Russell and Numan, are you happy with this? In the manpage, I see that some command-line options are shown with == instead of =; please fix.
Acked-by: Ben Pfaff <b...@ovn.org> On Thu, Dec 22, 2016 at 11:34:46AM -0500, Lance Richardson wrote: > Add support for SSL connections to OVN northbound and/or > southbound databases. > > To improve security, the NB and SB ovsdb daemons no longer > have open ptcp connections by default. This is a change in > behavior from previous versions, users wishing to use TCP > connections to the NB/SB daemons can either request that > a passive TCP connection be used via ovn-ctl command-line > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup > scripts): > > --db-sb-create-insecure-remote=yes > --db-nb-create-insecure-remote=yes > > Or configure a connection after the NB/SB daemons have been > started, e.g.: > > ovn-sbctl set-connection ptcp:6642 > ovn-nbctl set-connection ptcp:6641 > > Users desiring SSL database connections will need to generate certificates > and private key as described in INSTALL.SSL.rst and perform the following > one-time configuration steps: > > ovn-sbctl set-ssl <private-key> <certificate> <ca-cert> > ovn-sbctl set-connection pssl:6642 > ovn-nbctl set-ssl <private-key> <certificate> <ca-cert> > ovn-nbctl set-connection pssl:6641 > > On the ovn-controller and ovn-controller-vtep side, SSL configuration > must be provided on the command-line when the daemons are started, this > should be provided via the following command-line options (e.g. via > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts): > > --ovn-controller-ssl-key=<private-key> > --ovn-controller-ssl-cert=<certificate> > --ovn-controller-ssl-ca-cert=<ca-cert> > > The SB database connection should also be configured to use SSL, e.g.: > > ovs-vsctl set Open_vSwitch . \ > external-ids:ovn-remote=ssl:w.x.y.z:6642 > > Signed-off-by: Lance Richardson <lrich...@redhat.com> > --- > v4: - reverted to v1 scheme for creating default (insecure), dropping > feedback from Russell at http://patchwork.ozlabs.org/patch/701571/. > - changed --db-?b-create-remote to --db-?b-create-insecure-remote > > v3: - rebased > - s/db-sb-default-remote/db-sb-create-remote/ in man page > - s/db-nb-default-remote/db-nb-create-remote/ in man page > > v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE. > - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE. > - Create default remote configuration in db instead of > via command-line options. > > Testing Notes: > - Verified tcp connections operational with /etc/sysconfig/ovn-northd: > OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes > --db-nb-create-insecure-remote=yes" > > - Verified tcp connections operational without /etc/sysconfig/ovn-northd > and: > ovn-sbctl set-connection ptcp:6642 > ovn-nbctl set-connection ptcp:6641 > > - Verified SSL connection to sb db with (on central node): > ovn-sbctl set-ssl /ctl-privkey.pem /ctl-cert.pem /cacert.pem > ovn-sbctl set-connection pssl:6642 > > And (on compute nodes): > In /etc/sysconfig/ovn-controller: > OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \ > --ovn-controller-ssl-cert=/ctl-cert.pem \ > --ovn-controller-ssl-ca-cert=/cacert.pem" > ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642 > > NEWS | 6 ++++ > manpages.mk | 4 +++ > ovn/utilities/ovn-ctl | 72 > ++++++++++++++++++++++++++++++++++----------- > ovn/utilities/ovn-ctl.8.xml | 7 +++++ > 4 files changed, 72 insertions(+), 17 deletions(-) > > diff --git a/NEWS b/NEWS > index 882f611..ec44dd5 100644 > --- a/NEWS > +++ b/NEWS > @@ -10,6 +10,12 @@ Post-v2.6.0 > * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions. > * Support for managing SSL and remote connection configuration in > northbound and southbound databases. > + * TCP connections to northbound and southbound databases are no > + longer enabled by default and must be explicitly configured. > + See documentation for ovn-sbctl/ovn-nbctl "set-connection" > + command or the ovn-ctl "--db-sb-create-insecure-remote" and > + "--db-nb-create-insecure-remote" command-line options for > + information regarding remote connection configuration. > - Fixed regression in table stats maintenance introduced in OVS > 