author | Lance Richardson <lrichard@redhat.com> | 2017-01-03 13:29:10 -0500 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2017-01-05 07:49:08 -0800 |
commit | 84d0ca5d00fe01b29163236d48fa0f9105687149 (patch) | |
tree | 4d89e3126e3d967ff27e72e749e2d4504c789ef9 /manpages.mk | |
parent | c2269819c3b7f03b31113eb2881b87da5fbfaf2f (diff) | |
ovn-ctl: add support for SSL nb/sb db connections

Add support for SSL connections to OVN northbound and/or
southbound databases.

To improve security, the NB and SB ovsdb daemons no longer
have open ptcp connections by default. This is a change in
behavior from previous versions; users wishing to use TCP
connections to the NB/SB daemons can either request that
a passive TCP connection be used via ovn-ctl command-line
options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-create-insecure-remote=yes
    --db-nb-create-insecure-remote=yes

Or configure a connection after the NB/SB daemons have been
started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641

Users desiring SSL database connections will need to generate certificates
and private key as described in INSTALL.SSL.rst and perform the following
one-time configuration steps:

    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-sbctl set-connection pssl:6642
    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-nbctl set-connection pssl:6641

On the ovn-controller and ovn-controller-vtep side, SSL configuration
must be provided on the command-line when the daemons are started; this
should be provided via the following command-line options (e.g. via
OVN_CTL_OPTS/OVN_CONTROLLER_OPTS in startup scripts):

    --ovn-controller-ssl-key=<private-key>
    --ovn-controller-ssl-cert=<certificate>
    --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
        external-ids:ovn-remote=ssl:w.x.y.z:6642

Acked-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'manpages.mk')
-rw-r--r-- | manpages.mk | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/manpages.mk b/manpages.mk index 742bd66cd..825e2bc4d 100644 --- a/manpages.mk +++ b/manpages.mk @@ -42,6 +42,8 @@ ovsdb/ovsdb-client.1: \ lib/vlog-syn.man \ lib/vlog.man \ ovsdb/remote-active.man \ + ovsdb/remote-active.man \ + ovsdb/remote-passive.man \ ovsdb/remote-passive.man ovsdb/ovsdb-client.1.in: lib/common-syn.man: @@ -58,6 +60,8 @@ lib/table.man: lib/vlog-syn.man: lib/vlog.man: ovsdb/remote-active.man: +ovsdb/remote-active.man: +ovsdb/remote-passive.man: ovsdb/remote-passive.man: ovsdb/ovsdb-server.1: \ |
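Review bot: In the first hunk (the ovsdb/ovsdb-client.1 prerequisite list), the two added lines `ovsdb/remote-active.man \` and `ovsdb/remote-passive.man \` repeat entries that already appear as the context lines directly before and after them, so each fragment is now listed twice for the same target. make accepts duplicate prerequisites, so the build is not broken, but the repetition is noise in the dependency list. If manpages.mk is produced by a dependency scan of the man page sources, deduplicate the include list there; if it is maintained by hand, drop the two added lines.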
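Review bot: In the second hunk, the added empty rules `ovsdb/remote-active.man:` and `ovsdb/remote-passive.man:` duplicate the identical rules on the surrounding context lines. Repeated recipe-less rules for one target are merged by make, so they have no effect beyond the existing pair, and they should go away together with the duplicate prerequisites in the first hunk. Nothing in this file's change is specific to the SSL remotes described in the commit message, so a short note on why these fragments are pulled in a second time would help a later reader of the log.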