On Tue, Oct 9, 2018 at 6:11 AM Han Zhou <zhou...@gmail.com> wrote:

> >>
> >> Giving a second thought, it seems there is still a problem.
> >>
> >> There should be two sets of SSL related parameters we should consider in the active-standby scenario.
> >> - One set of parameters is for the server side. For ipaddr2 use case, both active and standby nodes will need them. For LB use case, where only the active node should listen on the port, only the active node should need these parameters.
> >> - Another set of parameters is for the client side, together with the --sync-from parameter, so that the standby node can connect to the active node as a client using SSL. These parameters are needed in standby node only.
> >>
> >> I didn't see how is this addressed. Did I miss anything?
> >>
> >> For the server side SSL parameters, it should be valid to use DB settings instead of command line options. (For client side, it may not be possible to use DB settings since the standby nodes need to get the SSL parameters before connecting to the (active) DB).
> >
> >> Just to clarify, for active-standby scenario, since we don't know who will become active server any time, it is safe to use same certs on all central nodes irrespective of which node is client or server.
>
> Ok, thanks. It is clarified after discussion that we are combining the server side and client side ssl keys/certs to the same value for all central nodes in the active-standby setup. I didn't know that same settings actually work for both server and client, so it sounds good for me.
>
From the pacemaker Resource script perspective, it looks good to me.
I will take another look when you post v3.

Thanks
Numan

> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev