ovn-ctl: add support for SSL nb/sb db connections

Add support for SSL connections to OVN northbound and/or southbound databases. To improve security, the NB and SB ovsdb daemons no longer have open ptcp connections by default. This is a change in behavior from previous versions, users wishing to use TCP connections to the NB/SB daemons can either request that a passive TCP connection be used via ovn-ctl command-line options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup scripts): --db-sb-create-insecure-remote=yes --db-nb-create-insecure-remote=yes Or configure a connection after the NB/SB daemons have been started, e.g.: ovn-sbctl set-connection ptcp:6642 ovn-nbctl set-connection ptcp:6641 Users desiring SSL database connections will need to generate certificates and private key as described in INSTALL.SSL.rst and perform the following one-time configuration steps: ovn-sbctl set-ssl <private-key> <certificate> <ca-cert> ovn-sbctl set-connection pssl:6642 ovn-nbctl set-ssl <private-key> <certificate> <ca-cert> ovn-nbctl set-connection pssl:6641 On the ovn-controller and ovn-controller-vtep side, SSL configuration must be provided on the command-line when the daemons are started, this should be provided via the following command-line options (e.g. via OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts): --ovn-controller-ssl-key=<private-key> --ovn-controller-ssl-cert=<certificate> --ovn-controller-ssl-ca-cert=<ca-cert> The SB database connection should also be configured to use SSL, e.g.: ovs-vsctl set Open_vSwitch . \ external-ids:ovn-remote=ssl:w.x.y.z:6642 Acked-by: Ben Pfaff <[email protected]> Signed-off-by: Lance Richardson <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
nicboul · Jan 5, 2017 · 84d0ca5 · 84d0ca5
1 parent c226981
commit 84d0ca5
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 22 deletions.
diff --git a/NEWS b/NEWS
@@ -12,6 +12,12 @@ Post-v2.6.0
        - put_dhcp_opts and put_dhcp_optsv6 actions may now be traced.
      * Support for managing SSL and remote connection configuration in
        northbound and southbound databases.
+     * TCP connections to northbound and southbound databases are no
+       longer enabled by default and must be explicitly configured.
+       See documentation for ovn-sbctl/ovn-nbctl "set-connection"
+       command or the ovn-ctl "--db-sb-create-insecure-remote" and
+       "--db-nb-create-insecure-remote" command-line options for
+       information regarding remote connection configuration.
    - Fixed regression in table stats maintenance introduced in OVS
      2.3.0, wherein the number of OpenFlow table hits and misses was
      not accurate.

diff --git a/manpages.mk b/manpages.mk
@@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \
 	lib/vlog-syn.man \
 	lib/vlog.man \
 	ovsdb/remote-active.man \
+	ovsdb/remote-active.man \
+	ovsdb/remote-passive.man \
 	ovsdb/remote-passive.man
 ovsdb/ovsdb-client.1.in:
 lib/common-syn.man:
@@ -58,6 +60,8 @@ lib/table.man:
 lib/vlog-syn.man:
 lib/vlog.man:
 ovsdb/remote-active.man:
+ovsdb/remote-active.man:
+ovsdb/remote-passive.man:
 ovsdb/remote-passive.man:
 
 ovsdb/ovsdb-server.1: \

diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
@@ -50,7 +50,7 @@ stop_ovsdb () {
 
 demote_ovnnb() {
     if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
-        echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
+        echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
     fi
 
     if test -e $ovnnb_active_conf_file; then
@@ -64,7 +64,7 @@ demote_ovnnb() {
 
 demote_ovnsb() {
     if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
-        echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
+        echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
     fi
 
     if test -e $ovnsb_active_conf_file; then
@@ -93,15 +93,21 @@ start_ovsdb () {
 
         set ovsdb-server
 
-        set "$@" --detach --monitor $OVN_NB_LOG \
-            --log-file=$OVN_NB_LOGFILE \
-            --remote=punix:$DB_NB_SOCK \
-            --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR \
-            --pidfile=$DB_NB_PID \
-            --unixctl=ovnnb_db.ctl
+        set "$@" --detach --monitor
+        set "$@" $OVN_NB_LOG --log-file=$OVN_NB_LOGFILE
+        set "$@" --remote=punix:$DB_NB_SOCK --pidfile=$DB_NB_PID
+        set "$@" --remote=db:OVN_Northbound,NB_Global,connections
+        set "$@" --unixctl=ovnnb_db.ctl
+        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
+        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
+        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
+
+        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
+            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
+        fi
 
         if test ! -z "$DB_NB_SYNC_FROM_ADDR"; then
-            echo "tcp:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
+            echo "$DB_NB_SYNC_FROM_PROTO:$DB_NB_SYNC_FROM_ADDR:$DB_NB_SYNC_FROM_PORT" > $ovnnb_active_conf_file
         fi
 
         if test -e $ovnnb_active_conf_file; then
@@ -118,15 +124,21 @@ start_ovsdb () {
 
         set ovsdb-server
 
-        set "$@" --detach --monitor $OVN_SB_LOG \
-            --log-file=$OVN_SB_LOGFILE \
-            --remote=punix:$DB_SB_SOCK \
-            --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR \
-            --pidfile=$DB_SB_PID \
-            --unixctl=ovnsb_db.ctl
+        set "$@" --detach --monitor
+        set "$@" $OVN_SB_LOG --log-file=$OVN_SB_LOGFILE
+        set "$@" --remote=punix:$DB_SB_SOCK --pidfile=$DB_SB_PID
+        set "$@" --remote=db:OVN_Southbound,SB_Global,connections
+        set "$@" --unixctl=ovnsb_db.ctl
+        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
+        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
+        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
+
+        if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then
+            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
+        fi
 
