Re: [ovs-dev] [PATCH v4] ovn-ctl: add support for SSL nb/sb db connections

2016-12-22 Thread Numan Siddique
On Thu, Dec 22, 2016 at 11:32 PM, Ben Pfaff wrote:

> Russell and Numan, are you happy with this?
>
>
I am happy with this.

Thanks
Numan


> In the manpage, I see that some command-line options are shown with ==
> instead of =; please fix.
>
> Acked-by: Ben Pfaff 
>
> On Thu, Dec 22, 2016 at 11:34:46AM -0500, Lance Richardson wrote:
> > Add support for SSL connections to OVN northbound and/or
> > southbound databases.
> >
> > To improve security, the NB and SB ovsdb daemons no longer
> > have open ptcp connections by default.  This is a change in
> > behavior from previous versions, users wishing to use TCP
> > connections to the NB/SB daemons can either request that
> > a passive TCP connection be used via ovn-ctl command-line
> > options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> > scripts):
> >
> > --db-sb-create-insecure-remote=yes
> > --db-nb-create-insecure-remote=yes
> >
> > Or configure a connection after the NB/SB daemons have been
> > started, e.g.:
> >
> > ovn-sbctl set-connection ptcp:6642
> > ovn-nbctl set-connection ptcp:6641
> >
> > Users desiring SSL database connections will need to generate certificates
> > and private key as described in INSTALL.SSL.rst and perform the following
> > one-time configuration steps:
> >
> >ovn-sbctl set-ssl   
> >ovn-sbctl set-connection pssl:6642
> >ovn-nbctl set-ssl   
> >ovn-nbctl set-connection pssl:6641
> >
> > On the ovn-controller and ovn-controller-vtep side, SSL configuration
> > must be provided on the command-line when the daemons are started, this
> > should be provided via the following command-line options (e.g. via
> > OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> >
> >--ovn-controller-ssl-key=
> >--ovn-controller-ssl-cert=
> >--ovn-controller-ssl-ca-cert=
> >
> > The SB database connection should also be configured to use SSL, e.g.:
> >
> > ovs-vsctl set Open_vSwitch . \
> >   external-ids:ovn-remote=ssl:w.x.y.z:6642
> >
> > Signed-off-by: Lance Richardson 
> > ---
> > v4: - reverted to v1 scheme for creating default (insecure), dropping
> >   feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
> > - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> >
> > v3: - rebased
> > - s/db-sb-default-remote/db-sb-create-remote/ in man page
> > - s/db-nb-default-remote/db-nb-create-remote/ in man page
> >
> > v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
> > - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
> > - Create default remote configuration in db instead of
> >   via command-line options.
> >
> > Testing Notes:
> >- Verified tcp connections operational with /etc/sysconfig/ovn-northd:
> >  OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes
> > --db-nb-create-insecure-remote=yes"
> >
> >- Verified tcp connections operational without /etc/sysconfig/ovn-northd
> > and:
> >  ovn-sbctl set-connection ptcp:6642
> >  ovn-nbctl set-connection ptcp:6641
> >
> >- Verified SSL connection to sb db with (on central node):
> >  ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
> >  ovn-sbctl set-connection pssl:6642
> >
> >  And (on compute nodes):
> >  In /etc/sysconfig/ovn-controller:
> >  OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
> >   --ovn-controller-ssl-cert=/ctl-cert.pem \
> >   --ovn-controller-ssl-ca-cert=/cacert.pem"
> >  ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642
> >
> >  NEWS|  6 
> >  manpages.mk |  4 +++
> >  ovn/utilities/ovn-ctl   | 72 ++---
> >  ovn/utilities/ovn-ctl.8.xml |  7 +
> >  4 files changed, 72 insertions(+), 17 deletions(-)
> >
> > diff --git a/NEWS b/NEWS
> > index 882f611..ec44dd5 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -10,6 +10,12 @@ Post-v2.6.0
> >   * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6
> actions.
> >   * Support for managing SSL and remote connection configuration in
> > northbound and southbound databases.
> > + * TCP connections to northbound and southbound databases are no
> > +   longer enabled by default and must be explicitly configured.
> > +   See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> > +   command or the ovn-ctl "--db-sb-create-insecure-remote" and
> > +   "--db-nb-create-insecure-remote" command-line options for
> > +   information regarding remote connection configuration.
> > - Fixed regression in table stats maintenance introduced in OVS
> >   2.3.0, wherein the number of OpenFlow table hits and misses was
> >   not accurate.
> > diff --git a/manpages.mk b/manpages.mk
> > index 742bd66..825e2bc 100644
> > --- a/manpages.mk
> > +++ b/manpages.mk
> > @@ 

Re: [ovs-dev] [PATCH v4] ovn-ctl: add support for SSL nb/sb db connections

2016-12-22 Thread Ben Pfaff
Russell and Numan, are you happy with this?

In the manpage, I see that some command-line options are shown with ==
instead of =; please fix.

Acked-by: Ben Pfaff 

On Thu, Dec 22, 2016 at 11:34:46AM -0500, Lance Richardson wrote:
> Add support for SSL connections to OVN northbound and/or
> southbound databases.
> 
> To improve security, the NB and SB ovsdb daemons no longer
> have open ptcp connections by default.  This is a change in
> behavior from previous versions, users wishing to use TCP
> connections to the NB/SB daemons can either request that
> a passive TCP connection be used via ovn-ctl command-line
> options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
> scripts):
> 
> --db-sb-create-insecure-remote=yes
> --db-nb-create-insecure-remote=yes
> 
> Or configure a connection after the NB/SB daemons have been
> started, e.g.:
> 
> ovn-sbctl set-connection ptcp:6642
> ovn-nbctl set-connection ptcp:6641
> 
> Users desiring SSL database connections will need to generate certificates
> and private key as described in INSTALL.SSL.rst and perform the following
> one-time configuration steps:
> 
>ovn-sbctl set-ssl   
>ovn-sbctl set-connection pssl:6642
>ovn-nbctl set-ssl   
>ovn-nbctl set-connection pssl:6641
> 
> On the ovn-controller and ovn-controller-vtep side, SSL configuration
> must be provided on the command-line when the daemons are started, this
> should be provided via the following command-line options (e.g. via
> OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):
> 
>--ovn-controller-ssl-key=
>--ovn-controller-ssl-cert=
>--ovn-controller-ssl-ca-cert=
> 
> The SB database connection should also be configured to use SSL, e.g.:
> 
> ovs-vsctl set Open_vSwitch . \
>   external-ids:ovn-remote=ssl:w.x.y.z:6642
> 
> Signed-off-by: Lance Richardson 
> ---
> v4: - reverted to v1 scheme for creating default (insecure), dropping
>   feedback from Russell at http://patchwork.ozlabs.org/patch/701571/.
> - changed --db-?b-create-remote to --db-?b-create-insecure-remote
> 
> v3: - rebased
> - s/db-sb-default-remote/db-sb-create-remote/ in man page
> - s/db-nb-default-remote/db-nb-create-remote/ in man page
> 
> v2: - Changed DB_NB_DEFAULT_REMOTE to DB_NB_CREATE_REMOTE.
> - Changed DB_SB_DEFAULT_REMOTE to DB_SB_CREATE_REMOTE.
> - Create default remote configuration in db instead of
>   via command-line options.
> 
> Testing Notes:
>- Verified tcp connections operational with /etc/sysconfig/ovn-northd:
>  OVN_NORTHD_OPTS="--db-sb-create-insecure-remote=yes 
> --db-nb-create-insecure-remote=yes"
> 
>- Verified tcp connections operational without /etc/sysconfig/ovn-northd 
> and:
>  ovn-sbctl set-connection ptcp:6642
>  ovn-nbctl set-connection ptcp:6641
> 
>- Verified SSL connection to sb db with (on central node):
>  ovn-sbctl set-ssl /ctl-privkey.pem  /ctl-cert.pem /cacert.pem
>  ovn-sbctl set-connection pssl:6642
> 
>  And (on compute nodes):
>  In /etc/sysconfig/ovn-controller:
>  OVN_CONTROLLER_OPTS="--ovn-controller-ssl-key=/ctl-privkey.pem \
>   --ovn-controller-ssl-cert=/ctl-cert.pem \
>   --ovn-controller-ssl-ca-cert=/cacert.pem"
>  ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:xx.xx.xx.xx:6642
> 
>  NEWS|  6 
>  manpages.mk |  4 +++
>  ovn/utilities/ovn-ctl   | 72 
> ++---
>  ovn/utilities/ovn-ctl.8.xml |  7 +
>  4 files changed, 72 insertions(+), 17 deletions(-)
> 
> diff --git a/NEWS b/NEWS
> index 882f611..ec44dd5 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -10,6 +10,12 @@ Post-v2.6.0
>   * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions.
>   * Support for managing SSL and remote connection configuration in
> northbound and southbound databases.
> + * TCP connections to northbound and southbound databases are no
> +   longer enabled by default and must be explicitly configured.
> +   See documentation for ovn-sbctl/ovn-nbctl "set-connection"
> +   command or the ovn-ctl "--db-sb-create-insecure-remote" and
> +   "--db-nb-create-insecure-remote" command-line options for
> +   information regarding remote connection configuration.
> - Fixed regression in table stats maintenance introduced in OVS
>   2.3.0, wherein the number of OpenFlow table hits and misses was
>   not accurate.
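Review bot: the new NEWS bullet should say outright that this is a behaviour change that can break existing deployments on upgrade; the commit message states it ("This is a change in behavior from previous versions") but the NEWS text only says the connections "must be explicitly configured". A deployment whose ovn-controller hosts reach the SB database over a tcp: remote will lose that connection after upgrading until one of the named ovn-ctl options is set or set-connection is run. A line such as `+   This is a change in behavior from previous releases; deployments that` / `+   relied on the default TCP listener must configure a remote when upgrading.` would make the operational impact visible where release notes are read.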
> diff --git a/manpages.mk b/manpages.mk
> index 742bd66..825e2bc 100644
> --- a/manpages.mk
> +++ b/manpages.mk
> @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
>   lib/vlog-syn.man \
>   lib/vlog.man \
>   ovsdb/remote-active.man \
> + ovsdb/remote-active.man \
> + ovsdb/remote-passive.man \
>   ovsdb/remote-passive.man
>  ovsdb/ovsdb-client.1.in:
>  lib/common-syn.man:
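Review bot: the two added lines in this hunk list ovsdb/remote-active.man and ovsdb/remote-passive.man as prerequisites of ovsdb/ovsdb-client.1 a second time; both already appear in the unchanged context lines directly above and below them. If manpages.mk is regenerated from the manpage sources rather than edited by hand, say so in the commit message so reviewers know the duplication is an artifact of that tool; otherwise drop the two `+` lines, since a duplicate prerequisite changes nothing and this file is not what the patch is about (the ovn-ctl script and ovn-ctl.8.xml in the diffstat are).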
> @@ -58,6 +60,8 @@ lib/table.man:
>
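The SSL setup the commit message walks through (set-ssl, set-connection pssl:, the --ovn-controller-ssl-* options and external-ids:ovn-remote=ssl:) leaves an operator with one thing to verify after the upgrade: that no plaintext ptcp listener survives on the NB/SB databases and that each ovn-controller points at an ssl: remote. The helper below is an added example written for this thread, not code from the patch or from OVN. It assumes that ovn-nbctl/ovn-sbctl get-connection print one target per line in the form set-connection accepts (optionally prefixed with "read-only"), that ovs-vsctl get prints the ovn-remote string in double quotes, and the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not part of the patch or of OVN): audit the remotes the
# NB/SB databases listen on and the remote ovn-controller connects to, and
# flag anything still in plaintext. Assumptions are noted on each function.

# insecure_remotes TEXT: print every ptcp:/tcp: target found in TEXT, one
# per line. TEXT is assumed to be the output of "ovn-sbctl get-connection"
# or "ovn-nbctl get-connection": one target per line, e.g. "pssl:6642" or
# "read-only ptcp:6641".
insecure_remotes() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ptcp|tcp):/) print $i
        }'
}

# check_db_remotes NAME TEXT: report on one database; return 0 when no
# plaintext remote is configured, 1 otherwise.
check_db_remotes() {
    name=$1
    bad=$(insecure_remotes "$2")
    if [ -n "$bad" ]; then
        printf '%s: plaintext remote(s) configured: %s\n' \
            "$name" "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    printf '%s: no plaintext remotes\n' "$name"
    return 0
}

# remote_is_ssl VALUE: succeed only if the ovn-remote external-id uses ssl:.
# VALUE is assumed to be what "ovs-vsctl get Open_vSwitch . \
# external-ids:ovn-remote" prints, i.e. the string in double quotes.
remote_is_ssl() {
    v=$(printf '%s' "$1" | tr -d '"')
    case $v in
        ssl:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample outputs: a SB database configured as in the commit
# message, and a NB database where someone left a read-only ptcp remote.
SB_OK="pssl:6642"
NB_BAD="pssl:6641
read-only ptcp:6641"
CONTROLLER_REMOTE='"ssl:w.x.y.z:6642"'

# Live usage on the central node would be:
#   check_db_remotes "OVN_Southbound" "$(ovn-sbctl get-connection)"
#   check_db_remotes "OVN_Northbound" "$(ovn-nbctl get-connection)"
# and on each compute node:
#   remote_is_ssl "$(ovs-vsctl get Open_vSwitch . external-ids:ovn-remote)"
check_db_remotes "OVN_Southbound" "$SB_OK"
check_db_remotes "OVN_Northbound" "$NB_BAD" ||
    echo "OVN_Northbound: replace the ptcp remote with set-connection pssl:6641"
remote_is_ssl "$CONTROLLER_REMOTE" && echo "ovn-remote uses SSL"
```

The awk filter matches the scheme prefix only, so a future listener form such as ptcp:6641:0.0.0.0 is still caught, while punix: and pssl: targets pass; the exit status of check_db_remotes is what a post-upgrade script or a configuration-management check should key on, not the printed text.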