Message ID | 20240229224003.83740-1-amginwal@gmail.com |
---|---|
State | Accepted |
Series | [ovs-dev,v4] ovn-ctl: Add ssl-ciphers and protocols support. | expand |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |
Thanks! Acked-by: Mark Michelson <mmichels@redhat.com> I went ahead and pushed this to main. On 2/29/24 17:40, amginwal@gmail.com wrote: > From: Aliasgar Ginwala <aginwala@ebay.com> > > Setting up OVN on new kernel bumps openssl version. > Since OVS PKI infrastructure that generated older ssl certs based on > old openssl version, raft fails with error > > 2024-02-27T19:28:39.673Z|00022|stream_ssl|WARN|SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed > > For running ovn-controller in container, we can still pin ssl-ciphers directly. > This was missed to set via ovn-ctl utility and hence setting the same. > > e.g. pin ciphers to 'HIGH:!aNULL:!MD5:@SECLEVEL=1' > for raft/ovn-controllers, etc. > > Also update options to show up ssl-ciphers and ssl-protocols for each > components in help. > > Signed-off-by: Aliasgar Ginwala <aginwala@ebay.com> > --- > utilities/ovn-ctl | 69 +++++++++++++++++++++++++++++++++++++++-- > utilities/ovn-ctl.8.xml | 16 ++++++++++ > 2 files changed, 83 insertions(+), 2 deletions(-) > > diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl > index 50d588358..700efe35a 100755 > --- a/utilities/ovn-ctl > +++ b/utilities/ovn-ctl > @@ -185,6 +185,8 @@ start_ovsdb__() { > local ovn_db_election_timer > local relay_mode > local cluster_db_upgrade > + local ovn_db_ssl_protocols > + local ovn_db_ssl_ciphers > eval db_pid_file=\$DB_${DB}_PIDFILE > eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR > eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT > @@ -214,6 +216,8 @@ start_ovsdb__() { > eval relay_mode=\$RELAY_MODE > eval relay_remote=\$DB_${DB}_REMOTE > eval cluster_db_upgrade=\$DB_CLUSTER_SCHEMA_UPGRADE > + eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS > + eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS > > ovn_install_dir "$OVN_RUNDIR" > ovn_install_dir "$ovn_logdir" 
> @@ -313,8 +317,17 @@ $cluster_remote_port > set "$@" --ca-cert=db:$schema_name,SSL,ca_cert > fi > > - set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols > - set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers > + if test X"$ovn_db_ssl_protocols" != X; then > + set "$@" --ssl-protocols=$ovn_db_ssl_protocols > + else > + set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols > + fi > + > + if test X"$ovn_db_ssl_ciphers" != X; then > + set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers > + else > + set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers > + fi > > if test X"$create_insecure_remote" = Xyes; then > set "$@" --remote=ptcp:$port:$addr > @@ -523,6 +536,12 @@ start_northd () { > if test "$OVN_NORTHD_N_THREADS" != 1; then > set "$@" --n-threads=$OVN_NORTHD_N_THREADS > fi > + if test X"$OVN_NORTHD_SSL_PROTOCOLS" != X; then > + set "$@" --ssl-protocols=$OVN_NORTHD_SSL_PROTOCOLS > + fi > + if test X"$OVN_NORTHD_SSL_CIPHERS" != X; then > + set "$@" --ssl-ciphers=$OVN_NORTHD_SSL_CIPHERS > + fi > > [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER" > > @@ -558,6 +577,12 @@ start_ic () { > if test X"$OVN_IC_SSL_CA_CERT" != X; then > set "$@" --ca-cert=$OVN_IC_SSL_CA_CERT > fi > + if test X"$OVN_IC_SSL_PROTOCOLS" != X; then > + set "$@" --ssl-protocols=$OVN_IC_SSL_PROTOCOLS > + fi > + if test X"$OVN_IC_SSL_CIPHERS" != X; then > + set "$@" --ssl-ciphers=$OVN_IC_SSL_CIPHERS > + fi > > [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER" > > @@ -586,6 +611,12 @@ start_controller () { > if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then > set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT > fi > + if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then > + set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS > + fi > + if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then > + set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS > + fi > > [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER" 
> > @@ -611,6 +642,12 @@ start_controller_vtep () { > if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then > set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT > fi > + if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then > + set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS > + fi > + if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then > + set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS > + fi > if test X"$DB_SOCK" != X; then > set "$@" --vtep-db=$DB_SOCK > fi > @@ -814,14 +851,20 @@ set_defaults () { > OVN_CONTROLLER_SSL_CERT="" > OVN_CONTROLLER_SSL_CA_CERT="" > OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT="" > + OVN_CONTROLLER_SSL_PROTOCOLS="" > + OVN_CONTROLLER_SSL_CIPHERS="" > > OVN_NORTHD_SSL_KEY="" > OVN_NORTHD_SSL_CERT="" > OVN_NORTHD_SSL_CA_CERT="" > + OVN_NORTHD_SSL_PROTOCOLS="" > + OVN_NORTHD_SSL_CIPHERS="" > > OVN_IC_SSL_KEY="" > OVN_IC_SSL_CERT="" > OVN_IC_SSL_CA_CERT="" > + OVN_IC_SSL_PROTOCOLS="" > + OVN_IC_SSL_CIPHERS="" > > DB_SB_CREATE_INSECURE_REMOTE="no" > DB_NB_CREATE_INSECURE_REMOTE="no" > @@ -878,18 +921,26 @@ set_defaults () { > OVN_NB_DB_SSL_KEY="" > OVN_NB_DB_SSL_CERT="" > OVN_NB_DB_SSL_CA_CERT="" > + OVN_NB_DB_SSL_PROTOCOLS="" > + OVN_NB_DB_SSL_CIPHERS="" > > OVN_SB_DB_SSL_KEY="" > OVN_SB_DB_SSL_CERT="" > OVN_SB_DB_SSL_CA_CERT="" > + OVN_SB_DB_SSL_PROTOCOLS="" > + OVN_SB_DB_SSL_CIPHERS="" > > OVN_IC_NB_DB_SSL_KEY="" > OVN_IC_NB_DB_SSL_CERT="" > OVN_IC_NB_DB_SSL_CA_CERT="" > + OVN_IC_NB_DB_SSL_PROTOCOLS="" > + OVN_IC_NB_DB_SSL_CIPHERS="" > > OVN_IC_SB_DB_SSL_KEY="" > OVN_IC_SB_DB_SSL_CERT="" > OVN_IC_SB_DB_SSL_CA_CERT="" > + OVN_IC_SB_DB_SSL_PROTOCOLS="" > + OVN_IC_SB_DB_SSL_CIPHERS="" > > RELAY_MODE=no > DB_SB_RELAY_REMOTE= 
> @@ -988,15 +1039,23 @@ Options: > --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file > --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file > --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file > + --ovn-controller-ssl-protocols=PROTOCOLS OVN Southbound SSL protocols > + --ovn-controller-ssl-ciphers=CIPHERS OVN Southbound SSL cipher list > --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file > --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file > --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file > + --ovn-nb-db-ssl-protocols=PROTOCOLS OVN Northbound DB SSL protocols > + --ovn-nb-db-ssl-ciphers=CIPHERS OVN Northbound DB SSL cipher list > --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file > --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file > --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file > + --ovn-sb-db-ssl-protocols=PROTOCOLS OVN Southbound DB SSL protocols > + --ovn-sb-db-ssl-ciphers=CIPHERS OVN Southbound DB SSL cipher list > --ovn-northd-ssl-key=KEY OVN Northd SSL private key file > --ovn-northd-ssl-cert=CERT OVN Northd SSL certificate file > --ovn-northd-ssl-ca-cert=CERT OVN Northd SSL CA certificate file > + --ovn-northd-ssl-protocols=PROTOCOLS OVN Northd SSL protocols > + --ovn-northd-ssl-ciphers=CIPHERS OVN Northd SSL cipher list > --ovn-manage-ovsdb=yes|no Whether or not the OVN NB/SB databases should be > automatically started and stopped along > with ovn-northd. The default is "yes". If 
> @@ -1014,14 +1073,20 @@ Options: > --ovn-ic-ssl-key=KEY OVN IC SSL private key file > --ovn-ic-ssl-cert=CERT OVN IC SSL certificate file > --ovn-ic-ssl-ca-cert=CERT OVN IC SSL CA certificate file > + --ovn-ic-ssl-protocols=PROTOCOLS OVN IC SSL protocols > + --ovn-ic-ssl-ciphers=CIPHERS OVN IC SSL cipher list > --ovn-ic-log=STRING ovn-ic process logging params (default: $OVN_IC_LOG) > --ovn-ic-logfile=STRING ovn-ic process log file (default: $OVN_IC_LOGFILE) > --ovn-ic-nb-db-ssl-key=KEY OVN IC Northbound DB SSL private key file > --ovn-ic-nb-db-ssl-cert=CERT OVN IC Northbound DB SSL certificate file > --ovn-ic-nb-db-ssl-ca-cert=CERT OVN IC Northbound DB SSL CA certificate file > + --ovn-ic-nb-db-ssl-protocols=PROTOCOLS OVN IC Northbound DB SSL protocols > + --ovn-ic-nb-db-ssl-ciphers=CIPHERS OVN IC Northbound DB SSL cipher list > --ovn-ic-sb-db-ssl-key=KEY OVN IC Southbound DB SSL private key file > --ovn-ic-sb-db-ssl-cert=CERT OVN IC Southbound DB SSL certificate file > --ovn-ic-sb-db-ssl-ca-cert=CERT OVN IC Southbound DB SSL CA certificate file > + --ovn-ic-sb-db-ssl-protocols=PROTOCOLS OVN IC Southbound DB SSL protocols > + --ovn-ic-sb-db-ssl-ciphers=CIPHERS OVN IC Southbound DB SSL cipher list > --ovn-user="user[:group]" pass the --user flag to the ovn daemons > --ovs-user="user[:group]" pass the --user flag to ovs daemons > --ovsdb-nb-wrapper=WRAPPER run with a wrapper like valgrind for debugging > diff --git a/utilities/ovn-ctl.8.xml b/utilities/ovn-ctl.8.xml > index 3bab055e4..57712bfdc 100644 > --- a/utilities/ovn-ctl.8.xml > +++ b/utilities/ovn-ctl.8.xml 
> @@ -92,6 +92,22 @@ > <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p> > <p><code>--ovn-controller-ssl-bootstrap-ca-cert=<var>CERT</var></code></p> > > + <h1>Protocol and Cipher options</h1> > + <p><code>--ovn-controller-ssl-protocols=<var>PROTOCOLS</var></code></p> > + <p><code>--ovn-ic-ssl-protocols=<var>PROTOCOLS</var></code></p> > + <p><code>--ovn-northd-ssl-protocols=<var>PROTOCOLS</var></code></p> > + <p><code>--ovn-nb-db-ssl-protocols=<var>PROTOCOLS</var></code></p> > + <p><code>--ovn-sb-db-ssl-protocols=<var>PROTOCOLS</var></code></p> > + <p><code>--ovn-ic-nb-db-ssl-protocols=<var>PROTOCOLS</var></code></p> > + <p><code>--ovn-ic-sb-db-ssl-protocols=<var>PROTOCOLS</var></code></p> > + <p><code>--ovn-controller-ssl-ciphers=<var>CIPHERS</var></code></p> > + <p><code>--ovn-ic-ssl-ciphers=<var>CIPHERS</var></code></p> > + <p><code>--ovn-northd-ssl-ciphers=<var>CIPHERS</var></code></p> > + <p><code>--ovn-nb-db-ssl-ciphers=<var>CIPHERS</var></code></p> > + <p><code>--ovn-sb-db-ssl-ciphers=<var>CIPHERS</var></code></p> > + <p><code>--ovn-ic-nb-db-ssl-ciphers=<var>CIPHERS</var></code></p> > + <p><code>--ovn-ic-sb-db-ssl-ciphers=<var>CIPHERS</var></code></p> > + > <h1>Address and port options</h1> > <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p> > <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>
diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl
index 50d588358..700efe35a 100755
--- a/utilities/ovn-ctl
+++ b/utilities/ovn-ctl
@@ -185,6 +185,8 @@ start_ovsdb__() {
 local ovn_db_election_timer
 local relay_mode
 local cluster_db_upgrade
+ local ovn_db_ssl_protocols
+ local ovn_db_ssl_ciphers
 eval db_pid_file=\$DB_${DB}_PIDFILE
 eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
 eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
@@ -214,6 +216,8 @@ start_ovsdb__() {
 eval relay_mode=\$RELAY_MODE
 eval relay_remote=\$DB_${DB}_REMOTE
 eval cluster_db_upgrade=\$DB_CLUSTER_SCHEMA_UPGRADE
+ eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS
+ eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS

 ovn_install_dir "$OVN_RUNDIR"
 ovn_install_dir "$ovn_logdir"
@@ -313,8 +317,17 @@ $cluster_remote_port
 set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
 fi

- set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
- set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
+ if test X"$ovn_db_ssl_protocols" != X; then
+ set "$@" --ssl-protocols=$ovn_db_ssl_protocols
+ else
+ set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
+ fi
+
+ if test X"$ovn_db_ssl_ciphers" != X; then
+ set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers
+ else
+ set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
+ fi

 if test X"$create_insecure_remote" = Xyes; then
 set "$@" --remote=ptcp:$port:$addr
@@ -523,6 +536,12 @@ start_northd () {
 if test "$OVN_NORTHD_N_THREADS" != 1; then
 set "$@" --n-threads=$OVN_NORTHD_N_THREADS
 fi
+ if test X"$OVN_NORTHD_SSL_PROTOCOLS" != X; then
+ set "$@" --ssl-protocols=$OVN_NORTHD_SSL_PROTOCOLS
+ fi
+ if test X"$OVN_NORTHD_SSL_CIPHERS" != X; then
+ set "$@" --ssl-ciphers=$OVN_NORTHD_SSL_CIPHERS
+ fi

 [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"

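Review bot: The override values added in the `@@ -313` hunk are expanded unquoted (`--ssl-protocols=$ovn_db_ssl_protocols`, `--ssl-ciphers=$ovn_db_ssl_ciphers`), so a value containing whitespace is split into extra daemon arguments; OpenSSL accepts spaces as cipher-list separators, so such a value is plausible. Quote the expansions, e.g. `set "$@" --ssl-ciphers="$ovn_db_ssl_ciphers"`; the start_northd, start_ic, start_controller and start_controller_vtep hunks add the same unquoted pattern. When an override is set, the `db:$schema_name,SSL,ssl_ciphers` source is no longer passed, so later changes to that SSL table column presumably stop applying to this server; a comment such as `# A value from ovn-ctl replaces the SSL table column for this server.` above each `if` would record that. start_ovsdb__ begins and ends outside the hunk.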
@@ -558,6 +577,12 @@ start_ic () {
 if test X"$OVN_IC_SSL_CA_CERT" != X; then
 set "$@" --ca-cert=$OVN_IC_SSL_CA_CERT
 fi
+ if test X"$OVN_IC_SSL_PROTOCOLS" != X; then
+ set "$@" --ssl-protocols=$OVN_IC_SSL_PROTOCOLS
+ fi
+ if test X"$OVN_IC_SSL_CIPHERS" != X; then
+ set "$@" --ssl-ciphers=$OVN_IC_SSL_CIPHERS
+ fi

 [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"

@@ -586,6 +611,12 @@ start_controller () {
 if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
 set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
 fi
+ if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then
+ set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS
+ fi
+ if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then
+ set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS
+ fi

 [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"

@@ -611,6 +642,12 @@ start_controller_vtep () {
 if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
 set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
 fi
+ if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then
+ set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS
+ fi
+ if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then
+ set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS
+ fi
 if test X"$DB_SOCK" != X; then
 set "$@" --vtep-db=$DB_SOCK
 fi
@@ -814,14 +851,20 @@ set_defaults () {
 OVN_CONTROLLER_SSL_CERT=""
 OVN_CONTROLLER_SSL_CA_CERT=""
 OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT=""
+ OVN_CONTROLLER_SSL_PROTOCOLS=""
+ OVN_CONTROLLER_SSL_CIPHERS=""

 OVN_NORTHD_SSL_KEY=""
 OVN_NORTHD_SSL_CERT=""
 OVN_NORTHD_SSL_CA_CERT=""
+ OVN_NORTHD_SSL_PROTOCOLS=""
+ OVN_NORTHD_SSL_CIPHERS=""

 OVN_IC_SSL_KEY=""
 OVN_IC_SSL_CERT=""
 OVN_IC_SSL_CA_CERT=""
+ OVN_IC_SSL_PROTOCOLS=""
+ OVN_IC_SSL_CIPHERS=""

 DB_SB_CREATE_INSECURE_REMOTE="no"
 DB_NB_CREATE_INSECURE_REMOTE="no"
@@ -878,18 +921,26 @@ set_defaults () {
 OVN_NB_DB_SSL_KEY=""
 OVN_NB_DB_SSL_CERT=""
 OVN_NB_DB_SSL_CA_CERT=""
+ OVN_NB_DB_SSL_PROTOCOLS=""
+ OVN_NB_DB_SSL_CIPHERS=""

 OVN_SB_DB_SSL_KEY=""
 OVN_SB_DB_SSL_CERT=""
 OVN_SB_DB_SSL_CA_CERT=""
+ OVN_SB_DB_SSL_PROTOCOLS=""
+ OVN_SB_DB_SSL_CIPHERS=""

 OVN_IC_NB_DB_SSL_KEY=""
 OVN_IC_NB_DB_SSL_CERT=""
 OVN_IC_NB_DB_SSL_CA_CERT=""
+ OVN_IC_NB_DB_SSL_PROTOCOLS=""
+ OVN_IC_NB_DB_SSL_CIPHERS=""

 OVN_IC_SB_DB_SSL_KEY=""
 OVN_IC_SB_DB_SSL_CERT=""
 OVN_IC_SB_DB_SSL_CA_CERT=""
+ OVN_IC_SB_DB_SSL_PROTOCOLS=""
+ OVN_IC_SB_DB_SSL_CIPHERS=""

 RELAY_MODE=no
 DB_SB_RELAY_REMOTE=
@@ -988,15 +1039,23 @@ Options:
 --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
 --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
 --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
+ --ovn-controller-ssl-protocols=PROTOCOLS OVN Southbound SSL protocols
+ --ovn-controller-ssl-ciphers=CIPHERS OVN Southbound SSL cipher list
 --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
 --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
 --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
+ --ovn-nb-db-ssl-protocols=PROTOCOLS OVN Northbound DB SSL protocols
+ --ovn-nb-db-ssl-ciphers=CIPHERS OVN Northbound DB SSL cipher list
 --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
 --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
 --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
+ --ovn-sb-db-ssl-protocols=PROTOCOLS OVN Southbound DB SSL protocols
+ --ovn-sb-db-ssl-ciphers=CIPHERS OVN Southbound DB SSL cipher list
 --ovn-northd-ssl-key=KEY OVN Northd SSL private key file
 --ovn-northd-ssl-cert=CERT OVN Northd SSL certificate file
 --ovn-northd-ssl-ca-cert=CERT OVN Northd SSL CA certificate file
+ --ovn-northd-ssl-protocols=PROTOCOLS OVN Northd SSL protocols
+ --ovn-northd-ssl-ciphers=CIPHERS OVN Northd SSL cipher list
 --ovn-manage-ovsdb=yes|no Whether or not the OVN NB/SB databases should be
 automatically started and stopped along
 with ovn-northd. The default is "yes". If
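Review bot: The help entries added for the database servers (`--ovn-nb-db-ssl-protocols`, `--ovn-nb-db-ssl-ciphers` and the `sb` pair) do not say that a value given here replaces the one otherwise read from the database's SSL table, which is what the start_ovsdb__ change in this patch does. A wording such as `--ovn-nb-db-ssl-ciphers=CIPHERS OVN Northbound DB SSL cipher list (overrides the SSL table value; default: unset)` would make the precedence and the empty default visible to operators. That matters because a pinned string like the commit message's `@SECLEVEL=1` example may set the OpenSSL security level below the system default for every peer of that server. The `@@ -1014` hunk has the same gap for the IC databases, and the usage text continues outside both hunks.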
@@ -1014,14 +1073,20 @@ Options:
 --ovn-ic-ssl-key=KEY OVN IC SSL private key file
 --ovn-ic-ssl-cert=CERT OVN IC SSL certificate file
 --ovn-ic-ssl-ca-cert=CERT OVN IC SSL CA certificate file
+ --ovn-ic-ssl-protocols=PROTOCOLS OVN IC SSL protocols
+ --ovn-ic-ssl-ciphers=CIPHERS OVN IC SSL cipher list
 --ovn-ic-log=STRING ovn-ic process logging params (default: $OVN_IC_LOG)
 --ovn-ic-logfile=STRING ovn-ic process log file (default: $OVN_IC_LOGFILE)
 --ovn-ic-nb-db-ssl-key=KEY OVN IC Northbound DB SSL private key file
 --ovn-ic-nb-db-ssl-cert=CERT OVN IC Northbound DB SSL certificate file
 --ovn-ic-nb-db-ssl-ca-cert=CERT OVN IC Northbound DB SSL CA certificate file
+ --ovn-ic-nb-db-ssl-protocols=PROTOCOLS OVN IC Northbound DB SSL protocols
+ --ovn-ic-nb-db-ssl-ciphers=CIPHERS OVN IC Northbound DB SSL cipher list
 --ovn-ic-sb-db-ssl-key=KEY OVN IC Southbound DB SSL private key file
 --ovn-ic-sb-db-ssl-cert=CERT OVN IC Southbound DB SSL certificate file
 --ovn-ic-sb-db-ssl-ca-cert=CERT OVN IC Southbound DB SSL CA certificate file
+ --ovn-ic-sb-db-ssl-protocols=PROTOCOLS OVN IC Southbound DB SSL protocols
+ --ovn-ic-sb-db-ssl-ciphers=CIPHERS OVN IC Southbound DB SSL cipher list
 --ovn-user="user[:group]" pass the --user flag to the ovn daemons
 --ovs-user="user[:group]" pass the --user flag to ovs daemons
 --ovsdb-nb-wrapper=WRAPPER run with a wrapper like valgrind for debugging
diff --git a/utilities/ovn-ctl.8.xml b/utilities/ovn-ctl.8.xml
index 3bab055e4..57712bfdc 100644
--- a/utilities/ovn-ctl.8.xml
+++ b/utilities/ovn-ctl.8.xml
@@ -92,6 +92,22 @@
 <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
 <p><code>--ovn-controller-ssl-bootstrap-ca-cert=<var>CERT</var></code></p>

+ <h1>Protocol and Cipher options</h1>
+ <p><code>--ovn-controller-ssl-protocols=<var>PROTOCOLS</var></code></p>
+ <p><code>--ovn-ic-ssl-protocols=<var>PROTOCOLS</var></code></p>
+ <p><code>--ovn-northd-ssl-protocols=<var>PROTOCOLS</var></code></p>
+ <p><code>--ovn-nb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
+ <p><code>--ovn-sb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
+ <p><code>--ovn-ic-nb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
+ <p><code>--ovn-ic-sb-db-ssl-protocols=<var>PROTOCOLS</var></code></p>
+ <p><code>--ovn-controller-ssl-ciphers=<var>CIPHERS</var></code></p>
+ <p><code>--ovn-ic-ssl-ciphers=<var>CIPHERS</var></code></p>
+ <p><code>--ovn-northd-ssl-ciphers=<var>CIPHERS</var></code></p>
+ <p><code>--ovn-nb-db-ssl-ciphers=<var>CIPHERS</var></code></p>
+ <p><code>--ovn-sb-db-ssl-ciphers=<var>CIPHERS</var></code></p>
+ <p><code>--ovn-ic-nb-db-ssl-ciphers=<var>CIPHERS</var></code></p>
+ <p><code>--ovn-ic-sb-db-ssl-ciphers=<var>CIPHERS</var></code></p>
+
 <h1>Address and port options</h1>
 <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>
 <p><code>--db-nb-sync-from-port=<var>PORT NUMBER</var></code></p>