ovn-sb: remote connection management in sb db

Add support for managing remote connections, including
SSL configuration, to southbound db schema, and add necessary
commands to ovn-sbctl.

Signed-off-by: Lance Richardson <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>

NEWS

@@ -9,7 +9,7 @@ Post-v2.6.0
      * Support for source IP address based routing.
      * ovn-trace can now trace put_dhcp_opts and put_dhcp_optsv6 actions.
      * Support for managing SSL and remote connection configuration in
-       northbound database.
+       northbound and southbound databases.
    - Fixed regression in table stats maintenance introduced in OVS
      2.3.0, wherein the number of OpenFlow table hits and misses was
      not accurate.

manpages.mk

@@ -4,16 +4,26 @@ ovn/utilities/ovn-sbctl.8: \
 	ovn/utilities/ovn-sbctl.8.in \
 	lib/common.man \
 	lib/db-ctl-base.man \
+	lib/ssl-bootstrap.man \
+	lib/ssl-peer-ca-cert.man \
+	lib/ssl.man \
 	lib/table.man \
 	lib/vlog.man \
 	ovsdb/remote-active.man \
+	ovsdb/remote-active.man \
+	ovsdb/remote-passive.man \
 	ovsdb/remote-passive.man
 ovn/utilities/ovn-sbctl.8.in:
 lib/common.man:
 lib/db-ctl-base.man:
+lib/ssl-bootstrap.man:
+lib/ssl-peer-ca-cert.man:
+lib/ssl.man:
 lib/table.man:
 lib/vlog.man:
 ovsdb/remote-active.man:
+ovsdb/remote-active.man:
+ovsdb/remote-passive.man:
 ovsdb/remote-passive.man:
 
 ovsdb/ovsdb-client.1: \

ovn/ovn-sb.ovsschema

@@ -1,7 +1,7 @@
 {
     "name": "OVN_Southbound",
     "version": "1.9.0",
-    "cksum": "239060528 9012",
+    "cksum": "2240045372 9719",
     "tables": {
         "SB_Global": {
             "columns": {
@@ -13,7 +13,11 @@
                     "type": {"key": {"type": "uuid",
                                      "refTable": "Connection"},
                                      "min": 0,
-                                     "max": "unlimited"}}},
+                                     "max": "unlimited"}},
+                "ssl": {
+                    "type": {"key": {"type": "uuid",
+                                     "refTable": "SSL"},
+                                     "min": 0, "max": 1}}},
             "maxRows": 1,
             "isRoot": true},
         "Chassis": {
@@ -183,4 +187,15 @@
                                     "min": 0,
                                     "max": "unlimited"},
                                     "ephemeral": true}},
-            "indexes": [["target"]]}}}
+            "indexes": [["target"]]},
+        "SSL": {
+            "columns": {
+                "private_key": {"type": "string"},
+                "certificate": {"type": "string"},
+                "ca_cert": {"type": "string"},
+                "bootstrap_ca_cert": {"type": "boolean"},
+                "external_ids": {"type": {"key": "string",
+                                          "value": "string",
+                                          "min": 0,
+                                          "max": "unlimited"}}},
+            "maxRows": 1}}}

ovn/ovn-sb.xml

@@ -169,6 +169,9 @@
         connections should be configured.  See the <ref table="Connection"/>
         table for more information.
       </column>
+      <column name="ssl">
+        Global SSL configuration.
+      </column>
     </group>
   </table>
 
@@ -2311,7 +2314,9 @@ tcp.flags = RST;
             <p>
               The specified SSL <var>port</var> on the host at the given
               <var>ip</var>, which must be expressed as an IP address
-              (not a DNS name).
+              (not a DNS name). A valid SSL configuration must be provided
+              when this form is used, this configuration can be specified
+              via command-line options or the <ref table="SSL"/> table.
             </p>
             <p>
               If <var>port</var> is not specified, it defaults to 6640.
@@ -2347,6 +2352,9 @@ tcp.flags = RST;
               address, wrap in square brackets,
               e.g. <code>pssl:6640:[::1]</code>.  If <var>ip</var> is not
               specified then it listens only on IPv4 (but not IPv6) addresses.
+              A valid SSL configuration must be provided when this form is used,
+             this can be specified either via command-line options or the
+             <ref table="SSL"/> table.
             </p>
             <p>
               If <var>port</var> is not specified, it defaults to 6640.
@@ -2519,4 +2527,42 @@ tcp.flags = RST;
       <column name="other_config"/>
     </group>
   </table>
+  <table name="SSL">
+    SSL configuration for ovn-sb database access.
+
+    <column name="private_key">
+      Name of a PEM file containing the private key used as the switch's
+      identity for SSL connections to the controller.
+    </column>
+
+    <column name="certificate">
+      Name of a PEM file containing a certificate, signed by the
+      certificate authority (CA) used by the controller and manager,
+      that certifies the switch's private key, identifying a trustworthy
+      switch.
+    </column>
+
+    <column name="ca_cert">
+      Name of a PEM file containing the CA certificate used to verify
+      that the switch is connected to a trustworthy controller.
+    </column>
+
+    <column name="bootstrap_ca_cert">
+      If set to <code>true</code>, then Open vSwitch will attempt to
+      obtain the CA certificate from the controller on its first SSL
+      connection and save it to the named PEM file. If it is successful,
+      it will immediately drop the connection and reconnect, and from then
+      on all SSL connections must be authenticated by a certificate signed
+      by the CA certificate thus obtained.  <em>This option exposes the
+      SSL connection to a man-in-the-middle attack obtaining the initial
+      CA certificate.</em>  It may still be useful for bootstrapping.
+    </column>
+
+    <group title="Common Columns">
+      The overall purpose of these columns is described under <code>Common
+      Columns</code> at the beginning of this document.
+
+      <column name="external_ids"/>
+    </group>
+  </table>
 </database>

ovn/utilities/ovn-sbctl.8.in

@@ -22,10 +22,6 @@ ovn\-sbctl \- utility for querying and configuring \fBOVN_Southbound\fR database
 \fR[\fIargs\fR] [\fB\-\-\fR [\fIoptions\fR] \fIcommand \fR[\fIargs\fR]]...
 .
 .SH DESCRIPTION
-The command should only be used for advanced debugging and troubleshooting
-of the \fBOVN_Southbound\fR database; and should never be used in normal
-operation.
-.PP
 The \fBovn\-sbctl\fR program configures the \fBOVN_Southbound\fR database
 by providing a high\-level interface to its configuration database.  See
 \fBovn\-sb\fR(5) for comprehensive documentation of the database schema.
@@ -105,6 +101,11 @@ These options control the format of output from the \fBlist\fR and
 \fBfind\fR commands.
 .so lib/table.man
 .
+.SS "Public Key Infrastructure Options"
+.so lib/ssl.man
+.so lib/ssl-bootstrap.man
+.so lib/ssl-peer-ca-cert.man
+.
 .SH COMMANDS
 The commands implemented by \fBovn\-sbctl\fR are described in the
 sections below.
@@ -166,6 +167,82 @@ flows for that logical datapath.
 .IP "\fBdump\-flows\fR [\fIlogical-datapath\fR]"
 Alias for \fBlflow\-list\fB.
 .
+.SS "Remote Connectivity Commands"
+.
+These commands manipulate the \fBconnections\fR column in the \fBSB_Global\fR
+table and rows in the \fBConnection\fR table.  When \fBovsdb\-server\fR
+is configured to use the \fBconnections\fR column for OVSDB connections,
+this allows the administrator to use \fBovn\-sbctl\fR to configure database
+connections.
+.
+.IP "\fBget\-connection\fR"
+Prints the configured connection(s).
+.
+.IP "\fBdel\-connection\fR"
+Deletes the configured connection(s).
+.
+.IP "\fBset\-connection\fR [\fIaccess\-specifier\fR] \fItarget\fR\&..."
+Sets the configured manager target or targets.  Each \fItarget\fR may
+be preceded by an optional access-specifier (\fBread\-only\fR or
+\fBread\-write\fR) and may use any of the following forms:
+.
+.RS
+.so ovsdb/remote-active.man
+.so ovsdb/remote-passive.man
+.RE
+
+If provided, the effect of the access specifier persists for subsequent
+targets until changed by another access specifier.
+.
+.SS "SSL Configuration"
+When \fBovsdb\-server\fR is configured to connect using SSL, the
+following parameters are required:
+.TP
+\fIprivate-key\fR
+Specifies a PEM file containing the private key used for SSL connections.
+.TP
+\fIcertificate\fR
+Specifies a PEM file containing a certificate, signed by the
+certificate authority (CA) used by the connection peers, that
+certifies the private key, identifying a trustworthy peer.
+.TP
+\fIca-cert\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the connection peers are trustworthy.
+.PP
+These SSL settings apply to all SSL connections made by the southbound
+database server.
+.
+.IP "\fBget\-ssl\fR"
+Prints the SSL configuration.
+.
+.IP "\fBdel\-ssl\fR"
+Deletes the current SSL configuration.
+.
+.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
+Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described
+below.
+.
+.ST "CA Certificate Bootstrap"
+.PP
+Ordinarily, all of the files named in the SSL configuration must exist
+before SSL connectivity can be used.  However, if the \fIca-cert\fR file
+does not exist and the \fB\-\-bootstrap\fR
+option is given, then \fBovsdb\-server\fR will attempt to obtain the
+CA certificate from the target on its first SSL connection and
+save it to the named PEM file.  If it is successful, it will
+immediately drop the connection and reconnect, and from then on all
+SSL connections must be authenticated by a certificate signed by the
+CA certificate thus obtained.
+.PP
+\fBThis option exposes the SSL connection to a man-in-the-middle
+attack obtaining the initial CA certificate\fR, but it may be useful
+for bootstrapping.
+.PP
+This option is only useful if the SSL peer sends its CA certificate
+as part of the SSL certificate chain.  The SSL protocol does not
+require the controller to send the CA certificate.
+.
 .so lib/db-ctl-base.man
 .SH "EXIT STATUS"
 .IP "0"