| author | Lance Richardson <lrichard@redhat.com> | 2017-01-03 13:29:10 -0500 |
|---|---|---|
| committer | Ben Pfaff <blp@ovn.org> | 2017-01-05 07:49:08 -0800 |
| commit | 84d0ca5d00fe01b29163236d48fa0f9105687149 (patch) | |
| tree | 4d89e3126e3d967ff27e72e749e2d4504c789ef9 /NEWS | |
| parent | c2269819c3b7f03b31113eb2881b87da5fbfaf2f (diff) | |
| download | openvswitch-84d0ca5d00fe01b29163236d48fa0f9105687149.tar.gz | |
ovn-ctl: add support for SSL nb/sb db connections
Add support for SSL connections to OVN northbound and/or
southbound databases.
To improve security, the NB and SB ovsdb daemons no longer
have open ptcp connections by default. This is a change in
behavior from previous versions; users wishing to use TCP
connections to the NB/SB daemons can either request that
a passive TCP connection be used via ovn-ctl command-line
options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-create-insecure-remote=yes
    --db-nb-create-insecure-remote=yes

or configure a connection after the NB/SB daemons have been
started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641
Users desiring SSL database connections will need to generate certificates
and private key as described in INSTALL.SSL.rst and perform the following
one-time configuration steps:

    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-sbctl set-connection pssl:6642
    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-nbctl set-connection pssl:6641
On the ovn-controller and ovn-controller-vtep side, SSL configuration
must be provided on the command-line when the daemons are started. This
should be provided via the following command-line options (e.g. via
OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):

    --ovn-controller-ssl-key=<private-key>
    --ovn-controller-ssl-cert=<certificate>
    --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
        external-ids:ovn-remote=ssl:w.x.y.z:6642
Acked-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
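The procedure above leaves an operator with two things to verify after an upgrade: that no plaintext `ptcp:` remote was left configured on the NB/SB databases, and that the three PEM files handed to ovn-controller actually exist before the daemon is restarted with them. The following POSIX shell script is an added example, not code from the OVS commit or the project; it assumes that `ovn-nbctl get-connection` / `ovn-sbctl get-connection` print one remote target per line (the sample output embedded below is constructed so the script runs offline), and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the OVS commit): audit OVN NB/SB remote
# targets for plaintext transports and assemble the ovn-controller SSL
# options only when every PEM file is present.

# Constructed sample of "ovn-sbctl get-connection" / "ovn-nbctl
# get-connection" output (assumed format: one target per line).
SAMPLE_SB_CONNECTIONS='pssl:6642
ptcp:6642'
SAMPLE_NB_CONNECTIONS='pssl:6641'

# audit_connections DBNAME TARGETS
# Returns 0 when every target is SSL (pssl:/ssl:) or a local unix socket,
# 1 when any plaintext target (ptcp:/tcp:) or unknown scheme is present.
# Offending targets are reported on stderr.
audit_connections() {
    db="$1"
    targets="$2"
    rc=0
    oldifs="$IFS"
    IFS='
'
    for t in $targets; do
        case "$t" in
            pssl:*|ssl:*) ;;
            punix:*|unix:*) ;;
            ptcp:*|tcp:*)
                echo "$db: plaintext remote '$t' is still configured" >&2
                rc=1 ;;
            *)
                echo "$db: unrecognized remote '$t'" >&2
                rc=1 ;;
        esac
    done
    IFS="$oldifs"
    return $rc
}

# controller_ssl_opts KEY CERT CA
# Prints the ovn-ctl options for ovn-controller (suitable for
# OVN_CONTROLLER_OPTS) and returns 1 without printing anything if any of
# the three files is missing or unreadable, so a typo in a path fails
# loudly instead of starting the daemon without SSL material.
controller_ssl_opts() {
    key="$1"; cert="$2"; ca="$3"
    for f in "$key" "$cert" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done
    printf -- '--ovn-controller-ssl-key=%s --ovn-controller-ssl-cert=%s --ovn-controller-ssl-ca-cert=%s\n' \
        "$key" "$cert" "$ca"
}

# Usage on the constructed samples: NB passes, SB flags the ptcp: target.
audit_connections NB "$SAMPLE_NB_CONNECTIONS" && echo "NB: all remotes use SSL"
audit_connections SB "$SAMPLE_SB_CONNECTIONS" || echo "SB: plaintext remote found (see stderr)"
```

On a live host the targets would come from `$(ovn-sbctl get-connection)` instead of the embedded sample, and the option string from `controller_ssl_opts` can be exported as `OVN_CONTROLLER_OPTS` before invoking `ovn-ctl start_controller`.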
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -12,6 +12,12 @@ Post-v2.6.0 - put_dhcp_opts and put_dhcp_optsv6 actions may now be traced. * Support for managing SSL and remote connection configuration in northbound and southbound databases. + * TCP connections to northbound and southbound databases are no + longer enabled by default and must be explicitly configured. + See documentation for ovn-sbctl/ovn-nbctl "set-connection" + command or the ovn-ctl "--db-sb-create-insecure-remote" and + "--db-nb-create-insecure-remote" command-line options for + information regarding remote connection configuration. - Fixed regression in table stats maintenance introduced in OVS 2.3.0, wherein the number of OpenFlow table hits and misses was not accurate. |
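Review bot: the new NEWS bullet only points readers at the "set-connection" command and the "--db-*-create-insecure-remote" options, but the commit message also says ovn-controller and ovn-controller-vtep now need "--ovn-controller-ssl-key", "--ovn-controller-ssl-cert" and "--ovn-controller-ssl-ca-cert" on the command line and that "external-ids:ovn-remote" must be changed to an "ssl:" target; suggest adding a sentence to the bullet naming those options and INSTALL.SSL.rst, since a reader upgrading from the release notes alone will otherwise re-enable the insecure remote rather than finish the SSL setup.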