Yes, that's right. I will send out v2 in a bit with Han's ack.
Regards, Aliasgar On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff <b...@ovn.org> wrote: > On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote: > > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala <amgin...@gmail.com> > wrote: > > > > > > Thanks for the review Han. Please find the comments inline below: > > > > > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou <zhou...@gmail.com> wrote: > > >> > > >> Thanks Ali, please see my comm > > >> > > >> On Fri, Sep 21, 2018 at 5:38 PM <amgin...@gmail.com> wrote: > > >> > > > >> > When starting OVN DBs in HA using pacemaker with ssl, we need to > pass > > ssl > > >> > certs for starting standby DBs. Hence, we need this change. > > >> > > > >> > Signed-off-by: aginwala <aginw...@ebay.com> > > >> > --- > > >> > ovn/utilities/ovndb-servers.ocf | 74 > > ++++++++++++++++++++++++++++++++++++++++- > > >> > 1 file changed, 73 insertions(+), 1 deletion(-) > > >> > > > >> > diff --git a/ovn/utilities/ovndb-servers.ocf > > b/ovn/utilities/ovndb-servers.ocf > > >> > index 52141c7..80f81ae 100755 > > >> > --- a/ovn/utilities/ovndb-servers.ocf > > >> > +++ b/ovn/utilities/ovndb-servers.ocf > > >> > @@ -10,6 +10,12 @@ > > >> > : ${MANAGE_NORTHD_DEFAULT="no"} > > >> > : ${INACTIVE_PROBE_DEFAULT="5000"} > > >> > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > >> > > > >> > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > > >> > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config > > --name OVN_REPL_INFO -s ovn_ovsdb_master_server" 
> > >> > @@ -21,6 +27,13 @@ > > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > > >> > > > > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > > >> > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > > >> > > > > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > > >> > + > > >> > > > >> > # In order for pacemaker to work with LB, we can set > > LISTEN_ON_MASTER_IP_ONLY > > >> > # to false and pass LB vip IP while creating pcs resource. 
> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > > >> > <content type="string" /> > > >> > </parameter> > > >> > > > >> > + <parameter name="ovn_nb_db_privkey" unique="1"> > > >> > + <longdesc lang="en"> > > >> > + OVN NB DB private key absolute path for ssl setup. > > >> > + </longdesc> > > >> > + <shortdesc lang="en">OVN NB DB private key file</shortdesc> > > >> > + <content type="string" /> > > >> > + </parameter> > > >> > + > > >> > + <parameter name="ovn_nb_db_cert" unique="1"> > > >> > + <longdesc lang="en"> > > >> > + OVN NB DB certificate absolute path for ssl setup. > > >> > + </longdesc> > > >> > + <shortdesc lang="en">OVN NB DB cert file</shortdesc> > > >> > + <content type="string" /> > > >> > + </parameter> > > >> > + > > >> > + <parameter name="ovn_nb_db_cacert" unique="1"> > > >> > + <longdesc lang="en"> > > >> > + OVN NB DB CA certificate absolute path for ssl setup. > > >> > + </longdesc> > > >> > + <shortdesc lang="en">OVN NB DB cacert file</shortdesc> > > >> > + <content type="string" /> > > >> > + </parameter> > > >> > + > > >> > + <parameter name="ovn_sb_db_privkey" unique="1"> > > >> > + <longdesc lang="en"> > > >> > + OVN SB DB private key absolute path for ssl setup. > > >> > + </longdesc> > > >> > + <shortdesc lang="en">OVN SB DB private key file</shortdesc> > > >> > + <content type="string" /> > > >> > + </parameter> > > >> > + > > >> > + <parameter name="ovn_sb_db_cert" unique="1"> > > >> > + <longdesc lang="en"> > > >> > + OVN SB DB certificate absolute path for ssl setup. > > >> > + </longdesc> > > >> > + <shortdesc lang="en">OVN SB DB cert file</shortdesc> > > >> > + <content type="string" /> > > >> > + </parameter> > > >> > + > > >> > + <parameter name="ovn_sb_db_cacert" unique="1"> > > >> > + <longdesc lang="en"> > > >> > + OVN SB DB CA certificate absolute path for ssl setup. 
> > >> > + </longdesc> > > >> > + <shortdesc lang="en">OVN SB DB cacert file</shortdesc> > > >> > + <content type="string" /> > > >> > + </parameter> > > >> > + > > >> > </parameters> > > >> > > > >> > <actions> > > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() { > > >> > set $@ --db-sb-addr=${MASTER_IP} > --db-sb-port=${SB_MASTER_PORT} > > >> > fi > > >> > > > >> > + if [ "x${NB_MASTER_PROTO}" = xssl ]; then > > >> > + set $@ --db-nb-create-insecure-remote=no > > >> "no" is the default value, so this line is not needed. > > > > > > >> Sure. This makes sense. Will check out the default behavior and > update > > it the revised patch! > > >> > > >> > > >> > + set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} > > >> > + set $@ --ovn-nb-db-ssl-cert=${NB_CERT} > > >> > + set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} > > >> This should be needed only for standby which sets > > --db-sb-use-remote-in-db=no. > > > > > > > As discussed, for each of the modes either ssl or tcp, all the nodes > > should have this option set. > > > > Agree. Since this script is for active-standby only, we can assume > > active-standby mode always use command line option instead of DB > settings. > > > > Acked-by: Han Zhou <hzh...@ebay.com> > > I haven't followed the discussion here so I'm going to assume that Ali > will post a v2 with Han's ack. > > Thanks, > > Ben. > _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
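Review bot: on the `@@ -10,6 +10,12 @@` hunk, the six new defaults hard-code `/etc/openvswitch/...` while the rest of the agent takes its paths from cluster-supplied settings such as `${HA_SBIN_DIR}`; if a build's sysconfdir differs, the agent silently points at files that are not there and the failure only shows up when ovsdb-server refuses to start. Either derive the defaults from the same configured directory the script already uses or state the default paths in the parameter metadata. Also the naming drifts across the three hunks (`NB_SSL_KEY_DEFAULT`, then `NB_PRIVKEY`, then the resource parameter `ovn_nb_db_privkey`); picking one of "key" or "privkey" for all three would make the mapping easier to follow.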
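Review bot: on the `@@ -21,6 +27,13 @@` hunk, `NB_PRIVKEY`, `NB_CERT`, `NB_CACERT` and the SB counterparts are assigned unconditionally but nothing ever checks that the files exist and are readable, so a typo in `ovn_nb_db_cert` or a key that was never copied to the standby node is only reported as a generic start failure. The agent's validate-all action is the place for this: when `NB_MASTER_PROTO` (or `SB_MASTER_PROTO`) is `ssl`, test each of the three files with `[ -r ... ]` and return `OCF_ERR_CONFIGURED` with a message naming the missing file; the private key should additionally not be group- or world-readable.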
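Review bot: on the `@@ -132,6 +145,54 @@` hunk, all six parameters are declared `unique="1"`, but in OCF metadata `unique` means the value must differ between instances of this resource agent in the cluster, which is the opposite of what file paths like `/etc/openvswitch/cacert.pem` (the same default for both `ovn_nb_db_cacert` and `ovn_sb_db_cacert`) are; these should be `unique="0"`. The longdesc text should also say that the parameter is only consulted when the corresponding `nb_master_protocol`/`sb_master_protocol` is `ssl` and what the default path is, since the defaults are otherwise invisible to someone configuring the resource with `pcs` or `crm`.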
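Review bot: on the `@@ -326,6 +387,18 @@` hunk, `set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}` (and the cert and ca-cert lines) leave both `$@` and the path unquoted, so a path containing whitespace or glob characters is word-split before it reaches ovn-ctl; `set -- "$@" "--ovn-nb-db-ssl-key=${NB_PRIVKEY}"` is the safe form. The surrounding `set $@ --db-sb-addr=${MASTER_IP}` lines have the same pattern, so that could be a separate cleanup, but new lines should not copy it. The hunk header counts twelve added lines while only the `NB_MASTER_PROTO` branch is visible here; the SB branch should mirror it under `SB_MASTER_PROTO` with the `--ovn-sb-db-ssl-*` options so, as agreed in the thread, every node gets the options on the command line regardless of which DB it serves.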
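The thread settles that in active-standby mode every node must receive the SSL options on the ovn-ctl command line, but the patch never verifies the key, certificate and CA files before handing them over. The following is an added example, not code from the patch or from the OVN tree, showing the pre-start check a resource agent would want: it refuses an `ssl` configuration whose files are missing or unreadable, or whose private key is group- or world-readable, and only then emits the same `--ovn-<db>-db-ssl-key/-cert/-ca-cert` options the patch passes. The function names `ovn_check_ssl_files` and `ovn_db_ssl_args` are assumptions made up for this example; `OCF_SUCCESS` and `OCF_ERR_CONFIGURED` are the standard OCF return codes.

```shell
#!/bin/sh
# Added example, not from the patch or the OVN repository. Demonstrates the
# validation ovndb-servers.ocf would do before starting an SSL-enabled DB.
# Function names are assumptions for this example; the OCF codes are standard.

OCF_SUCCESS=0
OCF_ERR_CONFIGURED=6   # standard OCF return code: resource is misconfigured

# ovn_check_ssl_files PROTO KEY CERT CACERT
# Nothing to check unless PROTO is "ssl". On the first problem it prints the
# reason on stderr and returns OCF_ERR_CONFIGURED, so the cluster logs a
# specific cause instead of an opaque ovsdb-server start failure.
ovn_check_ssl_files() {
    proto=$1 key=$2 cert=$3 cacert=$4
    [ "x$proto" = xssl ] || return $OCF_SUCCESS
    for f in "$key" "$cert" "$cacert"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "ssl file missing or unreadable: $f" >&2
            return $OCF_ERR_CONFIGURED
        fi
    done
    # Octal mode of the private key (GNU stat first, BSD stat as fallback).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case "$mode" in
        *00) return $OCF_SUCCESS ;;   # no group/other permission bits set
        *)   echo "private key $key is group/world accessible (mode $mode)" >&2
             return $OCF_ERR_CONFIGURED ;;
    esac
}

# ovn_db_ssl_args DB PROTO KEY CERT CACERT
# Prints, one per line, the ovn-ctl options the agent would add for DB
# ("nb" or "sb"), using the option names from the patch, but only after
# ovn_check_ssl_files succeeds. Prints nothing when PROTO is not "ssl".
ovn_db_ssl_args() {
    db=$1
    ovn_check_ssl_files "$2" "$3" "$4" "$5" || return $?
    [ "x$2" = xssl ] || return 0
    # Quoting here avoids the word-splitting that unquoted `set $@ ...` invites.
    printf '%s\n' "--ovn-$db-db-ssl-key=$3" \
                  "--ovn-$db-db-ssl-cert=$4" \
                  "--ovn-$db-db-ssl-ca-cert=$5"
}
```

Usage in an agent would be `args=$(ovn_db_ssl_args nb "$NB_MASTER_PROTO" "$NB_PRIVKEY" "$NB_CERT" "$NB_CACERT") || exit $?` from the validate-all and start actions, appending the printed options to the ovn-ctl command line; for `tcp` both functions are no-ops, which matches the agreement in the thread that the options are set uniformly per mode rather than per node.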