2.3.0, wherein the number of OpenFlow table hits and misses was > not accurate. > diff --git a/manpages.mk b/manpages.mk > index 742bd66..825e2bc 100644 > --- a/manpages.mk > +++ b/manpages.mk > @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \ > lib/vlog-syn.man \ > lib/vlog.man \ > ovsdb/remote-active.man \ > + ovsdb/remote-active.man \ > + ovsdb/remote-passive.man \ > ovsdb/remote-passive.man > ovsdb/ovsdb-client.1.in: > lib/common-syn.man: > @@ -58,6 +60,8 @@ lib/table.man: > lib/vlog-syn.man: > lib/vlog.man: > ovsdb/remote-active.man: > +ovsdb/remote-active.man: > +ovsdb/remote-passive.man: > ovsdb/remote-passive.man: > > ovsdb/ovsdb-server.1: \ > diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl > index 73e78e5..a696d5e 100755 > --- a/ovn/utilities/ovn-ctl > +++ b/ovn/utilities/ovn-ctl > @@ -50,7 +50,7 @@ stop_ovsdb () { > > demote_ovnnb() { > if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > $ovnnb_active_conf_file > + echo > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > $ovnnb_active_conf_file > fi > > if test -e $ovnnb_active_conf_file; then > @@ -64,7 +64,7 @@ demote_ovnnb() { > > demote_ovnsb() { > if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > $ovnsb_active_conf_file > + echo > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > $ovnsb_active_conf_file > fi > > if test -e $ovnsb_active_conf_file; then > @@ -93,15 +93,21 @@ start_ovsdb () { > > set ovsdb-server > > - set "$@" --detach --monitor $OVN_NB_LOG \ > - --log-file=$OVN_NB_LOGFILE \ > - --remote=punix:$DB_NB_SOCK \ > - --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ > - --pidfile=$DB_NB_PID \ > - --unixctl=ovnnb_db.ctl > + set "$@" --detach --monitor > + set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE > + set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID > + set "$@" --remote=db:OVN_Northbound,NB_Global,connections > + set "$@" --unixctl=ovnnb_db.ctl > + set "$@" --private-key=db:OVN_Northbound,SSL,private_key > + set "$@" --certificate=db:OVN_Northbound,SSL,certificate > + set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert > + > + if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then > + set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR > + fi > > if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > $ovnnb_active_conf_file > + echo > "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > > $ovnnb_active_conf_file > fi > > if test -e $ovnnb_active_conf_file; then > @@ -118,15 +124,21 @@ start_ovsdb () { > > set ovsdb-server > > - set "$@" --detach --monitor $OVN_SB_LOG \ > - --log-file=$OVN_SB_LOGFILE \ > - --remote=punix:$DB_SB_SOCK \ > - --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \ > - --pidfile=$DB_SB_PID \ > - --unixctl=ovnsb_db.ctl > + set "$@" --detach --monitor > + set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE > + set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID > + set "$@" --remote=db:OVN_Southbound,SB_Global,connections > + set "$@" --unixctl=ovnsb_db.ctl > + set "$@" --private-key=db:OVN_Southbound,SSL,private_key > + set "$@" --certificate=db:OVN_Southbound,SSL,certificate > + set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert > + > + if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then > + set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR > + fi > > if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then > - echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > $ovnsb_active_conf_file > + echo > "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > > $ovnsb_active_conf_file > fi > > if test -e $ovnsb_active_conf_file; then > @@ -208,12 +220,22 @@ start_northd () { > start_controller () { > set ovn-controller "unix:$DB_SOCK" > set "$@" $OVN_CONTROLLER_LOG > + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then > + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY > + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT > + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT > + fi > OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" > "$OVN_CONTROLLER_WRAPPER" "$@" > } > > start_controller_vtep () { > set ovn-controller-vtep "unix:$DB_SOCK" > set "$@" -vconsole:emer -vsyslog:err -vfile:info > + if test X"$OVN_CONTROLLER_SSL_CERT" != X; then > + set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY > + set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT > + set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT > + fi > OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" > "$OVN_CONTROLLER_WRAPPER" "$@" > } > > @@ -275,6 +297,7 @@ set_defaults () { > DB_NB_FILE=$dbdir/ovnnb_db.db > DB_NB_ADDR=0.0.0.0 > DB_NB_PORT=6641 > + DB_NB_SYNC_FROM_PROTO=tcp > DB_NB_SYNC_FROM_ADDR= > DB_NB_SYNC_FROM_PORT=6641 > > @@ -283,6 +306,7 @@ set_defaults () { > DB_SB_FILE=$dbdir/ovnsb_db.db > DB_SB_ADDR=0.0.0.0 > DB_SB_PORT=6642 > + DB_SB_SYNC_FROM_PROTO=tcp > DB_SB_SYNC_FROM_ADDR= > DB_SB_SYNC_FROM_PORT=6642 > > @@ -307,6 +331,13 @@ set_defaults () { > OVN_SB_LOG="-vconsole:off" > OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log" > OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log" > + > + OVN_CONTROLLER_SSL_KEY="" > + OVN_CONTROLLER_SSL_CERT="" > + OVN_CONTROLLER_SSL_CA_CERT="" > + > + DB_SB_CREATE_INSECURE_REMOTE="no" > + DB_NB_CREATE_INSECURE_REMOTE="no" > } > > set_option () { > @@ -350,6 +381,9 @@ Options: > --ovn-northd-wrapper=WRAPPER run with a wrapper like valgrind for > debugging > --ovn-controller-priority=NICE set ovn-northd's niceness (default: > $OVN_CONTROLLER_PRIORITY) > --ovn-controller-wrapper=WRAPPER run with a wrapper like valgrind for > debugging > + --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file > + --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file > + --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file > --ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be > automatically started and stopped along > with ovn-northd. The default is "yes". If > @@ -376,9 +410,13 @@ File location options: > --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE) > --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE) > --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: > $DB_NB_SYNC_FROM_ADDR) > - --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: > $DB_NB_SYNC_FROM_PORT) > + --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: > $DB_NB_SYNC_FROM_PORT) > + --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: > $DB_NB_SYNC_FROM_PROTO) > + --db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound remote > (default: $DB_NB_CREATE_INSECURE_REMOTE) > --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: > $DB_SB_SYNC_FROM_ADDR) > --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: > $DB_SB_SYNC_FROM_PORT) > + --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: > $DB_SB_SYNC_FROM_PROTO) > + --db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound remote > (default: $DB_SB_CREATE_INSECURE_REMOTE) > > Default directories with "configure" option and environment variable > override: > logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR) > diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml > index ff7366c..da10efd 100644 > --- a/ovn/utilities/ovn-ctl.8.xml > +++ b/ovn/utilities/ovn-ctl.8.xml > @@ -43,12 +43,19 @@ > <p><code>--db-sb-file==<var>FILE</var></code></p> > <p><code>--db-nb-schema==<var>FILE</var></code></p> > <p><code>--db-sb-schema==<var>FILE</var></code></p> > + <p><code>--db-sb-create-insecure-remote==<var>yes|no</var></code></p> > + <p><code>--db-nb-create-insecure-remote==<var>yes|no</var></code></p> > + <p><code>--ovn-controller-ssl-key==<var>KEY</var></code></p> > + <p><code>--ovn-controller-ssl-cert==<var>CERT</var></code></p> > + <p><code>--ovn-controller-ssl-ca-cert==<var>CERT</var></code></p> > > <h1>Address and port options</h1> > <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p> > <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p> > + <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p> > <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p> > <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p> > + <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p> > > <h1>Configuration files</h1> > <p>Following are the optional configuration files. If present, it should > be located in the etc dir</p> > -- > 2.5.5 > _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev