ovsdb-server: Add the ability to push peer-cert.

In OVN, ovsdb-server is the daemon that manages the databases
and can be called as the central controller. So it would be
nice for ovsdb-server to be able to push its self-signed
certificate to all the other nodes where ovn-controller runs.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

diff --git a/lib/automake.mk b/lib/automake.mk
index 15a9373..20bf7c8 100644 (file)
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -436,6 +436,7 @@ MAN_FRAGMENTS += \
        lib/ssl-bootstrap.man \
        lib/ssl-bootstrap-syn.man \
        lib/ssl-peer-ca-cert.man \
+       lib/ssl-peer-ca-cert-syn.man \
        lib/ssl.man \
        lib/ssl-syn.man \
        lib/table.man \

diff --git a/lib/jsonrpc.c b/lib/jsonrpc.c
index ae51b42..1e312a2 100644 (file)
--- a/lib/jsonrpc.c
+++ b/lib/jsonrpc.c
@@ -948,6 +948,7 @@ jsonrpc_session_run(struct jsonrpc_session *s)
             reconnect_connect_failed(s->reconnect, time_msec(), error);
             stream_close(s->stream);
             s->stream = NULL;
+            s->last_error = error;
         }
     }
 

diff --git a/lib/ssl-bootstrap-syn.man b/lib/ssl-bootstrap-syn.man
index 9425321..c503645 100644 (file)
--- a/lib/ssl-bootstrap-syn.man
+++ b/lib/ssl-bootstrap-syn.man
@@ -1,2 +1,2 @@
 .br
-[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem]
+[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR]

diff --git a/lib/ssl-peer-ca-cert-syn.man b/lib/ssl-peer-ca-cert-syn.man
new file mode 100644 (file)
index 0000000..4a558ee
--- /dev/null
+++ b/lib/ssl-peer-ca-cert-syn.man
@@ -0,0 +1,2 @@
+.br
+[\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR]

diff --git a/manpages.mk b/manpages.mk
index 6e2853b..6141242 100644 (file)
--- a/manpages.mk
+++ b/manpages.mk
@@ -54,6 +54,8 @@ ovsdb/ovsdb-server.1: \
        lib/service.man \
        lib/ssl-bootstrap-syn.man \
        lib/ssl-bootstrap.man \
+       lib/ssl-peer-ca-cert-syn.man \
+       lib/ssl-peer-ca-cert.man \
        lib/ssl-syn.man \
        lib/ssl.man \
        lib/unixctl-syn.man \
@@ -74,6 +76,8 @@ lib/service-syn.man:
 lib/service.man:
 lib/ssl-bootstrap-syn.man:
 lib/ssl-bootstrap.man:
+lib/ssl-peer-ca-cert-syn.man:
+lib/ssl-peer-ca-cert.man:
 lib/ssl-syn.man:
 lib/ssl.man:
 lib/unixctl-syn.man:

diff --git a/ovsdb/ovsdb-server.1.in b/ovsdb/ovsdb-server.1.in
index e33d718..e340993 100644 (file)
--- a/ovsdb/ovsdb-server.1.in
+++ b/ovsdb/ovsdb-server.1.in
@@ -21,6 +21,7 @@ ovsdb\-server \- Open vSwitch database server
 .so lib/vlog-syn.man
 .so lib/ssl-syn.man
 .so lib/ssl-bootstrap-syn.man
+.so lib/ssl-peer-ca-cert-syn.man
 .so lib/unixctl-syn.man
 .so lib/common-syn.man
 .
@@ -111,6 +112,7 @@ as the file name.  (This means that ordinarily there should be at most
 one row in \fItable\fR.)
 .so lib/ssl.man
 .so lib/ssl-bootstrap.man
+.so lib/ssl-peer-ca-cert.man
 .SS "Other Options"
 .so lib/unixctl.man
 .so lib/common.man

diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index cd13b0d..4088d85 100644 (file)
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -1252,6 +1252,7 @@ parse_options(int *argcp, char **argvp[],
         OPT_UNIXCTL,
         OPT_RUN,
         OPT_BOOTSTRAP_CA_CERT,
+        OPT_PEER_CA_CERT,
         VLOG_OPTION_ENUMS,
         DAEMON_OPTION_ENUMS
     };
@@ -1266,6 +1267,7 @@ parse_options(int *argcp, char **argvp[],
         DAEMON_LONG_OPTIONS,
         VLOG_LONG_OPTIONS,
         {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
+        {"peer-ca-cert", required_argument, NULL, OPT_PEER_CA_CERT},
         {"private-key", required_argument, NULL, 'p'},
         {"certificate", required_argument, NULL, 'c'},
         {"ca-cert",     required_argument, NULL, 'C'},
@@ -1325,6 +1327,10 @@ parse_options(int *argcp, char **argvp[],
             bootstrap_ca_cert = true;
             break;
 
+        case OPT_PEER_CA_CERT:
+            stream_ssl_set_peer_ca_cert_file(optarg);
+            break;
+
         case '?':
             exit(EXIT_FAILURE);
 

diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at
index 435116a..fef7b88 100644 (file)
--- a/tests/ovs-vsctl.at
+++ b/tests/ovs-vsctl.at
@@ -1309,3 +1309,27 @@ AT_CHECK([RUN_OVS_VSCTL([get interface 0fcd11a1-2ba8-4b38-a358-4bccf2bf3057 type
 
 OVS_VSCTL_CLEANUP
 AT_CLEANUP
+
+AT_SETUP([peer ca cert])
+AT_KEYWORDS([ovs-vsctl ssl])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR=`pwd`
+OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log"
+$OVS_PKI -B 1024 init && \
+$OVS_PKI -B 1024 req+sign vsctl switch && \
+$OVS_PKI -B 1024 req ovsdbserver && $OVS_PKI self-sign ovsdbserver
+
+dnl Create database.
+touch .conf.db.~lock~
+AT_CHECK([ovsdb-tool create conf.db $abs_top_srcdir/vswitchd/vswitch.ovsschema])
+AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/ovsdbserver-cert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore])
+ON_EXIT_UNQUOTED([kill `cat pid`])
+SSL_PORT=`parse_listening_port < ovsdb-server.log`
+
+# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error.
+AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore])
+
+# If the bootstrap was successful, the following file should exist.
+OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])
+OVSDB_SERVER_SHUTDOWN
+AT_CLEANUP