On Wed, Mar 22, 2017 at 1:19 PM, Lance Richardson <lrich...@redhat.com> wrote: > When SSL support is available, use SSL for the ovn-controller > to southbound database connection. When configured without > SSL, unix socket connections are used. > > Signed-off-by: Lance Richardson <lrich...@redhat.com> > --- > tutorial/automake.mk | 3 ++- > tutorial/ovs-sandbox | 42 ++++++++++++++++++++++++++++++++++++------ > 2 files changed, 38 insertions(+), 7 deletions(-)
I imagine you're using this to help with development and manual testing of the ovsdb-server ACL work for OVN? I can see how it'd be helpful for that so I'm OK with it. I guess we're fairly confident that SSL is at least part of the solution (either with generic ovsdb ACLs or a trusted daemon), so I think we could merge this now. I haven't tested it myself yet. I'll give it a shot if you decide to post the non-RFC version. > > diff --git a/tutorial/automake.mk b/tutorial/automake.mk > index ce8415e..b7ea10c 100644 > --- a/tutorial/automake.mk > +++ b/tutorial/automake.mk > @@ -8,4 +8,5 @@ EXTRA_DIST += \ > tutorial/t-stage4 \ > tutorial/ovn-setup.sh > sandbox: all > - cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b > $(abs_builddir) $(SANDBOXFLAGS) > + cd $(srcdir)/tutorial && MAKE=$(MAKE) HAVE_OPENSSL=$(HAVE_OPENSSL) \ > + ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS) > diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox > index a28dcbf..3da1c48 100755 > --- a/tutorial/ovs-sandbox > +++ b/tutorial/ovs-sandbox > @@ -331,6 +331,14 @@ if $ovn; then > ovsdb_sb_server_args="ovnsb.db" > ovsdb_sb_backup_server_args="ovnsb2.db" > ovsdb_nb_server_args="ovnnb.db" > + > + if [ "$HAVE_OPENSSL" = yes ]; then > + OVS_PKI="run ovs-pki --dir=$sandbox/pki --log=$sandbox/ovs-pki.log" > + $OVS_PKI -B 1024 init > + $OVS_PKI -B 1024 req+sign ovnsb switch > + $OVS_PKI -B 1024 req+sign ovnnb switch > + $OVS_PKI -B 1024 req+sign ovn-controller switch > + fi > fi > rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile > -vconsole:off --log-file \ > --remote=punix:"$sandbox"/db.sock $ovsdb_server_args 
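Review bot: `OVS_PKI="run ovs-pki --dir=$sandbox/pki --log=$sandbox/ovs-pki.log"` followed by the unquoted `$OVS_PKI -B 1024 …` calls relies on word-splitting to rebuild the command, so a sandbox path containing whitespace splits the `--dir=`/`--log=` values and the four `req+sign` lines run against the wrong directory; the same pattern recurs in the third hunk (`ovn-nbctl set-ssl $sandbox/…`, `ovn-sbctl set-ssl $sandbox/…`, and `OVN_CTRLR_PKI="-p $sandbox/… -c $sandbox/… -C $sandbox/…"`). Since the script appears to be plain sh, a function keeps the quoting intact: `ovs_pki() { run ovs-pki --dir="$sandbox/pki" --log="$sandbox/ovs-pki.log" "$@"; }` and then `ovs_pki -B 1024 init`, `ovs_pki -B 1024 req+sign ovnsb switch`, etc. The 1024-bit key size is presumably chosen so the sandbox starts quickly; a one-line comment above the `init` call, `# 1024-bit keys: fast to generate, sandbox-only — never reuse this PKI outside the sandbox`, stops it being copied as a template. The `if $ovn` block this is inside starts before the hunk.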
> @@ -338,15 +346,27 @@ if $ovn; then > rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \ > --pidfile="$sandbox"/ovnnb_db.pid -vconsole:off \ > --log-file="$sandbox"/ovnnb_db.log \ > + --remote=db:OVN_Northbound,NB_Global,connections \ > + --private-key=db:OVN_Northbound,SSL,private_key \ > + --certificate=db:OVN_Northbound,SSL,certificate \ > + --ca-cert=db:OVN_Northbound,SSL,ca_cert \ > --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args > rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \ > --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \ > --log-file="$sandbox"/ovnsb_db.log \ > + --remote=db:OVN_Southbound,SB_Global,connections \ > + --private-key=db:OVN_Southbound,SSL,private_key \ > + --certificate=db:OVN_Southbound,SSL,certificate \ > + --ca-cert=db:OVN_Southbound,SSL,ca_cert \ > --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args > # Start SB back up server > rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \ > --pidfile="$sandbox"/ovnsb_db2.pid -vconsole:off \ > --log-file="$sandbox"/ovnsb_db2.log \ > + --remote=db:OVN_Southbound,SB_Global,connections \ > + --private-key=db:OVN_Southbound,SSL,private_key \ > + --certificate=db:OVN_Southbound,SSL,certificate \ > + --ca-cert=db:OVN_Southbound,SSL,ca_cert \ > --remote=punix:"$sandbox"/ovnsb_db2.sock \ > --unixctl="$sandbox"/sb_backup_unixctl \ > --sync-from=unix:"$sandbox"/ovnsb_db.sock > $ovsdb_sb_backup_server_args 
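Review bot: The backup SB server (the third `rungdb … ovsdb-server` in the hunk, with `--sync-from`) now also gets `--remote=db:OVN_Southbound,SB_Global,connections`, and since it replicates the primary's SB_Global row it will presumably try to listen on the same `pssl:6642` on the same host as the primary. Whether that merely logs a bind failure in `ovnsb_db2.log` or leaves the backup in some other state cannot be confirmed from this hunk; worth checking once, and worth a short comment on the backup's `--remote=db:` line, e.g. `# backup shares the primary's connections row; expect a bind error for pssl:6642 on a single host`, if that is the accepted behaviour. The `--private-key`/`--certificate`/`--ca-cert` triples themselves read from the SSL table, so they are inert until `ovn-sbctl set-ssl` populates it, which matches the ordering in the later hunk.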
> @@ -372,24 +392,34 @@ rungdb $gdb_vswitchd $gdb_vswitchd_ex ovs-vswitchd > --detach --no-chdir --pidfile > --enable-dummy=$dummy -vvconn -vnetdev_dummy > > if $ovn; then > + ovn-nbctl init > + ovn-sbctl init > + > ovs-vsctl set open . > external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068 > ovs-vsctl set open . external-ids:hostname=sandbox > - ovs-vsctl set open . > external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock > ovs-vsctl set open . external-ids:ovn-encap-type=geneve > ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1 > > - ovn-nbctl init > - ovn-sbctl init > - > + if [ "$HAVE_OPENSSL" = yes ]; then > + ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem > $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem > + ovn-nbctl set-connection pssl:6641 > + ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem > $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem > + ovn-sbctl set-connection pssl:6642 > + ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642 > + OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c > $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem" > + else > + ovs-vsctl set open . 
> external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock > + OVN_CTRLR_PKI="" > + fi > rungdb $gdb_ovn_northd $gdb_ovn_northd_ex ovn-northd --detach \ > --no-chdir --pidfile -vconsole:off --log-file \ > --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock \ > --ovnnb-db=unix:"$sandbox"/ovnnb_db.sock > rungdb $gdb_ovn_controller $gdb_ovn_controller_ex ovn-controller \ > - --detach --no-chdir --pidfile -vconsole:off --log-file > + $OVN_CTRLR_PKI --detach --no-chdir --pidfile -vconsole:off --log-file > rungdb $gdb_ovn_controller_vtep $gdb_ovn_controller_vtep_ex \ > ovn-controller-vtep --detach --no-chdir --pidfile -vconsole:off \ > - --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock > + $OVN_CTRLR_PKI --log-file --ovnsb-db=unix:"$sandbox"/ovnsb_db.sock > fi > > cat <<EOF > -- > 2.7.4 > > _______________________________________________ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev -- Russell Bryant _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
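Review bot: `ovn-nbctl set-connection pssl:6641` and `ovn-sbctl set-connection pssl:6642` bind on all interfaces, whereas every other remote in the sandbox is a unix socket and the only intended client is local (`external-ids:ovn-remote=ssl:127.0.0.1:6642`). Client certificates are required via `--ca-cert`, but a development sandbox has no reason to expose the NB/SB databases beyond loopback; `ovn-nbctl set-connection pssl:6641:127.0.0.1` and `ovn-sbctl set-connection pssl:6642:127.0.0.1` keep the listeners local and match the remote already configured. ovn-northd is left on `unix:` sockets while ovn-controller and ovn-controller-vtep switch to SSL, which agrees with the commit message but is worth a one-line comment above the `rungdb … ovn-northd` line, e.g. `# northd stays on unix sockets; only the controllers exercise the SSL path`, so a reader does not take it for an omission. The unquoted `$sandbox` paths in `set-ssl` and `OVN_CTRLR_PKI` have the same whitespace problem as the `OVS_PKI` lines in the first ovs-sandbox hunk.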