On Tue, Jul 31, 2018 at 02:08:54PM -0700, Qiuyu Xiao wrote:
> This patch adds step-by-step guide for configuring OVN Role-Based Access
> Control and IPsec.
> 
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao....@gmail.com>

Here are my suggestions for this patch (really for this one, this time).

I'll look forward to v5 of this series!

Thanks,

Ben.

--8<--------------------------cut here-------------------------->8--

diff --git a/Documentation/index.rst b/Documentation/index.rst
index bab5ba1f1a98..46261235c732 100644
--- a/Documentation/index.rst
+++ b/Documentation/index.rst
@@ -66,7 +66,9 @@ vSwitch? Start here.
   :doc:`tutorials/ovn-sandbox` |
   :doc:`tutorials/ovn-openstack` |
   :doc:`tutorials/ovs-conntrack` |
-  :doc:`tutorials/ipsec`
+  :doc:`tutorials/ipsec` |
+  :doc:`tutorials/ovn-ipsec` |
+  :doc:`tutorials/ovn-rbac`
 
 Deeper Dive
 -----------
diff --git a/Documentation/tutorials/ovn-ipsec.rst 
b/Documentation/tutorials/ovn-ipsec.rst
index 76269c46a784..5a8701905fa1 100644
--- a/Documentation/tutorials/ovn-ipsec.rst
+++ b/Documentation/tutorials/ovn-ipsec.rst
@@ -43,15 +43,17 @@ Generating Certificates and Keys
 OVN chassis uses CA-signed certificate to authenticate peer chassis for
 building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in
 OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you
-can generate seperate certificates and keys with ``ovs-pki`` (refer to
+can generate separate certificates and keys with ``ovs-pki`` (refer to
 :ref:`gen-certs-keys`).
 
 .. note::
 
    OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS
    field setting the same string as the common name (CN) field. CN should be
-   set as the chassis name.  Please generate compatible certificates if you use
-   another PKI tool to manage certificates.
+   set as the chassis name.  ``ovs-pki`` in Open vSwitch 2.10.90 and later
+   generates such certificates.  Please generate compatible certificates if you
+   use another PKI tool, or an older version of ``ovs-pki``, to manage
+   certificates.
 
 Configuring OVN IPsec
 ---------------------
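
Review bot: The unchanged line in the note still spells the standard "x.509 version 3 certificate"; since this hunk already rewrites the rest of the note, change it to "X.509 version 3 certificates" in the same pass. The note also tells users of another PKI tool or an older ``ovs-pki`` to "generate compatible certificates" without saying how to confirm compatibility. One sentence telling the reader to check that the certificate's subjectAltName DNS entry matches the CN, and that the CN is the chassis name, would make the requirement checkable.
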
@@ -67,27 +69,27 @@ each chassis. Use the following command::
 Enabling OVN IPsec
 ------------------
 
-To enable OVN IPsec, set `ipsec` column in `NB_Global` table of the northbound
-database to be true::
+To enable OVN IPsec, set ``ipsec`` column in ``NB_Global`` table of the
+northbound database to true::
 
     $ ovn-nbctl set nb_global . ipsec=true
 
 With OVN IPsec enabled, all tunnel traffic in OVN will be encrypted with IPsec.
-To disable it, set `ipsec` column in `NB_Global` table of the northbound
-database to be false::
+To disable it, set ``ipsec`` column in ``NB_Global`` table of the northbound
+database to false::
 
     $ ovn-nbctl set nb_global . ipsec=false
 
 Troubleshooting
 ---------------
 
-ovs-monitor-ipsec daemon in each chassis manages and monitors the IPsec tunnel
-state. Use the following ovs-apptcl command to get ovs-monitor-ipsec internal
-representation of tunnel configuration::
+The ``ovs-monitor-ipsec`` daemon in each chassis manages and monitors the IPsec
+tunnel state. Use the following ``ovs-appctl`` command to view
+``ovs-monitor-ipsec`` internal representation of tunnel configuration::
 
     $ ovs-appctl -t ovs-monitor-ipsec tunnels/show
 
-If there is misconfiguration then ovs-appctl should indicate why.
+If there is a misconfiguration, then ``ovs-appctl`` should indicate why.
 For example::
 
    Interface name: ovn-host_2-0 v1 (CONFIGURED) <--- Should be set to 
CONFIGURED.
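
Review bot: Both rewritten sentences ("set ``ipsec`` column in ``NB_Global`` table ...") still drop the articles; "set the ``ipsec`` column in the ``NB_Global`` table" reads better. In the Troubleshooting paragraph, "view ``ovs-monitor-ipsec`` internal representation" needs a possessive or a rephrasing such as "the internal representation kept by ``ovs-monitor-ipsec``". Separately, the sentence "all tunnel traffic in OVN will be encrypted with IPsec" does not say what happens to traffic while a tunnel has not yet been established or fails to come up; a sentence covering that case would help operators who rely on this setting.
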
@@ -119,13 +121,13 @@ For example::
                                      tunnel
 
 If you don't see any active connections, try to run the following command to
-refresh the ovs-monitor-ipsec daemon::
+refresh the ``ovs-monitor-ipsec`` daemon::
 
     $ ovs-appctl -t ovs-monitor-ipsec refresh
 
-You can also check the logs of the ovs-monitor-ipsec daemon and the IKE daemon
-to locate issues. The logs of the ovs-monitor-ipsec is in
-/var/log/openvswitch/ovs-monitor-ipsec.log.
+You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE
+daemon to locate issues.  ``ovs-monitor-ipsec`` outputs log messages to
+``/var/log/openvswitch/ovs-monitor-ipsec.log``.
 
 Bug Reporting
 -------------
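
Review bot: The last paragraph of this hunk tells the reader to check the logs of both ``ovs-monitor-ipsec`` and the IKE daemon, but only gives a location for the first. Either add where the IKE daemon's logs are found or state that the location depends on which IKE daemon is installed, so the reader is not left guessing at the step where troubleshooting most often ends up.
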
diff --git a/Documentation/tutorials/ovn-rbac.rst 
b/Documentation/tutorials/ovn-rbac.rst
index ff93ba54bdc6..ec163e2df369 100644
--- a/Documentation/tutorials/ovn-rbac.rst
+++ b/Documentation/tutorials/ovn-rbac.rst
@@ -81,7 +81,7 @@ address `machine_3-ip`. `machine_3` also hosts public key 
infrastructure (PKI).
 
    .. note::
 
-     chassis_1 must be the same string as the external_ids:system-id in the
+     chassis_1 must be the same string as ``external_ids:system-id`` in the
      Open_vSwitch table (the chassis name) of machine_1. Same applies for
      chassis_2.
 
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
