On Tue, Oct 9, 2018 at 3:11 PM aginwala <[email protected]> wrote:
>
> For OVN DBs to work with SSL in HA, we need to have capability to pass ssl
> certs when starting OVN DBs. Say when starting OVN DBs in active passive mode,
> in order for the standby DBs to sync from master node, it cannot sync
> because the required ssl certs are not passed when standby DBs are initialized.
> Hence, we need to have this option.
>
> e.g. start nb db with ssl certs as below:
> /usr/share/openvswitch/scripts/ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> --db-nb-create-insecure-remote=no start_nb_ovsdb
>
> When certs are passed in the command line, it will read certs from the path
> mentioned instead of default db configs.
>
> Certs can be generated based on ovs ssl docs:
> http://docs.openvswitch.org/en/latest/howto/ssl/
>
> Signed-off-by: aginwala <[email protected]>
> ---
> ovn/utilities/ovn-ctl | 41 ++++++++++++++++++++++++++++++++++++++---
> ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
> 2 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> index 3ff0df6..d71071a 100755
> --- a/ovn/utilities/ovn-ctl
> +++ b/ovn/utilities/ovn-ctl
> @@ -116,6 +116,9 @@ start_ovsdb__() {
> local addr
> local active_conf_file
> local use_remote_in_db
> + local ovn_db_ssl_key
> + local ovn_db_ssl_cert
> + local ovn_db_ssl_cacert
> eval pid=\$DB_${DB}_PID
> eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
> eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> @@ -137,6 +140,9 @@ start_ovsdb__() {
> eval addr=\$DB_${DB}_ADDR
> eval active_conf_file=\$ovn${db}_active_conf_file
> eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> + eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> + eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> + eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
>
> # Check and eventually start ovsdb-server for DB
> if pidfile_is_running $pid; then
> @@ -183,9 +189,23 @@ $cluster_remote_port
> if test X"$use_remote_in_db" != Xno; then
> set "$@" --remote=db:$schema_name,$table_name,connections
> fi
> - set "$@" --private-key=db:$schema_name,SSL,private_key
> - set "$@" --certificate=db:$schema_name,SSL,certificate
> - set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> +
> + if test X"$ovn_db_ssl_key" != X; then
> + set "$@" --private-key=$ovn_db_ssl_key
> + else
> + set "$@" --private-key=db:$schema_name,SSL,private_key
> + fi
> + if test X"$ovn_db_ssl_cert" != X; then
> + set "$@" --certificate=$ovn_db_ssl_cert
> + else
> + set "$@" --certificate=db:$schema_name,SSL,certificate
> + fi
> + if test X"$ovn_db_ssl_cacert" != X; then
> + set "$@" --ca-cert=$ovn_db_ssl_cacert
> + else
> + set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> + fi
> +
> set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
> set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
>
> @@ -481,6 +501,15 @@ set_defaults () {
> OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
> DB_NB_USE_REMOTE_IN_DB="yes"
> DB_SB_USE_REMOTE_IN_DB="yes"
> +
> + OVN_NB_DB_SSL_KEY=""
> + OVN_NB_DB_SSL_CERT=""
> + OVN_NB_DB_SSL_CA_CERT=""
> +
> + OVN_SB_DB_SSL_KEY=""
> + OVN_SB_DB_SSL_CERT=""
> + OVN_SB_DB_SSL_CA_CERT=""
> +
> }
>
> set_option () {
> @@ -536,6 +565,12 @@ Options:
> --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
> --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
> --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
> + --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
> + --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
> + --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
> + --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
> + --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
> + --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
> --ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be
> automatically started and stopped along
> with ovn-northd. The default is "yes". If
> diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
> index 3b0e67a..c5294d7 100644
> --- a/ovn/utilities/ovn-ctl.8.xml
> +++ b/ovn/utilities/ovn-ctl.8.xml
> @@ -198,4 +198,18 @@
> start_northd
> </code>
> </p>
> +
> + <h2>Passing ssl keys when starting OVN dbs will supercede the default ssl values in db</h2>
> + <h3>Starting standalone ovn db server passing SSL certificates</h3>
> + <p>
> + <code>
> + # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
> + --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
> + --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> + --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
> + --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
> + --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
> + start_northd
> + </code>
> + </p>
> </manpage>
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
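Review bot: The three new branches in the `@@ -183,9 +189,23 @@` hunk expand the user-supplied paths unquoted (`set "$@" --private-key=$ovn_db_ssl_key` and the two lines that mirror it for the certificate and CA certificate), so a path containing whitespace or glob characters is word-split before it reaches ovsdb-server; write them as `set "$@" --private-key="$ovn_db_ssl_key"`, `set "$@" --certificate="$ovn_db_ssl_cert"` and `set "$@" --ca-cert="$ovn_db_ssl_cacert"`. The fallback is decided per option, so passing only a key file silently pairs it with a certificate and CA read from the database's SSL table; a short comment above the first `if` saying that each option falls back to the database independently, or a check that all three are given together, would make that explicit. The `--ssl-protocols` and `--ssl-ciphers` lines still read from `db:`; if the motivating case is a standby whose database has not synced yet, those two values may be unavailable in the same way, which is worth confirming against how ovsdb-server treats an unreadable SSL row. start_ovsdb__ begins before this hunk and continues past it.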
Acked-by: Han Zhou <[email protected]> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
