Re-apply the SSL configuration on every main-loop iteration so that updated PKI files (private key, certificate, CA certificate) are picked up by a running daemon instead of only at startup.

Signed-off-by: Han Zhou <hz...@ovn.org>
---
 ic/ovn-ic.c | 31 ++++++++++++++++++++++++++++++-
 northd/ovn-northd-ddlog.c | 31 ++++++++++++++++++++++++++++++-
 northd/ovn-northd.c | 31 ++++++++++++++++++++++++++++++-
 tests/ovn-northd.at | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 128 insertions(+), 3 deletions(-)
diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 18e37a31f..d69583956 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -80,6 +80,11 @@ static const char *ovn_ic_nb_db;
 static const char *ovn_ic_sb_db;
 static const char *unixctl_path;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 static void
 usage(void)
@@ -1519,7 +1524,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 switch (c) {
 OVN_DAEMON_OPTION_HANDLERS;
 VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
 case 'd':
 ovnsb_db = optarg;
@@ -1585,6 +1601,18 @@ add_column_noalert(struct ovsdb_idl *idl,
 ovsdb_idl_omit_alert(idl, column);
 }
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -1655,6 +1683,7 @@ main(int argc, char *argv[])
 state.had_lock = false;
 state.paused = false;
 while (!exiting) {
+ update_ssl_config();
 memory_run();
 if (memory_should_report()) {
 struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/northd/ovn-northd-ddlog.c b/northd/ovn-northd-ddlog.c
index b7d2c8a5e..73f50e049 100644
--- a/northd/ovn-northd-ddlog.c
+++ b/northd/ovn-northd-ddlog.c
@@ -74,6 +74,11 @@ static const char *ovnnb_db;
 static const char *ovnsb_db;
 static const char *unixctl_path;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 /* Frequently used table ids. */
 static table_id WARNING_TABLE_ID;
 static table_id NB_CFG_TIMESTAMP_ID;
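Review bot: Replacing STREAM_SSL_OPTION_HANDLERS with only the `'p'`, `'c'` and `'C'` cases drops the OPT_SSL_PROTOCOLS and OPT_SSL_CIPHERS cases that the OVS macro also dispatches (to stream_ssl_set_protocols() and stream_ssl_set_ciphers()). If the long-options table above this hunk still includes STREAM_SSL_LONG_OPTIONS, `--ssl-protocols` and `--ssl-ciphers` are still accepted by getopt but now reach the switch's default and are silently ignored, which quietly removes the operator's TLS hardening; I cannot see the table or the default case from here, so please confirm. If they are still listed, keep the two cases: `case OPT_SSL_PROTOCOLS: stream_ssl_set_protocols(optarg); break;` and `case OPT_SSL_CIPHERS: stream_ssl_set_ciphers(optarg); break;`. parse_options() starts and ends outside the hunk.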
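Review bot: With `if (ssl_private_key_file && ssl_certificate_file)` a daemon started with only `-p` or only `-c` applies neither file and never says so, so its SSL connections just fail with no hint about the cause; the replaced STREAM_SSL_OPTION_HANDLERS, as far as I recall, set each file individually and let stream-ssl report the missing half. Since this function runs every main-loop iteration, a once-only diagnostic is the right shape: `} else if (ssl_private_key_file || ssl_certificate_file) { VLOG_WARN_ONCE("SSL private key and certificate must both be specified"); }`. A header comment would also help a reader who finds this called in the loop, e.g. `/* Re-applies the SSL key, certificate and CA certificate given on the command line.  Called every main-loop iteration so that replaced PKI files are picked up; stream-ssl presumably reloads a file only when it changed on disk — confirm. */`.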
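Review bot: update_ssl_config() re-applies the key, certificate and CA paths on every iteration, but that presumably only affects connections made after the reload; a session already established with the old credentials is not torn down, so rotating a compromised key or an updated CA bundle does not take effect on the live NB/SB sessions until they reconnect for some other reason (the new test only exercises the reconnect-after-failure path). Worth stating at the call site, e.g. `/* Pick up replaced PKI files.  Affects new connections only; existing sessions keep their credentials until they reconnect. */`, and possibly a follow-up that forces a reconnect when a file changed. main() continues outside the hunk.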
@@ -1094,7 +1099,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 switch (c) {
 OVN_DAEMON_OPTION_HANDLERS;
 VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
 case OPT_DDLOG_RECORD:
 record_file = optarg;
@@ -1140,6 +1156,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 free(short_options);
 }
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -1219,6 +1247,7 @@ main(int argc, char *argv[])
 /* Main loop. */
 exiting = false;
 while (!exiting) {
+ update_ssl_config();
 memory_run();
 if (memory_should_report()) {
 struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 0e5092a87..04965dd6e 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -107,6 +107,11 @@ static bool use_ct_inv_match = true;
 static int northd_probe_interval_nb = 0;
 static int northd_probe_interval_sb = 0;
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 #define MAX_OVN_TAGS 4096
 /* Pipeline stages. */
@@ -14009,7 +14014,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 switch (c) {
 OVN_DAEMON_OPTION_HANDLERS;
 VLOG_OPTION_HANDLERS;
- STREAM_SSL_OPTION_HANDLERS;
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
 case 'd':
 ovnsb_db = optarg;
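Review bot: The same gap as in ovn-ic.c applies here: the removed STREAM_SSL_OPTION_HANDLERS also handled OPT_SSL_PROTOCOLS and OPT_SSL_CIPHERS, and the replacement only covers `'p'`, `'c'` and `'C'`. Unless the options table for ovn-northd-ddlog (outside the hunk) was also changed to stop listing STREAM_SSL_LONG_OPTIONS, `--ssl-protocols`/`--ssl-ciphers` now parse but do nothing, so an operator who pinned TLSv1.2+ or a cipher list silently loses that restriction. Restore `case OPT_SSL_PROTOCOLS: stream_ssl_set_protocols(optarg); break;` and `case OPT_SSL_CIPHERS: stream_ssl_set_ciphers(optarg); break;` if the long options remain. parse_options() starts and ends outside the hunk.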
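Review bot: update_ssl_config() is now a byte-identical private copy in ovn-ic.c, ovn-northd-ddlog.c and ovn-northd.c, with a matching triplicate of the `'p'`/`'c'`/`'C'` handlers, so any later correction (for instance adding a missing option or a diagnostic) has to land three times. Since the file already pulls in OVN_DAEMON_OPTION_HANDLERS from a shared header, an `OVN_SSL_OPTION_HANDLERS` macro plus one shared `ovn_ssl_config_run()` next to it would keep the three daemons in step. The bare `false` in `stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false)` also deserves a name; I believe it is the bootstrap flag, so `stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false /* bootstrap */);` would make the intent visible.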
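Review bot: Because update_ssl_config() re-reads whatever is at the configured paths on each iteration, an in-place overwrite like the new test's `cp` can be observed while the file is half-written; if stream-ssl's reload is keyed on the file's mtime (which I cannot verify from here), a failed load of a truncated file may not be retried until the file changes again, leaving the daemon unable to connect after a rotation that looks complete. A comment at the call site should tell operators to replace PKI files atomically, e.g. `/* Pick up replaced PKI files.  Files should be swapped in atomically (write a temp file, then rename) so a partial write is never loaded. */`. main() continues outside the hunk.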
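Review bot: ovn-northd's parse_options() loses the OPT_SSL_PROTOCOLS and OPT_SSL_CIPHERS handling along with STREAM_SSL_OPTION_HANDLERS, while only `'p'`, `'c'` and `'C'` are re-added. If the long-options table and usage() text (both outside the hunk) still advertise `--ssl-protocols` and `--ssl-ciphers`, those flags become silent no-ops, which is a hardening regression that no test here would catch. Keep `case OPT_SSL_PROTOCOLS: stream_ssl_set_protocols(optarg); break;` and `case OPT_SSL_CIPHERS: stream_ssl_set_ciphers(optarg); break;`, or drop the options from the table and the documentation together. parse_options() starts and ends outside the hunk.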
@@ -14059,6 +14075,18 @@ add_column_noalert(struct ovsdb_idl *idl,
 ovsdb_idl_omit_alert(idl, column);
 }
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -14375,6 +14403,7 @@ main(int argc, char *argv[])
 state.paused = false;
 while (!exiting) {
+ update_ssl_config();
 memory_run();
 if (memory_should_report()) {
 struct simap usage = SIMAP_INITIALIZER(&usage);
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index bff2ade43..3c2aef4b0 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
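Review bot: The key/cert pair and the CA certificate are applied independently, so `-C` alone still takes effect while `-p` without `-c` (or vice versa) is dropped without a word; that asymmetry is not obvious from the code and is undocumented. A short header comment would make the contract explicit, e.g. `/* Re-applies the SSL options from the command line.  Key and certificate are only applied together; the CA certificate is applied on its own.  Runs every main-loop iteration. */`, and a `VLOG_WARN_ONCE()` in an `else if (ssl_private_key_file || ssl_certificate_file)` branch would stop a half-configured daemon from failing silently. The `false` passed to stream_ssl_set_ca_cert_file() is, I believe, the bootstrap flag and would read better as `false /* bootstrap */`.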
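Review bot: Calling update_ssl_config() at the top of every iteration turns the key, certificate and CA paths into live configuration: whoever can write to those paths can now change the credentials or the trust anchor of a running ovn-northd without a restart, whereas before this change that required restarting the daemon. That is the intended feature, but it raises the bar on the file and directory permissions of the PKI location, and it deserves a sentence in the ovn-northd man page and a comment here, e.g. `/* Re-read PKI files every iteration so rotated keys/certs/CA are picked up; the paths are therefore trusted continuously, not just at startup. */`. The stat()s this costs per iteration are presumably negligible next to the rest of the loop, but I cannot confirm that from the hunk. main() continues outside the hunk.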
@@ -3556,3 +3556,41 @@ AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl
 AT_CLEANUP
 ])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn -- northd ssl file change])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[ '\"
+\\]"])
+ovn_start --no-backup-northd
+
+as northd
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+
+key=testpki-hv1-privkey.pem
+cert=testpki-hv1-cert.pem
+cacert=testpki-cacert.pem
+
+key2=testpki-hv2-privkey.pem
+cert3=testpki-hv3-cert.pem
+
+# Use mismatched key and cert when restarting using SSL options
+cp $PKIDIR/$key2 $key
+cp $PKIDIR/$cert3 $cert
+cp $PKIDIR/$cacert $cacert
+start_daemon ovn$NORTHD_TYPE -vjsonrpc \
+ --ovnnb-db=$OVN_NB_DB --ovnsb-db=$SSL_OVN_SB_DB \
+ -p $key -c $cert -C $cacert
+
+# SSL should not connect because of key and cert mismatch
+AT_FAIL_IF([ovn-nbctl --timeout=3 --wait=sb sync])
+
+# Modify the files with the correct key and cert, and reconnect should succeed
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+check ovn-nbctl --wait=sb sync
+
+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+AT_CLEANUP
+])
-- 
2.30.2
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
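Review bot: The negative step `AT_FAIL_IF([ovn-nbctl --timeout=3 --wait=sb sync])` only proves that the sync did not finish within 3 seconds, not that SSL rejected the mismatched key and certificate; a slow start or an unrelated connection problem passes the same check, and the later success would then be the initial connection rather than a reload. Pair it with a check on the northd log for the SSL key/certificate mismatch error that stream-ssl emits (I do not know the exact message text, so grep for the stable part of it), so the test fails if the reload path is ever skipped. The `cp` overwrites replace the key and certificate in place, which is the non-atomic rotation pattern this feature makes risky; copying to a temp name and `mv`-ing into place would both model the recommended procedure and avoid a racy half-written file being read by the daemon under test.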