On 20/07/2021 19:21, Ben Pfaff wrote:
On Tue, Jul 20, 2021 at 10:27:30AM +0100, Brendan Doyle wrote:

On 19/07/2021 17:32, Ben Pfaff wrote:
On Mon, Jul 19, 2021 at 04:29:07PM +0100, Brendan Doyle wrote:

When I start OVN/OVS using ovn-ctl/ovs-ctl the ovsdb-server processes have
SSL credentials of the form:

--private-key=db:Open_vSwitch,SSL,private_key
--certificate=db:Open_vSwitch,SSL,certificate
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert

--private-key=db:OVN_Northbound,SSL,private_key
--certificate=db:OVN_Northbound,SSL,certificate
--ca-cert=db:OVN_Northbound,SSL,ca_cert
--ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
--ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers

--private-key=db:OVN_Southbound,SSL,private_key
--certificate=db:OVN_Southbound,SSL,certificate
--ca-cert=db:OVN_Southbound,SSL,ca_cert
--ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
--ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers

From what I gather this means it gets these values from the database, OVS,
OVN North/South?

But does that mean that SSL is enabled by default and uses a default set of
credentials/ciphers?

Or does it mean if these values (Open_vSwitch,SSL,certificate e.g.) are not
set in the OVS, or OVN North/South bound database
then the connections are not SSL?

And if the latter is the case how are these set?

It means that SSL/TLS connections will use these values.  Whether SSL is
in use is separately configured.  If you see "pssl:..." in a remote,
that's an SSL one; "ptcp:..." is for non-SSL TCP.

OK not used if SSL not configured. If SSL configured uses the credentials
pointed to by --private-key etc, which can be in the Open_vSwitch,
OVN_Northbound or OVN_Southbound databases in the specified table or
elsewhere. So wondering are there helper tools (ovn-ctl/ovs-ctl ?) to set
these DB tables or are they created/manipulated by modifying the DB
directly. Guess read the manual.

ovs-vsctl, ovn-nbctl, and ovn-sbctl have commands to manipulate these
tables.

Thanks
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
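
Added example (not part of the thread, and not Open vSwitch project code): a small Python check that applies the distinction drawn above to an ovsdb-server command line, reporting where the SSL credentials come from separately from whether any remote is actually pssl:. The sample arguments are constructed; the punix: and --remote=db:... forms do not appear in the thread and are assumed here as other remote forms an ovn-ctl-started ovsdb-server may carry.

```python
import re

# Three-part reference as shown in the thread: db:DATABASE,TABLE,COLUMN
DB_REF = re.compile(r"^db:([^,]+),([^,]+),([^,]+)$")
SSL_OPTS = ("--private-key", "--certificate", "--ca-cert",
            "--bootstrap-ca-cert", "--ssl-protocols", "--ssl-ciphers")

# Constructed sample arguments (not captured from a real host).
SAMPLE_ARGS = [
    "--remote=punix:/var/run/ovn/ovnnb_db.sock",
    "--remote=ptcp:6641:0.0.0.0",
    "--remote=db:OVN_Northbound,NB_Global,connections",
    "--private-key=db:OVN_Northbound,SSL,private_key",
    "--certificate=db:OVN_Northbound,SSL,certificate",
    "--ca-cert=db:OVN_Northbound,SSL,ca_cert",
]

def parse_db_ref(value):
    """Return (database, table, column) for 'db:DB,TABLE,COLUMN', else None."""
    m = DB_REF.match(value)
    return m.groups() if m else None

def audit(args):
    """Split arguments into credential sources and listener types."""
    report = {"credentials": {}, "ssl": [], "plaintext_tcp": [],
              "from_db": [], "other": []}
    for arg in args:
        opt, _, value = arg.partition("=")
        ref = parse_db_ref(value)
        if opt in SSL_OPTS:
            report["credentials"][opt] = ref or value  # DB column or file path
        elif opt == "--remote":
            key = ("ssl" if value.startswith("pssl:") else
                   "plaintext_tcp" if value.startswith("ptcp:") else
                   "from_db" if ref else "other")
            report[key].append(ref or value)
    return report

def findings(report):
    """Points a reviewer should follow up on."""
    out = [f"{r}: non-SSL TCP listener, SSL credentials are not used for it"
           for r in report["plaintext_tcp"]]
    if report["credentials"] and not report["ssl"] and not report["from_db"]:
        out.append("SSL credentials configured but no pssl: remote present")
    out += [f"remotes stored in {db}.{t}.{c}: inspect them for ptcp: entries"
            for db, t, c in report["from_db"]]
    return out

if __name__ == "__main__":
    print("\n".join(findings(audit(SAMPLE_ARGS))))
```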