Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-09 Thread aginwala aginwala
Thanks Numan for the review. Just to update that V3 will only have changes for
ovn-ctl, as per Han's suggestion to add details in the help section there. The ocf
script will remain unchanged. That is why I have added acked-by on this
patch. :)


On Mon, Oct 8, 2018 at 11:59 PM Numan Siddique  wrote:

>
>
> On Tue, Oct 9, 2018 at 6:11 AM Han Zhou  wrote:
>
>> >>
>> >> Giving a second thought, it seems there is still a problem.
>> >>
>> >> There should be two sets of SSL related parameters we should consider
>> >> in the active-standby scenario.
>> >> - One set of parameters is for the server side. For the ipaddr2 use case,
>> >> both active and standby nodes will need them. For the LB use case, where
>> >> only the active node should listen on the port, only the active node
>> >> should need these parameters.
>> >> - Another set of parameters is for the client side, together with the
>> >> --sync-from parameter, so that the standby node can connect to the active
>> >> node as a client using SSL. These parameters are needed on the standby
>> >> node only.
>> >>
>> >> I didn't see how this is addressed. Did I miss anything?
>> >>
>> >> For the server side SSL parameters, it should be valid to use DB
>> >> settings instead of command line options. (For the client side, it may not
>> >> be possible to use DB settings since the standby nodes need to get the SSL
>> >> parameters before connecting to the (active) DB).
>> >
>> > >> Just to clarify, for the active-standby scenario, since we don't know who
>> > >> will become the active server at any time, it is safe to use the same
>> > >> certs on all central nodes irrespective of which node is client or server.
>>
>> Ok, thanks. It is clarified after discussion that we are combining the
>> server side and client side ssl keys/certs to the same value for all
>> central nodes in the active-standby setup. I didn't know that the same
>> settings actually work for both server and client, so it sounds good to me.
>>
>
> From the pacemaker Resource script perspective, it looks good to me. I
> will take another look when you post v3.
>
> Thanks
> Numan
>
> ___
>> dev mailing list
>> d...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-09 Thread Numan Siddique
On Tue, Oct 9, 2018 at 6:11 AM Han Zhou  wrote:

> >>
> >> Giving a second thought, it seems there is still a problem.
> >>
> >> There should be two sets of SSL related parameters we should consider in
> >> the active-standby scenario.
> >> - One set of parameters is for the server side. For the ipaddr2 use case,
> >> both active and standby nodes will need them. For the LB use case, where
> >> only the active node should listen on the port, only the active node
> >> should need these parameters.
> >> - Another set of parameters is for the client side, together with the
> >> --sync-from parameter, so that the standby node can connect to the active
> >> node as a client using SSL. These parameters are needed on the standby
> >> node only.
> >>
> >> I didn't see how this is addressed. Did I miss anything?
> >>
> >> For the server side SSL parameters, it should be valid to use DB
> >> settings instead of command line options. (For the client side, it may not
> >> be possible to use DB settings since the standby nodes need to get the SSL
> >> parameters before connecting to the (active) DB).
> >
> > >> Just to clarify, for the active-standby scenario, since we don't know who
> > >> will become the active server at any time, it is safe to use the same
> > >> certs on all central nodes irrespective of which node is client or server.
>
> Ok, thanks. It is clarified after discussion that we are combining the
> server side and client side ssl keys/certs to the same value for all
> central nodes in the active-standby setup. I didn't know that the same
> settings actually work for both server and client, so it sounds good to me.
>

From the pacemaker Resource script perspective, it looks good to me. I will
take another look when you post v3.

Thanks
Numan



Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-08 Thread aginwala aginwala
On Mon, Oct 8, 2018 at 2:17 PM Han Zhou  wrote:

>
>
> On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala 
> wrote:
> >
> > Yes, that's right.  I will send out v2 in a bit with Han's ack.
> >
> >
> > Regards,
> > Aliasgar
> >
> > On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff  wrote:
> >>
> >> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> >> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala 
> wrote:
> >> > >
> >> > > Thanks for the review Han. Please find the comments inline below:
> >> > >
> >> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:
> >> > >>
> >> > >> Thanks Ali, please see my comm
> >> > >>
> >> > >> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
> >> > >> >
> >> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
> >> > >> >  pass ssl certs for starting standby DBs. Hence, we need this change.
> >> > >> >
> >> > >> > Signed-off-by: aginwala 
> >> > >> > ---
> >> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> >> > -
> >> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> > >> >
> >> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> >> > b/ovn/utilities/ovndb-servers.ocf
> >> > >> > index 52141c7..80f81ae 100755
> >> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > >> > @@ -10,6 +10,12 @@
> >> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > >> >
> >> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
> crm_config
> >> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > >> > @@ -21,6 +27,13 @@
> >> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> > >> >
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> > >> >
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> > >> >
> >> >
>  
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > >> >
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > >> >
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > >> >
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > >> >
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > >> > +
> >> > >> >
> >> > >> >  # In order for pacemaker to work with LB, we can set
> >> > LISTEN_ON_MASTER_IP_ONLY
> >> > >> >  # to false and pass LB vip IP while creating pcs resource.
> >> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> > >> >
> >> > >> >
> >> > >> >
> >> > >> > +  
> >> > >> > +  
> >> > >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > >> > +  
> >> > >> > +  OVN NB DB private key file
> >> > >> > +  
> >> > >> > +  
> >> > >> > +
> >> > >> > +  
> >> > >> > +  
> >> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> >> > >> > +  
> >> > >> > +  OVN NB DB cert file
> >> > >> > +  
> >> > >> > +  
> >> > >> > +
> >> > >> > +  
> >> > >> > +  
> >> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> >> > >> > +  
> >> > >> > +  OVN NB DB cacert file
> >> > >> > +  
> >> > >> > +  
> >> > >> > +
> >> > >> > +  
> >> > >> > +  
> >> > >> > +  OVN SB DB private key absolute path for ssl setup.
> >> > >> > +  
> >> > >> > +  OVN SB DB private key file
> >> > >> > +  
> >> > >> > +  
> >> > >> > +
> >> > >> > +  
> >> > >> > +  
> >> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> >> > >> > +  
> >> > >> > +  OVN SB DB cert file
> >> > >> > +  
> >> > >> > +  
> >> > >> > +
> >> > >> > +  
> >> > >> > +  
> >> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> >> > >> > +  
> >> > >> > +  OVN SB DB cacert file
> >> > >> > +  
> >> > >> > +  
> >> > >> > +
> >> > >> >
> >> > >> >
> >> > >> >
> >> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >> > >> > set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> >> > >> >  fi
> >> > >> >
> >> > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> >> > >> > +set $@ --db-nb-create-insecure-remote=no
> >> > >> "no" is the default value, so this line is not needed.
> >> > >
> >> > > >> Sure. This makes sense. Will check out the 

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-08 Thread Han Zhou
On Mon, Oct 8, 2018 at 11:55 AM aginwala aginwala 
wrote:
>
> Yes, that's right.  I will send out v2 in a bit with Han's ack.
>
>
> Regards,
> Aliasgar
>
> On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff  wrote:
>>
>> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
>> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala 
wrote:
>> > >
>> > > Thanks for the review Han. Please find the comments inline below:
>> > >
>> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:
>> > >>
>> > >> Thanks Ali, please see my comm
>> > >>
>> > >> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
>> > >> >
>> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
>> > >> >  pass ssl certs for starting standby DBs. Hence, we need this change.
>> > >> >
>> > >> > Signed-off-by: aginwala 
>> > >> > ---
>> > >> >  ovn/utilities/ovndb-servers.ocf | 74
>> > -
>> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
>> > >> >
>> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
>> > b/ovn/utilities/ovndb-servers.ocf
>> > >> > index 52141c7..80f81ae 100755
>> > >> > --- a/ovn/utilities/ovndb-servers.ocf
>> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > >> > @@ -10,6 +10,12 @@
>> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
>> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
>> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
>> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
>> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
>> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
>> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
>> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > >> >
>> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type
crm_config
>> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
>> > >> > @@ -21,6 +27,13 @@
>> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>> > >> >
>> >
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>> > >> >
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>> > >> >
>> >
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
>> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
>> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
>> > >> >
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
>> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
>> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
>> > >> >
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
>> > >> > +
>> > >> >
>> > >> >  # In order for pacemaker to work with LB, we can set
>> > LISTEN_ON_MASTER_IP_ONLY
>> > >> >  # to false and pass LB vip IP while creating pcs resource.
>> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>> > >> >
>> > >> >
>> > >> >
>> > >> > +  
>> > >> > +  
>> > >> > +  OVN NB DB private key absolute path for ssl setup.
>> > >> > +  
>> > >> > +  OVN NB DB private key file
>> > >> > +  
>> > >> > +  
>> > >> > +
>> > >> > +  
>> > >> > +  
>> > >> > +  OVN NB DB certificate absolute path for ssl setup.
>> > >> > +  
>> > >> > +  OVN NB DB cert file
>> > >> > +  
>> > >> > +  
>> > >> > +
>> > >> > +  
>> > >> > +  
>> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
>> > >> > +  
>> > >> > +  OVN NB DB cacert file
>> > >> > +  
>> > >> > +  
>> > >> > +
>> > >> > +  
>> > >> > +  
>> > >> > +  OVN SB DB private key absolute path for ssl setup.
>> > >> > +  
>> > >> > +  OVN SB DB private key file
>> > >> > +  
>> > >> > +  
>> > >> > +
>> > >> > +  
>> > >> > +  
>> > >> > +  OVN SB DB certificate absolute path for ssl setup.
>> > >> > +  
>> > >> > +  OVN SB DB cert file
>> > >> > +  
>> > >> > +  
>> > >> > +
>> > >> > +  
>> > >> > +  
>> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
>> > >> > +  
>> > >> > +  OVN SB DB cacert file
>> > >> > +  
>> > >> > +  
>> > >> > +
>> > >> >
>> > >> >
>> > >> >
>> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
>> > >> > set $@ --db-sb-addr=${MASTER_IP}
--db-sb-port=${SB_MASTER_PORT}
>> > >> >  fi
>> > >> >
>> > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
>> > >> > +set $@ --db-nb-create-insecure-remote=no
>> > >> "no" is the default value, so this line is not needed.
>> > >
>> > > >> Sure. This makes sense. Will check out the default behavior and
>> > > >> update it in the revised patch!
>> > >>
>> > >>
>> > >> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
>> > >> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
>> > >> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
>> > >> This should be needed only for standby which sets
>> > 

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-08 Thread aginwala aginwala
Yes, that's right.  I will send out v2 in a bit with Han's ack.


Regards,
Aliasgar

On Mon, Oct 8, 2018 at 11:04 AM Ben Pfaff  wrote:

> On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> > On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala 
> wrote:
> > >
> > > Thanks for the review Han. Please find the comments inline below:
> > >
> > > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:
> > >>
> > >> Thanks Ali, please see my comm
> > >>
> > >> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
> > >> >
> > >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to
> > >> >  pass ssl certs for starting standby DBs. Hence, we need this change.
> > >> >
> > >> > Signed-off-by: aginwala 
> > >> > ---
> > >> >  ovn/utilities/ovndb-servers.ocf | 74
> > -
> > >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> > >> >
> > >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> > b/ovn/utilities/ovndb-servers.ocf
> > >> > index 52141c7..80f81ae 100755
> > >> > --- a/ovn/utilities/ovndb-servers.ocf
> > >> > +++ b/ovn/utilities/ovndb-servers.ocf
> > >> > @@ -10,6 +10,12 @@
> > >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> > >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> > >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > >> >
> > >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> > >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> > --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> > >> > @@ -21,6 +27,13 @@
> > SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> > >> >
> >
> SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> > >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> > >> >
> >
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > >> > +
> > >> >
> > >> >  # In order for pacemaker to work with LB, we can set
> > LISTEN_ON_MASTER_IP_ONLY
> > >> >  # to false and pass LB vip IP while creating pcs resource.
> > >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> > >> >
> > >> >
> > >> >
> > >> > +  
> > >> > +  
> > >> > +  OVN NB DB private key absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN NB DB private key file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN NB DB certificate absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN NB DB cert file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN NB DB cacert file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN SB DB private key absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN SB DB private key file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN SB DB certificate absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN SB DB cert file
> > >> > +  
> > >> > +  
> > >> > +
> > >> > +  
> > >> > +  
> > >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > >> > +  
> > >> > +  OVN SB DB cacert file
> > >> > +  
> > >> > +  
> > >> > +
> > >> >
> > >> >
> > >> >
> > >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> > >> > set $@ --db-sb-addr=${MASTER_IP}
> --db-sb-port=${SB_MASTER_PORT}
> > >> >  fi
> > >> >
> > >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > >> > +set $@ --db-nb-create-insecure-remote=no
> > >> "no" is the default value, so this line is not needed.
> > >
> > > >> Sure. This makes sense. Will check out the default behavior and
> > > >> update it in the revised patch!
> > >>
> > >>
> > >> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > >> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > >> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> > >> This should be needed only for standby which sets
> > >> --db-sb-use-remote-in-db=no.
> > >
> > > > As discussed, for each of the modes either ssl or tcp, all the nodes
> > > > should have this option set.
> >
> > Agree. Since this script is for active-standby only, we can 

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-08 Thread Ben Pfaff
On Mon, Oct 08, 2018 at 10:58:49AM -0700, Han Zhou wrote:
> On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala  wrote:
> >
> > Thanks for the review Han. Please find the comments inline below:
> >
> > On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:
> >>
> >> Thanks Ali, please see my comm
> >>
> >> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
> >> >
> >> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> >> >  ssl certs for starting standby DBs. Hence, we need this change.
> >> >
> >> > Signed-off-by: aginwala 
> >> > ---
> >> >  ovn/utilities/ovndb-servers.ocf | 74
> -
> >> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >> >
> >> > diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> >> > index 52141c7..80f81ae 100755
> >> > --- a/ovn/utilities/ovndb-servers.ocf
> >> > +++ b/ovn/utilities/ovndb-servers.ocf
> >> > @@ -10,6 +10,12 @@
> >> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> >> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> >> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> >> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> >> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> >> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >> >
> >> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> >> > @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >> >
>  
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> >> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> >> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> >> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> >> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> >> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> >> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> >> > +
> >> >
> >> >  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
> >> >  # to false and pass LB vip IP while creating pcs resource.
> >> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >> >
> >> >
> >> >
> >> > +  
> >> > +  
> >> > +  OVN NB DB private key absolute path for ssl setup.
> >> > +  
> >> > +  OVN NB DB private key file
> >> > +  
> >> > +  
> >> > +
> >> > +  
> >> > +  
> >> > +  OVN NB DB certificate absolute path for ssl setup.
> >> > +  
> >> > +  OVN NB DB cert file
> >> > +  
> >> > +  
> >> > +
> >> > +  
> >> > +  
> >> > +  OVN NB DB CA certificate absolute path for ssl setup.
> >> > +  
> >> > +  OVN NB DB cacert file
> >> > +  
> >> > +  
> >> > +
> >> > +  
> >> > +  
> >> > +  OVN SB DB private key absolute path for ssl setup.
> >> > +  
> >> > +  OVN SB DB private key file
> >> > +  
> >> > +  
> >> > +
> >> > +  
> >> > +  
> >> > +  OVN SB DB certificate absolute path for ssl setup.
> >> > +  
> >> > +  OVN SB DB cert file
> >> > +  
> >> > +  
> >> > +
> >> > +  
> >> > +  
> >> > +  OVN SB DB CA certificate absolute path for ssl setup.
> >> > +  
> >> > +  OVN SB DB cacert file
> >> > +  
> >> > +  
> >> > +
> >> >
> >> >
> >> >
> >> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> >> > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> >> >  fi
> >> >
> >> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> >> > +set $@ --db-nb-create-insecure-remote=no
> >> "no" is the default value, so this line is not needed.
> >
> > >> Sure. This makes sense. Will check out the default behavior and update
> > >> it in the revised patch!
> >>
> >>
> >> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> >> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> >> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> >> This should be needed only for standby which sets
> >> --db-sb-use-remote-in-db=no.
> >
> > > As discussed, for each of the modes either ssl or tcp, all the nodes
> > > should have this option set.
> 
> Agree. Since this script is for active-standby only, we can assume
> active-standby mode always uses command line options instead of DB settings.
> 
> Acked-by: Han Zhou 

I haven't followed the discussion here so I'm going to assume that Ali
will post a v2 with Han's ack.

Thanks,

Ben.


Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-08 Thread Han Zhou
On Fri, Oct 5, 2018 at 6:34 PM aginwala aginwala  wrote:
>
> Thanks for the review Han. Please find the comments inline below:
>
> On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:
>>
>> Thanks Ali, please see my comm
>>
>> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
>> >
>> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
>> >  ssl certs for starting standby DBs. Hence, we need this change.
>> >
>> > Signed-off-by: aginwala 
>> > ---
>> >  ovn/utilities/ovndb-servers.ocf | 74
-
>> >  1 file changed, 73 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/ovn/utilities/ovndb-servers.ocf
b/ovn/utilities/ovndb-servers.ocf
>> > index 52141c7..80f81ae 100755
>> > --- a/ovn/utilities/ovndb-servers.ocf
>> > +++ b/ovn/utilities/ovndb-servers.ocf
>> > @@ -10,6 +10,12 @@
>> >  : ${MANAGE_NORTHD_DEFAULT="no"}
>> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
>> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
>> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
>> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
>> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
>> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
>> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>> >
>> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
--name OVN_REPL_INFO -s ovn_ovsdb_master_server"
>> > @@ -21,6 +27,13 @@
SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>> >
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>> >
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
>> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
>> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
>> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
>> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
>> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
>> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
>> > +
>> >
>> >  # In order for pacemaker to work with LB, we can set
LISTEN_ON_MASTER_IP_ONLY
>> >  # to false and pass LB vip IP while creating pcs resource.
>> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>> >
>> >
>> >
>> > +  
>> > +  
>> > +  OVN NB DB private key absolute path for ssl setup.
>> > +  
>> > +  OVN NB DB private key file
>> > +  
>> > +  
>> > +
>> > +  
>> > +  
>> > +  OVN NB DB certificate absolute path for ssl setup.
>> > +  
>> > +  OVN NB DB cert file
>> > +  
>> > +  
>> > +
>> > +  
>> > +  
>> > +  OVN NB DB CA certificate absolute path for ssl setup.
>> > +  
>> > +  OVN NB DB cacert file
>> > +  
>> > +  
>> > +
>> > +  
>> > +  
>> > +  OVN SB DB private key absolute path for ssl setup.
>> > +  
>> > +  OVN SB DB private key file
>> > +  
>> > +  
>> > +
>> > +  
>> > +  
>> > +  OVN SB DB certificate absolute path for ssl setup.
>> > +  
>> > +  OVN SB DB cert file
>> > +  
>> > +  
>> > +
>> > +  
>> > +  
>> > +  OVN SB DB CA certificate absolute path for ssl setup.
>> > +  
>> > +  OVN SB DB cacert file
>> > +  
>> > +  
>> > +
>> >
>> >
>> >
>> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
>> > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>> >  fi
>> >
>> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
>> > +set $@ --db-nb-create-insecure-remote=no
>> "no" is the default value, so this line is not needed.
>
> >> Sure. This makes sense. Will check out the default behavior and update
> >> it in the revised patch!
>>
>>
>> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
>> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
>> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
>> This should be needed only for standby which sets
>> --db-sb-use-remote-in-db=no.
>
> > As discussed, for each of the modes either ssl or tcp, all the nodes
> > should have this option set.

Agree. Since this script is for active-standby only, we can assume
active-standby mode always uses command line options instead of DB settings.

Acked-by: Han Zhou 


Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-05 Thread aginwala aginwala
Thanks for the review Han. Please find the comments inline below:

On Thu, Oct 4, 2018 at 10:16 AM Han Zhou  wrote:

> Thanks Ali, please see my comm
>
> On Fri, Sep 21, 2018 at 5:38 PM  wrote:
> >
> >  When starting OVN DBs in HA using pacemaker with ssl, we need to pass
> >  ssl certs for starting standby DBs. Hence, we need this change.
> >
> > Signed-off-by: aginwala 
> > ---
> >  ovn/utilities/ovndb-servers.ocf | 74
> -
> >  1 file changed, 73 insertions(+), 1 deletion(-)
> >
> > diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> > index 52141c7..80f81ae 100755
> > --- a/ovn/utilities/ovndb-servers.ocf
> > +++ b/ovn/utilities/ovndb-servers.ocf
> > @@ -10,6 +10,12 @@
> >  : ${MANAGE_NORTHD_DEFAULT="no"}
> >  : ${INACTIVE_PROBE_DEFAULT="5000"}
> >  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> > +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> > +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> > +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> > +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> > +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> > +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> >
> >  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
> >  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
> --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
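Review bot: nothing checks that the six files whose defaults are introduced here exist and are readable before they are used; the ovsdb_server_start hunk below hands NB_PRIVKEY/NB_CERT/NB_CACERT (and the SB ones) straight to ovn-ctl, so a wrong path only shows up later as ovsdb-server failing to start on that node. A readability test when the protocol is ssl, for instance `[ -r "${NB_PRIVKEY}" ]` with an OCF configuration error on failure, fails fast with a clear message in the pacemaker log. Also worth a one-line comment: NB and SB intentionally share the default CA file (/etc/openvswitch/cacert.pem) while key and cert differ, so nobody later "fixes" the apparent asymmetry.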
> > @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
> >
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
> >  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
> >
>  
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> > +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> > +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> > +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> > +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> > +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> > +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> > +
> >
> >  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
> >  # to false and pass LB vip IP while creating pcs resource.
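Review bot: the new resource parameters are named ovn_nb_db_privkey, ovn_nb_db_cert, ovn_nb_db_cacert and the SB equivalents, while every existing parameter read in this block (sb_master_port, sb_master_protocol, manage_northd, inactive_probe_interval) carries no ovn_ prefix. nb_privkey / nb_cert / nb_cacert (and sb_*) would follow the existing convention and line up with the NB_PRIVKEY / NB_CERT / NB_CACERT variable names they feed.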
> > @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
> >
> >
> >
> > +  
> > +  
> > +  OVN NB DB private key absolute path for ssl setup.
> > +  
> > +  OVN NB DB private key file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN NB DB certificate absolute path for ssl setup.
> > +  
> > +  OVN NB DB cert file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN NB DB CA certificate absolute path for ssl setup.
> > +  
> > +  OVN NB DB cacert file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN SB DB private key absolute path for ssl setup.
> > +  
> > +  OVN SB DB private key file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN SB DB certificate absolute path for ssl setup.
> > +  
> > +  OVN SB DB cert file
> > +  
> > +  
> > +
> > +  
> > +  
> > +  OVN SB DB CA certificate absolute path for ssl setup.
> > +  
> > +  OVN SB DB cacert file
> > +  
> > +  
> > +
> >
> >
> >
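Review bot: the new parameter descriptions say the paths are "for ssl setup" but do not say what switches that on, namely that they are read only when sb_master_protocol (and its NB counterpart) is set to ssl and are ignored for tcp; state that in each longdesc, and mention that the NB and SB CA certificate parameters default to the same /etc/openvswitch/cacert.pem. "absolute path" is documented but not enforced anywhere in the patch, so either validate it or drop the word.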
> > @@ -326,6 +387,18 @@ ovsdb_server_start() {
> > set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
> >  fi
> >
> > +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> > +set $@ --db-nb-create-insecure-remote=no
> "no" is the default value, so this line is not needed.
>
>> Sure. This makes sense. Will check out the default behavior and update
>> it in the revised patch!

>
> > +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> > +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> > +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> This should be needed only for standby which sets
> --db-sb-use-remote-in-db=no.
>
> As discussed, for each of the modes, either ssl or tcp, all the nodes
> should have this option set.

>
> > +fi
> > +if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> > +set $@ --db-sb-create-insecure-remote=no
> > +set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> > +set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> > +set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> > +fi
> >  if [ "x${present_master}" = x ]; then
> >  # No master detected, or the previous master is not among the
> >  # set starting.
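Review bot: the new `if [ "x${NB_MASTER_PROTO}" = xssl ]` block hands `${NB_PRIVKEY}`, `${NB_CERT}` and `${NB_CACERT}` to ovn-ctl without checking that the files exist and are readable by the user ovsdb-server runs as, so a wrong path or a key with restrictive permissions only shows up when the server fails to start further down, which pacemaker reports as a generic start failure; test the three paths with `[ -r "${NB_PRIVKEY}" ]` and friends before the `set` lines and fail the start with a message naming the missing file. The same applies to the SB block. As Han notes above, `--db-nb-create-insecure-remote=no` and `--db-sb-create-insecure-remote=no` only restate the default and can be dropped.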
> > @@ -343,7 +416,6 @@ ovsdb_server_start() {
> >  set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
> --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
> >
> >  elif [ ${present_master} != ${host_name} ]; then
> > -# TODO: for using LB vip, need to test for ssl.
> >  if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
> >  if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
> >  set $@ --db-nb-create-insecure-remote=yes
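Review bot: removing the `# TODO: for using LB vip, need to test for ssl.` comment asserts that the ssl plus LB VIP combination is now covered, but the commit message only says ssl certs must be passed for standby DBs and says nothing about that case having been exercised; add a sentence to the commit log describing how the LB VIP setup was verified with both protocols set to ssl, so the next reader knows why the TODO went away.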
> > --
> > 1.9.1
> >
> > 

Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-10-04 Thread Han Zhou
Thanks Ali, please see my comm

On Fri, Sep 21, 2018 at 5:38 PM  wrote:
>
>  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
>  certs for starting standby DBs. Hence, we need this change.
>
> Signed-off-by: aginwala 
> ---
>  ovn/utilities/ovndb-servers.ocf | 74
-
>  1 file changed, 73 insertions(+), 1 deletion(-)
>
> diff --git a/ovn/utilities/ovndb-servers.ocf
b/ovn/utilities/ovndb-servers.ocf
> index 52141c7..80f81ae 100755
> --- a/ovn/utilities/ovndb-servers.ocf
> +++ b/ovn/utilities/ovndb-servers.ocf
> @@ -10,6 +10,12 @@
>  : ${MANAGE_NORTHD_DEFAULT="no"}
>  : ${INACTIVE_PROBE_DEFAULT="5000"}
>  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>
>  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config
--name OVN_REPL_INFO -s ovn_ovsdb_master_server"
> @@ -21,6 +27,13 @@
SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> +
>
>  # In order for pacemaker to work with LB, we can set
LISTEN_ON_MASTER_IP_ONLY
>  # to false and pass LB vip IP while creating pcs resource.
> @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>
>
>
> +  
> +  
> +  OVN NB DB private key absolute path for ssl setup.
> +  
> +  OVN NB DB private key file
> +  
> +  
> +
> +  
> +  
> +  OVN NB DB certificate absolute path for ssl setup.
> +  
> +  OVN NB DB cert file
> +  
> +  
> +
> +  
> +  
> +  OVN NB DB CA certificate absolute path for ssl setup.
> +  
> +  OVN NB DB cacert file
> +  
> +  
> +
> +  
> +  
> +  OVN SB DB private key absolute path for ssl setup.
> +  
> +  OVN SB DB private key file
> +  
> +  
> +
> +  
> +  
> +  OVN SB DB certificate absolute path for ssl setup.
> +  
> +  OVN SB DB cert file
> +  
> +  
> +
> +  
> +  
> +  OVN SB DB CA certificate absolute path for ssl setup.
> +  
> +  OVN SB DB cacert file
> +  
> +  
> +
>
>
>
> @@ -326,6 +387,18 @@ ovsdb_server_start() {
> set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>  fi
>
> +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> +set $@ --db-nb-create-insecure-remote=no
"no" is the default value, so this line is not needed.

> +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
This should be needed only for standby which sets
--db-sb-use-remote-in-db=no.

> +fi
> +if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> +set $@ --db-sb-create-insecure-remote=no
> +set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> +set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> +set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> +fi
>  if [ "x${present_master}" = x ]; then
>  # No master detected, or the previous master is not among the
>  # set starting.
> @@ -343,7 +416,6 @@ ovsdb_server_start() {
>  set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
--db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
>
>  elif [ ${present_master} != ${host_name} ]; then
> -# TODO: for using LB vip, need to test for ssl.
>  if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
>  if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
>  set $@ --db-nb-create-insecure-remote=yes
> --
> 1.9.1
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH 2/2] ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.

2018-09-27 Thread Numan Siddique
On Sat, Sep 22, 2018 at 6:08 AM  wrote:

>  When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
>  certs for starting standby DBs. Hence, we need this change.
>
> Signed-off-by: aginwala 
>

Hi Aliasgar,

I will try this out and get back to you with any comments.

Thanks
Numan


> ---
>  ovn/utilities/ovndb-servers.ocf | 74
> -
>  1 file changed, 73 insertions(+), 1 deletion(-)
>
> diff --git a/ovn/utilities/ovndb-servers.ocf
> b/ovn/utilities/ovndb-servers.ocf
> index 52141c7..80f81ae 100755
> --- a/ovn/utilities/ovndb-servers.ocf
> +++ b/ovn/utilities/ovndb-servers.ocf
> @@ -10,6 +10,12 @@
>  : ${MANAGE_NORTHD_DEFAULT="no"}
>  : ${INACTIVE_PROBE_DEFAULT="5000"}
>  : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
> +: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
> +: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
> +: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
> +: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
> +: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
> +: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
>
>  CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
>  CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name
> OVN_REPL_INFO -s ovn_ovsdb_master_server"
> @@ -21,6 +27,13 @@
> SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
>
>  SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
>  MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
>
>  
> INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
> +NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
> +NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
> +NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
> +SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
> +SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
> +SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
> +
>
>  # In order for pacemaker to work with LB, we can set
> LISTEN_ON_MASTER_IP_ONLY
>  # to false and pass LB vip IP while creating pcs resource.
> @@ -132,6 +145,54 @@ ovsdb_server_metadata() {
>
>
>
> +  
> +  
> +  OVN NB DB private key absolute path for ssl setup.
> +  
> +  OVN NB DB private key file
> +  
> +  
> +
> +  
> +  
> +  OVN NB DB certificate absolute path for ssl setup.
> +  
> +  OVN NB DB cert file
> +  
> +  
> +
> +  
> +  
> +  OVN NB DB CA certificate absolute path for ssl setup.
> +  
> +  OVN NB DB cacert file
> +  
> +  
> +
> +  
> +  
> +  OVN SB DB private key absolute path for ssl setup.
> +  
> +  OVN SB DB private key file
> +  
> +  
> +
> +  
> +  
> +  OVN SB DB certificate absolute path for ssl setup.
> +  
> +  OVN SB DB cert file
> +  
> +  
> +
> +  
> +  
> +  OVN SB DB CA certificate absolute path for ssl setup.
> +  
> +  OVN SB DB cacert file
> +  
> +  
> +
>
>
>
> @@ -326,6 +387,18 @@ ovsdb_server_start() {
> set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
>  fi
>
> +if [ "x${NB_MASTER_PROTO}" = xssl ]; then
> +set $@ --db-nb-create-insecure-remote=no
> +set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
> +set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
> +set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
> +fi
> +if [ "x${SB_MASTER_PROTO}" = xssl ]; then
> +set $@ --db-sb-create-insecure-remote=no
> +set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
> +set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
> +set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
> +fi
>  if [ "x${present_master}" = x ]; then
>  # No master detected, or the previous master is not among the
>  # set starting.
> @@ -343,7 +416,6 @@ ovsdb_server_start() {
>  set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS}
> --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
>
>  elif [ ${present_master} != ${host_name} ]; then
> -# TODO: for using LB vip, need to test for ssl.
>  if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
>  if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
>  set $@ --db-nb-create-insecure-remote=yes
> --
> 1.9.1
>