On Wed, Oct 10, 2018 at 12:58:24PM -0700, Han Zhou wrote: > On Tue, Oct 9, 2018 at 3:11 PM aginwala <[email protected]> wrote: > > > > For OVN DBs to work with SSL in HA, we need to have capability to pass ssl > > certs when starting OVN DBs. Say when starting OVN DBs in active passive > mode, > > in order for the standby DBs to sync from master node, it cannot sync > > because the required ssl certs are not passed when standby DBs are > initialized. > > Hence, we need to have this option. > > > > e.g. start nb db with ssl certs as below: > > /usr/share/openvswitch/scripts/ovn-ctl > --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \ > > --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \ > > --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \ > > --db-nb-create-insecure-remote=no start_nb_ovsdb > > > > When certs are passed in the command line, it will read certs from the > path > > mentioned instead of default db configs. > > > > Certs can be generated based on ovs ssl docs: > > http://docs.openvswitch.org/en/latest/howto/ssl/ > > > > Signed-off-by: aginwala <[email protected]> > > --- > > ovn/utilities/ovn-ctl | 41 > ++++++++++++++++++++++++++++++++++++++--- > > ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++ > > 2 files changed, 52 insertions(+), 3 deletions(-) > > > > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl > > index 3ff0df6..d71071a 100755 > > --- a/ovn/utilities/ovn-ctl > > +++ b/ovn/utilities/ovn-ctl > > @@ -116,6 +116,9 @@ start_ovsdb__() { > > local addr > > local active_conf_file > > local use_remote_in_db > > + local ovn_db_ssl_key > > + local ovn_db_ssl_cert > > + local ovn_db_ssl_cacert > > eval pid=\$DB_${DB}_PID > > eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR > > eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT 
> > @@ -137,6 +140,9 @@ start_ovsdb__() { > > eval addr=\$DB_${DB}_ADDR > > eval active_conf_file=\$ovn${db}_active_conf_file > > eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB > > + eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY > > + eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT > > + eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT > > > > # Check and eventually start ovsdb-server for DB > > if pidfile_is_running $pid; then > > @@ -183,9 +189,23 @@ $cluster_remote_port > > if test X"$use_remote_in_db" != Xno; then > > set "$@" --remote=db:$schema_name,$table_name,connections > > fi > > - set "$@" --private-key=db:$schema_name,SSL,private_key > > - set "$@" --certificate=db:$schema_name,SSL,certificate > > - set "$@" --ca-cert=db:$schema_name,SSL,ca_cert > > + > > + if test X"$ovn_db_ssl_key" != X; then > > + set "$@" --private-key=$ovn_db_ssl_key > > + else > > + set "$@" --private-key=db:$schema_name,SSL,private_key > > + fi > > + if test X"$ovn_db_ssl_cert" != X; then > > + set "$@" --certificate=$ovn_db_ssl_cert > > + else > > + set "$@" --certificate=db:$schema_name,SSL,certificate > > + fi > > + if test X"$ovn_db_ssl_cacert" != X; then > > + set "$@" --ca-cert=$ovn_db_ssl_cacert > > + else > > + set "$@" --ca-cert=db:$schema_name,SSL,ca_cert > > + fi > > + > > set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols > > set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers > > > > @@ -481,6 +501,15 @@ set_defaults () { > > OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK" > > DB_NB_USE_REMOTE_IN_DB="yes" > > DB_SB_USE_REMOTE_IN_DB="yes" > > + > > + OVN_NB_DB_SSL_KEY="" > > + OVN_NB_DB_SSL_CERT="" > > + OVN_NB_DB_SSL_CA_CERT="" > > + > > + OVN_SB_DB_SSL_KEY="" > > + OVN_SB_DB_SSL_CERT="" > > + OVN_SB_DB_SSL_CA_CERT="" > > + > > } > > > > set_option () { 
> > @@ -536,6 +565,12 @@ Options: > > --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file > > --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate > file > > --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN > Southbound SSL CA certificate file > > + --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file > > + --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file > > + --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file > > + --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file > > + --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file > > + --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file > > --ovn-manage-ovsdb=yes|no Whether or not the OVN databases > should be > > automatically started and stopped > along > > with ovn-northd. The default is > "yes". If > > diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml > > index 3b0e67a..c5294d7 100644 > > --- a/ovn/utilities/ovn-ctl.8.xml > > +++ b/ovn/utilities/ovn-ctl.8.xml > > @@ -198,4 +198,18 @@ > > start_northd > > </code> > > </p> > > + > > + <h2>Passing ssl keys when starting OVN dbs will supercede the > default ssl values in db</h2> > > + <h3>Starting standalone ovn db server passing SSL certificates</h3> > > + <p> > > + <code> > > + # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem > > + --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem > > + --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem > > + --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem > > + --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem > > + --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem > > + start_northd > > + </code> > > + </p> > > </manpage> > > -- > > 1.9.1 > > > > _______________________________________________ > > dev mailing list > > [email protected] > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > Acked-by: Han Zhou <[email protected]>
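Review bot: in the start_ovsdb__ hunk at `@@ -183,9 +189,23 @@`, the three new paths are spliced into the argument list unquoted (`set "$@" --private-key=$ovn_db_ssl_key`), so a path containing whitespace is word-split into separate arguments; write `set "$@" "--private-key=$ovn_db_ssl_key"` and the same for the certificate and CA-cert lines. The same block accepts any non-empty string without checking that the file exists, so a mistyped path only surfaces as a failed ovsdb-server start; a `test -r "$ovn_db_ssl_key"` (and likewise for the other two) before the `set` would report the problem from ovn-ctl with a clear message. Also, because each of the three values is tested on its own, a node started with only `--ovn-nb-db-ssl-key` ends up with a file-based private key but a certificate and CA taken from the SSL table; either require all three together or say in the usage text that they are independent. Note that `--ssl-protocols` and `--ssl-ciphers` on the two lines after the new block are still read from the database, so on a standby whose DB has not yet synced (the case the commit message describes) those settings fall back to ovsdb-server's built-in defaults even though the certificate material now comes from the command line; that is acceptable but worth stating in the documentation.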
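Review bot: in the set_defaults hunk at `@@ -481,6 +501,15 @@`, the final added line is an empty `+` line directly before the closing `}`, leaving a trailing blank line inside the function; drop it so the block matches the surrounding style. The two other blank separator lines between the NB and SB groups are fine.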
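Review bot: in the ovn-ctl.8.xml hunk at `@@ -198,4 +198,18 @@`, the new `<h2>` has a spelling error ("supercede" should be "supersede") and uses lowercase "ssl"/"dbs" where the rest of the page writes "SSL"/"DBs"; something like `Passing SSL keys when starting OVN DBs supersedes the default SSL values in the DB` reads better as a heading. The example only shows `start_northd`, while the commit message motivates the options with a standby DB started via `start_nb_ovsdb`; adding that invocation (the one from the commit message) or a sentence saying the options apply equally to `start_nb_ovsdb` and `start_sb_ovsdb` would make the man page cover the intended use case.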
Thanks, Ali and Han. I applied this to master. Let me know if it needs backports.
