ovsdb-server: Add the ability to push peer-cert.
In OVN, ovsdb-server is the daemon that manages the databases
and can be considered the central controller. So it would be
nice for ovsdb-server to be able to push its self-signed
certificate to all the other nodes where ovn-controller runs.

Signed-off-by: Gurucharan Shetty <[email protected]>
Acked-by: Ben Pfaff <[email protected]>
shettyg committed Aug 21, 2015
1 parent 3656109 commit 5bf6cbd
Showing 8 changed files with 41 additions and 1 deletion.
1 change: 1 addition & 0 deletions lib/automake.mk
Expand Up @@ -436,6 +436,7 @@ MAN_FRAGMENTS += \
lib/ssl-bootstrap.man \
lib/ssl-bootstrap-syn.man \
lib/ssl-peer-ca-cert.man \
lib/ssl-peer-ca-cert-syn.man \
lib/ssl.man \
lib/ssl-syn.man \
lib/table.man \
1 change: 1 addition & 0 deletions lib/jsonrpc.c
Expand Up @@ -948,6 +948,7 @@ jsonrpc_session_run(struct jsonrpc_session *s)
reconnect_connect_failed(s->reconnect, time_msec(), error);
stream_close(s->stream);
s->stream = NULL;
s->last_error = error;
}
}

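Review bot: `s->last_error = error;` records the connect failure, but nothing in this hunk clears `last_error` when a later connect attempt succeeds, so a caller that reads it after a reconnect (for example through jsonrpc_session_get_last_error()) may see a stale value if no other path resets it, which is not visible here. The field's intended meaning should be stated where it is declared, e.g. `/* Error from the most recent failed connect or disconnect; not reset when a later connection succeeds. */`, or the successful-connect branch should set it back to 0 if that is the contract callers rely on. The enclosing jsonrpc_session_run() starts outside the hunk.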
2 changes: 1 addition & 1 deletion lib/ssl-bootstrap-syn.man
@@ -1,2 +1,2 @@
.br
[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem]
[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR]
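--- /dev/null
+++ b/lib/ssl-peer-ca-cert-syn.man
@@ -0,0 +1,2 @@
+.br
+[\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR]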
4 changes: 4 additions & 0 deletions manpages.mk
Expand Up @@ -54,6 +54,8 @@ ovsdb/ovsdb-server.1: \
lib/service.man \
lib/ssl-bootstrap-syn.man \
lib/ssl-bootstrap.man \
lib/ssl-peer-ca-cert-syn.man \
lib/ssl-peer-ca-cert.man \
lib/ssl-syn.man \
lib/ssl.man \
lib/unixctl-syn.man \
Expand All @@ -74,6 +76,8 @@ lib/service-syn.man:
lib/service.man:
lib/ssl-bootstrap-syn.man:
lib/ssl-bootstrap.man:
lib/ssl-peer-ca-cert-syn.man:
lib/ssl-peer-ca-cert.man:
lib/ssl-syn.man:
lib/ssl.man:
lib/unixctl-syn.man:
2 changes: 2 additions & 0 deletions ovsdb/ovsdb-server.1.in
Expand Up @@ -21,6 +21,7 @@ ovsdb\-server \- Open vSwitch database server
.so lib/vlog-syn.man
.so lib/ssl-syn.man
.so lib/ssl-bootstrap-syn.man
.so lib/ssl-peer-ca-cert-syn.man
.so lib/unixctl-syn.man
.so lib/common-syn.man
.
Expand Down Expand Up @@ -111,6 +112,7 @@ as the file name. (This means that ordinarily there should be at most
one row in \fItable\fR.)
.so lib/ssl.man
.so lib/ssl-bootstrap.man
.so lib/ssl-peer-ca-cert.man
.SS "Other Options"
.so lib/unixctl.man
.so lib/common.man
6 changes: 6 additions & 0 deletions ovsdb/ovsdb-server.c
Expand Up @@ -1252,6 +1252,7 @@ parse_options(int *argcp, char **argvp[],
OPT_UNIXCTL,
OPT_RUN,
OPT_BOOTSTRAP_CA_CERT,
OPT_PEER_CA_CERT,
VLOG_OPTION_ENUMS,
DAEMON_OPTION_ENUMS
};
Expand All @@ -1266,6 +1267,7 @@ parse_options(int *argcp, char **argvp[],
DAEMON_LONG_OPTIONS,
VLOG_LONG_OPTIONS,
{"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
{"peer-ca-cert", required_argument, NULL, OPT_PEER_CA_CERT},
{"private-key", required_argument, NULL, 'p'},
{"certificate", required_argument, NULL, 'c'},
{"ca-cert", required_argument, NULL, 'C'},
Expand Down Expand Up @@ -1325,6 +1327,10 @@ parse_options(int *argcp, char **argvp[],
bootstrap_ca_cert = true;
break;

case OPT_PEER_CA_CERT:
stream_ssl_set_peer_ca_cert_file(optarg);
break;

case '?':
exit(EXIT_FAILURE);

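Review bot: `case OPT_PEER_CA_CERT:` acts on the file immediately with `stream_ssl_set_peer_ca_cert_file(optarg);`, whereas the neighbouring SSL cases appear to only record their settings (the preceding case ends in `bootstrap_ca_cert = true;`) and apply them after parsing, so a bad path is handled in the middle of option parsing rather than together with the rest of the SSL setup, and since no result is checked here a misspelled file can leave nothing to push without the option itself failing. Whether the setter logs an error or accumulates certificates when the option is repeated is not visible in the hunk. A consistent shape would be `peer_ca_cert_file = optarg;` in this case and the call to `stream_ssl_set_peer_ca_cert_file(peer_ca_cert_file)` next to where the private key and certificate are installed in main(), which is outside this hunk. parse_options() also starts outside the hunk.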
24 changes: 24 additions & 0 deletions tests/ovs-vsctl.at
Expand Up @@ -1309,3 +1309,27 @@ AT_CHECK([RUN_OVS_VSCTL([get interface 0fcd11a1-2ba8-4b38-a358-4bccf2bf3057 type

OVS_VSCTL_CLEANUP
AT_CLEANUP

AT_SETUP([peer ca cert])
AT_KEYWORDS([ovs-vsctl ssl])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
PKIDIR=`pwd`
OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log"
$OVS_PKI -B 1024 init && \
$OVS_PKI -B 1024 req+sign vsctl switch && \
$OVS_PKI -B 1024 req ovsdbserver && $OVS_PKI self-sign ovsdbserver

dnl Create database.
touch .conf.db.~lock~
AT_CHECK([ovsdb-tool create conf.db $abs_top_srcdir/vswitchd/vswitch.ovsschema])
AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/ovsdbserver-cert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore])
ON_EXIT_UNQUOTED([kill `cat pid`])
SSL_PORT=`parse_listening_port < ovsdb-server.log`

# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error.
AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore])

# If the bootstrap was successful, the following file should exist.
OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP
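Review bot: The test stops at `OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])`, which proves that the bootstrap wrote a file but not that the certificate pushed via `--peer-ca-cert` actually lets a client verify ovsdb-server afterwards. Because `--bootstrap-ca-cert` trusts whatever certificate the server presents on first contact, the meaningful assertion is the second, verified handshake; add after the wait `AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --ca-cert=$PKIDIR/cacert.pem show], [0], [ignore], [ignore])`. Comparing the bootstrapped file with `$PKIDIR/ovsdbserver-cert.pem` would additionally pin that the stored certificate is the one the server was told to push, provided both are written in the same PEM form. In the comment above the bootstrap check, `o/p` would read better spelled out as `output`.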
