Re: [ovs-dev] [PATCH v2] ovsdb-tool: Convert clustered db to standalone db.

2019-08-22 Thread aginwala aginwala
Thanks for the review Han.

On Thu, Aug 22, 2019 at 7:27 PM Han Zhou  wrote:

> Ali, thanks for the patch. Please see my comments below.
>
> On Thu, Aug 22, 2019 at 5:53 PM  wrote:
> >
> > From: Aliasgar Ginwala 
> >
> > Add support in ovsdb-tool for migrating clustered dbs to standalone dbs.
> > E.g. usage to migrate nb/sb db to standalone db from raft:
> > ovsdb-tool migrate-cluster-db ovnnb_db.db ovnnb_db_cluster.db
>
> The name "migrate-cluster-db" is a little confusing. It would be better to
> tell the direction from the name. I suggest "cluster-to-standalone", if
> "convert-from-cluster-to-standalone" is too long.
>
Sure. Can change that.

> >
> > Signed-off-by: Aliasgar Ginwala 
> > ---
> >  ovsdb/ovsdb-tool.c | 154 -
> >  1 file changed, 152 insertions(+), 2 deletions(-)
> >
> > diff --git a/ovsdb/ovsdb-tool.c b/ovsdb/ovsdb-tool.c
> > index 438f97590..4aa1d4b3f 100644
> > --- a/ovsdb/ovsdb-tool.c
> > +++ b/ovsdb/ovsdb-tool.c
> > @@ -173,6 +173,8 @@ usage(void)
> > "  compare-versions A OP B  compare OVSDB schema version
> numbers\n"
> > "  query [DB] TRNS execute read-only transaction on
> DB\n"
> > "  transact [DB] TRNS  execute read/write transaction on
> DB\n"
> > +   "  migrate-cluster-db [DB [DB]]Migrate clustered DB to\n"
> > +   "standalone DB\n "
> > "  [-m]... show-log [DB]   print DB's log entries\n"
> > "The default DB is %s.\n"
> > "The default SCHEMA is %s.\n",
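Review bot: the second added usage line, `"standalone DB\n "`, carries a stray space after the `\n`, so the following entry (`[-m]... show-log`) is printed shifted by one column; drop that space, and give the description column the same separation as the neighbouring entries (`[DB [DB]]Migrate` has no spaces where `transact [DB] TRNS  execute` has two). If the command is renamed to `cluster-to-standalone` as suggested in this thread, this usage text and the command table must change together.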
> > @@ -206,7 +208,7 @@ default_schema(void)
> >  }
> >  return schema;
> >  }
> > -
> > +
>
> Any special character change here?
>
Checkpatch didn't show me this. Will see why it is showing up.

> >  static struct json *
> >  parse_json(const char *s)
> >  {
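Review bot: this hunk, and the matching one in read_standalone_schema below, replaces a blank line with a blank line, i.e. a whitespace-only change (trailing whitespace or a line-ending difference introduced by the editor). Drop both from the patch so the diff carries only the functional change; they are also what makes the reviewer ask about "special characters" above.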
> > @@ -244,7 +246,7 @@ read_standalone_schema(const char *filename)
> >  ovsdb_storage_close(storage);
> >  return schema;
> >  }
> > -
> > +
> >  static void
> >  do_create(struct ovs_cmdl_context *ctx)
> >  {
> > @@ -942,6 +944,94 @@ print_raft_record(const struct raft_record *r,
> >  }
> >  }
> >
> > +static struct ovsdb_log *
> > +write_raft_header_to_file(const struct json *data, const char
> *db_file_name)
> > +{
> > +if (!data) {
> > +return NULL;
> > +}
> > +
> > +if (json_array(data)->n != 2) {
> > +printf(" ***invalid data***\n");
>
> Better to use ovs_fatal() so that the process exit with an error.
>
Actually it is ok to print since it's not an error. It's just invalid
data since it's a tool. This is common usage in ovsdb-tool for iterating over
invalid data in the current code itself. Do you want me to refactor that too? I
can handle that in a separate patch to be consistent.

> > +return NULL;
> > +}
> > +
> > +struct ovsdb_log *log;
> > +struct json *schema_json = json_array(data)->elems[0];
> > +if (schema_json->type != JSON_NULL) {
> > +struct ovsdb_schema *schema;
> > +check_ovsdb_error(ovsdb_schema_from_json(schema_json, ));
> > +check_ovsdb_error(ovsdb_log_open(db_file_name, OVSDB_MAGIC,
> > + OVSDB_LOG_CREATE_EXCL, -1, ));
>
> It seems not the right place to open the standalone DB file. It is better
> to be opened in the same place where the clustered DB is opened. The open()
> and close() are better to be paired at same level of call stack.
>
Yes, I considered it before. However, I felt it actually doesn't make
sense to open the new standalone db in the very beginning, even before parsing
the raft header, at the minimum if the raft header has invalid data. Hence, opened
here. Let me know if you still want me to move it there. Agree, it will be
neater to read in do_migrate() where we also open/close the clustered db
files.

>
> > +check_ovsdb_error(ovsdb_log_write_and_free(log, schema_json));
> > +check_ovsdb_error(ovsdb_log_commit_block(log));
> > +}
> > +
> > +struct json *data_json = json_array(data)->elems[1];
> > +if (!data_json || data_json->type != JSON_OBJECT) {
> > +return NULL;
> > +}
> > +if (data_json->type != JSON_NULL) {
> > +check_ovsdb_error(ovsdb_log_write_and_free(log, data_json));
> > +check_ovsdb_error(ovsdb_log_commit_block(log));
> > +}
> > +return log;
> > +}
> > +
> > +static struct ovsdb_log *
> > +write_raft_header(const struct raft_header *h, const char *db_file_name)
> > +{
> > +if (h->snap_index) {
> > +return write_raft_header_to_file(h->snap.data, db_file_name);
> > +}
> > +return NULL;
> > +}
> > +
> > +static void
> > +write_raft_records_to_file(const struct json *data, struct ovsdb_log
> *log_data)
> > +{
> > +if (json_array(data)->n != 2) {
> > +printf(" ***invalid data***\n");
>
> Better to use ovs_fatal() so that the process exit with an error.
>
Same as above.

>
> > +return;
> > +}
> > +
> > +struct json *data_json = 
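Review bot: `log` in write_raft_header_to_file is assigned only inside `if (schema_json->type != JSON_NULL)`, yet `ovsdb_log_write_and_free(log, data_json)` and `return log` use it unconditionally, so a snapshot without a schema hands an indeterminate pointer to the log writer (the same class of defect the 0-day robot reported for `log_data` in do_migrate on v1). Initialise it, `struct ovsdb_log *log = NULL;`, and treat a missing schema as a hard error, since no standalone DB file can be produced without one. The `return NULL` after the `data_json` type check also leaks the log just opened with OVSDB_LOG_CREATE_EXCL; close it on that path, or open and close the standalone file at the same call level as the clustered one in do_migrate, as suggested above. The `data_json->type != JSON_NULL` test is redundant once `!= JSON_OBJECT` has returned, and the `***invalid data***` printf goes to stdout with a zero exit status, so a script driving the conversion cannot tell a truncated output from a complete one; ovs_fatal() is the better fit for both places.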

Re: [ovs-dev] [PATCH v1] ovsdb-tool: Convert clustered db to standalone db.

2019-08-22 Thread aginwala aginwala
Thanks Aron. I addressed this warning and sent v2. Didn't see it in
subsequent make as it appeared only first time so couldn't notice.

On Thu, Aug 22, 2019 at 5:00 PM 0-day Robot  wrote:

> Bleep bloop.  Greetings Aliasgar Ginwala, I am a robot and I have tried
> out your patch.
> Thanks for your contribution.
>
> I encountered some error that I wasn't expecting.  See the details below.
>
>
> build:
> gcc -std=gnu99 -DHAVE_CONFIG_H -I.-I ./include -I ./include -I ./lib
> -I ./lib-Wstrict-prototypes -Wall -Wextra -Wno-sign-compare
> -Wpointer-arith -Wformat -Wformat-security -Wswitch-enum -Wunused-parameter
> -Wbad-function-cast -Wcast-align -Wstrict-prototypes -Wold-style-definition
> -Wmissing-prototypes -Wmissing-field-initializers -fno-strict-aliasing
> -Wshadow -Werror -Werror   -g -O2 -MT utilities/ovs-ofctl.o -MD -MP -MF
> $depbase.Tpo -c -o utilities/ovs-ofctl.o utilities/ovs-ofctl.c &&\
> mv -f $depbase.Tpo $depbase.Po
> /bin/sh ./libtool  --tag=CC   --mode=link gcc -std=gnu99
> -Wstrict-prototypes -Wall -Wextra -Wno-sign-compare -Wpointer-arith
> -Wformat -Wformat-security -Wswitch-enum -Wunused-parameter
> -Wbad-function-cast -Wcast-align -Wstrict-prototypes -Wold-style-definition
> -Wmissing-prototypes -Wmissing-field-initializers -fno-strict-aliasing
> -Wshadow -Werror -Werror   -g -O2 -o utilities/ovs-ofctl
> utilities/ovs-ofctl.o ofproto/libofproto.la lib/libopenvswitch.la
> -lpthread -lrt -lm  -lunbound
> libtool: link: gcc -std=gnu99 -Wstrict-prototypes -Wall -Wextra
> -Wno-sign-compare -Wpointer-arith -Wformat -Wformat-security -Wswitch-enum
> -Wunused-parameter -Wbad-function-cast -Wcast-align -Wstrict-prototypes
> -Wold-style-definition -Wmissing-prototypes -Wmissing-field-initializers
> -fno-strict-aliasing -Wshadow -Werror -Werror -g -O2 -o utilities/ovs-ofctl
> utilities/ovs-ofctl.o  ofproto/.libs/libofproto.a
> /var/lib/jenkins/jobs/upstream_build_from_pw/workspace/lib/.libs/libsflow.a
> lib/.libs/libopenvswitch.a -lssl -lcrypto -lcap-ng -lpthread -lrt -lm
> -lunbound
> depbase=`echo utilities/ovs-vsctl.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
> gcc -std=gnu99 -DHAVE_CONFIG_H -I.-I ./include -I ./include -I ./lib
> -I ./lib-Wstrict-prototypes -Wall -Wextra -Wno-sign-compare
> -Wpointer-arith -Wformat -Wformat-security -Wswitch-enum -Wunused-parameter
> -Wbad-function-cast -Wcast-align -Wstrict-prototypes -Wold-style-definition
> -Wmissing-prototypes -Wmissing-field-initializers -fno-strict-aliasing
> -Wshadow -Werror -Werror   -g -O2 -MT utilities/ovs-vsctl.o -MD -MP -MF
> $depbase.Tpo -c -o utilities/ovs-vsctl.o utilities/ovs-vsctl.c &&\
> mv -f $depbase.Tpo $depbase.Po
> /bin/sh ./libtool  --tag=CC   --mode=link gcc -std=gnu99
> -Wstrict-prototypes -Wall -Wextra -Wno-sign-compare -Wpointer-arith
> -Wformat -Wformat-security -Wswitch-enum -Wunused-parameter
> -Wbad-function-cast -Wcast-align -Wstrict-prototypes -Wold-style-definition
> -Wmissing-prototypes -Wmissing-field-initializers -fno-strict-aliasing
> -Wshadow -Werror -Werror   -g -O2 -o utilities/ovs-vsctl
> utilities/ovs-vsctl.o lib/libopenvswitch.la -lpthread -lrt -lm  -lunbound
> libtool: link: gcc -std=gnu99 -Wstrict-prototypes -Wall -Wextra
> -Wno-sign-compare -Wpointer-arith -Wformat -Wformat-security -Wswitch-enum
> -Wunused-parameter -Wbad-function-cast -Wcast-align -Wstrict-prototypes
> -Wold-style-definition -Wmissing-prototypes -Wmissing-field-initializers
> -fno-strict-aliasing -Wshadow -Werror -Werror -g -O2 -o utilities/ovs-vsctl
> utilities/ovs-vsctl.o  lib/.libs/libopenvswitch.a -lssl -lcrypto -lcap-ng
> -lpthread -lrt -lm -lunbound
> depbase=`echo ovsdb/ovsdb-tool.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
> gcc -std=gnu99 -DHAVE_CONFIG_H -I.-I ./include -I ./include -I ./lib
> -I ./lib-Wstrict-prototypes -Wall -Wextra -Wno-sign-compare
> -Wpointer-arith -Wformat -Wformat-security -Wswitch-enum -Wunused-parameter
> -Wbad-function-cast -Wcast-align -Wstrict-prototypes -Wold-style-definition
> -Wmissing-prototypes -Wmissing-field-initializers -fno-strict-aliasing
> -Wshadow -Werror -Werror   -g -O2 -MT ovsdb/ovsdb-tool.o -MD -MP -MF
> $depbase.Tpo -c -o ovsdb/ovsdb-tool.o ovsdb/ovsdb-tool.c &&\
> mv -f $depbase.Tpo $depbase.Po
> ovsdb/ovsdb-tool.c: In function ‘do_migrate’:
> ovsdb/ovsdb-tool.c:1001:26: error: ‘log_data’ may be used uninitialized in
> this function [-Werror=maybe-uninitialized]
>  check_ovsdb_error(ovsdb_log_commit_block(log_data));
>   ^
> ovsdb/ovsdb-tool.c:1607:23: note: ‘log_data’ was declared here
>  struct ovsdb_log *log_data;
>^
> cc1: all warnings being treated as errors
> make[2]: *** [ovsdb/ovsdb-tool.o] Error 1
> make[2]: Leaving directory
> `/var/lib/jenkins/jobs/upstream_build_from_pw/workspace'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory
> `/var/lib/jenkins/jobs/upstream_build_from_pw/workspace'
> make: *** [all] Error 2
>
>
> Please check this out.  If you feel there 

Re: [ovs-dev] [PATCH v3 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-11 Thread aginwala aginwala
Thanks Ben:

Please backport it to 2.10 and 2.9

On Thu, Oct 11, 2018 at 2:06 PM Ben Pfaff  wrote:

> On Wed, Oct 10, 2018 at 11:42:08AM +0530, Numan Siddique wrote:
> > On Wed, Oct 10, 2018 at 3:42 AM aginwala  wrote:
> >
> > > When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> ssl
> > > certs for starting standby DBs. Hence, we need this change.
> > >
> > > Signed-off-by: aginwala 
> > > Acked-by: Han Zhou 
> > >
> >
> > Acked-by: Numan Siddique 
>
> Thanks, Ali and Numan (and Han).  I applied this to master.  Let me know
> if it needs backports.
>
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

2018-10-09 Thread aginwala aginwala
Hi Han:

Have added the man section for ssl in v3. PTAL.

Thanks,

On Mon, Oct 8, 2018 at 6:49 PM aginwala aginwala  wrote:

> Sure. I will add ssl usage example with some brief in the ovn-ctl.8.xml
> and send v3 for this patch . Does that sound good?
>
> On Mon, Oct 8, 2018 at 5:32 PM Han Zhou  wrote:
>
>>
>>
>> On Mon, Oct 8, 2018 at 4:55 PM aginwala aginwala 
>> wrote:
>> >
>> >
>> >
>> > On Mon, Oct 8, 2018 at 10:47 AM Han Zhou  wrote:
>> >>
>> >>
>> >>
>> >> On Fri, Oct 5, 2018 at 6:48 PM aginwala aginwala 
>> wrote:
>> >> >
>> >> > Thanks for the review Han. Please find the comments inline below:
>> >> > On Thu, Oct 4, 2018 at 9:58 AM Han Zhou  wrote:
>> >> >>
>> >> >> Thanks Ali, please see my comments below
>> >> >>
>> >> >> On Fri, Sep 21, 2018 at 5:34 PM  wrote:
>> >> >> >
>> >> >> >  For OVN DBs to work with SSL in HA, we need to have capability to
>> >> >> >  pass ssl certs when starting OVN DBs. Say when starting OVN DBs
>> in active
>> >> >> >  passive mode, in order for the standby DBs to sync from master
>> node, it
>> >> >> >  cannot sync because the required ssl certs are not passed when
>> standby DBs
>> >> >> >  are initialized. Hence, we need to have this option.
>> >> >> >
>> >> >> > e.g. start nb db with ssl certs as below:
>> >> >> > /usr/share/openvswitch/scripts/ovn-ctl
>> --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
>> >> >> > --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
>> >> >> > --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
>> >> >> > --db-nb-create-insecure-remote=no start_nb_ovsdb
>> >> >> >
>> >> >> > Certs can be generated based on ovs ssl docs:
>> >> >> > http://docs.openvswitch.org/en/latest/howto/ssl/
>> >> >> >
>> >> >> > Signed-off-by: aginwala 
>> >> >> > ---
>> >> >> >  ovn/utilities/ovn-ctl | 50
>> +++---
>> >> >> >  1 file changed, 43 insertions(+), 7 deletions(-)
>> >> >> >
>> >> >> > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
>> >> >> > index 3ff0df6..4f45f3d 100755
>> >> >> > --- a/ovn/utilities/ovn-ctl
>> >> >> > +++ b/ovn/utilities/ovn-ctl
>> >> >> > @@ -116,6 +116,9 @@ start_ovsdb__() {
>> >> >> >  local addr
>> >> >> >  local active_conf_file
>> >> >> >  local use_remote_in_db
>> >> >> > +local ovn_db_ssl_key
>> >> >> > +local ovn_db_ssl_cert
>> >> >> > +local ovn_db_ssl_cacert
>> >> >> >  eval pid=\$DB_${DB}_PID
>> >> >> >  eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
>> >> >> >  eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
>> >> >> > @@ -137,6 +140,9 @@ start_ovsdb__() {
>> >> >> >  eval addr=\$DB_${DB}_ADDR
>> >> >> >  eval active_conf_file=\$ovn${db}_active_conf_file
>> >> >> >  eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
>> >> >> > +eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
>> >> >> > +eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
>> >> >> > +eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
>> >> >> >
>> >> >> >  # Check and eventually start ovsdb-server for DB
>> >> >> >  if pidfile_is_running $pid; then
>> >> >> > @@ -182,17 +188,32 @@ $cluster_remote_port
>> >> >> >
>> >> >> >  if test X"$use_remote_in_db" != Xno; then
>> >> >> >  set "$@" --remote=db:$schema_name,$table_name,connections
>> >> >> > +if test X"$create_insecure_remote" = Xno; then
>> >> >> > +set "$@" --remote=pssl:$port:$addr
>> >> >> > +elif test X"$create_insecure_remote" = Xyes; then
>> >> >> > +set "$@" --remote=ptcp:$port:$ad

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-09 Thread aginwala aginwala
Thanks Numan for review. Just to update that V3 will only have changes for
ovn-ctl as per Han's suggestion to add details in help section there. ocf
script will remain unchanged. That is why I have added acked-by on this
patch. :)


On Mon, Oct 8, 2018 at 11:59 PM Numan Siddique  wrote:

>
>
> On Tue, Oct 9, 2018 at 6:11 AM Han Zhou  wrote:
>
>> >>
>> >> Giving a second thought, it seems there is still a problem.
>> >>
>> >> There should be two sets of SSL related parameters we should consider
>> in
>> the active-standby scenario.
>> >> - One set of parameters is for the server side. For ipaddr2 use case,
>> both active and standby nodes will need them. For LB use case, where only
>> the active node should listen on the port, only the active node should
>> need
>> these parameters.
>> >> - Another set of parameters is for the client side, together with the
>> --sync-from parameter, so that the standby node can connect to the active
>> node as a client using SSL. These parameters are needed in standby node
>> only.
>> >>
>> >> I didn't see how is this addressed. Did I miss anything?
>> >>
>> >> For the server side SSL parameters, it should be valid to use DB
>> settings instead of command line options. (For client side, it may not be
>> possible to use DB settings since the standby nodes need to get the SSL
>> parameters before connecting to the (active) DB).
>> >
>> > >> Just to clarify, for active-standby scenario, since we don't know who
>> will become active server any time, it is safe to use same certs on all
>> central nodes irrespective of which node is client or server.
>>
>> Ok, thanks. It is clarified after discussion that we are combining the
>> server side and client side ssl keys/certs to the same value for all
>> central nodes in the active-standby setup. I didn't know that same
>> settings
>> actually work for both server and client, so it sounds good for me.
>>
>
> From the pacemaker Resource script perspective, it looks good to me. I
> will take
> another look when you post v3.
>
> Thanks
> Numan
>


Re: [ovs-dev] [PATCH 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

2018-10-08 Thread aginwala aginwala
Sure. I will add ssl usage example with some brief in the ovn-ctl.8.xml and
send v3 for this patch . Does that sound good?

On Mon, Oct 8, 2018 at 5:32 PM Han Zhou  wrote:

>
>
> On Mon, Oct 8, 2018 at 4:55 PM aginwala aginwala 
> wrote:
> >
> >
> >
> > On Mon, Oct 8, 2018 at 10:47 AM Han Zhou  wrote:
> >>
> >>
> >>
> >> On Fri, Oct 5, 2018 at 6:48 PM aginwala aginwala 
> wrote:
> >> >
> >> > Thanks for the review Han. Please find the comments inline below:
> >> > On Thu, Oct 4, 2018 at 9:58 AM Han Zhou  wrote:
> >> >>
> >> >> Thanks Ali, please see my comments below
> >> >>
> >> >> On Fri, Sep 21, 2018 at 5:34 PM  wrote:
> >> >> >
> >> >> >  For OVN DBs to work with SSL in HA, we need to have capability to
> >> >> >  pass ssl certs when starting OVN DBs. Say when starting OVN DBs
> in active
> >> >> >  passive mode, in order for the standby DBs to sync from master
> node, it
> >> >> >  cannot sync because the required ssl certs are not passed when
> standby DBs
> >> >> >  are initialized. Hence, we need to have this option.
> >> >> >
> >> >> > e.g. start nb db with ssl certs as below:
> >> >> > /usr/share/openvswitch/scripts/ovn-ctl
> --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> >> >> > --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> >> >> > --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> >> >> > --db-nb-create-insecure-remote=no start_nb_ovsdb
> >> >> >
> >> >> > Certs can be generated based on ovs ssl docs:
> >> >> > http://docs.openvswitch.org/en/latest/howto/ssl/
> >> >> >
> >> >> > Signed-off-by: aginwala 
> >> >> > ---
> >> >> >  ovn/utilities/ovn-ctl | 50
> +++---
> >> >> >  1 file changed, 43 insertions(+), 7 deletions(-)
> >> >> >
> >> >> > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> >> >> > index 3ff0df6..4f45f3d 100755
> >> >> > --- a/ovn/utilities/ovn-ctl
> >> >> > +++ b/ovn/utilities/ovn-ctl
> >> >> > @@ -116,6 +116,9 @@ start_ovsdb__() {
> >> >> >  local addr
> >> >> >  local active_conf_file
> >> >> >  local use_remote_in_db
> >> >> > +local ovn_db_ssl_key
> >> >> > +local ovn_db_ssl_cert
> >> >> > +local ovn_db_ssl_cacert
> >> >> >  eval pid=\$DB_${DB}_PID
> >> >> >  eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
> >> >> >  eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> >> >> > @@ -137,6 +140,9 @@ start_ovsdb__() {
> >> >> >  eval addr=\$DB_${DB}_ADDR
> >> >> >  eval active_conf_file=\$ovn${db}_active_conf_file
> >> >> >  eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> >> >> > +eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> >> >> > +eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> >> >> > +eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
> >> >> >
> >> >> >  # Check and eventually start ovsdb-server for DB
> >> >> >  if pidfile_is_running $pid; then
> >> >> > @@ -182,17 +188,32 @@ $cluster_remote_port
> >> >> >
> >> >> >  if test X"$use_remote_in_db" != Xno; then
> >> >> >  set "$@" --remote=db:$schema_name,$table_name,connections
> >> >> > +if test X"$create_insecure_remote" = Xno; then
> >> >> > +set "$@" --remote=pssl:$port:$addr
> >> >> > +elif test X"$create_insecure_remote" = Xyes; then
> >> >> > +set "$@" --remote=ptcp:$port:$addr
> >> >> > +fi
> >> >> Why moving the logic here? This if block only says if the connection
> settings in DB table should be used. Whether insecure mode is allowed was
> supposed to be independent with this condition. Could you explain the
> reason behind the change?
> >> >> >> I moved it because remote=db is needed if ovsdb is running as a
> standalone node or an active ovsd

Re: [ovs-dev] [PATCH 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

2018-10-08 Thread aginwala aginwala
On Mon, Oct 8, 2018 at 10:47 AM Han Zhou  wrote:

>
>
> On Fri, Oct 5, 2018 at 6:48 PM aginwala aginwala 
> wrote:
> >
> > Thanks for the review Han. Please find the comments inline below:
> > On Thu, Oct 4, 2018 at 9:58 AM Han Zhou  wrote:
> >>
> >> Thanks Ali, please see my comments below
> >>
> >> On Fri, Sep 21, 2018 at 5:34 PM  wrote:
> >> >
> >> >  For OVN DBs to work with SSL in HA, we need to have capability to
> >> >  pass ssl certs when starting OVN DBs. Say when starting OVN DBs in
> active
> >> >  passive mode, in order for the standby DBs to sync from master node,
> it
> >> >  cannot sync because the required ssl certs are not passed when
> standby DBs
> >> >  are initialized. Hence, we need to have this option.
> >> >
> >> > e.g. start nb db with ssl certs as below:
> >> > /usr/share/openvswitch/scripts/ovn-ctl
> --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> >> > --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> >> > --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> >> > --db-nb-create-insecure-remote=no start_nb_ovsdb
> >> >
> >> > Certs can be generated based on ovs ssl docs:
> >> > http://docs.openvswitch.org/en/latest/howto/ssl/
> >> >
> >> > Signed-off-by: aginwala 
> >> > ---
> >> >  ovn/utilities/ovn-ctl | 50
> +++---
> >> >  1 file changed, 43 insertions(+), 7 deletions(-)
> >> >
> >> > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> >> > index 3ff0df6..4f45f3d 100755
> >> > --- a/ovn/utilities/ovn-ctl
> >> > +++ b/ovn/utilities/ovn-ctl
> >> > @@ -116,6 +116,9 @@ start_ovsdb__() {
> >> >  local addr
> >> >  local active_conf_file
> >> >  local use_remote_in_db
> >> > +local ovn_db_ssl_key
> >> > +local ovn_db_ssl_cert
> >> > +local ovn_db_ssl_cacert
> >> >  eval pid=\$DB_${DB}_PID
> >> >  eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
> >> >  eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> >> > @@ -137,6 +140,9 @@ start_ovsdb__() {
> >> >  eval addr=\$DB_${DB}_ADDR
> >> >  eval active_conf_file=\$ovn${db}_active_conf_file
> >> >  eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> >> > +eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> >> > +eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> >> > +eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
> >> >
> >> >  # Check and eventually start ovsdb-server for DB
> >> >  if pidfile_is_running $pid; then
> >> > @@ -182,17 +188,32 @@ $cluster_remote_port
> >> >
> >> >  if test X"$use_remote_in_db" != Xno; then
> >> >  set "$@" --remote=db:$schema_name,$table_name,connections
> >> > +if test X"$create_insecure_remote" = Xno; then
> >> > +set "$@" --remote=pssl:$port:$addr
> >> > +elif test X"$create_insecure_remote" = Xyes; then
> >> > +set "$@" --remote=ptcp:$port:$addr
> >> > +fi
> >> Why moving the logic here? This if block only says if the connection
> settings in DB table should be used. Whether insecure mode is allowed was
> supposed to be independent with this condition. Could you explain the
> reason behind the change?
> >> >> I moved it because remote=db is needed if ovsdb is running as a
> standalone node or an active ovsdb server node. For standby nodes in case
> of active_passive mode, remote=db will not be there because it uses
> --sync-from. Hope it's clear.
>
> As discussed, $use_remote_in_db and $create_insecure_remote were
> independent. Moving $create_insecure_remote logic here make it useful only
> when $use_remote_in_db is "yes", which is not how it was supposed to be.
>
> I understand that for standby node, we will set $use_remote_in_db as "no".
> Is this a problem?
>
Just verified and have kept the logic intact, as even for ssl we have the
connection table set for 0.0.0.0 for the LB use case and it works fine. Hence,
have updated it in v2. Please take a look and let me know.

> --sync-from has nothing to do with "remote".
> >
> >
> >>
> >> >  fi
> >> > -set "$@"

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-08 Thread aginwala aginwala
On Mon, Oct 8, 2018 at 2:17 PM Han Zhou  wrote:

>
>
> On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala 
> wrote:
> >
> > Yes, that's right.  I will send out v2 in a bit with Han's ack.
> >
> >
> > Regards,
> > Aliasgar
> >
> > On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff  wrote:
> >>
> >> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> >> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala 
> wrote:
> >> > >
> >> > > Thanks for the review Han. Please find the comments inline below:
> >> > >
> >> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:
> >> > >>
> >> > >> Thanks Ali, please see my comm
> >> > >>
> >> > >> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
> >> > >> >
> >> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need
> to pass
> >> > ssl
> >> > >> >  certs for starting standby DBs. Hence, we need this change.
> >> > >> >
> >> > >> > Signed-off-by: aginwala 
> >> > >> > ---
> >> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> >> > -
> >> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> > >> >
> >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> >> > b/ovn/utilities/ovndb-servers.ocf
> >> > >> > index 52141c7..80f81ae 100755
> >> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > >> > @@ -10,6 +10,12 @@
> >> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> >
> >> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
> crm_config
> >> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > >> > @@ -21,6 +27,13 @@
> >> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> > >> >
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> > >> >
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> > >> >
> >> >
>  
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > >> >
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > >> >
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > >> >
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > >> >
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > >> > +
> >> > >> >
> >> > >> >  # In order for pacemaker to work with LB, we can set
> >> > LISTEN_ON_MASTER_IP_ONLY
> >> > >> >  # to false and pass LB vip IP while creating pcs resource.
> >> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> > >> >
> >> > >> >
> >> > >> >
> >> > >> > +  
> >> > >> > +  
> >> > >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > >> > +  
> >> > >> > +  OVN NB DB private key file
> >> &

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-08 Thread aginwala aginwala
Yes, that's right.  I will send out v2 in a bit with Han's ack.


Regards,
Aliasgar

On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff  wrote:

> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala 
> wrote:
> > >
> > > Thanks for the review Han. Please find the comments inline below:
> > >
> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:
> > >>
> > >> Thanks Ali, please see my comm
> > >>
> > >> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
> > >> >
> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
> pass
> > ssl
> > >> >  certs for starting standby DBs. Hence, we need this change.
> > >> >
> > >> > Signed-off-by: aginwala 
> > >> > ---
> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> > -
> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> > >> >
> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> > b/ovn/utilities/ovndb-servers.ocf
> > >> > index 52141c7..80f81ae 100755
> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> > >> > @@ -10,6 +10,12 @@
> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> >
> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> > >> > @@ -21,6 +27,13 @@
> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> > >> >
> >
> SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> > >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> > >> >
> >
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > >> > +
> > >> >
> > >> >  # In order for pacemaker to work with LB, we can set
> > LISTEN_ON_MASTER_IP_ONLY
> > >> >  # to false and pass LB vip IP while creating pcs resource.
> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> > >> >
> > >> >
> > >> >
> > >> > +  
> > >> > +  
> > >> > +  OVN NB DB private key absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN NB DB private key file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN NB DB cert file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN NB DB cacert file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN SB DB private key absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN SB DB private key 

Re: [ovs-dev] [PATCH 1/2] ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.

2018-10-05 Thread aginwala aginwala
Thanks for the review Han. Please find the comments inline below:
On Thu, Oct 4, 2018 at 9:58 AM Han Zhou  wrote:

> Thanks Ali, please see my comments below
>
> On Fri, Sep 21, 2018 at 5:34 PM  wrote:
> >
> >  For OVN DBs to work with SSL in HA, we need to have the capability to
> >  pass ssl certs when starting OVN DBs. Say when starting OVN DBs in
> >  active-passive mode: the standby DBs cannot sync from the master node
> >  because the required ssl certs are not passed when the standby DBs are
> >  initialized. Hence, we need to have this option.
> >
> > e.g. start nb db with ssl certs as below:
> > /usr/share/openvswitch/scripts/ovn-ctl \
> > --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
> > --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
> > --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
> > --db-nb-create-insecure-remote=no start_nb_ovsdb
> >
> > Certs can be generated based on ovs ssl docs:
> > http://docs.openvswitch.org/en/latest/howto/ssl/
> >
> > Signed-off-by: aginwala 
> > ---
> >  ovn/utilities/ovn-ctl | 50
> +++---
> >  1 file changed, 43 insertions(+), 7 deletions(-)
> >
> > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
> > index 3ff0df6..4f45f3d 100755
> > --- a/ovn/utilities/ovn-ctl
> > +++ b/ovn/utilities/ovn-ctl
> > @@ -116,6 +116,9 @@ start_ovsdb__() {
> >  local addr
> >  local active_conf_file
> >  local use_remote_in_db
> > +local ovn_db_ssl_key
> > +local ovn_db_ssl_cert
> > +local ovn_db_ssl_cacert
> >  eval pid=\$DB_${DB}_PID
> >  eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
> >  eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
> > @@ -137,6 +140,9 @@ start_ovsdb__() {
> >  eval addr=\$DB_${DB}_ADDR
> >  eval active_conf_file=\$ovn${db}_active_conf_file
> >  eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
> > +eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
> > +eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
> > +eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
> >
> >  # Check and eventually start ovsdb-server for DB
> >  if pidfile_is_running $pid; then
> > @@ -182,17 +188,32 @@ $cluster_remote_port
> >
> >  if test X"$use_remote_in_db" != Xno; then
> >  set "$@" --remote=db:$schema_name,$table_name,connections
> > +if test X"$create_insecure_remote" = Xno; then
> > +set "$@" --remote=pssl:$port:$addr
> > +elif test X"$create_insecure_remote" = Xyes; then
> > +set "$@" --remote=ptcp:$port:$addr
> > +fi
> Why moving the logic here? This if block only says if the connection
> settings in DB table should be used. Whether insecure mode is allowed was
> supposed to be independent with this condition. Could you explain the
> reason behind the change?
> >> I moved it because remote=db is needed if ovsdb is running as a
> standalone node or an active ovsdb server node. For standby nodes in case
> of active_passive mode, remote=db will not be there because it uses
> --sync-from. Hope it's clear.
>


> >  fi
> > -set "$@" --private-key=db:$schema_name,SSL,private_key
> > -set "$@" --certificate=db:$schema_name,SSL,certificate
> > -set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> > -set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
> > -set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
>
> So it will not use the settings in DB any more? It seems this change
> removed support for "--use-remote-in-db=yes", which is the default behavior
> that should be kept. The DB settings should not be used only if
> "--use-remote-in-db=no"
>
> >> As discussed, this is similar to the support we have for ovn-controller
> with ssl. If the key is passed from the CLI, it will use the key; else it
> falls back to the default setters for ssl.

> >
> > -if test X"$create_insecure_remote" = Xyes; then
> > -set "$@" --remote=ptcp:$port:$addr
> > +if test X"$ovn_db_ssl_key" != X; then
> > +set "$@" --private-key=$ovn_db_ssl_key
> > +else
> > +set "$@" --private-key=db:$schema_name,SSL,private_key
> > +fi
> > +if test X"$ovn_db_ssl_cert" != X; then
> > +set "$@" --certificate=$ovn_db_ssl_cert
> > +else
> > +set "$@" --certificate=db:$schema_name,SSL,certificate
> > +fi
> > +if test X"$ovn_db_ssl_cacert" != X; then
> > +set "$@" --ca-cert=$ovn_db_ssl_cacert
> > +else
> > +set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
> >  fi
> >
> > +set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
> > +set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
> > +
> >  if test $mode = active_passive; then
> >  set "$@" --sync-from=`cat $active_conf_file`
> >  fi
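Review bot: the three `if test X"$ovn_db_ssl_key" != X` / `... ovn_db_ssl_cert` / `... ovn_db_ssl_cacert` blocks override key, certificate and CA certificate independently, so a user who passes only `--ovn-nb-db-ssl-key` ends up with a file-based key paired with `--certificate=db:$schema_name,SSL,certificate`; that mismatch surfaces only as TLS handshake failures at runtime. Treat the three as all-or-nothing and error out at start if some but not all are set. Separately, because the moved `--remote=pssl:$port:$addr` and `--remote=ptcp:$port:$addr` lines now sit inside `if test X"$use_remote_in_db" != Xno`, a DB started with `--use-remote-in-db=no` gets none of the remotes shown in this hunk, which is the concern Han raises above; keeping the listener choice outside that test would preserve the previous behaviour for standby nodes.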
> > @@ -481,6 +502,15 @@ set_defaults () {
> >  OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
> >  DB_NB_USE_REMOTE_IN_DB="yes"
> >  DB_SB_USE_REMOTE_IN_DB="yes"
> > +
> > +OVN_NB_DB_SSL_KEY=""
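Review bot: defaulting `OVN_NB_DB_SSL_KEY=""` keeps the `db:$schema_name,SSL,private_key` fallback as the out-of-the-box behaviour, which is the right default; the patch should also extend ovn-ctl's usage text (not touched here) to document `--ovn-nb-db-ssl-key`, `--ovn-nb-db-ssl-cert`, `--ovn-nb-db-ssl-ca-cert` and the SB equivalents, stating that they override the values stored in the SSL table and must be given together.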

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-05 Thread aginwala aginwala
Thanks for the review Han. Please find the comments inline below:

On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:

> Thanks Ali, please see my comm
>
> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
> >
> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> >  ssl certs for starting standby DBs. Hence, we need this change.
> >
> > Signed-off-by: aginwala 
> > ---
> >  ovn/utilities/ovndb-servers.ocf | 74
> -
> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >
> > diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> > index 52141c7..80f81ae 100755
> > --- a/ovn/utilities/ovndb-servers.ocf
> > +++ b/ovn/utilities/ovndb-servers.ocf
> > @@ -10,6 +10,12 @@
> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >
> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
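Review bot: the six `*_DEFAULT` paths under `/etc/openvswitch/` are assumed to exist whenever the master protocol is ssl, but nothing in the patch verifies them; add a readability test such as `test -r "${NB_PRIVKEY}"` for each file in the start path so a node with missing or unreadable key material fails the resource action with a clear message instead of ovsdb-server failing to bind its pssl remote. Also worth a comment: `NB_SSL_CACERT_DEFAULT` and `SB_SSL_CACERT_DEFAULT` both point at the same `cacert.pem`, so a deployment with separate CAs for NB and SB must override both.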
> > @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >
>  
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > +
> >
> >  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
> >  # to false and pass LB vip IP while creating pcs resource.
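Review bot: the resource parameters are named `ovn_nb_db_privkey`, `ovn_nb_db_cert` and `ovn_nb_db_cacert` while the ovn-ctl options they feed in the later hunk are `--ovn-nb-db-ssl-key`, `--ovn-nb-db-ssl-cert` and `--ovn-nb-db-ssl-ca-cert`; naming them `ovn_nb_db_ssl_key` and so on (same for SB) would make the mapping obvious to someone writing a `pcs resource create` line against the ovn-ctl usage. Minor.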
> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >
> >
> >
> > +  
> > +  
> > +  OVN NB DB private key absolute path for ssl setup.
> > +  
> > +  OVN NB DB private key file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN NB DB certificate absolute path for ssl setup.
> > +  
> > +  OVN NB DB cert file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > +  
> > +  OVN NB DB cacert file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN SB DB private key absolute path for ssl setup.
> > +  
> > +  OVN SB DB private key file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN SB DB certificate absolute path for ssl setup.
> > +  
> > +  OVN SB DB cert file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > +  
> > +  OVN SB DB cacert file
> > +  
> > +  
> > +
> >
> >
> >
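Review bot: each longdesc says only "absolute path for ssl setup"; it should also state that the parameter is consulted only when the corresponding `*_master_protocol` is ssl (the start hunk below guards the `--ovn-*-db-ssl-*` options on `NB_MASTER_PROTO`/`SB_MASTER_PROTO` being ssl) and give the default path, so users of tcp deployments don't set them expecting an effect.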
> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> >  fi
> >
> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > +set $@ --db-nb-create-insecure-remote=no
> "no" is the default value, so this line is not needed.
>
>> Sure. This makes sense. Will check out the default behavior and update
it in the revised patch!

>
> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> This should be needed only for standby which sets
> --db-sb-use-remote-in-db=no.
>
>> As discussed, for each of the modes, either ssl or tcp, all the nodes
should have this option set.

>
> > +fi
> > +if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> > +set $@ --db-sb-create-insecure-remote=no
> > +set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> > +set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> > +set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> > +fi
> >  if [ "x${present_master}" = x ]; then
> >  # No master detected, or the previous master is not among the
> >  # set starting.
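Review bot: `set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}` (and the five sibling lines) leave both `$@` and the parameter expansion unquoted, so a resource parameter containing whitespace is split into several arguments before reaching ovn-ctl; the existing lines in this function use the same unquoted form, so either quote the new ones (`set "$@" --ovn-nb-db-ssl-key="${NB_PRIVKEY}"`) or document that such paths are unsupported. The ssl blocks also run on every node, master or standby, while the `elif [ ${present_master} != ${host_name} ]` branch below still special-cases only `NB_MASTER_PROTO = tcp` under `LISTEN_ON_MASTER_IP_ONLY`; please confirm in the commit message that a standby with protocol ssl still gets a listener on the LB VIP path.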
> > @@ -343,7 +416,6 @@ ovsdb_server_start() {
> >  set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
> --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
> >
> >  elif [ ${present_master} != ${host_name} ]; then
> > -# TODO: for using LB vip, need to test for ssl.
> >  if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
> >  if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
> >  set $@ --db-nb-create-insecure-remote=yes
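Review bot: removing `# TODO: for using LB vip, need to test for ssl.` asserts that the LB-VIP path has now been exercised with ssl, but the commit message does not say how; add a sentence describing the test setup (pcs resource with a VIP, `nb_master_protocol`/`sb_master_protocol` set to ssl, a standby syncing from the master over pssl) so the TODO's removal is backed by the log.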
> > --
> > 1.9.1
> >
> >
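The argument assembly discussed in both patches above (ovn-ctl choosing between CLI-supplied key material and the `db:SCHEMA,SSL,*` setters, and the OCF agent handing those paths down), as an added example that is not part of either patch or of the ovn-ctl script. It reproduces the selection logic from the quoted ovn-ctl hunk and adds the two checks raised in review: the three CLI paths are accepted only all together, and every file is tested for readability before anything is launched. `build_ssl_args` and `check_ssl_files` are names chosen here; the schema and table names, ports and paths in the demo are assumptions, and the listener choice is kept independent of `use_remote_in_db`, which is the reviewer's suggestion rather than the patch's behaviour.

```shell
#!/bin/sh
# Added example, not code from ovn-ctl or ovndb-servers.ocf. Mirrors the
# option assembly in the quoted ovn-ctl hunk and adds the checks a reviewer
# would ask for. Names, paths and ports below are assumptions for the demo.

# check_ssl_files KEY CERT CACERT
# Fail fast with a clear message instead of letting ovsdb-server die when it
# tries to load the files for its pssl remote.
check_ssl_files() {
    for f in "$1" "$2" "$3"; do
        if [ ! -r "$f" ]; then
            echo "error: SSL file '$f' is missing or unreadable" >&2
            return 1
        fi
    done
    return 0
}

# build_ssl_args SCHEMA TABLE PORT ADDR CREATE_INSECURE USE_REMOTE_IN_DB KEY CERT CACERT
# Prints one ovsdb-server option per line. KEY/CERT/CACERT may all be empty,
# in which case the db:SCHEMA,SSL,* setters are used, as the hunk does.
build_ssl_args() {
    schema=$1 table=$2 port=$3 addr=$4 insecure=$5 use_remote_in_db=$6
    key=$7 cert=$8 cacert=$9

    # All-or-nothing: a CLI key paired with a certificate stored in the DB
    # would be a mismatched pair that only shows up as handshake failures.
    n=0
    for f in "$key" "$cert" "$cacert"; do
        if [ -n "$f" ]; then n=$((n + 1)); fi
    done
    if [ "$n" -ne 0 ] && [ "$n" -ne 3 ]; then
        echo "error: ssl key, cert and ca-cert must be given together" >&2
        return 1
    fi

    # Connections stored in the DB are consulted on active/standalone nodes
    # only; a standby syncs from the master instead (reply above).
    if [ "$use_remote_in_db" != no ]; then
        echo "--remote=db:$schema,$table,connections"
    fi
    # Listener choice is kept independent of use_remote_in_db (the point
    # raised in review), so a standby still gets a listener of the right kind.
    case $insecure in
        no)  echo "--remote=pssl:$port:$addr" ;;
        yes) echo "--remote=ptcp:$port:$addr" ;;
    esac

    if [ -n "$key" ]; then
        echo "--private-key=$key"
        echo "--certificate=$cert"
        echo "--ca-cert=$cacert"
    else
        echo "--private-key=db:$schema,SSL,private_key"
        echo "--certificate=db:$schema,SSL,certificate"
        echo "--ca-cert=db:$schema,SSL,ca_cert"
    fi
    # Protocol and cipher policy still come from the SSL table either way.
    echo "--ssl-protocols=db:$schema,SSL,ssl_protocols"
    echo "--ssl-ciphers=db:$schema,SSL,ssl_ciphers"
    return 0
}

# Usage: `sh this.sh demo` prints the options for an NB standby in ssl mode
# (assumed paths, matching the defaults in the OCF patch above).
if [ "${1:-}" = demo ]; then
    check_ssl_files /etc/openvswitch/ovnnb-privkey.pem \
        /etc/openvswitch/ovnnb-cert.pem /etc/openvswitch/cacert.pem &&
    build_ssl_args OVN_Northbound NB_Global 6641 0.0.0.0 no no \
        /etc/openvswitch/ovnnb-privkey.pem /etc/openvswitch/ovnnb-cert.pem \
        /etc/openvswitch/cacert.pem
fi
```

Rejecting a partial override is the cheap check; pairing a key from one place with a certificate from another is otherwise only detected by peers failing to connect.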