Add support for SSL connections to OVN northbound and/or southbound databases.
To improve security, the NB and SB ovsdb daemons no longer have open
ptcp connections by default. This is a change in behavior from previous
versions; users wishing to use TCP connections to the NB/SB daemons can
either request that a passive TCP connection be used via ovn-ctl
command-line options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-create-remote=yes
    --db-nb-create-remote=yes

or configure a connection after the NB/SB daemons have been started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641

Users desiring SSL database connections will need to generate certificates
and a private key as described in INSTALL.SSL.rst and perform the following
one-time configuration steps:

    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-sbctl set-connection pssl:6642
    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-nbctl set-connection pssl:6641

On the ovn-controller and ovn-controller-vtep side, SSL configuration must
be provided on the command line when the daemons are started; this should
be provided via the following command-line options (e.g. via
OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):

    --ovn-controller-ssl-key=<private-key>
    --ovn-controller-ssl-cert=<certificate>
    --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
        external-ids:ovn-remote=ssl:w.x.y.z:6642

Co-authored-by: Numan Siddique <nusid...@redhat.com>
Signed-off-by: Numan Siddique <nusid...@redhat.com>
Signed-off-by: Lance Richardson <lrich...@redhat.com> --- v3: - rebased - s/db-sb-default-remote/db-sb-create-remote/ in man page - s/db-nb-default-remote/db-nb-create-remote/ in man page v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE. - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE. - Create default remote configuration in db instead of via command-line options. NEWS | 5 +++ manpages.mk | 4 ++ ovn/utilities/ovn-ctl | 106 +++++++++++++++++++++++++++++++++++++------- ovn/utilities/ovn-ctl.8.xml | 7 +++ 4 files changed, 105 insertions(+), 17 deletions(-) diff --git a/NEWS b/NEWS index 882f611..e30273a 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,11 @@ Post-v2.6.0 * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions. * Support for managing SSL and remote connection configuration in northbound and southbound databases. + * TCP connections to northbound and southbound databases are no + longer enabled by default and must be explicitly configured. + See documentation for ovn-sbctl/ovn-nbctl "set-connection" command + or ovn-ctl "--db-sb-create-remote"/"--db-nb-create-remote" + options for information regarding enabling TCP connections. - Fixed regression in table stats maintenance introduced in OVS 2.3.0, wherein the number of OpenFlow table hits and misses was not accurate. diff --git a/manpages.mk b/manpages.mk index 742bd66..825e2bc 100644 --- a/manpages.mk +++ b/manpages.mk @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \ lib/vlog-syn.man \ lib/vlog.man \ ovsdb/remote-active.man \ + ovsdb/remote-active.man \ + ovsdb/remote-passive.man \ ovsdb/remote-passive.man ovsdb/ovsdb-client.1.in: lib/common-syn.man: @@ -58,6 +60,8 @@ lib/table.man: lib/vlog-syn.man: lib/vlog.man: ovsdb/remote-active.man: +ovsdb/remote-active.man: +ovsdb/remote-passive.man: ovsdb/remote-passive.man: ovsdb/ovsdb-server.1: \ diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl index 73e78e5..f4526fd 100755 --- a/ovn/utilities/ovn-ctl +++ b/ovn/utilities/ovn-ctl 
@@ -50,7 +50,7 @@ stop_ovsdb () { demote_ovnnb() { if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file + echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file fi if test -e $ovnnb_active_conf_file; then @@ -64,7 +64,7 @@ demote_ovnnb() { demote_ovnsb() { if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file + echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file fi if test -e $ovnsb_active_conf_file; then @@ -93,15 +93,17 @@ start_ovsdb () { set ovsdb-server - set "$@" --detach --monitor $OVN_NB_LOG \ - --log-file=$OVN_NB_LOGFILE \ - --remote=punix:$DB_NB_SOCK \ - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ - --pidfile=$DB_NB_PID \ - --unixctl=ovnnb_db.ctl + set "$@" --detach --monitor + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID + set "$@" --remote=db:OVN_Northbound,NB_Global,connections + set "$@" --unixctl=ovnnb_db.ctl + set "$@" --private-key=db:OVN_Northbound,SSL,private_key + set "$@" --certificate=db:OVN_Northbound,SSL,certificate + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file + echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file fi if test -e $ovnnb_active_conf_file; then 
@@ -110,6 +112,25 @@ start_ovsdb () { $@ $DB_NB_FILE ovn-nbctl init + + if test X"$DB_NB_CREATE_REMOTE" = Xyes; then + conn_info=$(ovn-nbctl find Connection target="ptcp\:$DB_NB_PORT\:$DB_NB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + + # Create remote with default configuration if requested. Note that + # this configuration is persistent and will not be removed + # automatically if the value of DB_NB_CREATE_REMOTE is changed to + # "no". + if test X"$conn_uuid" = X; then + ovn-nbctl set-connection "ptcp:$DB_NB_PORT:$DB_NB_ADDR" + conn_info=$(ovn-nbctl find Connection target="ptcp\:$DB_NB_PORT\:$DB_NB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + fi + + if test X"$DB_NB_INACTIVITY_PROBE" != X; then + ovn-nbctl set Connection $conn_uuid inactivity_probe=$DB_NB_INACTIVITY_PROBE + fi + fi fi # Check and eventually start ovsdb-server for Southbound DB @@ -118,15 +139,17 @@ start_ovsdb () { set ovsdb-server - set "$@" --detach --monitor $OVN_SB_LOG \ - --log-file=$OVN_SB_LOGFILE \ - --remote=punix:$DB_SB_SOCK \ - --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \ - --pidfile=$DB_SB_PID \ - --unixctl=ovnsb_db.ctl + set "$@" --detach --monitor + set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE + set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID + set "$@" --remote=db:OVN_Southbound,SB_Global,connections + set "$@" --unixctl=ovnsb_db.ctl + set "$@" --private-key=db:OVN_Southbound,SSL,private_key + set "$@" --certificate=db:OVN_Southbound,SSL,certificate + set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file + echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file fi if test -e $ovnsb_active_conf_file; then 
@@ -135,6 +158,25 @@ start_ovsdb () { $@ $DB_SB_FILE ovn-sbctl init + + if test X"$DB_SB_CREATE_REMOTE" = Xyes; then + conn_info=$(ovn-sbctl find Connection target="ptcp\:$DB_SB_PORT\:$DB_SB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + + # Create remote with default configuration if requested. Note that + # this configuration is persistent and will not be removed + # automatically if the value of DB_SB_CREATE_REMOTE is changed to + # "no". + if test X"$conn_uuid" = X; then + ovn-sbctl set-connection "ptcp:$DB_SB_PORT:$DB_SB_ADDR" + conn_info=$(ovn-sbctl find Connection target="ptcp\:$DB_SB_PORT\:$DB_SB_ADDR") + conn_uuid=$(echo $conn_info | awk '{print $3'}) + fi + + if test X"$DB_SB_INACTIVITY_PROBE" != X; then + ovn-sbctl set Connection $conn_uuid inactivity_probe=$DB_SB_INACTIVITY_PROBE + fi + fi fi } @@ -208,12 +250,22 @@ start_northd () { start_controller () { set ovn-controller "unix:$DB_SOCK" set "$@" $OVN_CONTROLLER_LOG + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT + fi OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" } start_controller_vtep () { set ovn-controller-vtep "unix:$DB_SOCK" set "$@" -vconsole:emer -vsyslog:err -vfile:info + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT + fi OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" } @@ -275,6 +327,7 @@ set_defaults () { DB_NB_FILE=$dbdir/ovnnb_db.db DB_NB_ADDR=0.0.0.0 DB_NB_PORT=6641 + DB_NB_SYNC_FROM_PROTO=tcp DB_NB_SYNC_FROM_ADDR= DB_NB_SYNC_FROM_PORT=6641 
@@ -283,6 +336,7 @@ set_defaults () { DB_SB_FILE=$dbdir/ovnsb_db.db DB_SB_ADDR=0.0.0.0 DB_SB_PORT=6642 + DB_SB_SYNC_FROM_PROTO=tcp DB_SB_SYNC_FROM_ADDR= DB_SB_SYNC_FROM_PORT=6642 @@ -307,6 +361,15 @@ set_defaults () { OVN_SB_LOG="-vconsole:off" OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log" OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log" + + OVN_CONTROLLER_SSL_KEY="" + OVN_CONTROLLER_SSL_CERT="" + OVN_CONTROLLER_SSL_CA_CERT="" + + DB_SB_CREATE_REMOTE="no" + DB_NB_CREATE_REMOTE="no" + DB_NB_INACTIVITY_PROBE="" + DB_SB_INACTIVITY_PROBE="" } set_option () { @@ -350,6 +413,9 @@ Options: --ovn-northd-wrapper=WRAPPER run with a wrapper like valgrind for debugging --ovn-controller-priority=NICE set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY) --ovn-controller-wrapper=WRAPPER run with a wrapper like valgrind for debugging + --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file + --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file + --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file --ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be automatically started and stopped along with ovn-northd. The default is "yes". If 
@@ -376,9 +442,15 @@ File location options: --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE) --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE) --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR) - --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT) + --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT) + --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO) + --db-nb-create-remote=yes|no Create OVN Northbound remote (default: $DB_NB_CREATE_REMOTE) + --db-nb-inactivity-probe=TIME Set inactivity probe (in msec) for NB remote (default:$DB_NB_INACTIVITY_PROBE) --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR) --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT) + --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO) + --db-sb-create-remote=yes|no Create OVN Southbound remote (default: $DB_SB_CREATE_REMOTE) + --db-sb-inactivity-probe=TIME Set inactivity probe (in msec) for SB remote (default: $DB_SB_INACTIVITY_PROBE) Default directories with "configure" option and environment variable override: logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR) diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml index ff7366c..31c3eeb 100644 --- a/ovn/utilities/ovn-ctl.8.xml +++ b/ovn/utilities/ovn-ctl.8.xml 
@@ -43,12 +43,19 @@ <p><code>--db-sb-file==<var>FILE</var></code></p> <p><code>--db-nb-schema==<var>FILE</var></code></p> <p><code>--db-sb-schema==<var>FILE</var></code></p> + <p><code>--db-sb-create-remote==<var>yes|no</var></code></p> + <p><code>--db-nb-create-remote==<var>yes|no</var></code></p> + <p><code>--ovn-controller-ssl-key==<var>KEY</var></code></p> + <p><code>--ovn-controller-ssl-cert==<var>CERT</var></code></p> + <p><code>--ovn-controller-ssl-ca-cert==<var>CERT</var></code></p> <h1>Address and port options</h1> <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p> + <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p> <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p> + <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p> <h1>Configuration files</h1> <p>Following are the optional configuration files. If present, it should be located in the etc dir</p> -- 2.5.5 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
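Review bot: the manpages.mk hunks add `ovsdb/remote-active.man \` and `ovsdb/remote-passive.man \` to the ovsdb/ovsdb-client.1 prerequisite list, plus the matching empty `ovsdb/remote-active.man:` and `ovsdb/remote-passive.man:` targets, but both already appear in the unchanged context lines directly beside them, and nothing else in the patch touches ovsdb-client. This looks like stale churn in a generated file rather than part of this change; drop these hunks or regenerate manpages.mk from a clean tree.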
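Review bot: in the DB_NB_CREATE_REMOTE and DB_SB_CREATE_REMOTE blocks of start_ovsdb, the UUID is recovered with `conn_uuid=$(echo $conn_info | awk '{print $3'})`, which depends on `_uuid` being the first column that `find` prints and on a misplaced quote (the `}` sits outside the single-quoted awk program and only works because the shell concatenates it back on). `ovn-nbctl --bare --columns=_uuid find Connection target=...` returns the UUID directly and is not sensitive to column order. The NB and SB blocks are otherwise identical copies; a helper taking the ctl command, port and address would keep them from drifting apart.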
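Review bot: the remote created by `--db-nb-create-remote=yes` / `--db-sb-create-remote=yes` binds to DB_NB_ADDR / DB_SB_ADDR, whose defaults in set_defaults remain 0.0.0.0, and the comment in that hunk states the row persists after the option is set back to "no". Since the point of the patch is to stop exposing unauthenticated ptcp listeners by default, the help lines `--db-nb-create-remote=yes|no Create OVN Northbound remote` and the ovn-ctl.8.xml entries should say that the created remote is plain TCP on all interfaces and that removing it requires `set-connection` / `del-connection`, not just flipping the option.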
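Review bot: start_controller and start_controller_vtep gate the SSL options on `OVN_CONTROLLER_SSL_CERT` alone, so a startup script that sets `--ovn-controller-ssl-cert=` without the key or CA option hands the daemon `--private-key=` and `--ca-cert=` with empty values. Test all three variables (or fail with a clear message when only some are set), and factor the five-line block repeated in both functions into one helper.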
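Review bot: `DB_NB_SYNC_FROM_PROTO` / `DB_SB_SYNC_FROM_PROTO` are interpolated into the active-db conf file in demote_ovnnb, demote_ovnsb and start_ovsdb without validation, and the defaults added in set_defaults stay `tcp`, so active/backup replication still runs in cleartext after an operator has moved the remotes to pssl. Restrict the accepted values to tcp and ssl (anything else silently yields an unusable `PROTO:ADDR:PORT` string in the conf file), and state in the help text and ovn-ctl.8.xml that `--db-nb-sync-from-proto=ssl` / `--db-sb-sync-from-proto=ssl` is needed to protect replication traffic.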
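Review bot: the help text gains `--db-nb-inactivity-probe=TIME` and `--db-sb-inactivity-probe=TIME`, but the ovn-ctl.8.xml hunk documents only the create-remote, SSL and sync-from-proto options, so the inactivity-probe options are missing from the man page. While touching that region of the help text: the NB line reads `(default:$DB_NB_INACTIVITY_PROBE)` without the space its SB counterpart has, and the adjacent unchanged `--db-sb-sync-from-port=ADDR` should read `PORT` (the hunk fixes "Northdbound" on the NB line but leaves this one).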
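The one-time NB/SB switch-over from ptcp to pssl that the commit message describes, wrapped with the checks an operator wants before and after running it, as an added example that is not part of this patch or of the OVN tree. The function names `check_ssl_files`, `configure_db_ssl` and `audit_remotes`, the file paths, and the sample `get-connection` lines are assumptions made here for illustration; the `set-ssl` / `set-connection` calls are the ones from the commit message.

```shell
#!/bin/sh
# Added example, not part of the patch or of the OVN tree: the one-time
# NB/SB SSL switch-over from the commit message with the checks an
# operator wants around it. Function names, paths and the sample
# get-connection output are illustrative assumptions.

# check_ssl_files KEY CERT CA
# All three PEM files must be readable, and the private key must not be
# readable by group or others (columns 5-10 of ls -l output).
check_ssl_files() {
    key=$1 cert=$2 ca=$3
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    perms=$(ls -l "$key" | cut -c5-10)
    case $perms in
        ------) ;;
        *) echo "private key $key is group/world accessible: $perms" >&2
           return 1 ;;
    esac
}

# configure_db_ssl CTL KEY CERT CA PORT
# CTL is ovn-nbctl or ovn-sbctl (or a stub for a dry run). set-connection
# replaces every existing Connection row, so the old ptcp remote goes away
# in the same step that the pssl listener appears.
configure_db_ssl() {
    ctl=$1 key=$2 cert=$3 ca=$4 port=$5
    check_ssl_files "$key" "$cert" "$ca" || return 1
    "$ctl" set-ssl "$key" "$cert" "$ca" &&
    "$ctl" set-connection "pssl:$port"
}

# audit_remotes < TEXT
# Flags any tcp:/ptcp: endpoint in the input: get-connection output, or
# the ovn-remote value from "ovs-vsctl get" (printed with quotes). A remote
# created by --db-*-create-remote=yes persists after the option is turned
# back off, which is exactly what this catches. Returns 1 if one is found.
audit_remotes() {
    bad=0
    while read -r line; do
        for word in $line; do
            word=${word#\"}; word=${word%\"}
            case $word in
                ptcp:*|tcp:*) echo "cleartext remote: $word" >&2; bad=1 ;;
            esac
        done
    done
    return $bad
}
```

On the database host run, for example, `configure_db_ssl ovn-sbctl /etc/ovn/sb-privkey.pem /etc/ovn/sb-cert.pem /etc/ovn/cacert.pem 6642` and the same with `ovn-nbctl` and 6641, then `ovn-sbctl get-connection | audit_remotes`; on each chassis `ovs-vsctl get Open_vSwitch . external-ids:ovn-remote | audit_remotes` confirms the controller side was moved to `ssl:` as well.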