the ovs-monitor-ipsec is in
-/var/log/openvswitch/ovs-monitor-ipsec.log.
+You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE
+daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to
+``/var/log/openvswitch/ovs-monitor-ipsec.log``.
Bug Reporting
-------------
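Review bot: ``/var/log/openvswitch/ovs-monitor-ipsec.log`` is only the path when the build's log directory is ``/var/log/openvswitch``; packaged builds may configure another directory, so say "by default" or refer to the installation's log directory. The same paragraph refers to "the IKE daemon" without saying which daemon or where it logs, which leaves the reader unable to "locate issues" there; name the supported IKE daemon(s) and their log locations. ``ovs-appctl -t ovs-monitor-ipsec refresh`` is likewise given without saying what it refreshes; one clause on what the command re-applies would help the reader decide when it is the right thing to run.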
diff --git a/Documentation/tutorials/ovn-rbac.rst
b/Documentation/tutorials/ovn-rbac.rst
index ff93ba54bdc6..ec163e2df369 100644
--- a/Documentation/tutorials/ovn-rbac.rst
+++ b/Documentation/tutorials/ovn-rbac.rst
@@ -81,7 +81,7 @@ address `machine_3-ip`. `machine_3` also hosts public key
infrastructure (PKI).
.. note::
- chassis_1 must be the same string as the external_ids:system-id in the
+ chassis_1 must be the same string as ``external_ids:system-id`` in the
Open_vSwitch table (the chassis name) of machine_1. Same applies for
chassis_2.
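Review bot: the literal markup is applied inconsistently within the note: ``external_ids:system-id`` becomes a literal while ``chassis_1``, ``machine_1``, ``chassis_2`` and the ``Open_vSwitch`` table name on the same lines stay plain text, and the surrounding paragraph visible in the hunk header still uses single-backtick `machine_3-ip` and `machine_3`, which reST renders as interpreted text rather than literals. Apply double backticks to all of them in one pass. It would also help to give the command that prints the value to match, ``ovs-vsctl get Open_vSwitch . external_ids:system-id``, run on machine_1, since the note asks the reader to compare against it.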
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev