Update the SSL configuration in server_loop so that updated PKI files are reapplied. Signed-off-by: Han Zhou <hz...@ovn.org> --- tests/ovn-nbctl.at | 40 ++++++++++++++++++++++++++++++++++++++++ utilities/ovn-nbctl.c | 32 +++++++++++++++++++++++++++++++- 2 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 8af55161f..c5c07f738 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -2016,3 +2016,43 @@ AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file --remote=punix:$
 AT_CHECK([ovn-nbctl show], [0], [ignore])
 OVN_NBCTL_TEST_STOP "/terminating with signal 15/d"
 AT_CLEANUP
+
+AT_SETUP([ovn-nbctl - daemon ssl files change])
+dnl Create ovn-nb database.
+AT_CHECK([ovsdb-tool create ovn-nb.db $abs_top_srcdir/ovn-nb.ovsschema])
+
+dnl Start ovsdb-server.
+
+key=testpki-hv1-privkey.pem
+cert=testpki-hv1-cert.pem
+
+key_server=$PKIDIR/testpki-test-privkey.pem
+cert_server=$PKIDIR/testpki-test-cert.pem
+cacert=$PKIDIR/testpki-cacert.pem
+
+key2=testpki-hv2-privkey.pem
+cert3=testpki-hv3-cert.pem
+
+ssl_options="--remote=pssl:0:127.0.0.1 ovn-nb.db -p $key_server -c $cert_server -C $cacert"
+AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file $ssl_options], [0], [], [stderr])
+on_exit "kill `cat ovsdb-server.pid`"
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+
+start_daemon ovn-nbctl --pidfile=ovn-nbctl.pid --db=ssl:127.0.0.1:$TCP_PORT \
+ -p $key -c $cert -C $cacert
+
+check ovn-appctl -t ovn-nbctl run init
+
+# Overwrite with mismatched key and cert
+cp $PKIDIR/$key2 $key
+cp $PKIDIR/$cert3 $cert
+OVS_WAIT_UNTIL([grep mismatch ovn-nbctl.log])
+
+cp $PKIDIR/$key $key
+cp $PKIDIR/$cert $cert
+OVS_WAIT_UNTIL([ovn-appctl -t ovn-nbctl run show])
+
+AT_CLEANUP
diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c
index 84e228f02..65c61f799 100644
--- a/utilities/ovn-nbctl.c
+++ b/utilities/ovn-nbctl.c
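Review bot: The final `OVS_WAIT_UNTIL([ovn-appctl -t ovn-nbctl run show])` after the matching files are restored only proves that the daemon still answers on its control socket; if its already-established IDL session to ovsdb-server survived the mismatched reload (nothing in the test forces a reconnect), this passes even when the restored key and certificate were never re-applied. A stronger check would wait for whatever the daemon logs on a successful reload, or force a new TLS handshake after the restore (for example by restarting ovsdb-server) so the daemon must present the restored certificate. A minor naming nit: `key2`/`cert3` deliberately pair the hv2 key with the hv3 certificate to produce the mismatch; a one-line comment saying so, such as `# hv2 key with hv3 cert: deliberately mismatched`, would spare the next reader the puzzle.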
@@ -57,6 +57,11 @@ static bool oneline;
 /* --dry-run: Do not commit any changes. */
 static bool dry_run;
 
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 /* --wait=TYPE: Wait for configuration change to take effect? */
 enum nbctl_wait_type {
 NBCTL_WAIT_NONE, /* Do not wait. */
@@ -549,6 +554,18 @@ add_local_option(const char *name, const char *arg,
 return NULL;
 }
 
+static void
+update_ssl_config(void)
+{
+ if (ssl_private_key_file && ssl_certificate_file) {
+ stream_ssl_set_key_and_cert(ssl_private_key_file,
+ ssl_certificate_file);
+ }
+ if (ssl_ca_cert_file) {
+ stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+ }
+}
+
 static void
 apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options,
 size_t n, struct shash *local_options)
@@ -621,7 +638,18 @@ apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options,
 OVN_DAEMON_OPTION_HANDLERS
 VLOG_OPTION_HANDLERS
 TABLE_OPTION_HANDLERS(&table_style)
- STREAM_SSL_OPTION_HANDLERS
+
+ case 'p':
+ ssl_private_key_file = optarg;
+ break;
+
+ case 'c':
+ ssl_certificate_file = optarg;
+ break;
+
+ case 'C':
+ ssl_ca_cert_file = optarg;
+ break;
 
 case OPT_BOOTSTRAP_CA_CERT:
 stream_ssl_set_ca_cert_file(po->arg, true);
@@ -641,6 +669,7 @@ apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options,
 if (!db) {
 db = default_nb_db();
 }
+ update_ssl_config();
 }
 
 static void
@@ -6958,6 +6987,7 @@ server_loop(struct ovsdb_idl *idl, int argc, char *argv[])
 server_cmd_init(idl, &exiting);
 
 for (;;) {
+ update_ssl_config();
 memory_run();
 if (memory_should_report()) {
 struct simap usage = SIMAP_INITIALIZER(&usage);
-- 2.30.2 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
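Review bot: `update_ssl_config()` is introduced without any comment, yet the rest of the patch calls it both once after option parsing and on every `server_loop` iteration, so its contract (safe and cheap to call repeatedly, no-op while the files are unchanged) is the whole point and should be stated above the definition. I would add a short block comment saying that it (re)applies the `-p`/`-c`/`-C` files so that certificates rotated on disk are picked up while the daemon runs, and that it relies on the stream-ssl setters only reloading when the files change; that last part is my reading of the library, not visible on this page, so please confirm before writing it down.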
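Review bot: Deferring `-C` to `update_ssl_config()` changes how it interacts with `--bootstrap-ca-cert`, whose case directly below the new ones still calls `stream_ssl_set_ca_cert_file(po->arg, true)` immediately: if the removed `STREAM_SSL_OPTION_HANDLERS` applied `-C` in place (as I believe it did), the later of the two options used to win, whereas now `update_ssl_config()` runs after the loop and unconditionally overrides the bootstrap choice with `bootstrap = false`, and a bootstrap CA file is never re-applied in the server loop at all. Either record the bootstrap choice as well (a `static bool ssl_bootstrap_ca_cert;` set from `case OPT_BOOTSTRAP_CA_CERT:` alongside `ssl_ca_cert_file = po->arg;` and passed as the second argument in `update_ssl_config()`) or reject the combination explicitly. A style nit on the same hunk: the three new cases read `optarg` while the adjacent `OPT_BOOTSTRAP_CA_CERT` case uses `po->arg`; the loop presumably assigns `optarg` for the macro handlers, but `po->arg` would match the surrounding hand-written cases.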
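Review bot: The `update_ssl_config()` call at the top of the `for (;;)` body runs on every wake-up of the server loop, so each iteration goes through `stream_ssl_set_key_and_cert()` and `stream_ssl_set_ca_cert_file()`; that is the pattern other OVS daemons use and is fine if those setters only stat the files and reload on a change, but if they re-read the PEM files unconditionally this becomes file I/O on every poll wake-up, which is worth verifying. Nothing here says what happens when a reload fails, for example the key/cert mismatch the new test provokes; if the previous material stays in effect, as I would expect, a one-line comment such as `/* Re-apply key/cert/CA files replaced on disk; a failed reload keeps the old ones. */` would document the intended degraded behaviour. server_loop's body continues outside the hunk.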