
ovn-ctl: add support for SSL nb/sb db connections

Add support for SSL connections to OVN northbound and/or
southbound databases.

To improve security, the NB and SB ovsdb daemons no longer
have open ptcp connections by default.  This is a change in
behavior from previous versions; users wishing to use TCP
connections to the NB/SB daemons can either request that
a passive TCP connection be used via ovn-ctl command-line
options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-create-insecure-remote=yes
    --db-nb-create-insecure-remote=yes

Or configure a connection after the NB/SB daemons have been
started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641

Users desiring SSL database connections will need to generate certificates
and private key as described in INSTALL.SSL.rst and perform the following
one-time configuration steps:

   ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
   ovn-sbctl set-connection pssl:6642
   ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
   ovn-nbctl set-connection pssl:6641

On the ovn-controller and ovn-controller-vtep side, SSL configuration
must be provided on the command-line when the daemons are started, this
should be provided via the following command-line options (e.g. via
OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):

   --ovn-controller-ssl-key=<private-key>
   --ovn-controller-ssl-cert=<certificate>
   --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
              external-ids:ovn-remote=ssl:w.x.y.z:6642

Acked-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Lance Richardson
2017-01-03 13:29:10 -05:00
committed by Ben Pfaff
parent c2269819c3
commit 84d0ca5d00
4 changed files with 77 additions and 22 deletions

NEWS

@@ -12,6 +12,12 @@ Post-v2.6.0
- put_dhcp_opts and put_dhcp_optsv6 actions may now be traced. - put_dhcp_opts and put_dhcp_optsv6 actions may now be traced.
* Support for managing SSL and remote connection configuration in * Support for managing SSL and remote connection configuration in
northbound and southbound databases. northbound and southbound databases.
* TCP connections to northbound and southbound databases are no
longer enabled by default and must be explicitly configured.
See documentation for ovn-sbctl/ovn-nbctl "set-connection"
command or the ovn-ctl "--db-sb-create-insecure-remote" and
"--db-nb-create-insecure-remote" command-line options for
information regarding remote connection configuration.
- Fixed regression in table stats maintenance introduced in OVS - Fixed regression in table stats maintenance introduced in OVS
2.3.0, wherein the number of OpenFlow table hits and misses was 2.3.0, wherein the number of OpenFlow table hits and misses was
not accurate. not accurate.


@@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
lib/vlog-syn.man \ lib/vlog-syn.man \
lib/vlog.man \ lib/vlog.man \
ovsdb/remote-active.man \ ovsdb/remote-active.man \
ovsdb/remote-active.man \
ovsdb/remote-passive.man \
ovsdb/remote-passive.man ovsdb/remote-passive.man
ovsdb/ovsdb-client.1.in: ovsdb/ovsdb-client.1.in:
lib/common-syn.man: lib/common-syn.man:
@@ -58,6 +60,8 @@ lib/table.man:
lib/vlog-syn.man: lib/vlog-syn.man:
lib/vlog.man: lib/vlog.man:
ovsdb/remote-active.man: ovsdb/remote-active.man:
ovsdb/remote-active.man:
ovsdb/remote-passive.man:
ovsdb/remote-passive.man: ovsdb/remote-passive.man:
ovsdb/ovsdb-server.1: \ ovsdb/ovsdb-server.1: \


@@ -50,7 +50,7 @@ stop_ovsdb () {
demote_ovnnb() { demote_ovnnb() {
if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
fi fi
if test -e $ovnnb_active_conf_file; then if test -e $ovnnb_active_conf_file; then
@@ -64,7 +64,7 @@ demote_ovnnb() {
demote_ovnsb() { demote_ovnsb() {
if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
fi fi
if test -e $ovnsb_active_conf_file; then if test -e $ovnsb_active_conf_file; then
@@ -93,15 +93,21 @@ start_ovsdb () {
set ovsdb-server set ovsdb-server
set "$@" --detach --monitor $OVN_NB_LOG \ set "$@" --detach --monitor
--log-file=$OVN_NB_LOGFILE \ set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
--remote=punix:$DB_NB_SOCK \ set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
--remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \ set "$@" --remote=db:OVN_Northbound,NB_Global,connections
--pidfile=$DB_NB_PID \ set "$@" --unixctl=ovnnb_db.ctl
--unixctl=ovnnb_db.ctl set "$@" --private-key=db:OVN_Northbound,SSL,private_key
set "$@" --certificate=db:OVN_Northbound,SSL,certificate
set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
fi
if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
fi fi
if test -e $ovnnb_active_conf_file; then if test -e $ovnnb_active_conf_file; then
@@ -118,15 +124,21 @@ start_ovsdb () {
set ovsdb-server set ovsdb-server
set "$@" --detach --monitor $OVN_SB_LOG \ set "$@" --detach --monitor
--log-file=$OVN_SB_LOGFILE \ set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
--remote=punix:$DB_SB_SOCK \ set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
--remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \ set "$@" --remote=db:OVN_Southbound,SB_Global,connections
--pidfile=$DB_SB_PID \ set "$@" --unixctl=ovnsb_db.ctl
--unixctl=ovnsb_db.ctl set "$@" --private-key=db:OVN_Southbound,SSL,private_key
set "$@" --certificate=db:OVN_Southbound,SSL,certificate
set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then
set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
fi
if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
fi fi
if test -e $ovnsb_active_conf_file; then if test -e $ovnsb_active_conf_file; then
@@ -208,12 +220,22 @@ start_northd () {
start_controller () { start_controller () {
set ovn-controller "unix:$DB_SOCK" set ovn-controller "unix:$DB_SOCK"
set "$@" $OVN_CONTROLLER_LOG set "$@" $OVN_CONTROLLER_LOG
if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
fi
OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
} }
start_controller_vtep () { start_controller_vtep () {
set ovn-controller-vtep "unix:$DB_SOCK" set ovn-controller-vtep "unix:$DB_SOCK"
set "$@" -vconsole:emer -vsyslog:err -vfile:info set "$@" -vconsole:emer -vsyslog:err -vfile:info
if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
fi
OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@" OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
} }
@@ -275,6 +297,7 @@ set_defaults () {
DB_NB_FILE=$dbdir/ovnnb_db.db DB_NB_FILE=$dbdir/ovnnb_db.db
DB_NB_ADDR=0.0.0.0 DB_NB_ADDR=0.0.0.0
DB_NB_PORT=6641 DB_NB_PORT=6641
DB_NB_SYNC_FROM_PROTO=tcp
DB_NB_SYNC_FROM_ADDR= DB_NB_SYNC_FROM_ADDR=
DB_NB_SYNC_FROM_PORT=6641 DB_NB_SYNC_FROM_PORT=6641
@@ -283,6 +306,7 @@ set_defaults () {
DB_SB_FILE=$dbdir/ovnsb_db.db DB_SB_FILE=$dbdir/ovnsb_db.db
DB_SB_ADDR=0.0.0.0 DB_SB_ADDR=0.0.0.0
DB_SB_PORT=6642 DB_SB_PORT=6642
DB_SB_SYNC_FROM_PROTO=tcp
DB_SB_SYNC_FROM_ADDR= DB_SB_SYNC_FROM_ADDR=
DB_SB_SYNC_FROM_PORT=6642 DB_SB_SYNC_FROM_PORT=6642
@@ -307,6 +331,13 @@ set_defaults () {
OVN_SB_LOG="-vconsole:off" OVN_SB_LOG="-vconsole:off"
OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log" OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log" OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
OVN_CONTROLLER_SSL_KEY=""
OVN_CONTROLLER_SSL_CERT=""
OVN_CONTROLLER_SSL_CA_CERT=""
DB_SB_CREATE_INSECURE_REMOTE="no"
DB_NB_CREATE_INSECURE_REMOTE="no"
} }
set_option () { set_option () {
@@ -350,6 +381,9 @@ Options:
--ovn-northd-wrapper=WRAPPER run with a wrapper like valgrind for debugging --ovn-northd-wrapper=WRAPPER run with a wrapper like valgrind for debugging
--ovn-controller-priority=NICE set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY) --ovn-controller-priority=NICE set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY)
--ovn-controller-wrapper=WRAPPER run with a wrapper like valgrind for debugging --ovn-controller-wrapper=WRAPPER run with a wrapper like valgrind for debugging
--ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
--ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
--ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
--ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be --ovn-manage-ovsdb=yes|no Whether or not the OVN databases should be
automatically started and stopped along automatically started and stopped along
with ovn-northd. The default is "yes". If with ovn-northd. The default is "yes". If
@@ -376,9 +410,13 @@ File location options:
--ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE) --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE)
--ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE) --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE)
--db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR) --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR)
--db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT) --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
--db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO)
--db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound remote (default: $DB_NB_CREATE_INSECURE_REMOTE)
--db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR) --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR)
--db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT) --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT)
--db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO)
--db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound remote (default: $DB_SB_CREATE_INSECURE_REMOTE)
Default directories with "configure" option and environment variable override: Default directories with "configure" option and environment variable override:
logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR) logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)
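Review bot: In start_controller and start_controller_vtep (hunk @@ -208,12 +220,22 @@) the SSL options are gated on $OVN_CONTROLLER_SSL_CERT alone, so a configuration that sets the certificate but leaves --ovn-controller-ssl-key or --ovn-controller-ssl-ca-cert at their empty defaults still passes `--private-key=` and `--ca-cert=` with empty values to the daemon, and any failure surfaces only as a daemon-side error rather than a clear ovn-ctl message; conversely an empty certificate with a key and CA set silently starts the controller with no SSL options at all. Since all three values are needed for a usable SSL configuration, gate on all of them, e.g. `if test X"$OVN_CONTROLLER_SSL_KEY" != X && test X"$OVN_CONTROLLER_SSL_CERT" != X && test X"$OVN_CONTROLLER_SSL_CA_CERT" != X; then`, and consider reporting a partially set triple as an error instead of proceeding. The same guard appears in both functions, so the fix applies twice in that hunk. Separately, the help text for the new --db-nb-create-insecure-remote and --db-sb-create-insecure-remote options could state that the ptcp remote binds to $DB_NB_ADDR / $DB_SB_ADDR, which default to 0.0.0.0 in set_defaults, so operators know the listener is on all interfaces unless they also pass an address.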


@@ -38,17 +38,24 @@
<p><code>-h</code> | <code>--help</code></p> <p><code>-h</code> | <code>--help</code></p>
<h1>File location options</h1> <h1>File location options</h1>
<p><code>--db-sock==<var>SOCKET</var></code></p> <p><code>--db-sock=<var>SOCKET</var></code></p>
<p><code>--db-nb-file==<var>FILE</var></code></p> <p><code>--db-nb-file=<var>FILE</var></code></p>
<p><code>--db-sb-file==<var>FILE</var></code></p> <p><code>--db-sb-file=<var>FILE</var></code></p>
<p><code>--db-nb-schema==<var>FILE</var></code></p> <p><code>--db-nb-schema=<var>FILE</var></code></p>
<p><code>--db-sb-schema==<var>FILE</var></code></p> <p><code>--db-sb-schema=<var>FILE</var></code></p>
<p><code>--db-sb-create-insecure-remote=<var>yes|no</var></code></p>
<p><code>--db-nb-create-insecure-remote=<var>yes|no</var></code></p>
<p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
<p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
<p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
<h1>Address and port options</h1> <h1>Address and port options</h1>
<p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
<p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p> <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
<p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
<p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p> <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
<p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p> <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
<p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
<h1>Configuration files</h1> <h1>Configuration files</h1>
<p>Following are the optional configuration files. If present, it should be located in the etc dir</p> <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>