Re: [ovs-dev] [PATCH v4] ovn-ctl: add support for SSL nb/sb db connections
On Thu, Dec 22, 2016 at 11:32 PM, Ben Pfaff wrote:
> Russell and Numan, are you happy with this?
>

I am happy with this.

Thanks
Numan

> In the manpage, I see that some command-line options are shown with ==
> instead of =; please fix.
>
> Acked-by: Ben Pfaff
>
> On Thu, Dec 22, 2016 at 11:34:46AM -0500, Lance Richardson wrote:
> > Add support for SSL connections to OVN northbound and/or
> > southbound databases.
> >
> > To improve security, the NB and SB ovsdb daemons no longer
> > have open ptcp connections by default. This is a change in
> > behavior from previous versions; users wishing to use TCP
> > connections to the NB/SB daemons can either request that
> > a passive TCP connection be used via ovn-ctl command-line
> > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > scripts):
> >
> >     --db-sb-create-insecure-remote=yes
> >     --db-nb-create-insecure-remote=yes
> >
> > Or configure a connection after the NB/SB daemons have been
> > started, e.g.:
> >
> >     ovn-sbctl set-connection ptcp:6642
> >     ovn-nbctl set-connection ptcp:6641
> >
> > Users desiring SSL database connections will need to generate certificates
> > and private key as described in INSTALL.SSL.rst and perform the following
> > one-time configuration steps:
> >
> >     ovn-sbctl set-ssl
> >     ovn-sbctl set-connection pssl:6642
> >     ovn-nbctl set-ssl
> >     ovn-nbctl set-connection pssl:6641
> >
> > On the ovn-controller and ovn-controller-vtep side, SSL configuration
> > must be provided on the command-line when the daemons are started; this
> > should be provided via the following command-line options (e.g. via
> > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> >
> >     --ovn-controller-ssl-key=
> >     --ovn-controller-ssl-cert=
> >     --ovn-controller-ssl-ca-cert=
> >
> > The SB database connection should also be configured to use SSL, e.g.:
> >
> >     ovs-vsctl set Open_vSwitch . \
> >         external-ids:ovn-remote=ssl:w.x.y.z:6642
> >
> > Signed-off-by: Lance Richardson
> > ---
> > v4: - reverted to v1 scheme for creating default (insecure), dropping
> >       feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
> >     - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> >
> > v3: - rebased
> >     - s/db-sb-default-remote/db-sb-create-remote/ in man page
> >     - s/db-nb-default-remote/db-nb-create-remote/ in man page
> >
> > v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
> >     - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
> >     - Create default remote configuration in db instead of
> >       via command-line options.
> >
> > Testing Notes:
> >   - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
> >       OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes --db-nb-create-insecure-remote=yes"
> >
> >   - Verified tcp connections operational without /etc/sysconfig/ovn-northd and:
> >       ovn-sbctl set-connection ptcp:6642
> >       ovn-nbctl set-connection ptcp:6641
> >
> >   - Verified SSL connection to sb db with (on central node):
> >       ovn-sbctl set-ssl /ctl-privkey.pem /ctl-cert.pem /cacert.pem
> >       ovn-sbctl set-connection pssl:6642
> >
> >     And (on compute nodes):
> >     In /etc/sysconfig/ovn-controller:
> >       OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
> >         --ovn-controller-ssl-cert=/ctl-cert.pem \
> >         --ovn-controller-ssl-ca-cert=/cacert.pem"
> >       ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642
> >
> >  NEWS                        |  6
> >  manpages.mk                 |  4 +++
> >  ovn/utilities/ovn-ctl       | 72 ++---
> >  ovn/utilities/ovn-ctl.8.xml |  7 +
> >  4 files changed, 72 insertions(+), 17 deletions(-)
> >
> > diff --git a/NEWS b/NEWS
> > index 882f611..ec44dd5 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -10,6 +10,12 @@ Post-v2.6.0 > > * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 > actions. > > * Support for managing SSL and remote connection configuration in > > northbound and southbound databases. > > + * TCP connections to northbound and southbound databases are no > > + longer enabled by default and must be explicitly configured. > > + See documentation for ovn-sbctl/ovn-nbctl "set-connection" > > + command or the ovn-ctl "--db-sb-create-insecure-remote" and > > + "--db-nb-create-insecure-remote" command-line options for > > + information regarding remote connection configuration. > > - Fixed regression in table stats maintenance introduced in OVS > > 2.3.0, wherein the number of OpenFlow table hits and misses was > > not accurate. > > diff --git a/manpages.mk b/manpages.mk > > index 742bd66..825e2bc 100644 > > --- a/manpages.mk > > +++ b/manpages.mk > > @@
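Review bot: the NEWS hunk documents only the database side of this change (the "set-connection" command and the "--db-sb-create-insecure-remote"/"--db-nb-create-insecure-remote" options); the new ovn-ctl options for ovn-controller and ovn-controller-vtep that the commit message introduces (--ovn-controller-ssl-key, --ovn-controller-ssl-cert, --ovn-controller-ssl-ca-cert) are not mentioned anywhere in it. Since the pre-existing bullet "Support for managing SSL and remote connection configuration in northbound and southbound databases" likewise covers only the databases, consider adding a short line pointing users at the controller-side SSL options, as that is the half of the setup they are most likely to miss when ptcp stops being the default.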
Re: [ovs-dev] [PATCH v4] ovn-ctl: add support for SSL nb/sb db connections
Russell and Numan, are you happy with this?

In the manpage, I see that some command-line options are shown with ==
instead of =; please fix.

Acked-by: Ben Pfaff

On Thu, Dec 22, 2016 at 11:34:46AM -0500, Lance Richardson wrote:
> Add support for SSL connections to OVN northbound and/or
> southbound databases.
>
> To improve security, the NB and SB ovsdb daemons no longer
> have open ptcp connections by default. This is a change in
> behavior from previous versions; users wishing to use TCP
> connections to the NB/SB daemons can either request that
> a passive TCP connection be used via ovn-ctl command-line
> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> scripts):
>
>     --db-sb-create-insecure-remote=yes
>     --db-nb-create-insecure-remote=yes
>
> Or configure a connection after the NB/SB daemons have been
> started, e.g.:
>
>     ovn-sbctl set-connection ptcp:6642
>     ovn-nbctl set-connection ptcp:6641
>
> Users desiring SSL database connections will need to generate certificates
> and private key as described in INSTALL.SSL.rst and perform the following
> one-time configuration steps:
>
>     ovn-sbctl set-ssl
>     ovn-sbctl set-connection pssl:6642
>     ovn-nbctl set-ssl
>     ovn-nbctl set-connection pssl:6641
>
> On the ovn-controller and ovn-controller-vtep side, SSL configuration
> must be provided on the command-line when the daemons are started; this
> should be provided via the following command-line options (e.g. via
> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
>
>     --ovn-controller-ssl-key=
>     --ovn-controller-ssl-cert=
>     --ovn-controller-ssl-ca-cert=
>
> The SB database connection should also be configured to use SSL, e.g.:
>
>     ovs-vsctl set Open_vSwitch . \
>         external-ids:ovn-remote=ssl:w.x.y.z:6642
>
> Signed-off-by: Lance Richardson
> ---
> v4: - reverted to v1 scheme for creating default (insecure), dropping
>       feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
>     - changed --db-?b-create-remote to --db-?b-create-insecure-remote
>
> v3: - rebased
>     - s/db-sb-default-remote/db-sb-create-remote/ in man page
>     - s/db-nb-default-remote/db-nb-create-remote/ in man page
>
> v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
>     - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
>     - Create default remote configuration in db instead of
>       via command-line options.
>
> Testing Notes:
>   - Verified tcp connections operational with /etc/sysconfig/ovn-northd:
>       OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes --db-nb-create-insecure-remote=yes"
>
>   - Verified tcp connections operational without /etc/sysconfig/ovn-northd
>     and:
>       ovn-sbctl set-connection ptcp:6642
>       ovn-nbctl set-connection ptcp:6641
>
>   - Verified SSL connection to sb db with (on central node):
>       ovn-sbctl set-ssl /ctl-privkey.pem /ctl-cert.pem /cacert.pem
>       ovn-sbctl set-connection pssl:6642
>
>     And (on compute nodes):
>     In /etc/sysconfig/ovn-controller:
>       OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
>         --ovn-controller-ssl-cert=/ctl-cert.pem \
>         --ovn-controller-ssl-ca-cert=/cacert.pem"
>       ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642
>
>  NEWS                        |  6
>  manpages.mk                 |  4 +++
>  ovn/utilities/ovn-ctl       | 72 ++---
>  ovn/utilities/ovn-ctl.8.xml |  7 +
>  4 files changed, 72 insertions(+), 17 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index 882f611..ec44dd5 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -10,6 +10,12 @@ Post-v2.6.0 > * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions. > * Support for managing SSL and remote connection configuration in > northbound and southbound databases. > + * TCP connections to northbound and southbound databases are no > + longer enabled by default and must be explicitly configured. > + See documentation for ovn-sbctl/ovn-nbctl "set-connection" > + command or the ovn-ctl "--db-sb-create-insecure-remote" and > + "--db-nb-create-insecure-remote" command-line options for > + information regarding remote connection configuration. > - Fixed regression in table stats maintenance introduced in OVS > 2.3.0, wherein the number of OpenFlow table hits and misses was > not accurate. > diff --git a/manpages.mk b/manpages.mk > index 742bd66..825e2bc 100644 > --- a/manpages.mk > +++ b/manpages.mk > @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \ > lib/vlog-syn.man \ > lib/vlog.man \ > ovsdb/remote-active.man \ > + ovsdb/remote-active.man \ > + ovsdb/remote-passive.man \ > ovsdb/remote-passive.man > ovsdb/ovsdb-client.1.in: > lib/common-syn.man: > @@ -58,6 +60,8 @@ lib/table.man: >
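Review bot: the manpages.mk hunk for ovsdb/ovsdb-client.1 inserts "+ ovsdb/remote-active.man \" and "+ ovsdb/remote-passive.man \" between context lines that already list ovsdb/remote-active.man and ovsdb/remote-passive.man, so the same two dependencies now appear twice in one rule. Make tolerates duplicate prerequisites, but if this file was regenerated the duplication suggests the corresponding .so includes are now present twice in the man page source and should be deduplicated there rather than carried into manpages.mk; if it was hand-edited, the two added lines can simply be dropped.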
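Added example (not code from the patch or from OVS): a small POSIX sh helper that classifies the connection targets printed by `ovn-sbctl get-connection`/`ovn-nbctl get-connection` or stored in `external-ids:ovn-remote`, flags any cleartext `ptcp:`/`tcp:` remote now that TCP is opt-in, and prints the one-time SSL configuration commands from the commit message for a central node and a compute node. The key, certificate and CA paths and the host address are placeholders; every input it is exercised with is constructed.

```shell
#!/bin/sh
# Added example (not part of the patch or of OVS). Classifies OVN database
# connection targets and emits the SSL setup commands described in the
# commit message. All file paths and addresses passed in are placeholders.

# Print the class of one target as written by "ovn-sbctl get-connection"
# or in external-ids:ovn-remote. Return 0 if it is SSL or local, 1 otherwise.
classify_remote() {
    case "$1" in
        pssl:*|ssl:*)   echo ssl;       return 0 ;;
        punix:*|unix:*) echo local;     return 0 ;;
        ptcp:*|tcp:*)   echo cleartext; return 1 ;;
        *)              echo unknown;   return 1 ;;
    esac
}

# Audit a whitespace-separated list of targets (e.g. the whole output of
# "ovn-sbctl get-connection"). Prints each offender; the exit status is the
# number of targets that are neither SSL nor local.
audit_remotes() {
    bad=0
    for r in $1; do
        if ! classify_remote "$r" >/dev/null; then
            echo "insecure remote: $r"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Central node: the one-time set-ssl/set-connection steps for both databases
# (SB on 6642, NB on 6641, in the order the commit message gives them).
central_ssl_commands() {
    key=$1; cert=$2; ca=$3
    for db in sb:6642 nb:6641; do
        printf 'ovn-%sctl set-ssl %s %s %s\n' "${db%%:*}" "$key" "$cert" "$ca"
        printf 'ovn-%sctl set-connection pssl:%s\n' "${db%%:*}" "${db##*:}"
    done
}

# Compute node: the ovn-controller SSL options for OVN_CONTROLLER_OPTS plus
# the SSL southbound remote that ovs-vsctl must point at.
compute_ssl_commands() {
    key=$1; cert=$2; ca=$3; sb_host=$4
    printf 'OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=%s --ovn-controller-ssl-cert=%s --ovn-controller-ssl-ca-cert=%s"\n' "$key" "$cert" "$ca"
    printf 'ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:%s:6642\n' "$sb_host"
}
```

Run `audit_remotes "$(ovn-sbctl get-connection)"` on the central node after configuration; a non-zero exit status means a cleartext or unrecognised remote is still configured.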