mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-29 13:27:59 +00:00
Code Issues Releases Wiki Activity

ovn: ssl proto/cipher configuration in nb/sb db

Browse Source 
Add SSL protocol and cipher columns to SSL tables in northbound
and southbound databases. Start nb/sb ovsdb-server with command-
line options to use these columns. Add support to ovn-nbctl
and ovn-sbctl "set-ssl" commands for user-friendly management
of these settings.

Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This commit is contained in:
Lance Richardson 2017-06-07 13:35:20 -04:00 committed by Ben Pfaff
parent 6cf5c52147
commit 51af591bd3
10 changed files with 64 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ovn/ovn-nb.ovsschema
View File

@ -1,7 +1,7 @@
{ {
"name": "OVN_Northbound", "name": "OVN_Northbound",
"version": "5.6.0", "version": "5.6.0",
"cksum": "1358108512 15019", "cksum": "2552205612 15123",
"tables": { "tables": {
"NB_Global": { "NB_Global": {
"columns": { "columns": {
@ -287,6 +287,8 @@
"certificate": {"type": "string"}, "certificate": {"type": "string"},
"ca_cert": {"type": "string"}, "ca_cert": {"type": "string"},
"bootstrap_ca_cert": {"type": "boolean"}, "bootstrap_ca_cert": {"type": "boolean"},
"ssl_protocols": {"type": "string"},
"ssl_ciphers": {"type": "string"},
"external_ids": {"type": {"key": "string", "external_ids": {"type": {"key": "string",
"value": "string", "value": "string",
"min": 0, "min": 0,

11
ovn/ovn-nb.xml
View File

@ -2084,6 +2084,17 @@
CA certificate.</em> It may still be useful for bootstrapping. CA certificate.</em> It may still be useful for bootstrapping.
</column> </column>
<column name="ssl_protocols">
List of SSL protocols to be enabled for SSL connections. The default
when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
</column>
<column name="ssl_ciphers">
List of ciphers (in OpenSSL cipher string format) to be supported
for SSL connections. The default when this option is omitted is
<code>HIGH:!aNULL:!MD5</code>.
</column>
<group title="Common Columns"> <group title="Common Columns">
The overall purpose of these columns is described under <code>Common The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document. Columns</code> at the beginning of this document.

4
ovn/ovn-sb.ovsschema
View File

@ -1,7 +1,7 @@
{ {
"name": "OVN_Southbound", "name": "OVN_Southbound",
"version": "1.12.1", "version": "1.12.1",
"cksum": "1914140659 10905", "cksum": "761192506 11009",
"tables": { "tables": {
"SB_Global": { "SB_Global": {
"columns": { "columns": {
@ -201,6 +201,8 @@
"certificate": {"type": "string"}, "certificate": {"type": "string"},
"ca_cert": {"type": "string"}, "ca_cert": {"type": "string"},
"bootstrap_ca_cert": {"type": "boolean"}, "bootstrap_ca_cert": {"type": "boolean"},
"ssl_protocols": {"type": "string"},
"ssl_ciphers": {"type": "string"},
"external_ids": {"type": {"key": "string", "external_ids": {"type": {"key": "string",
"value": "string", "value": "string",
"min": 0, "min": 0,

11
ovn/ovn-sb.xml
View File

@ -2779,6 +2779,17 @@ tcp.flags = RST;
CA certificate.</em> It may still be useful for bootstrapping. CA certificate.</em> It may still be useful for bootstrapping.
</column> </column>
<column name="ssl_protocols">
List of SSL protocols to be enabled for SSL connections. The default
when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
</column>
<column name="ssl_ciphers">
List of ciphers (in OpenSSL cipher string format) to be supported
for SSL connections. The default when this option is omitted is
<code>HIGH:!aNULL:!MD5</code>.
</column>
<group title="Common Columns"> <group title="Common Columns">
The overall purpose of these columns is described under <code>Common The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document. Columns</code> at the beginning of this document.

4
ovn/utilities/ovn-ctl
View File

@ -108,6 +108,8 @@ start_nb_ovsdb() {
set "$@" --private-key=db:OVN_Northbound,SSL,private_key set "$@" --private-key=db:OVN_Northbound,SSL,private_key
set "$@" --certificate=db:OVN_Northbound,SSL,certificate set "$@" --certificate=db:OVN_Northbound,SSL,certificate
set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
set "$@" --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
set "$@" --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers
if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
@ -141,6 +143,8 @@ start_sb_ovsdb() {
set "$@" --private-key=db:OVN_Southbound,SSL,private_key set "$@" --private-key=db:OVN_Southbound,SSL,private_key
set "$@" --certificate=db:OVN_Southbound,SSL,certificate set "$@" --certificate=db:OVN_Southbound,SSL,certificate
set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
set "$@" --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
set "$@" --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers
if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then
set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR

