Re: [ovs-dev] [PATCH ovn] docs: Add note about RBAC and remote ovn-northd connection
Bleep bloop.  Greetings Numan Siddique, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.

checkpatch:
ERROR: Committer Numan Siddique needs to sign off.
Lines checked: 66, Warnings: 0, Errors: 1

Please check this out.  If you feel there has been an error, please email acon...@redhat.com

Thanks,
0-day Robot
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH ovn] docs: Add note about RBAC and remote ovn-northd connection
On Fri, Nov 8, 2019 at 11:56 AM Numan Siddique wrote: > > On Fri, Nov 8, 2019 at 11:22 AM Frode Nordahl > wrote: > > > > Signed-off-by: Frode Nordahl > > Acked-by: Aliasgar Ginwala > > Submitted-at: https://github.com/ovn-org/ovn/pull/25 > > I applied this patch to master. > Sorry I didn't notice that you already had sent the patch to the ML > and I resubmitted here - https://patchwork.ozlabs.org/patch/1191808/. No worries, and thank you for the merge! I'll stick to sending patches through ml/patchworks in the future. -- Frode Nordahl > Thanks > Numan > > > --- > > .../topics/role-based-access-control.rst | 7 ++ > > Documentation/tutorials/ovn-rbac.rst | 25 +++ > > 2 files changed, 32 insertions(+) > > > > diff --git a/Documentation/topics/role-based-access-control.rst > > b/Documentation/topics/role-based-access-control.rst > > index 2acd1e88b..e13e2d5dc 100644 > > --- a/Documentation/topics/role-based-access-control.rst > > +++ b/Documentation/topics/role-based-access-control.rst > > @@ -82,6 +82,13 @@ command: > > > > $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642 > > > > +.. note:: > > + > > + There is currently no pre-defined role for ovn-northd. You must > > configure > > + a separate listener on the OVN southbound database that ovn-northd can > > + connect to if your deployment topology require ovn-northd to connect to > > a > > + OVN southbound database instance on a remote machine. > > + > > Pre-defined Roles > > - > > This section describes roles that have been defined internally by OVS/OVN. > > diff --git a/Documentation/tutorials/ovn-rbac.rst > > b/Documentation/tutorials/ovn-rbac.rst > > index 22b169d6d..fc2de5d5d 100644 > > --- a/Documentation/tutorials/ovn-rbac.rst > > +++ b/Documentation/tutorials/ovn-rbac.rst 
> > @@ -132,3 +132,28 @@ Configuring RBAC > > /path/to/chassis_2-cert.pem /path/to/cacert.pem > >$ ovs-vsctl set open_vswitch . \ > > external_ids:ovn-remote=ssl:machine_3-ip:6642 > > + > > +The OVN central control daemon and RBAC > > +~~~ > > + > > +The OVN central control daemon (`ovn-northd`) needs full write access to > > +the southbound database. When you have one machine hosting the central > > +components, `ovn-northd` can talk to the databases through a local unix > > +socket, bypassing the `ovn-controller` RBAC configured for the listener > > +at port '6642'. However, if you want to deploy multiple machines for > > +hosting the central components, `ovn-northd` will require a remote > > +connection to all of them. > > + > > +1. Configure the southbound database with a second SSL listener on a > > + separate port without RBAC enabled for use by `ovn-northd`. > > + > > + In `machine_3`:: > > + > > + $ ovn-sbctl -- --id=@conn_uuid create Connection \ > > + target="pssl\:16642" \ > > + -- add SB_Global . connections=@conn_uuid > > + > > + .. note:: > > + > > + Care should be taken to restrict access to the above mentioned port > > + so that only trusted machines can connect to it. > > -- > > 2.20.1 > > ___ > > dev mailing list > > d...@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH ovn] docs: Add note about RBAC and remote ovn-northd connection
On Fri, Nov 8, 2019 at 11:22 AM Frode Nordahl wrote: > > Signed-off-by: Frode Nordahl > Acked-by: Aliasgar Ginwala > Submitted-at: https://github.com/ovn-org/ovn/pull/25 I applied this patch to master. Sorry I didn't notice that you already had sent the patch to the ML and I resubmitted here - https://patchwork.ozlabs.org/patch/1191808/. Thanks Numan > --- > .../topics/role-based-access-control.rst | 7 ++ > Documentation/tutorials/ovn-rbac.rst | 25 +++ > 2 files changed, 32 insertions(+) > > diff --git a/Documentation/topics/role-based-access-control.rst > b/Documentation/topics/role-based-access-control.rst > index 2acd1e88b..e13e2d5dc 100644 > --- a/Documentation/topics/role-based-access-control.rst > +++ b/Documentation/topics/role-based-access-control.rst > @@ -82,6 +82,13 @@ command: > > $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642 > > +.. note:: > + > + There is currently no pre-defined role for ovn-northd. You must configure > + a separate listener on the OVN southbound database that ovn-northd can > + connect to if your deployment topology require ovn-northd to connect to a > + OVN southbound database instance on a remote machine. > + > Pre-defined Roles > - > This section describes roles that have been defined internally by OVS/OVN. > diff --git a/Documentation/tutorials/ovn-rbac.rst > b/Documentation/tutorials/ovn-rbac.rst > index 22b169d6d..fc2de5d5d 100644 > --- a/Documentation/tutorials/ovn-rbac.rst > +++ b/Documentation/tutorials/ovn-rbac.rst 
> @@ -132,3 +132,28 @@ Configuring RBAC > /path/to/chassis_2-cert.pem /path/to/cacert.pem >$ ovs-vsctl set open_vswitch . \ > external_ids:ovn-remote=ssl:machine_3-ip:6642 > + > +The OVN central control daemon and RBAC > +~~~ > + > +The OVN central control daemon (`ovn-northd`) needs full write access to > +the southbound database. When you have one machine hosting the central > +components, `ovn-northd` can talk to the databases through a local unix > +socket, bypassing the `ovn-controller` RBAC configured for the listener > +at port '6642'. However, if you want to deploy multiple machines for > +hosting the central components, `ovn-northd` will require a remote > +connection to all of them. > + > +1. Configure the southbound database with a second SSL listener on a > + separate port without RBAC enabled for use by `ovn-northd`. > + > + In `machine_3`:: > + > + $ ovn-sbctl -- --id=@conn_uuid create Connection \ > + target="pssl\:16642" \ > + -- add SB_Global . connections=@conn_uuid > + > + .. note:: > + > + Care should be taken to restrict access to the above mentioned port > + so that only trusted machines can connect to it. > -- > 2.20.1 > ___ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH ovn] docs: Add note about RBAC and remote ovn-northd connection
From: Frode Nordahl Signed-off-by: Frode Nordahl Acked-by: Aliasgar Ginwala --- .../topics/role-based-access-control.rst | 7 ++ Documentation/tutorials/ovn-rbac.rst | 25 +++ 2 files changed, 32 insertions(+) diff --git a/Documentation/topics/role-based-access-control.rst b/Documentation/topics/role-based-access-control.rst index 2acd1e88b..e13e2d5dc 100644 --- a/Documentation/topics/role-based-access-control.rst +++ b/Documentation/topics/role-based-access-control.rst @@ -82,6 +82,13 @@ command: $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642 +.. note:: + + There is currently no pre-defined role for ovn-northd. You must configure + a separate listener on the OVN southbound database that ovn-northd can + connect to if your deployment topology require ovn-northd to connect to a + OVN southbound database instance on a remote machine. + Pre-defined Roles - This section describes roles that have been defined internally by OVS/OVN. diff --git a/Documentation/tutorials/ovn-rbac.rst b/Documentation/tutorials/ovn-rbac.rst index 22b169d6d..fc2de5d5d 100644 --- a/Documentation/tutorials/ovn-rbac.rst +++ b/Documentation/tutorials/ovn-rbac.rst 
@@ -132,3 +132,28 @@ Configuring RBAC /path/to/chassis_2-cert.pem /path/to/cacert.pem $ ovs-vsctl set open_vswitch . \ external_ids:ovn-remote=ssl:machine_3-ip:6642 + +The OVN central control daemon and RBAC +~~~ + +The OVN central control daemon (`ovn-northd`) needs full write access to +the southbound database. When you have one machine hosting the central +components, `ovn-northd` can talk to the databases through a local unix +socket, bypassing the `ovn-controller` RBAC configured for the listener +at port '6642'. However, if you want to deploy multiple machines for +hosting the central components, `ovn-northd` will require a remote +connection to all of them. + +1. Configure the southbound database with a second SSL listener on a + separate port without RBAC enabled for use by `ovn-northd`. + + In `machine_3`:: + + $ ovn-sbctl -- --id=@conn_uuid create Connection \ + target="pssl\:16642" \ + -- add SB_Global . connections=@conn_uuid + + .. note:: + + Care should be taken to restrict access to the above mentioned port + so that only trusted machines can connect to it. -- 2.23.0 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
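Review bot: the note added after the set-connection example in Documentation/topics/role-based-access-control.rst tells the reader to configure a separate listener for ovn-northd, but it does not say that this listener carries no role, and it does not say where the procedure is described. The same patch adds that procedure to Documentation/tutorials/ovn-rbac.rst, so link to it from this note and state that connections on the extra listener are not subject to RBAC. That puts the trade-off in front of the reader at the point where RBAC is being enabled.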
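Review bot: the new "The OVN central control daemon and RBAC" section in Documentation/tutorials/ovn-rbac.rst marks up `ovn-northd`, `ovn-controller` and `machine_3` with single backticks, which reStructuredText treats as interpreted text in the default role, not as an inline literal. Use double backticks for program and host names so they render as literals, and give the port the same treatment instead of the quoted '6642'.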
[ovs-dev] [PATCH ovn] docs: Add note about RBAC and remote ovn-northd connection
Signed-off-by: Frode Nordahl Acked-by: Aliasgar Ginwala Submitted-at: https://github.com/ovn-org/ovn/pull/25 --- .../topics/role-based-access-control.rst | 7 ++ Documentation/tutorials/ovn-rbac.rst | 25 +++ 2 files changed, 32 insertions(+) diff --git a/Documentation/topics/role-based-access-control.rst b/Documentation/topics/role-based-access-control.rst index 2acd1e88b..e13e2d5dc 100644 --- a/Documentation/topics/role-based-access-control.rst +++ b/Documentation/topics/role-based-access-control.rst @@ -82,6 +82,13 @@ command: $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642 +.. note:: + + There is currently no pre-defined role for ovn-northd. You must configure + a separate listener on the OVN southbound database that ovn-northd can + connect to if your deployment topology require ovn-northd to connect to a + OVN southbound database instance on a remote machine. + Pre-defined Roles - This section describes roles that have been defined internally by OVS/OVN. diff --git a/Documentation/tutorials/ovn-rbac.rst b/Documentation/tutorials/ovn-rbac.rst index 22b169d6d..fc2de5d5d 100644 --- a/Documentation/tutorials/ovn-rbac.rst +++ b/Documentation/tutorials/ovn-rbac.rst 
@@ -132,3 +132,28 @@ Configuring RBAC /path/to/chassis_2-cert.pem /path/to/cacert.pem $ ovs-vsctl set open_vswitch . \ external_ids:ovn-remote=ssl:machine_3-ip:6642 + +The OVN central control daemon and RBAC +~~~ + +The OVN central control daemon (`ovn-northd`) needs full write access to +the southbound database. When you have one machine hosting the central +components, `ovn-northd` can talk to the databases through a local unix +socket, bypassing the `ovn-controller` RBAC configured for the listener +at port '6642'. However, if you want to deploy multiple machines for +hosting the central components, `ovn-northd` will require a remote +connection to all of them. + +1. Configure the southbound database with a second SSL listener on a + separate port without RBAC enabled for use by `ovn-northd`. + + In `machine_3`:: + + $ ovn-sbctl -- --id=@conn_uuid create Connection \ + target="pssl\:16642" \ + -- add SB_Global . connections=@conn_uuid + + .. note:: + + Care should be taken to restrict access to the above mentioned port + so that only trusted machines can connect to it. -- 2.20.1 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
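Review bot: the note added in the Documentation/topics/role-based-access-control.rst hunk has two grammar slips that will end up in the rendered documentation: "if your deployment topology require ovn-northd" should read "requires", and "connect to a OVN southbound database instance" should read "an OVN southbound database instance".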
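Review bot: in the Documentation/tutorials/ovn-rbac.rst hunk, the closing note ("Care should be taken to restrict access to the above mentioned port so that only trusted machines can connect to it") is too vague for a listener that step 1 creates "without RBAC enabled" and that therefore gives full write access to the southbound database. Nothing in the step limits who may connect to pssl:16642. If that listener trusts the same CA as the RBAC listener on 6642, a chassis certificate would be accepted there as well, and the ovn-controller role would no longer constrain that chassis. Suggest the note say this outright and name at least one concrete restriction, for example a host firewall rule that admits only the machines running ovn-northd. The list also has a single item "1." and never shows how ovn-northd is pointed at the new port; either add that step or drop the numbering.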