

ovn-ctl: Add ssl-ciphers and protocols support.
Setting up OVN on new kernel bumps openssl version.
Since the OVS PKI infrastructure generated the older ssl certs with an
old openssl version, raft fails with the error

2024-02-27T19:28:39.673Z|00022|stream_ssl|WARN|SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

For running ovn-controller in container, we can still pin ssl-ciphers directly.
This was missed to set via ovn-ctl utility and hence setting the same.

e.g. pin ciphers to 'HIGH:!aNULL:!MD5:@SECLEVEL=1'
for raft/ovn-controllers, etc.

Also update options to show up ssl-ciphers and ssl-protocols for each
components in help.

Signed-off-by: Aliasgar Ginwala <aginwala@ebay.com>
Signed-off-by: Mark Michelson <mmichels@redhat.com>
noah8713 authored and putnopvut committed Mar 18, 2024
1 parent 82d8ea6 commit 6fcf898
Showing 2 changed files with 83 additions and 2 deletions.
69 changes: 67 additions & 2 deletions utilities/ovn-ctl
Expand Up @@ -185,6 +185,8 @@ start_ovsdb__() {
local ovn_db_election_timer
local relay_mode
local cluster_db_upgrade
local ovn_db_ssl_protocols
local ovn_db_ssl_ciphers
eval db_pid_file=\$DB_${DB}_PIDFILE
eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
Expand Down Expand Up @@ -214,6 +216,8 @@ start_ovsdb__() {
eval relay_mode=\$RELAY_MODE
eval relay_remote=\$DB_${DB}_REMOTE
eval cluster_db_upgrade=\$DB_CLUSTER_SCHEMA_UPGRADE
eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS
eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS

ovn_install_dir "$OVN_RUNDIR"
ovn_install_dir "$ovn_logdir"
Expand Down Expand Up @@ -313,8 +317,17 @@ $cluster_remote_port
set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
fi

set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
if test X"$ovn_db_ssl_protocols" != X; then
set "$@" --ssl-protocols=$ovn_db_ssl_protocols
else
set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
fi

if test X"$ovn_db_ssl_ciphers" != X; then
set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers
else
set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
fi

if test X"$create_insecure_remote" = Xyes; then
set "$@" --remote=ptcp:$port:$addr
Expand Down Expand Up @@ -523,6 +536,12 @@ start_northd () {
if test "$OVN_NORTHD_N_THREADS" != 1; then
set "$@" --n-threads=$OVN_NORTHD_N_THREADS
fi
if test X"$OVN_NORTHD_SSL_PROTOCOLS" != X; then
set "$@" --ssl-protocols=$OVN_NORTHD_SSL_PROTOCOLS
fi
if test X"$OVN_NORTHD_SSL_CIPHERS" != X; then
set "$@" --ssl-ciphers=$OVN_NORTHD_SSL_CIPHERS
fi

[ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"

Expand Down Expand Up @@ -558,6 +577,12 @@ start_ic () {
if test X"$OVN_IC_SSL_CA_CERT" != X; then
set "$@" --ca-cert=$OVN_IC_SSL_CA_CERT
fi
if test X"$OVN_IC_SSL_PROTOCOLS" != X; then
set "$@" --ssl-protocols=$OVN_IC_SSL_PROTOCOLS
fi
if test X"$OVN_IC_SSL_CIPHERS" != X; then
set "$@" --ssl-ciphers=$OVN_IC_SSL_CIPHERS
fi

[ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"

Expand Down Expand Up @@ -586,6 +611,12 @@ start_controller () {
if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
fi
if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then
set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS
fi
if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then
set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS
fi

[ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"

Expand All @@ -611,6 +642,12 @@ start_controller_vtep () {
if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
fi
if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then
set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS
fi
if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then
set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS
fi
if test X"$DB_SOCK" != X; then
set "$@" --vtep-db=$DB_SOCK
fi
Expand Down Expand Up @@ -814,14 +851,20 @@ set_defaults () {
OVN_CONTROLLER_SSL_CERT=""
OVN_CONTROLLER_SSL_CA_CERT=""
OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT=""
OVN_CONTROLLER_SSL_PROTOCOLS=""
OVN_CONTROLLER_SSL_CIPHERS=""

OVN_NORTHD_SSL_KEY=""
OVN_NORTHD_SSL_CERT=""
OVN_NORTHD_SSL_CA_CERT=""
OVN_NORTHD_SSL_PROTOCOLS=""
OVN_NORTHD_SSL_CIPHERS=""

OVN_IC_SSL_KEY=""
OVN_IC_SSL_CERT=""
OVN_IC_SSL_CA_CERT=""
OVN_IC_SSL_PROTOCOLS=""
OVN_IC_SSL_CIPHERS=""

DB_SB_CREATE_INSECURE_REMOTE="no"
DB_NB_CREATE_INSECURE_REMOTE="no"
Expand Down Expand Up @@ -878,18 +921,26 @@ set_defaults () {
OVN_NB_DB_SSL_KEY=""
OVN_NB_DB_SSL_CERT=""
OVN_NB_DB_SSL_CA_CERT=""
OVN_NB_DB_SSL_PROTOCOLS=""
OVN_NB_DB_SSL_CIPHERS=""

OVN_SB_DB_SSL_KEY=""
OVN_SB_DB_SSL_CERT=""
OVN_SB_DB_SSL_CA_CERT=""
OVN_SB_DB_SSL_PROTOCOLS=""
OVN_SB_DB_SSL_CIPHERS=""

OVN_IC_NB_DB_SSL_KEY=""
OVN_IC_NB_DB_SSL_CERT=""
OVN_IC_NB_DB_SSL_CA_CERT=""
OVN_IC_NB_DB_SSL_PROTOCOLS=""
OVN_IC_NB_DB_SSL_CIPHERS=""

OVN_IC_SB_DB_SSL_KEY=""
OVN_IC_SB_DB_SSL_CERT=""
OVN_IC_SB_DB_SSL_CA_CERT=""
OVN_IC_SB_DB_SSL_PROTOCOLS=""
OVN_IC_SB_DB_SSL_CIPHERS=""

RELAY_MODE=no
DB_SB_RELAY_REMOTE=
Expand Down Expand Up @@ -988,15 +1039,23 @@ Options:
--ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
--ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
--ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
--ovn-controller-ssl-protocols=PROTOCOLS OVN Southbound SSL protocols
--ovn-controller-ssl-ciphers=CIPHERS OVN Southbound SSL cipher list
--ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
--ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
--ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
--ovn-nb-db-ssl-protocols=PROTOCOLS OVN Northbound DB SSL protocols
--ovn-nb-db-ssl-ciphers=CIPHERS OVN Northbound DB SSL cipher list
--ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
--ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
--ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
--ovn-sb-db-ssl-protocols=PROTOCOLS OVN Southbound DB SSL protocols
--ovn-sb-db-ssl-ciphers=CIPHERS OVN Southbound DB SSL cipher list
--ovn-northd-ssl-key=KEY OVN Northd SSL private key file
--ovn-northd-ssl-cert=CERT OVN Northd SSL certificate file
--ovn-northd-ssl-ca-cert=CERT OVN Northd SSL CA certificate file
--ovn-northd-ssl-protocols=PROTOCOLS OVN Northd SSL protocols
--ovn-northd-ssl-ciphers=CIPHERS OVN Northd SSL cipher list
--ovn-manage-ovsdb=yes|no Whether or not the OVN NB/SB databases should be
automatically started and stopped along
with ovn-northd. The default is "yes". If
Expand All @@ -1014,14 +1073,20 @@ Options:
--ovn-ic-ssl-key=KEY OVN IC SSL private key file
--ovn-ic-ssl-cert=CERT OVN IC SSL certificate file
--ovn-ic-ssl-ca-cert=CERT OVN IC SSL CA certificate file
--ovn-ic-ssl-protocols=PROTOCOLS OVN IC SSL protocols
--ovn-ic-ssl-ciphers=CIPHERS OVN IC SSL cipher list
--ovn-ic-log=STRING ovn-ic process logging params (default: $OVN_IC_LOG)
--ovn-ic-logfile=STRING ovn-ic process log file (default: $OVN_IC_LOGFILE)
--ovn-ic-nb-db-ssl-key=KEY OVN IC Northbound DB SSL private key file
--ovn-ic-nb-db-ssl-cert=CERT OVN IC Northbound DB SSL certificate file
--ovn-ic-nb-db-ssl-ca-cert=CERT OVN IC Northbound DB SSL CA certificate file
--ovn-ic-nb-db-ssl-protocols=PROTOCOLS OVN IC Northbound DB SSL protocols
--ovn-ic-nb-db-ssl-ciphers=CIPHERS OVN IC Northbound DB SSL cipher list
--ovn-ic-sb-db-ssl-key=KEY OVN IC Southbound DB SSL private key file
--ovn-ic-sb-db-ssl-cert=CERT OVN IC Southbound DB SSL certificate file
--ovn-ic-sb-db-ssl-ca-cert=CERT OVN IC Southbound DB SSL CA certificate file
--ovn-ic-sb-db-ssl-protocols=PROTOCOLS OVN IC Southbound DB SSL protocols
--ovn-ic-sb-db-ssl-ciphers=CIPHERS OVN IC Southbound DB SSL cipher list
--ovn-user="user[:group]" pass the --user flag to the ovn daemons
--ovs-user="user[:group]" pass the --user flag to ovs daemons
--ovsdb-nb-wrapper=WRAPPER run with a wrapper like valgrind for debugging
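Review bot: In the start_ovsdb__ hunk (@@ -313,8 +317,17 @@), an explicit `ovn_db_ssl_protocols`/`ovn_db_ssl_ciphers` value replaces the `db:$schema_name,SSL,...` reference entirely, so once the command-line knob is set the SSL table's ssl_protocols/ssl_ciphers columns are silently ignored for that database, and that precedence is stated nowhere in the help text added in the @@ -988 and @@ -1014 hunks. Add a comment above the first new `if`, `# Explicit --ovn-*-db-ssl-protocols/ciphers take precedence over the SSL table columns.`, so the next maintainer does not assume the two sources are merged. The help entries could also say what is expected, e.g. `--ovn-nb-db-ssl-ciphers=CIPHERS OVN Northbound DB SSL cipher list (OpenSSL cipher string; overrides the SSL table value)`, and likewise for the protocols entries. The daemon hunks (start_northd, start_ic, start_controller, start_controller_vtep) pass the values unquoted, which matches the surrounding `--ca-cert=$...` lines, so only the ovsdb precedence point is new here. start_ovsdb__ begins and ends outside the hunk.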
16 changes: 16 additions & 0 deletions utilities/ovn-ctl.8.xml
Expand Up @@ -92,6 +92,22 @@
<p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
<p><code>--ovn-controller-ssl-bootstrap-ca-cert=<var>CERT</var></code></p>

<h1>Protocol and Cipher options</h1>
<p><code>--ovn-controller-ssl-protocols=<var>PROTOCOLS</var></code></p>
<p><code>--ovn-ic-ssl-protocols=<var>PROTOCOLS</var></code></p>
<p><code>--ovn-northd-ssl-protocols=<var>PROTOCOLS</var></code></p>
<p><code>--ovn-nb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
<p><code>--ovn-sb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
<p><code>--ovn-ic-nb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
<p><code>--ovn-ic-sb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
<p><code>--ovn-controller-ssl-ciphers=<var>CIPHERS</var></code></p>
<p><code>--ovn-ic-ssl-ciphers=<var>CIPHERS</var></code></p>
<p><code>--ovn-northd-ssl-ciphers=<var>CIPHERS</var></code></p>
<p><code>--ovn-nb-db-ssl-ciphers=<var>CIPHERS</var></code></p>
<p><code>--ovn-sb-db-ssl-ciphers=<var>CIPHERS</var></code></p>
<p><code>--ovn-ic-nb-db-ssl-ciphers=<var>CIPHERS</var></code></p>
<p><code>--ovn-ic-sb-db-ssl-ciphers=<var>CIPHERS</var></code></p>

<h1>Address and port options</h1>
<p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
<p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