4
ovn/utilities/ovn-nbctl.8.xml
View File

@ -796,7 +796,9 @@
Deletes the current SSL configuration. Deletes the current SSL configuration.
</dd> </dd>
<dt>[<code>--bootstrap</code>] <code>set-ssl</code> <var>private-key</var> <var>certificate</var> <var>ca-cert</var></dt> <dt>[<code>--bootstrap</code>] <code>set-ssl</code>
<var>private-key</var> <var>certificate</var> <var>ca-cert</var>
[<var>ssl-protocol-list</var> [<var>ssl-cipher-list</var>]]</dt>
<dd> <dd>
Sets the SSL configuration. Sets the SSL configuration.
</dd> </dd>

15
ovn/utilities/ovn-nbctl.c
View File

@ -430,7 +430,8 @@ Connection commands:\n\
SSL commands:\n\ SSL commands:\n\
get-ssl print the SSL configuration\n\ get-ssl print the SSL configuration\n\
del-ssl delete the SSL configuration\n\ del-ssl delete the SSL configuration\n\
set-ssl PRIV-KEY CERT CA-CERT set the SSL configuration\n\ set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
set the SSL configuration\n\
\n\ \n\
%s\ %s\
\n\ \n\
@ -3069,6 +3070,13 @@ cmd_set_ssl(struct ctl_context *ctx)
nbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap); nbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
if (ctx->argc == 5) {
nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
} else if (ctx->argc == 6) {
nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
nbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
}
nbrec_nb_global_set_ssl(nb_global, ssl); nbrec_nb_global_set_ssl(nb_global, ssl);
} }
@ -3463,8 +3471,9 @@ static const struct ctl_command_syntax nbctl_commands[] = {
/* SSL commands. */ /* SSL commands. */
{"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO}, {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
{"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW}, {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
{"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl, {"set-ssl", 3, 5,
cmd_set_ssl, NULL, "--bootstrap", RW}, "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
{NULL, 0, 0, NULL, NULL, NULL, NULL, "", RO}, {NULL, 0, 0, NULL, NULL, NULL, NULL, "", RO},
}; };

2
ovn/utilities/ovn-sbctl.8.in
View File

@ -246,7 +246,7 @@ Prints the SSL configuration.
.IP "\fBdel\-ssl\fR" .IP "\fBdel\-ssl\fR"
Deletes the current SSL configuration. Deletes the current SSL configuration.
. .
.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR" .IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR [\fIssl-protocol-list\fR [\fIssl-cipher-list\fR]]"
Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described
below. below.
. .

15
ovn/utilities/ovn-sbctl.c
View File

@ -319,7 +319,8 @@ Connection commands:\n\
SSL commands:\n\ SSL commands:\n\
get-ssl print the SSL configuration\n\ get-ssl print the SSL configuration\n\
del-ssl delete the SSL configuration\n\ del-ssl delete the SSL configuration\n\
set-ssl PRIV-KEY CERT CA-CERT set the SSL configuration\n\ set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
set the SSL configuration\n\
\n\ \n\
%s\ %s\
\n\ \n\
@ -1114,6 +1115,13 @@ cmd_set_ssl(struct ctl_context *ctx)
sbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap); sbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
if (ctx->argc == 5) {
sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
} else if (ctx->argc == 6) {
sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
sbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
}
sbrec_sb_global_set_ssl(sb_global, ssl); sbrec_sb_global_set_ssl(sb_global, ssl);
} }
@ -1407,8 +1415,9 @@ static const struct ctl_command_syntax sbctl_commands[] = {
/* SSL commands. */ /* SSL commands. */
{"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO}, {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
{"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW}, {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
{"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl, {"set-ssl", 3, 5,
cmd_set_ssl, NULL, "--bootstrap", RW}, "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
{NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO}, {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO},
}; };

4
tutorial/ovs-sandbox
View File

@ -350,6 +350,8 @@ if $ovn; then
--private-key=db:OVN_Northbound,SSL,private_key \ --private-key=db:OVN_Northbound,SSL,private_key \
--certificate=db:OVN_Northbound,SSL,certificate \ --certificate=db:OVN_Northbound,SSL,certificate \
--ca-cert=db:OVN_Northbound,SSL,ca_cert \ --ca-cert=db:OVN_Northbound,SSL,ca_cert \
--ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols \
--ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers \
--remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \ rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
--pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \ --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
@ -358,6 +360,8 @@ if $ovn; then
--private-key=db:OVN_Southbound,SSL,private_key \ --private-key=db:OVN_Southbound,SSL,private_key \
--certificate=db:OVN_Southbound,SSL,certificate \ --certificate=db:OVN_Southbound,SSL,certificate \
--ca-cert=db:OVN_Southbound,SSL,ca_cert \ --ca-cert=db:OVN_Southbound,SSL,ca_cert \
--ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols \
--ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers \
--remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args
# Start SB back up server # Start SB back up server
rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \ rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \