Re: [ovs-dev] [PATCH v5 6/6] Documentation: OVN RBAC and IPsec tutorial
On Tue, 7 Aug 2018 at 09:46, Qiuyu Xiao wrote: > > This patch adds a step-by-step guide for configuring OVN Role-Based Access > Control and IPsec. > > Signed-off-by: Qiuyu Xiao > --- > Documentation/automake.mk | 2 + > Documentation/index.rst | 4 +- > Documentation/tutorials/index.rst | 2 + > Documentation/tutorials/ovn-ipsec.rst | 147 ++ > Documentation/tutorials/ovn-rbac.rst | 134 +++ > 5 files changed, 288 insertions(+), 1 deletion(-) > create mode 100644 Documentation/tutorials/ovn-ipsec.rst > create mode 100644 Documentation/tutorials/ovn-rbac.rst > > diff --git a/Documentation/automake.mk b/Documentation/automake.mk > index 5401b9bad..082438e09 100644 > --- a/Documentation/automake.mk > +++ b/Documentation/automake.mk > @@ -29,6 +29,8 @@ DOC_SOURCE = \ > Documentation/tutorials/ovn-sandbox.rst \ > Documentation/tutorials/ovs-conntrack.rst \ > Documentation/tutorials/ipsec.rst \ > + Documentation/tutorials/ovn-ipsec.rst \ > + Documentation/tutorials/ovn-rbac.rst \ > Documentation/topics/index.rst \ > Documentation/topics/bonding.rst \ > Documentation/topics/idl-compound-indexes.rst \ > diff --git a/Documentation/index.rst b/Documentation/index.rst > index bab5ba1f1..46261235c 100644 > --- a/Documentation/index.rst > +++ b/Documentation/index.rst > @@ -66,7 +66,9 @@ vSwitch? Start here. >:doc:`tutorials/ovn-sandbox` | >:doc:`tutorials/ovn-openstack` | >:doc:`tutorials/ovs-conntrack` | > - :doc:`tutorials/ipsec` > + :doc:`tutorials/ipsec` | > + :doc:`tutorials/ovn-ipsec` | > + :doc:`tutorials/ovn-rbac` > > Deeper Dive > --- > diff --git a/Documentation/tutorials/index.rst > b/Documentation/tutorials/index.rst > index b481090a0..35340ee56 100644 > --- a/Documentation/tutorials/index.rst > +++ b/Documentation/tutorials/index.rst > @@ -44,4 +44,6 @@ vSwitch. > ovs-advanced > ovn-sandbox > ovn-openstack > + ovn-rbac > + ovn-ipsec > ovs-conntrack 
> diff --git a/Documentation/tutorials/ovn-ipsec.rst > b/Documentation/tutorials/ovn-ipsec.rst > new file mode 100644 > index 0..db3d5bc43 > --- /dev/null > +++ b/Documentation/tutorials/ovn-ipsec.rst 
> @@ -0,0 +1,147 @@ > +.. > + Licensed under the Apache License, Version 2.0 (the "License"); you may > + not use this file except in compliance with the License. You may obtain > + a copy of the License at > + > + http://www.apache.org/licenses/LICENSE-2.0 > + > + Unless required by applicable law or agreed to in writing, software > + distributed under the License is distributed on an "AS IS" BASIS, > WITHOUT > + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See > the > + License for the specific language governing permissions and limitations > + under the License. > + > + Convention for heading levels in Open vSwitch documentation: > + > + === Heading 0 (reserved for the title in a document) > + --- Heading 1 > + ~~~ Heading 2 > + +++ Heading 3 > + ''' Heading 4 > + > + Avoid deeper levels because they do not render well. > + > +== > +OVN IPsec Tutorial > +== > + > +This document provides a step-by-step guide for encrypting tunnel traffic > with > +IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by > +physical routers and switches. These physical devices could be untrusted > +(devices in public network) or might be compromised. Enabling IPsec > encryption > +for the tunnel traffic can prevent the traffic data from being monitored and > +manipulated. More details about the OVN IPsec design can be found in > +``ovn-architecture``\(7) manpage. > + > +This document assumes OVN is installed in your system and runs normally. > Also, > +you need to install OVS IPsec packages in each chassis (refer to > +:ref:`install-ovs-ipsec`). > + > +Generating Certificates and Keys > + > + > +OVN chassis uses CA-signed certificate to authenticate peer chassis for > +building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) > in > +OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or > you > +can generate separate certificates and keys with ``ovs-pki`` (refer to > +:ref:`gen-certs-keys`). > + > +.. 
note:: > + > + OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS > + field setting the same string as the common name (CN) field. CN should be > + set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later
I think the version number should be 2.11.
> + generates such certificates. Please generate compatible certificates if > you > + use another PKI tool, or an older version of ``ovs-pki``, to manage > + certificates. > + > +Configuring OVN IPsec > +- > + > +You
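Review bot: the two index hunks list the new tutorials in opposite orders: Documentation/index.rst adds `:doc:`tutorials/ovn-ipsec`` before `:doc:`tutorials/ovn-rbac``, while Documentation/tutorials/index.rst adds `ovn-rbac` before `ovn-ipsec` (and Documentation/automake.mk uses the ipsec-first order again). Since the IPsec tutorial tells the reader they may reuse the RBAC certificates and keys, `ovn-rbac` first is the natural reading order; please make the three lists agree so the rendered toctree and the "Start here" links present the tutorials in the same sequence.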
[ovs-dev] [PATCH v5 6/6] Documentation: OVN RBAC and IPsec tutorial
This patch adds a step-by-step guide for configuring OVN Role-Based Access Control and IPsec. Signed-off-by: Qiuyu Xiao --- Documentation/automake.mk | 2 + Documentation/index.rst | 4 +- Documentation/tutorials/index.rst | 2 + Documentation/tutorials/ovn-ipsec.rst | 147 ++ Documentation/tutorials/ovn-rbac.rst | 134 +++ 5 files changed, 288 insertions(+), 1 deletion(-) create mode 100644 Documentation/tutorials/ovn-ipsec.rst create mode 100644 Documentation/tutorials/ovn-rbac.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 5401b9bad..082438e09 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -29,6 +29,8 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ Documentation/tutorials/ipsec.rst \ + Documentation/tutorials/ovn-ipsec.rst \ + Documentation/tutorials/ovn-rbac.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ diff --git a/Documentation/index.rst b/Documentation/index.rst index bab5ba1f1..46261235c 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -66,7 +66,9 @@ vSwitch? Start here. :doc:`tutorials/ovn-sandbox` | :doc:`tutorials/ovn-openstack` | :doc:`tutorials/ovs-conntrack` | - :doc:`tutorials/ipsec` + :doc:`tutorials/ipsec` | + :doc:`tutorials/ovn-ipsec` | + :doc:`tutorials/ovn-rbac` Deeper Dive --- diff --git a/Documentation/tutorials/index.rst b/Documentation/tutorials/index.rst index b481090a0..35340ee56 100644 --- a/Documentation/tutorials/index.rst +++ b/Documentation/tutorials/index.rst @@ -44,4 +44,6 @@ vSwitch. ovs-advanced ovn-sandbox ovn-openstack + ovn-rbac + ovn-ipsec ovs-conntrack diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst new file mode 100644 index 0..db3d5bc43 --- /dev/null +++ b/Documentation/tutorials/ovn-ipsec.rst 
@@ -0,0 +1,147 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +== +OVN IPsec Tutorial +== + +This document provides a step-by-step guide for encrypting tunnel traffic with +IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by +physical routers and switches. These physical devices could be untrusted +(devices in public network) or might be compromised. Enabling IPsec encryption +for the tunnel traffic can prevent the traffic data from being monitored and +manipulated. More details about the OVN IPsec design can be found in +``ovn-architecture``\(7) manpage. + +This document assumes OVN is installed in your system and runs normally. Also, +you need to install OVS IPsec packages in each chassis (refer to +:ref:`install-ovs-ipsec`). + +Generating Certificates and Keys + + +OVN chassis uses CA-signed certificate to authenticate peer chassis for +building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in +OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you +can generate separate certificates and keys with ``ovs-pki`` (refer to +:ref:`gen-certs-keys`). + +.. 
note:: + + OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS + field setting the same string as the common name (CN) field. CN should be + set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later + generates such certificates. Please generate compatible certificates if you + use another PKI tool, or an older version of ``ovs-pki``, to manage + certificates. + +Configuring OVN IPsec +- + +You need to install the CA certificate, chassis certificate and private key in +each chassis. Use the following command:: + +$ ovs-vsctl set Open_vSwitch . \ +other_config:certificate=/path/to/chassis-cert.pem \ +other_config:private_key=/path/to/chassis-privkey.pem \ +other_config:ca_cert=/path/to/cacert.pem +
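Review bot: the "Configuring OVN IPsec" step hands `other_config:private_key=/path/to/chassis-privkey.pem` to ovs-vsctl without saying anything about protecting that file, yet this key is what authenticates the chassis to every IPsec peer; the tutorial should tell the reader to keep it owned by root with mode 0600 and stored locally on the chassis rather than on shared storage. The certificate note would also benefit from a check the reader can actually run before enabling IPsec, for example `openssl x509 -in /path/to/chassis-cert.pem -noout -text` followed by confirming that the `X509v3 Subject Alternative Name` line contains `DNS:<chassis name>` equal to the CN, since the text itself warns that other PKI tools and older `ovs-pki` versions may not produce such a certificate. Finally, please confirm that the `:ref:` targets `install-ovs-ipsec` and `gen-certs-keys` are defined somewhere in the tree (presumably in Documentation/tutorials/ipsec.rst, which this patch lists next to the new files); otherwise the Sphinx build will warn about undefined labels and the cross-references will render as plain text.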