Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
Thanks Numan for review. Just to update that V3 will only have changes for ovn-ctl as per Han's suggestion to add details in the help section there. The ocf script will remain unchanged. That is why I have added acked-by on this patch. :)

On Mon, Oct 8, 2018 at 11:59 PM Numan Siddique wrote:
>
> On Tue, Oct 9, 2018 at 6:11 AM Han Zhou wrote:
>>
>> Giving a second thought, it seems there is still a problem.
>>
>> There should be two sets of SSL related parameters we should consider in
>> the active-standby scenario.
>> - One set of parameters is for the server side. For ipaddr2 use case,
>> both active and standby nodes will need them. For LB use case, where only
>> the active node should listen on the port, only the active node should need
>> these parameters.
>> - Another set of parameters is for the client side, together with the
>> --sync-from parameter, so that the standby node can connect to the active
>> node as a client using SSL. These parameters are needed on the standby node
>> only.
>>
>> I didn't see how this is addressed. Did I miss anything?
>>
>> For the server side SSL parameters, it should be valid to use DB
>> settings instead of command line options. (For client side, it may not be
>> possible to use DB settings since the standby nodes need to get the SSL
>> parameters before connecting to the (active) DB).
>>
>> Just to clarify, for active-standby scenario, since we don't know who
>> will become the active server at any time, it is safe to use the same certs on all
>> central nodes irrespective of which node is client or server.
>>
>> Ok, thanks. It is clarified after discussion that we are combining the
>> server side and client side ssl keys/certs to the same value for all
>> central nodes in the active-standby setup. I didn't know that the same settings
>> actually work for both server and client, so it sounds good for me.
>
> From the pacemaker Resource script perspective, it looks good to me. I
> will take another look when you post v3.
>
> Thanks
> Numan

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
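Added example, not part of this thread and not code from the ovs/ovn tree: a POSIX-shell preflight check for the point settled above, namely that the one key/cert pair installed on every central node must be good both for the ovsdb-server listener (server role, active node) and for the --sync-from connection (client role, standby node), and must chain to the CA all nodes share. The function names, the throwaway PKI built with the openssl command-line tool, and the file names are assumptions; openssl's sslserver/sslclient purpose checks are used so that extendedKeyUsage restrictions are caught as well as key/cert mismatches.

```shell
#!/bin/sh
# Added example (assumptions throughout), not from ovndb-servers.ocf or the thread.
# Verifies that one key/cert pair can serve both TLS roles the active-standby
# setup needs (listener on the active node, --sync-from client on the standby)
# and that it chains to the shared CA, before the paths are handed to ovn-ctl.

# check_dual_role_cert KEY CERT CACERT
#   0: usable for both roles         2: a file is missing or unreadable
#   3: key does not match cert       4: cert fails sslserver or sslclient purpose
check_dual_role_cert() {
    key=$1
    cert=$2
    cacert=$3
    for f in "$key" "$cert" "$cacert"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done
    # The private key must belong to the certificate: compare the SPKIs.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    [ "$k" = "$c" ] || { echo "key/cert mismatch: $key $cert" >&2; return 3; }
    # Chain to the shared CA and satisfy both TLS purposes (EKU/KU are checked).
    for purpose in sslserver sslclient; do
        openssl verify -purpose "$purpose" -CAfile "$cacert" "$cert" >/dev/null 2>&1 \
            || { echo "$cert: not valid for purpose $purpose" >&2; return 4; }
    done
    return 0
}

# make_demo_pki DIR: constructed throwaway PKI (assumed names), one CA, one node
# cert valid for both roles, one client-only cert cut from the same node key.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca-ext.cnf"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/dual-ext.cnf"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca-key.pem" \
        -out "$d/ca.csr" -subj /CN=demo-ovn-ca >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca-key.pem" -days 1 \
        -extfile "$d/ca-ext.cnf" -out "$d/cacert.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/node-privkey.pem" \
        -out "$d/node.csr" -subj /CN=ovn-central-1 >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/node.csr" -CA "$d/cacert.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 1 -extfile "$d/dual-ext.cnf" \
        -out "$d/node-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/node.csr" -CA "$d/cacert.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 1 -extfile "$d/client-ext.cnf" \
        -out "$d/client-only-cert.pem" >/dev/null 2>&1 || return 1
}

# Stand-alone run: build the demo PKI in a temp dir and check both certs.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { echo "openssl unavailable or PKI generation failed" >&2; rm -rf "$d"; return 1; }
    for c in node-cert.pem client-only-cert.pem; do
        if check_dual_role_cert "$d/node-privkey.pem" "$d/$c" "$d/cacert.pem"; then
            echo "$c: usable on every central node (server and client role)"
        else
            echo "$c: NOT usable for both roles (rc=$?)"
        fi
    done
    rm -rf "$d"
}

demo
```

Run it as `sh check-dual-role.sh`; the node cert passes and the client-only cert is rejected with rc=4. Against a real deployment, call `check_dual_role_cert` with the same three paths the resource's ovn_nb_db_privkey / ovn_nb_db_cert / ovn_nb_db_cacert parameters carry, on every central node, since any of them may become the standby that has to connect as a client.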
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
On Tue, Oct 9, 2018 at 6:11 AM Han Zhou wrote:
>
>> Giving a second thought, it seems there is still a problem.
>>
>> There should be two sets of SSL related parameters we should consider in
>> the active-standby scenario.
>> - One set of parameters is for the server side. For ipaddr2 use case,
>> both active and standby nodes will need them. For LB use case, where only
>> the active node should listen on the port, only the active node should need
>> these parameters.
>> - Another set of parameters is for the client side, together with the
>> --sync-from parameter, so that the standby node can connect to the active
>> node as a client using SSL. These parameters are needed on the standby node
>> only.
>>
>> I didn't see how this is addressed. Did I miss anything?
>>
>> For the server side SSL parameters, it should be valid to use DB
>> settings instead of command line options. (For client side, it may not be
>> possible to use DB settings since the standby nodes need to get the SSL
>> parameters before connecting to the (active) DB).
>
>> Just to clarify, for active-standby scenario, since we don't know who
>> will become the active server at any time, it is safe to use the same certs on all
>> central nodes irrespective of which node is client or server.
>
> Ok, thanks. It is clarified after discussion that we are combining the
> server side and client side ssl keys/certs to the same value for all
> central nodes in the active-standby setup. I didn't know that the same settings
> actually work for both server and client, so it sounds good for me.

From the pacemaker Resource script perspective, it looks good to me. I will take another look when you post v3.

Thanks
Numan
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
On Mon, Oct 8, 2018 at 2:17 PM Han Zhou wrote: > > > On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala > wrote: > > > > Yes, that's right. I will send out v2 in a bit with Han's ack. > > > > > > Regards, > > Aliasgar > > > > On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff wrote: > >> > >> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote: > >> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala > wrote: > >> > > > >> > > Thanks for the review Han. Please find the comments inline below: > >> > > > >> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou wrote: > >> > >> > >> > >> Thanks Ali, please see my comm > >> > >> > >> > >> On Fri, Sep 21, 2018 at 5:38 PM wrote: > >> > >> > > >> > >> > When starting OVN DBs in HA using pacemaker with ssl, we need > to pass > >> > ssl > >> > >> > certs for starting standby DBs. Hence, we need this change. > >> > >> > > >> > >> > Signed-off-by: aginwala > >> > >> > --- > >> > >> > ovn/utilities/ovndb-servers.ocf | 74 > >> > - > >> > >> > 1 file changed, 73 insertions(+), 1 deletion(-) > >> > >> > > >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf > >> > b/ovn/utilities/ovndb-servers.ocf > >> > >> > index 52141c7..80f81ae 100755 > >> > >> > --- a/ovn/utilities/ovndb-servers.ocf > >> > >> > +++ b/ovn/utilities/ovndb-servers.ocf 
> >> > >> > @@ -10,6 +10,12 @@ > >> > >> > : ${MANAGE_NORTHD_DEFAULT="no"} > >> > >> > : ${INACTIVE_PROBE_DEFAULT="5000"} > >> > >> > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > >> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > >> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > >> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > >> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > >> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > >> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > >> > >> > > >> > >> > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > >> > >> > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type > crm_config > >> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server" > >> > >> > @@ -21,6 +27,13 @@ > >> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > >> > >> > > >> > > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > >> > >> > > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > >> > >> > > >> > > > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > >> > >> > > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > >> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > >> > >> > > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > >> > >> > > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > >> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > >> > >> > > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > >> > >> > + > >> > >> > > >> > >> > # In order for pacemaker to work with LB, we can set > >> > LISTEN_ON_MASTER_IP_ONLY > >> > >> > # to false and pass LB vip IP while creating pcs resource. 
> >> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > >> > >> > > >> > >> > > >> > >> > > >> > >> > + > >> > >> > + > >> > >> > + OVN NB DB private key absolute path for ssl setup. > >> > >> > + > >> > >> > + OVN NB DB private key file > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + OVN NB DB certificate absolute path for ssl setup. > >> > >> > + > >> > >> > + OVN NB DB cert file > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + OVN NB DB CA certificate absolute path for ssl setup. > >> > >> > + > >> > >> > + OVN NB DB cacert file > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + OVN SB DB private key absolute path for ssl setup. > >> > >> > + > >> > >> > + OVN SB DB private key file > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + OVN SB DB certificate absolute path for ssl setup. > >> > >> > + > >> > >> > + OVN SB DB cert file > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > + OVN SB DB CA certificate absolute path for ssl setup. > >> > >> > + > >> > >> > + OVN SB DB cacert file > >> > >> > + > >> > >> > + > >> > >> > + > >> > >> > > >> > >> > > >> > >> > > >> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() { > >> > >> > set $@ --db-sb-addr=${MASTER_IP} > --db-sb-port=${SB_MASTER_PORT} > >> > >> > fi > >> > >> > > >> > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then > >> > >> > +set $@ --db-nb-create-insecure-remote=no > >> > >> "no" is the default value, so this line is not needed. > >> > > > >> > > >> Sure. This makes sense. Will check out the
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala wrote: > > Yes, that's right. I will send out v2 in a bit with Han's ack. > > > Regards, > Aliasgar > > On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff wrote: >> >> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote: >> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala wrote: >> > > >> > > Thanks for the review Han. Please find the comments inline below: >> > > >> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou wrote: >> > >> >> > >> Thanks Ali, please see my comm >> > >> >> > >> On Fri, Sep 21, 2018 at 5:38 PM wrote: >> > >> > >> > >> > When starting OVN DBs in HA using pacemaker with ssl, we need to pass >> > ssl >> > >> > certs for starting standby DBs. Hence, we need this change. >> > >> > >> > >> > Signed-off-by: aginwala >> > >> > --- >> > >> > ovn/utilities/ovndb-servers.ocf | 74 >> > - >> > >> > 1 file changed, 73 insertions(+), 1 deletion(-) >> > >> > >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf >> > b/ovn/utilities/ovndb-servers.ocf >> > >> > index 52141c7..80f81ae 100755 >> > >> > --- a/ovn/utilities/ovndb-servers.ocf >> > >> > +++ b/ovn/utilities/ovndb-servers.ocf >> > >> > @@ -10,6 +10,12 @@ >> > >> > : ${MANAGE_NORTHD_DEFAULT="no"} >> > >> > : ${INACTIVE_PROBE_DEFAULT="5000"} >> > >> > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} >> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} >> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} >> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} >> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} >> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} >> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} >> > >> > >> > >> > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" >> > >> > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config >> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server" 
>> > >> > @@ -21,6 +27,13 @@ >> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} >> > >> > >> > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} >> > >> > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} >> > >> > >> > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} >> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} >> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} >> > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} >> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} >> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} >> > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} >> > >> > + >> > >> > >> > >> > # In order for pacemaker to work with LB, we can set >> > LISTEN_ON_MASTER_IP_ONLY >> > >> > # to false and pass LB vip IP while creating pcs resource. 
>> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { >> > >> > >> > >> > >> > >> > >> > >> > + >> > >> > + >> > >> > + OVN NB DB private key absolute path for ssl setup. >> > >> > + >> > >> > + OVN NB DB private key file >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + OVN NB DB certificate absolute path for ssl setup. >> > >> > + >> > >> > + OVN NB DB cert file >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + OVN NB DB CA certificate absolute path for ssl setup. >> > >> > + >> > >> > + OVN NB DB cacert file >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + OVN SB DB private key absolute path for ssl setup. >> > >> > + >> > >> > + OVN SB DB private key file >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + OVN SB DB certificate absolute path for ssl setup. >> > >> > + >> > >> > + OVN SB DB cert file >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + >> > >> > + OVN SB DB CA certificate absolute path for ssl setup. >> > >> > + >> > >> > + OVN SB DB cacert file >> > >> > + >> > >> > + >> > >> > + >> > >> > >> > >> > >> > >> > >> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() { >> > >> > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} >> > >> > fi >> > >> > >> > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then >> > >> > +set $@ --db-nb-create-insecure-remote=no >> > >> "no" is the default value, so this line is not needed. >> > > >> > > >> Sure. This makes sense. Will check out the default behavior and update >> > it the revised patch! >> > >> >> > >> >> > >> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} >> > >> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT} >> > >> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} >> > >> This should be needed only for standby which sets >> >
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
Yes, that's right. I will send out v2 in a bit with Han's ack. Regards, Aliasgar On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff wrote: > On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote: > > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala > wrote: > > > > > > Thanks for the review Han. Please find the comments inline below: > > > > > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou wrote: > > >> > > >> Thanks Ali, please see my comm > > >> > > >> On Fri, Sep 21, 2018 at 5:38 PM wrote: > > >> > > > >> > When starting OVN DBs in HA using pacemaker with ssl, we need to > pass > > ssl > > >> > certs for starting standby DBs. Hence, we need this change. > > >> > > > >> > Signed-off-by: aginwala > > >> > --- > > >> > ovn/utilities/ovndb-servers.ocf | 74 > > - > > >> > 1 file changed, 73 insertions(+), 1 deletion(-) > > >> > > > >> > diff --git a/ovn/utilities/ovndb-servers.ocf > > b/ovn/utilities/ovndb-servers.ocf > > >> > index 52141c7..80f81ae 100755 > > >> > --- a/ovn/utilities/ovndb-servers.ocf > > >> > +++ b/ovn/utilities/ovndb-servers.ocf > > >> > @@ -10,6 +10,12 @@ > > >> > : ${MANAGE_NORTHD_DEFAULT="no"} > > >> > : ${INACTIVE_PROBE_DEFAULT="5000"} > > >> > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > >> > > > >> > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > > >> > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config > > --name OVN_REPL_INFO -s ovn_ovsdb_master_server" 
> > >> > @@ -21,6 +27,13 @@ > > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > > >> > > > > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > > >> > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > > >> > > > > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > > >> > + > > >> > > > >> > # In order for pacemaker to work with LB, we can set > > LISTEN_ON_MASTER_IP_ONLY > > >> > # to false and pass LB vip IP while creating pcs resource. 
> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > > >> > > > >> > > > >> > > > >> > + > > >> > + > > >> > + OVN NB DB private key absolute path for ssl setup. > > >> > + > > >> > + OVN NB DB private key file > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + OVN NB DB certificate absolute path for ssl setup. > > >> > + > > >> > + OVN NB DB cert file > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + OVN NB DB CA certificate absolute path for ssl setup. > > >> > + > > >> > + OVN NB DB cacert file > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + OVN SB DB private key absolute path for ssl setup. > > >> > + > > >> > + OVN SB DB private key file > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + OVN SB DB certificate absolute path for ssl setup. > > >> > + > > >> > + OVN SB DB cert file > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + > > >> > + OVN SB DB CA certificate absolute path for ssl setup. > > >> > + > > >> > + OVN SB DB cacert file > > >> > + > > >> > + > > >> > + > > >> > > > >> > > > >> > > > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() { > > >> > set $@ --db-sb-addr=${MASTER_IP} > --db-sb-port=${SB_MASTER_PORT} > > >> > fi > > >> > > > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then > > >> > +set $@ --db-nb-create-insecure-remote=no > > >> "no" is the default value, so this line is not needed. > > > > > > >> Sure. This makes sense. Will check out the default behavior and > update > > it the revised patch! > > >> > > >> > > >> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} > > >> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT} > > >> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} > > >> This should be needed only for standby which sets > > --db-sb-use-remote-in-db=no. > > > > > > > As discussed, for each of the modes either ssl or tcp, all the nodes > > should have this option set. > > > > Agree. Since this script is for active-standby only, we can
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote: > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala wrote: > > > > Thanks for the review Han. Please find the comments inline below: > > > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou wrote: > >> > >> Thanks Ali, please see my comm > >> > >> On Fri, Sep 21, 2018 at 5:38 PM wrote: > >> > > >> > When starting OVN DBs in HA using pacemaker with ssl, we need to pass > ssl > >> > certs for starting standby DBs. Hence, we need this change. > >> > > >> > Signed-off-by: aginwala > >> > --- > >> > ovn/utilities/ovndb-servers.ocf | 74 > - > >> > 1 file changed, 73 insertions(+), 1 deletion(-) > >> > > >> > diff --git a/ovn/utilities/ovndb-servers.ocf > b/ovn/utilities/ovndb-servers.ocf > >> > index 52141c7..80f81ae 100755 > >> > --- a/ovn/utilities/ovndb-servers.ocf > >> > +++ b/ovn/utilities/ovndb-servers.ocf > >> > @@ -10,6 +10,12 @@ > >> > : ${MANAGE_NORTHD_DEFAULT="no"} > >> > : ${INACTIVE_PROBE_DEFAULT="5000"} > >> > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > >> > > >> > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > >> > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config > --name OVN_REPL_INFO -s ovn_ovsdb_master_server" 
> >> > @@ -21,6 +27,13 @@ > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > >> > > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > >> > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > >> > > > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > >> > + > >> > > >> > # In order for pacemaker to work with LB, we can set > LISTEN_ON_MASTER_IP_ONLY > >> > # to false and pass LB vip IP while creating pcs resource. > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > >> > > >> > > >> > > >> > + > >> > + > >> > + OVN NB DB private key absolute path for ssl setup. > >> > + > >> > + OVN NB DB private key file > >> > + > >> > + > >> > + > >> > + > >> > + > >> > + OVN NB DB certificate absolute path for ssl setup. > >> > + > >> > + OVN NB DB cert file > >> > + > >> > + > >> > + > >> > + > >> > + > >> > + OVN NB DB CA certificate absolute path for ssl setup. > >> > + > >> > + OVN NB DB cacert file > >> > + > >> > + > >> > + > >> > + > >> > + > >> > + OVN SB DB private key absolute path for ssl setup. > >> > + > >> > + OVN SB DB private key file > >> > + > >> > + > >> > + > >> > + > >> > + > >> > + OVN SB DB certificate absolute path for ssl setup. > >> > + > >> > + OVN SB DB cert file > >> > + > >> > + > >> > + > >> > + > >> > + > >> > + OVN SB DB CA certificate absolute path for ssl setup. > >> > + > >> > + OVN SB DB cacert file > >> > + > >> > + > >> > + > >> > > >> 
> > >> > > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() { > >> > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} > >> > fi > >> > > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then > >> > +set $@ --db-nb-create-insecure-remote=no > >> "no" is the default value, so this line is not needed. > > > > >> Sure. This makes sense. Will check out the default behavior and update > it the revised patch! > >> > >> > >> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} > >> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT} > >> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} > >> This should be needed only for standby which sets > --db-sb-use-remote-in-db=no. > > > > > As discussed, for each of the modes either ssl or tcp, all the nodes > should have this option set. > > Agree. Since this script is for active-standby only, we can assume > active-standby mode always use command line option instead of DB settings. > > Acked-by: Han Zhou I haven't followed the discussion here so I'm going to assume that Ali will post a v2 with Han's ack. Thanks, Ben. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala wrote: > > Thanks for the review Han. Please find the comments inline below: > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou wrote: >> >> Thanks Ali, please see my comm >> >> On Fri, Sep 21, 2018 at 5:38 PM wrote: >> > >> > When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl >> > certs for starting standby DBs. Hence, we need this change. >> > >> > Signed-off-by: aginwala >> > --- >> > ovn/utilities/ovndb-servers.ocf | 74 - >> > 1 file changed, 73 insertions(+), 1 deletion(-) >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf >> > index 52141c7..80f81ae 100755 >> > --- a/ovn/utilities/ovndb-servers.ocf >> > +++ b/ovn/utilities/ovndb-servers.ocf >> > @@ -10,6 +10,12 @@ >> > : ${MANAGE_NORTHD_DEFAULT="no"} >> > : ${INACTIVE_PROBE_DEFAULT="5000"} >> > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} >> > >> > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" >> > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server" 
>> > @@ -21,6 +27,13 @@ SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} >> > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} >> > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} >> > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} >> > + >> > >> > # In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY >> > # to false and pass LB vip IP while creating pcs resource. >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { >> > >> > >> > >> > + >> > + >> > + OVN NB DB private key absolute path for ssl setup. >> > + >> > + OVN NB DB private key file >> > + >> > + >> > + >> > + >> > + >> > + OVN NB DB certificate absolute path for ssl setup. >> > + >> > + OVN NB DB cert file >> > + >> > + >> > + >> > + >> > + >> > + OVN NB DB CA certificate absolute path for ssl setup. >> > + >> > + OVN NB DB cacert file >> > + >> > + >> > + >> > + >> > + >> > + OVN SB DB private key absolute path for ssl setup. >> > + >> > + OVN SB DB private key file >> > + >> > + >> > + >> > + >> > + >> > + OVN SB DB certificate absolute path for ssl setup. >> > + >> > + OVN SB DB cert file >> > + >> > + >> > + >> > + >> > + >> > + OVN SB DB CA certificate absolute path for ssl setup. >> > + >> > + OVN SB DB cacert file >> > + >> > + >> > + >> 
> >> > >> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() { >> > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} >> > fi >> > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then >> > +set $@ --db-nb-create-insecure-remote=no >> "no" is the default value, so this line is not needed. > > >> Sure. This makes sense. Will check out the default behavior and update it the revised patch! >> >> >> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} >> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT} >> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} >> This should be needed only for standby which sets --db-sb-use-remote-in-db=no. > > > As discussed, for each of the modes either ssl or tcp, all the nodes should have this option set. Agree. Since this script is for active-standby only, we can assume active-standby mode always use command line option instead of DB settings. Acked-by: Han Zhou ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
Thanks for the review Han. Please find the comments inline below: On Thu, Oct 4, 2018 at 10:16 AM Han Zhou wrote: > Thanks Ali, please see my comm > > On Fri, Sep 21, 2018 at 5:38 PM wrote: > > > > When starting OVN DBs in HA using pacemaker with ssl, we need to pass > ssl > > certs for starting standby DBs. Hence, we need this change. > > > > Signed-off-by: aginwala > > --- > > ovn/utilities/ovndb-servers.ocf | 74 > - > > 1 file changed, 73 insertions(+), 1 deletion(-) > > > > diff --git a/ovn/utilities/ovndb-servers.ocf > b/ovn/utilities/ovndb-servers.ocf > > index 52141c7..80f81ae 100755 > > --- a/ovn/utilities/ovndb-servers.ocf > > +++ b/ovn/utilities/ovndb-servers.ocf > > @@ -10,6 +10,12 @@ > > : ${MANAGE_NORTHD_DEFAULT="no"} > > : ${INACTIVE_PROBE_DEFAULT="5000"} > > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > > > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config > --name OVN_REPL_INFO -s ovn_ovsdb_master_server" 
> > @@ -21,6 +27,13 @@ > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > > > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > > > > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > > + > > > > # In order for pacemaker to work with LB, we can set > LISTEN_ON_MASTER_IP_ONLY > > # to false and pass LB vip IP while creating pcs resource. > > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > > > > > > > > + > > + > > + OVN NB DB private key absolute path for ssl setup. > > + > > + OVN NB DB private key file > > + > > + > > + > > + > > + > > + OVN NB DB certificate absolute path for ssl setup. > > + > > + OVN NB DB cert file > > + > > + > > + > > + > > + > > + OVN NB DB CA certificate absolute path for ssl setup. > > + > > + OVN NB DB cacert file > > + > > + > > + > > + > > + > > + OVN SB DB private key absolute path for ssl setup. > > + > > + OVN SB DB private key file > > + > > + > > + > > + > > + > > + OVN SB DB certificate absolute path for ssl setup. > > + > > + OVN SB DB cert file > > + > > + > > + > > + > > + > > + OVN SB DB CA certificate absolute path for ssl setup. > > + > > + OVN SB DB cacert file > > + > > + > > + 
> > > > > > > > @@ -326,6 +387,18 @@ ovsdb_server_start() { > > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} > > fi > > > > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then > > +set $@ --db-nb-create-insecure-remote=no > "no" is the default value, so this line is not needed. > >> Sure. This makes sense. Will check out the default behavior and update it the revised patch! > > > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} > > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT} > > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} > This should be needed only for standby which sets > --db-sb-use-remote-in-db=no. > > As discussed, for each of the modes either ssl or tcp, all the nodes should have this option set. > > > +fi > > +if [ "x${SB_MASTER_PROTO}" = xssl ]; then > > +set $@ --db-sb-create-insecure-remote=no > > +set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY} > > +set $@ --ovn-sb-db-ssl-cert=${SB_CERT} > > +set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT} > > +fi > > if [ "x${present_master}" = x ]; then > > # No master detected, or the previous master is not among the > > # set starting. > > @@ -343,7 +416,6 @@ ovsdb_server_start() { > > set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} > --db-sb-sync-from-addr=${INVALID_IP_ADDRESS} > > > > elif [ ${present_master} != ${host_name} ]; then > > -# TODO: for using LB vip, need to test for ssl. > > if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then > > if [ "x${NB_MASTER_PROTO}" = xtcp ]; then > > set $@ --db-nb-create-insecure-remote=yes > > -- > > 1.9.1 > > > >
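Review bot: In the @@ -10,6 +10,12 @@ hunk the new *_SSL_KEY_DEFAULT / *_SSL_CERT_DEFAULT / *_SSL_CACERT_DEFAULT paths are consumed later without any check that the files exist or are readable by the account ovsdb-server runs under, so a node with a missing or wrongly-permissioned /etc/openvswitch/ovnnb-privkey.pem fails only inside ovn-ctl at start time and pacemaker sees a generic start failure. Suggest a preflight in the ssl branches of ovsdb_server_start, along the lines of `[ -r "${NB_PRIVKEY}" ] || { ocf_log err "ovn_nb_db_privkey not readable"; return $OCF_ERR_CONFIGURED; }` (ocf_log and OCF_ERR_CONFIGURED are the standard OCF facilities the agent already sources), so a configuration mistake is reported as a configuration error rather than as a failing resource; the same guard should cover the CA file, which both NB and SB default to sharing.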
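Review bot: The @@ -21,6 +27,13 @@ hunk ends with a stray `+` blank line after SB_CACERT, leaving two empty lines before the `# In order for pacemaker to work with LB` comment; drop it. Also, three names for one setting (`ovn_nb_db_privkey` as the OCF key, `NB_PRIVKEY` as the variable, `NB_SSL_KEY_DEFAULT` as the default) make the mapping harder to grep than it needs to be; `NB_PRIVKEY_DEFAULT` would follow the variable name the way the existing `INACTIVE_PROBE` / `INACTIVE_PROBE_DEFAULT` pair does.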
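Review bot: The parameter descriptions in the @@ -132,6 +145,54 @@ hunk ("OVN NB DB private key absolute path for ssl setup") do not tell the operator when the value is used. Two facts the rest of the patch and this thread establish belong in the longdesc: the path is only consulted when nb_master_protocol (resp. sb_master_protocol) is `ssl`, because ovsdb_server_start guards the options with `if [ "x${NB_MASTER_PROTO}" = xssl ]`, and the same key/cert is passed on every node for both the listener on the active and the `--sync-from` client connection on the standby, so the certificate issued to each central node has to be valid for both server and client use under the shared CA. Without that, an operator who issues server-only certificates gets a standby that cannot sync and nothing in the metadata to explain why.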
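Review bot: Beyond the `--db-nb-create-insecure-remote=no` line already flagged as restating the default, the SB branch in the @@ -326,6 +387,18 @@ hunk carries the identical redundant `--db-sb-create-insecure-remote=no`; drop both together. The new `set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}` lines also pass operator-supplied paths unquoted; the surrounding script does the same for `--db-sb-addr=${MASTER_IP}`, but paths are more likely than addresses to carry whitespace, so `"${NB_PRIVKEY}"` (and `"$@"`) would be cheap insurance while these lines are being added.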
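Review bot: The @@ -343,7 +416,6 @@ hunk deletes `# TODO: for using LB vip, need to test for ssl.` while the commit message only says that ssl certs must be passed for standby DBs. Removing the TODO asserts that the LB-VIP-plus-ssl path now works, so the commit message should say how it was tested (active serving on the VIP over ssl, standby syncing over `--sync-from` with the same certs); otherwise a later reader cannot tell whether the comment was retired because the case was verified or because it was overlooked.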
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
Thanks Ali, please see my comm On Fri, Sep 21, 2018 at 5:38 PM wrote: > > When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl > certs for starting standby DBs. Hence, we need this change. > > Signed-off-by: aginwala > --- > ovn/utilities/ovndb-servers.ocf | 74 - > 1 file changed, 73 insertions(+), 1 deletion(-) > > diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf > index 52141c7..80f81ae 100755 > --- a/ovn/utilities/ovndb-servers.ocf > +++ b/ovn/utilities/ovndb-servers.ocf > @@ -10,6 +10,12 @@ > : ${MANAGE_NORTHD_DEFAULT="no"} > : ${INACTIVE_PROBE_DEFAULT="5000"} > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server" 
> @@ -21,6 +27,13 @@ SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > + > > # In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY > # to false and pass LB vip IP while creating pcs resource. > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > > > > + > + > + OVN NB DB private key absolute path for ssl setup. > + > + OVN NB DB private key file > + > + > + > + > + > + OVN NB DB certificate absolute path for ssl setup. > + > + OVN NB DB cert file > + > + > + > + > + > + OVN NB DB CA certificate absolute path for ssl setup. > + > + OVN NB DB cacert file > + > + > + > + > + > + OVN SB DB private key absolute path for ssl setup. > + > + OVN SB DB private key file > + > + > + > + > + > + OVN SB DB certificate absolute path for ssl setup. > + > + OVN SB DB cert file > + > + > + > + > + > + OVN SB DB CA certificate absolute path for ssl setup. > + > + OVN SB DB cacert file > + > + > + 
> > > > @@ -326,6 +387,18 @@ ovsdb_server_start() { > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} > fi > > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then > +set $@ --db-nb-create-insecure-remote=no "no" is the default value, so this line is not needed. > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT} > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} This should be needed only for standby which sets --db-sb-use-remote-in-db=no. > +fi > +if [ "x${SB_MASTER_PROTO}" = xssl ]; then > +set $@ --db-sb-create-insecure-remote=no > +set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY} > +set $@ --ovn-sb-db-ssl-cert=${SB_CERT} > +set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT} > +fi > if [ "x${present_master}" = x ]; then > # No master detected, or the previous master is not among the > # set starting. > @@ -343,7 +416,6 @@ ovsdb_server_start() { > set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} --db-sb-sync-from-addr=${INVALID_IP_ADDRESS} > > elif [ ${present_master} != ${host_name} ]; then > -# TODO: for using LB vip, need to test for ssl. > if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then > if [ "x${NB_MASTER_PROTO}" = xtcp ]; then > set $@ --db-nb-create-insecure-remote=yes > -- > 1.9.1 > > ___ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
On Sat, Sep 22, 2018 at 6:08 AM wrote: > When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl > certs for starting standby DBs. Hence, we need this change. > > Signed-off-by: aginwala > Hi Aliasgar, I will try this out and get back to you with any comments. Thanks Numan > --- > ovn/utilities/ovndb-servers.ocf | 74 > - > 1 file changed, 73 insertions(+), 1 deletion(-) > > diff --git a/ovn/utilities/ovndb-servers.ocf > b/ovn/utilities/ovndb-servers.ocf > index 52141c7..80f81ae 100755 > --- a/ovn/utilities/ovndb-servers.ocf > +++ b/ovn/utilities/ovndb-servers.ocf > @@ -10,6 +10,12 @@ > : ${MANAGE_NORTHD_DEFAULT="no"} > : ${INACTIVE_PROBE_DEFAULT="5000"} > : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"} > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"} > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"} > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"} > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"} > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"} > > CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot" > CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name > OVN_REPL_INFO -s ovn_ovsdb_master_server" 
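Review bot: in the defaults hunk, `NB_SSL_CACERT_DEFAULT` and `SB_SSL_CACERT_DEFAULT` both point at `/etc/openvswitch/cacert.pem` while the key and cert defaults are per-database; that is fine if one CA signs both the NB and the SB certificates, but nothing says so, and a one-line comment above the block stating that the shared CA default is intentional would prevent a later "fix" that splits them. Also, these paths are only ever passed through to ovn-ctl; since the thread settles on installing the same key and cert on every central node, a missing or group-readable key file is replicated everywhere, so a `[ -r "${NB_PRIVKEY}" ]`-style check in the agent's validate action when the protocol is ssl would catch it before start rather than at the first failover.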
> @@ -21,6 +27,13 @@ > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}} > > SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}} > MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}} > > > INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}} > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}} > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}} > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}} > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}} > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}} > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}} > + > > # In order for pacemaker to work with LB, we can set > LISTEN_ON_MASTER_IP_ONLY > # to false and pass LB vip IP while creating pcs resource. > @@ -132,6 +145,54 @@ ovsdb_server_metadata() { > > > > + > + > + OVN NB DB private key absolute path for ssl setup. > + > + OVN NB DB private key file > + > + > + > + > + > + OVN NB DB certificate absolute path for ssl setup. > + > + OVN NB DB cert file > + > + > + > + > + > + OVN NB DB CA certificate absolute path for ssl setup. > + > + OVN NB DB cacert file > + > + > + > + > + > + OVN SB DB private key absolute path for ssl setup. > + > + OVN SB DB private key file > + > + > + > + > + > + OVN SB DB certificate absolute path for ssl setup. > + > + OVN SB DB cert file > + > + > + > + > + > + OVN SB DB CA certificate absolute path for ssl setup. > + > + OVN SB DB cacert file > + > + > + 
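Review bot: the six longdesc strings in the metadata hunk ("OVN NB DB private key absolute path for ssl setup." and so on) do not tell the operator what each parameter falls back to when unset, nor that the same files serve the server side on the master and the `--sync-from` client side on the standby, which is the point that took this thread a round to settle; suggest adding the default path (e.g. `/etc/openvswitch/ovnnb-privkey.pem`) and a sentence that the files must be present on every node in the clone to each description, so `pcs resource describe` shows it. Minor: the shortdescs "cert file" and "cacert file" could read "certificate file" and "CA certificate file" to match the longdesc wording.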
> > > > @@ -326,6 +387,18 @@ ovsdb_server_start() { > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT} > fi > > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then > +set $@ --db-nb-create-insecure-remote=no > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY} > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT} > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT} > +fi > +if [ "x${SB_MASTER_PROTO}" = xssl ]; then > +set $@ --db-sb-create-insecure-remote=no > +set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY} > +set $@ --ovn-sb-db-ssl-cert=${SB_CERT} > +set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT} > +fi > if [ "x${present_master}" = x ]; then > # No master detected, or the previous master is not among the > # set starting. > @@ -343,7 +416,6 @@ ovsdb_server_start() { > set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} > --db-sb-sync-from-addr=${INVALID_IP_ADDRESS} > > elif [ ${present_master} != ${host_name} ]; then > -# TODO: for using LB vip, need to test for ssl. > if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then > if [ "x${NB_MASTER_PROTO}" = xtcp ]; then > set $@ --db-nb-create-insecure-remote=yes > -- > 1.9.1 > > ___ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
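Review bot: in the ovsdb_server_start hunk, `--db-nb-create-insecure-remote=no` and `--db-sb-create-insecure-remote=no` only restate the default, as already noted in review, and can be dropped; the ssl branches are otherwise right, and because they sit before the `present_master` check they apply to master and standby alike, so a short comment there that the key, cert and CA serve both the listening side and the `--sync-from` client side (the conclusion reached in this thread) would stop the next reader from asking why a standby receives server-side options. Style: `set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}` follows the existing `set $@ --db-sb-addr=${MASTER_IP}` idiom, which word-splits its arguments, so a path containing whitespace breaks; acceptable for consistency with the surrounding code, but worth stating in the parameter descriptions.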
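Review bot: dropping `# TODO: for using LB vip, need to test for ssl.` asserts that the LB VIP plus ssl path has now been exercised, but the commit message ("we need to pass ssl certs for starting standby DBs") does not say so; add a sentence recording that failover was tested with `LISTEN_ON_MASTER_IP_ONLY` set to false and both `NB_MASTER_PROTO` and `SB_MASTER_PROTO` set to ssl, so the TODO's removal is traceable from the log.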