On Tue, Jul 31, 2018 at 02:08:54PM -0700, Qiuyu Xiao wrote:
> This patch adds a step-by-step guide for configuring OVN Role-Based Access
> Control and IPsec.
>
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao....@gmail.com>
Here are my suggestions for this patch (really for this one, this time). I'll look forward to v5 of this series!

Thanks,

Ben.

--8<--------------------------cut here-------------------------->8--
diff --git a/Documentation/index.rst b/Documentation/index.rst index bab5ba1f1a98..46261235c732 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -66,7 +66,9 @@ vSwitch? Start here. :doc:`tutorials/ovn-sandbox` | :doc:`tutorials/ovn-openstack` | :doc:`tutorials/ovs-conntrack` | - :doc:`tutorials/ipsec` + :doc:`tutorials/ipsec` | + :doc:`tutorials/ovn-ipsec` | + :doc:`tutorials/ovn-rbac` Deeper Dive ----------- diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst index 76269c46a784..5a8701905fa1 100644 --- a/Documentation/tutorials/ovn-ipsec.rst +++ b/Documentation/tutorials/ovn-ipsec.rst @@ -43,15 +43,17 @@ Generating Certificates and Keys OVN chassis uses CA-signed certificate to authenticate peer chassis for building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you -can generate seperate certificates and keys with ``ovs-pki`` (refer to +can generate separate certificates and keys with ``ovs-pki`` (refer to :ref:`gen-certs-keys`). .. note:: OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS field setting the same string as the common name (CN) field. CN should be - set as the chassis name. Please generate compatible certificates if you use - another PKI tool to manage certificates. + set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later + generates such certificates. Please generate compatible certificates if you + use another PKI tool, or an older version of ``ovs-pki``, to manage + certificates. Configuring OVN IPsec --------------------- 
@@ -67,27 +69,27 @@ each chassis. Use the following command:: Enabling OVN IPsec ------------------ -To enable OVN IPsec, set `ipsec` column in `NB_Global` table of the northbound -database to be true:: +To enable OVN IPsec, set ``ipsec`` column in ``NB_Global`` table of the +northbound database to true:: $ ovn-nbctl set nb_global . ipsec=true With OVN IPsec enabled, all tunnel traffic in OVN will be encrypted with IPsec. -To disable it, set `ipsec` column in `NB_Global` table of the northbound -database to be false:: +To disable it, set ``ipsec`` column in ``NB_Global`` table of the northbound +database to false:: $ ovn-nbctl set nb_global . ipsec=false Troubleshooting --------------- -ovs-monitor-ipsec daemon in each chassis manages and monitors the IPsec tunnel -state. Use the following ovs-apptcl command to get ovs-monitor-ipsec internal -representation of tunnel configuration:: +The ``ovs-monitor-ipsec`` daemon in each chassis manages and monitors the IPsec +tunnel state. Use the following ``ovs-appctl`` command to view +``ovs-monitor-ipsec`` internal representation of tunnel configuration:: $ ovs-appctl -t ovs-monitor-ipsec tunnels/show -If there is misconfiguration then ovs-appctl should indicate why. +If there is a misconfiguration, then ``ovs-appctl`` should indicate why. For example:: Interface name: ovn-host_2-0 v1 (CONFIGURED) <--- Should be set to CONFIGURED. 
@@ -119,13 +121,13 @@ For example:: tunnel If you don't see any active connections, try to run the following command to -refresh the ovs-monitor-ipsec daemon:: +refresh the ``ovs-monitor-ipsec`` daemon:: $ ovs-appctl -t ovs-monitor-ipsec refresh -You can also check the logs of the ovs-monitor-ipsec daemon and the IKE daemon -to locate issues. The logs of the ovs-monitor-ipsec is in -/var/log/openvswitch/ovs-monitor-ipsec.log. +You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE +daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to +``/var/log/openvswitch/ovs-monitor-ipsec.log``. Bug Reporting ------------- diff --git a/Documentation/tutorials/ovn-rbac.rst b/Documentation/tutorials/ovn-rbac.rst index ff93ba54bdc6..ec163e2df369 100644 --- a/Documentation/tutorials/ovn-rbac.rst +++ b/Documentation/tutorials/ovn-rbac.rst @@ -81,7 +81,7 @@ address `machine_3-ip`. `machine_3` also hosts public key infrastructure (PKI). .. note:: - chassis_1 must be the same string as the external_ids:system-id in the + chassis_1 must be the same string as ``external_ids:system-id`` in the Open_vSwitch table (the chassis name) of machine_1. Same applies for chassis_2.
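Review bot: in the index.rst hunk the two new entries list ``tutorials/ovn-ipsec`` ahead of ``tutorials/ovn-rbac``, yet the ovn-ipsec.rst hunk that follows tells the reader the RBAC certificates and keys can be reused for IPsec, which makes RBAC the natural prerequisite; consider ordering them as ``:doc:`tutorials/ovn-rbac` |`` followed by ``:doc:`tutorials/ovn-ipsec```, keeping the trailing ``|`` on every entry except the last as the hunk already does.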
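Review bot: the added note in the first ovn-ipsec.rst hunk ties SAN-capable certificates to ``ovs-pki`` in Open vSwitch 2.10.90 and later; 2.10.90 is the development-branch version number, so once this lands in a release the text should name that release instead. Because a certificate whose subjectAltName DNS entry does not match its CN does not meet the stated requirement and the tunnel will not come up, it would help to tell the reader how to confirm the generated certificate carries the expected SAN before deploying it. In the unchanged context line, "x.509 version 3 certificate" should read "an X.509 version 3 certificate".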
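Review bot: in the Enabling OVN IPsec hunk the rewritten sentences still drop the articles: "set ``ipsec`` column in ``NB_Global`` table" should be "set the ``ipsec`` column in the ``NB_Global`` table", in both the enable and the disable paragraph. The ``ovs-apptcl`` to ``ovs-appctl`` correction in the Troubleshooting paragraph is the important fix in this hunk, since the misspelled command name is exactly what a reader would paste into a shell.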
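Review bot: in the last ovn-ipsec.rst hunk the log path ``/var/log/openvswitch/ovs-monitor-ipsec.log`` is given as an absolute fact; that is the location for packaged installs, while a source build with the default prefix logs under ``/usr/local/var/log/openvswitch``, so qualify it with "by default" or refer to the configured log directory. The same paragraph tells the reader to check the IKE daemon's logs without saying where those are; one sentence on where the IKE daemon writes its log would make the troubleshooting section complete.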
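Review bot: the ovn-rbac.rst hunk marks ``external_ids:system-id`` as a literal but leaves ``chassis_1``, ``Open_vSwitch`` and ``machine_1`` on the same lines plain; for consistency with the rest of this patch, at least the table name should become ``Open_vSwitch``. The unchanged context line above the note still uses single backticks (`machine_3-ip`, `machine_3`), which reST renders as interpreted text rather than as literals; this patch converts single backticks to double everywhere else, so the same conversion belongs here.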