From: Gurucharan Shetty
Date: Wed, 19 Aug 2015 22:42:07 +0000 (-0700)
Subject: ovsdb-server: Add the ability to push peer-cert.
X-Git-Tag: v2.5.0~707
X-Git-Url: http://git.cascardo.eti.br/?p=cascardo%2Fovs.git;a=commitdiff_plain;h=5bf6cbd6961f22a99df799ea0f3e816792ba42c3

ovsdb-server: Add the ability to push peer-cert.

In OVN, ovsdb-server is the daemon that manages the databases and can be called as the central controller. So it would be nice for ovsdb-server to be able to push its self-signed certificate to all the other nodes where ovn-controller runs.

Signed-off-by: Gurucharan Shetty
Acked-by: Ben Pfaff
---
diff --git a/lib/automake.mk b/lib/automake.mk
index 15a9373bb..20bf7c8f1 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -436,6 +436,7 @@ MAN_FRAGMENTS += \
 lib/ssl-bootstrap.man \
 lib/ssl-bootstrap-syn.man \
 lib/ssl-peer-ca-cert.man \
+ lib/ssl-peer-ca-cert-syn.man \
 lib/ssl.man \
 lib/ssl-syn.man \
 lib/table.man \
diff --git a/lib/jsonrpc.c b/lib/jsonrpc.c
index ae51b4299..1e312a278 100644
--- a/lib/jsonrpc.c
+++ b/lib/jsonrpc.c
@@ -948,6 +948,7 @@ jsonrpc_session_run(struct jsonrpc_session *s)
 reconnect_connect_failed(s->reconnect, time_msec(), error);
 stream_close(s->stream);
 s->stream = NULL;
+ s->last_error = error;
 }
 }
 
diff --git a/lib/ssl-bootstrap-syn.man b/lib/ssl-bootstrap-syn.man
index 9425321f5..c503645a9 100644
--- a/lib/ssl-bootstrap-syn.man
+++ b/lib/ssl-bootstrap-syn.man
@@ -1,2 +1,2 @@
 .br
-[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem]
+[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR]
diff --git a/lib/ssl-peer-ca-cert-syn.man b/lib/ssl-peer-ca-cert-syn.man
new file mode 100644
index 000000000..4a558eeb8
--- /dev/null
+++ b/lib/ssl-peer-ca-cert-syn.man
@@ -0,0 +1,2 @@
+.br
+[\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR]
diff --git a/manpages.mk b/manpages.mk
index 6e2853b63..614124294 100644
--- a/manpages.mk
+++ b/manpages.mk
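Review bot: The added `s->last_error = error;` records a connect-time failure without saying why it matters here, while the surrounding lines only close the stream and tell the reconnect state machine about the failure. A one-line comment would save the next reader a trip through the callers, e.g. `/* Remember the connect failure so jsonrpc_session_get_last_error() can report it after the stream is gone. */`. It is also worth confirming that nothing later in this function overwrites last_error on the next reconnect attempt before a caller has had a chance to read it; jsonrpc_session_run continues outside the hunk.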
@@ -54,6 +54,8 @@ ovsdb/ovsdb-server.1: \
 lib/service.man \
 lib/ssl-bootstrap-syn.man \
 lib/ssl-bootstrap.man \
+ lib/ssl-peer-ca-cert-syn.man \
+ lib/ssl-peer-ca-cert.man \
 lib/ssl-syn.man \
 lib/ssl.man \
 lib/unixctl-syn.man \
@@ -74,6 +76,8 @@ lib/service-syn.man:
 lib/service.man:
 lib/ssl-bootstrap-syn.man:
 lib/ssl-bootstrap.man:
+lib/ssl-peer-ca-cert-syn.man:
+lib/ssl-peer-ca-cert.man:
 lib/ssl-syn.man:
 lib/ssl.man:
 lib/unixctl-syn.man:
diff --git a/ovsdb/ovsdb-server.1.in b/ovsdb/ovsdb-server.1.in
index e33d718cb..e340993f7 100644
--- a/ovsdb/ovsdb-server.1.in
+++ b/ovsdb/ovsdb-server.1.in
@@ -21,6 +21,7 @@ ovsdb\-server \- Open vSwitch database server
 .so lib/vlog-syn.man
 .so lib/ssl-syn.man
 .so lib/ssl-bootstrap-syn.man
+.so lib/ssl-peer-ca-cert-syn.man
 .so lib/unixctl-syn.man
 .so lib/common-syn.man
 .
@@ -111,6 +112,7 @@ as the file name. (This means that ordinarily there should be at most one row
 in \fItable\fR.)
 .so lib/ssl.man
 .so lib/ssl-bootstrap.man
+.so lib/ssl-peer-ca-cert.man
 .SS "Other Options"
 .so lib/unixctl.man
 .so lib/common.man
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index cd13b0de1..4088d8544 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -1252,6 +1252,7 @@ parse_options(int *argcp, char **argvp[],
 OPT_UNIXCTL,
 OPT_RUN,
 OPT_BOOTSTRAP_CA_CERT,
+ OPT_PEER_CA_CERT,
 VLOG_OPTION_ENUMS,
 DAEMON_OPTION_ENUMS
 };
@@ -1266,6 +1267,7 @@ parse_options(int *argcp, char **argvp[],
 DAEMON_LONG_OPTIONS,
 VLOG_LONG_OPTIONS,
 {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
+ {"peer-ca-cert", required_argument, NULL, OPT_PEER_CA_CERT},
 {"private-key", required_argument, NULL, 'p'},
 {"certificate", required_argument, NULL, 'c'},
 {"ca-cert", required_argument, NULL, 'C'},
@@ -1325,6 +1327,10 @@ parse_options(int *argcp, char **argvp[],
 bootstrap_ca_cert = true;
 break;
 
+ case OPT_PEER_CA_CERT:
+ stream_ssl_set_peer_ca_cert_file(optarg);
+ break;
+
 case '?':
 exit(EXIT_FAILURE);
 
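Review bot: The new `case OPT_PEER_CA_CERT:` hands `optarg` straight to `stream_ssl_set_peer_ca_cert_file()` with no local check that the path is readable and no comment on what the file means for remote peers. Per the commit message and the new test, this is the certificate that clients running with --bootstrap-ca-cert will accept and persist as their trust anchor, so a comment at the case should make that explicit: `/* Sent to peers as our CA certificate; a client bootstrapping its CA cert will trust and store it, so this must be the CA cert (or the self-signed server cert), never an arbitrary file. */`. If stream_ssl_set_peer_ca_cert_file() only logs when the file cannot be opened (its body is not in this diff), a mistyped path would leave clients unable to bootstrap with nothing reported at startup, so it is worth checking that the failure is at least surfaced in the log. parse_options continues outside the hunk.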
diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at
index 435116a0d..fef7b8856 100644
--- a/tests/ovs-vsctl.at
+++ b/tests/ovs-vsctl.at
@@ -1309,3 +1309,27 @@ AT_CHECK([RUN_OVS_VSCTL([get interface 0fcd11a1-2ba8-4b38-a358-4bccf2bf3057 type
 OVS_VSCTL_CLEANUP
 AT_CLEANUP
+
+AT_SETUP([peer ca cert])
+AT_KEYWORDS([ovs-vsctl ssl])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR=`pwd`
+OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log"
+$OVS_PKI -B 1024 init && \
+$OVS_PKI -B 1024 req+sign vsctl switch && \
+$OVS_PKI -B 1024 req ovsdbserver && $OVS_PKI self-sign ovsdbserver
+
+dnl Create database.
+touch .conf.db.~lock~
+AT_CHECK([ovsdb-tool create conf.db $abs_top_srcdir/vswitchd/vswitch.ovsschema])
+AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/ovsdbserver-cert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore])
+ON_EXIT_UNQUOTED([kill `cat pid`])
+SSL_PORT=`parse_listening_port < ovsdb-server.log`
+
+# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error.
+AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore])
+
+# If the bootstrap was successful, the following file should exist.
+OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])
+OVSDB_SERVER_SHUTDOWN
+AT_CLEANUP
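Review bot: The test's only positive assertion is `OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])`, which proves that a file was written but not that the trust anchor the client stored is the certificate ovsdb-server was told to push with --peer-ca-cert, nor that it is usable. A second connection that verifies the server against the bootstrapped file and is expected to succeed would close that gap, e.g. after the wait: `AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --ca-cert=$PKIDIR/cacert.pem show], [0], [ignore], [ignore])`. Comparing the fingerprint of the bootstrapped file with that of ovsdbserver-cert.pem would additionally pin that the pushed certificate, not some other one, was stored. The first ovs-vsctl call expects exit status 1 with output ignored, so a failure for an unrelated reason is indistinguishable from the intended bootstrap teardown; the comment above it could state that limitation.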