         if test ! -z "$DB_SB_SYNC_FROM_ADDR"; then
-            echo "tcp:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
+            echo "$DB_SB_SYNC_FROM_PROTO:$DB_SB_SYNC_FROM_ADDR:$DB_SB_SYNC_FROM_PORT" > $ovnsb_active_conf_file
         fi
 
         if test -e $ovnsb_active_conf_file; then
@@ -208,12 +220,22 @@ start_northd () {
 start_controller () {
     set ovn-controller "unix:$DB_SOCK"
     set "$@" $OVN_CONTROLLER_LOG
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
 start_controller_vtep () {
     set ovn-controller-vtep "unix:$DB_SOCK"
     set "$@" -vconsole:emer -vsyslog:err -vfile:info
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+        set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+        set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+        set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
@@ -275,6 +297,7 @@ set_defaults () {
     DB_NB_FILE=$dbdir/ovnnb_db.db
     DB_NB_ADDR=0.0.0.0
     DB_NB_PORT=6641
+    DB_NB_SYNC_FROM_PROTO=tcp
     DB_NB_SYNC_FROM_ADDR=
     DB_NB_SYNC_FROM_PORT=6641
 
@@ -283,6 +306,7 @@ set_defaults () {
     DB_SB_FILE=$dbdir/ovnsb_db.db
     DB_SB_ADDR=0.0.0.0
     DB_SB_PORT=6642
+    DB_SB_SYNC_FROM_PROTO=tcp
     DB_SB_SYNC_FROM_ADDR=
     DB_SB_SYNC_FROM_PORT=6642
 
@@ -307,6 +331,13 @@ set_defaults () {
     OVN_SB_LOG="-vconsole:off"
     OVN_NB_LOGFILE="$logdir/ovsdb-server-nb.log"
     OVN_SB_LOGFILE="$logdir/ovsdb-server-sb.log"
+
+    OVN_CONTROLLER_SSL_KEY=""
+    OVN_CONTROLLER_SSL_CERT=""
+    OVN_CONTROLLER_SSL_CA_CERT=""
+
+    DB_SB_CREATE_INSECURE_REMOTE="no"
+    DB_NB_CREATE_INSECURE_REMOTE="no"
 }
 
 set_option () {
@@ -350,6 +381,9 @@ Options:
   --ovn-northd-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
   --ovn-controller-priority=NICE     set ovn-northd's niceness (default: $OVN_CONTROLLER_PRIORITY)
   --ovn-controller-wrapper=WRAPPER   run with a wrapper like valgrind for debugging
+  --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
+  --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
+  --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
   --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
                                    automatically started and stopped along
                                    with ovn-northd. The default is "yes". If
@@ -376,9 +410,13 @@ File location options:
   --ovn-nb-logfile=FILE OVN Northbound log file (default: $OVN_NB_LOGFILE)
   --ovn-sb-logfile=FILE OVN Southbound log file (default: $OVN_SB_LOGFILE)
   --db-nb-sync-from-addr=ADDR OVN Northbound active db tcp address (default: $DB_NB_SYNC_FROM_ADDR)
-  --db-nb-sync-from-port=PORT OVN Northdbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
+  --db-nb-sync-from-port=PORT OVN Northbound active db tcp port (default: $DB_NB_SYNC_FROM_PORT)
+  --db-nb-sync-from-proto=PROTO OVN Northbound active db transport (default: $DB_NB_SYNC_FROM_PROTO)
+  --db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound remote (default: $DB_NB_CREATE_INSECURE_REMOTE)
   --db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address (default: $DB_SB_SYNC_FROM_ADDR)
   --db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default: $DB_SB_SYNC_FROM_PORT)
+  --db-sb-sync-from-proto=PROTO OVN Southbound active db transport (default: $DB_SB_SYNC_FROM_PROTO)
+  --db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound remote (default: $DB_SB_CREATE_INSECURE_REMOTE)
 
 Default directories with "configure" option and environment variable override:
   logs: /usr/local/var/log/openvswitch (--with-logdir, OVS_LOGDIR)

diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
@@ -38,17 +38,24 @@
     <p><code>-h</code> | <code>--help</code></p>
 
     <h1>File location options</h1>
-    <p><code>--db-sock==<var>SOCKET</var></code></p>
-    <p><code>--db-nb-file==<var>FILE</var></code></p>
-    <p><code>--db-sb-file==<var>FILE</var></code></p>
-    <p><code>--db-nb-schema==<var>FILE</var></code></p>
-    <p><code>--db-sb-schema==<var>FILE</var></code></p>
+    <p><code>--db-sock=<var>SOCKET</var></code></p>
+    <p><code>--db-nb-file=<var>FILE</var></code></p>
+    <p><code>--db-sb-file=<var>FILE</var></code></p>
+    <p><code>--db-nb-schema=<var>FILE</var></code></p>
+    <p><code>--db-sb-schema=<var>FILE</var></code></p>
+    <p><code>--db-sb-create-insecure-remote=<var>yes|no</var></code></p>
+    <p><code>--db-nb-create-insecure-remote=<var>yes|no</var></code></p>
+    <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
+    <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
+    <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
 
     <h1>Address and port options</h1>
     <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
     <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
+    <p><code>--db-nb-sync-from-proto=<var>PROTO</var></code></p>
     <p><code>--db-sb-sync-from-addr=<var>IP ADDRESS</var></code></p>
     <p><code>--db-sb-sync-from-port=<var>PORT NUMBER</var></code></p>
+    <p><code>--db-sb-sync-from-proto=<var>PROTO</var></code></p>
 
     <h1>Configuration files</h1>
     <p>Following are the optional configuration files. If present, it should be located in the etc dir</p>