From patchwork Thu Feb 29 22:40:03 2024
X-Patchwork-Submitter: aginwala aginwala
X-Patchwork-Id: 1906488
From: amginwal@gmail.com
To: dev@openvswitch.org
Date: Thu, 29 Feb 2024 14:40:03 -0800
Message-Id: <20240229224003.83740-1-amginwal@gmail.com>
X-Mailer: git-send-email 2.39.3 (Apple Git-145)
Cc: Aliasgar Ginwala
Subject: [ovs-dev] [PATCH ovn v4] ovn-ctl: Add ssl-ciphers and protocols support.

From: Aliasgar Ginwala

Setting up OVN on a new kernel bumps the openssl version. Since the OVS PKI infrastructure generated the older ssl certs based on an old openssl version, raft fails with the error:

2024-02-27T19:28:39.673Z|00022|stream_ssl|WARN|SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

For running ovn-controller in a container, we can still pin ssl-ciphers directly. This was missed in the ovn-ctl utility, hence this sets the same, e.g. pin ciphers to 'HIGH:!aNULL:!MD5:@SECLEVEL=1' for raft/ovn-controllers, etc.

Also update the options to show ssl-ciphers and ssl-protocols for each component in the help.

Signed-off-by: Aliasgar Ginwala
Acked-by: Mark Michelson
---
 utilities/ovn-ctl       | 69 +++++++++++++++++++++++++++++++++++++++--
 utilities/ovn-ctl.8.xml | 16 ++++++++++
 2 files changed, 83 insertions(+), 2 deletions(-)

diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl index 50d588358..700efe35a 100755 --- a/utilities/ovn-ctl +++ b/utilities/ovn-ctl @@ -185,6 +185,8 @@ start_ovsdb__() { local ovn_db_election_timer local relay_mode local cluster_db_upgrade + local ovn_db_ssl_protocols + local ovn_db_ssl_ciphers eval db_pid_file=\$DB_${DB}_PIDFILE eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT 
@@ -214,6 +216,8 @@ start_ovsdb__() { eval relay_mode=\$RELAY_MODE eval relay_remote=\$DB_${DB}_REMOTE eval cluster_db_upgrade=\$DB_CLUSTER_SCHEMA_UPGRADE + eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS + eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS ovn_install_dir "$OVN_RUNDIR" ovn_install_dir "$ovn_logdir" @@ -313,8 +317,17 @@ $cluster_remote_port set "$@" --ca-cert=db:$schema_name,SSL,ca_cert fi - set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols - set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + if test X"$ovn_db_ssl_protocols" != X; then + set "$@" --ssl-protocols=$ovn_db_ssl_protocols + else + set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols + fi + + if test X"$ovn_db_ssl_ciphers" != X; then + set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers + else + set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + fi if test X"$create_insecure_remote" = Xyes; then set "$@" --remote=ptcp:$port:$addr @@ -523,6 +536,12 @@ start_northd () { if test "$OVN_NORTHD_N_THREADS" != 1; then set "$@" --n-threads=$OVN_NORTHD_N_THREADS fi + if test X"$OVN_NORTHD_SSL_PROTOCOLS" != X; then + set "$@" --ssl-protocols=$OVN_NORTHD_SSL_PROTOCOLS + fi + if test X"$OVN_NORTHD_SSL_CIPHERS" != X; then + set "$@" --ssl-ciphers=$OVN_NORTHD_SSL_CIPHERS + fi [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER" @@ -558,6 +577,12 @@ start_ic () { if test X"$OVN_IC_SSL_CA_CERT" != X; then set "$@" --ca-cert=$OVN_IC_SSL_CA_CERT fi + if test X"$OVN_IC_SSL_PROTOCOLS" != X; then + set "$@" --ssl-protocols=$OVN_IC_SSL_PROTOCOLS + fi + if test X"$OVN_IC_SSL_CIPHERS" != X; then + set "$@" --ssl-ciphers=$OVN_IC_SSL_CIPHERS + fi [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER" 
@@ -586,6 +611,12 @@ start_controller () { if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT fi + if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then + set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS + fi + if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then + set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS + fi [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER" @@ -611,6 +642,12 @@ start_controller_vtep () { if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT fi + if test X"$OVN_CONTROLLER_SSL_PROTOCOLS" != X; then + set "$@" --ssl-protocols=$OVN_CONTROLLER_SSL_PROTOCOLS + fi + if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then + set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS + fi if test X"$DB_SOCK" != X; then set "$@" --vtep-db=$DB_SOCK fi @@ -814,14 +851,20 @@ set_defaults () { OVN_CONTROLLER_SSL_CERT="" OVN_CONTROLLER_SSL_CA_CERT="" OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT="" + OVN_CONTROLLER_SSL_PROTOCOLS="" + OVN_CONTROLLER_SSL_CIPHERS="" OVN_NORTHD_SSL_KEY="" OVN_NORTHD_SSL_CERT="" OVN_NORTHD_SSL_CA_CERT="" + OVN_NORTHD_SSL_PROTOCOLS="" + OVN_NORTHD_SSL_CIPHERS="" OVN_IC_SSL_KEY="" OVN_IC_SSL_CERT="" OVN_IC_SSL_CA_CERT="" + OVN_IC_SSL_PROTOCOLS="" + OVN_IC_SSL_CIPHERS="" DB_SB_CREATE_INSECURE_REMOTE="no" DB_NB_CREATE_INSECURE_REMOTE="no" 
@@ -878,18 +921,26 @@ set_defaults () { OVN_NB_DB_SSL_KEY="" OVN_NB_DB_SSL_CERT="" OVN_NB_DB_SSL_CA_CERT="" + OVN_NB_DB_SSL_PROTOCOLS="" + OVN_NB_DB_SSL_CIPHERS="" OVN_SB_DB_SSL_KEY="" OVN_SB_DB_SSL_CERT="" OVN_SB_DB_SSL_CA_CERT="" + OVN_SB_DB_SSL_PROTOCOLS="" + OVN_SB_DB_SSL_CIPHERS="" OVN_IC_NB_DB_SSL_KEY="" OVN_IC_NB_DB_SSL_CERT="" OVN_IC_NB_DB_SSL_CA_CERT="" + OVN_IC_NB_DB_SSL_PROTOCOLS="" + OVN_IC_NB_DB_SSL_CIPHERS="" OVN_IC_SB_DB_SSL_KEY="" OVN_IC_SB_DB_SSL_CERT="" OVN_IC_SB_DB_SSL_CA_CERT="" + OVN_IC_SB_DB_SSL_PROTOCOLS="" + OVN_IC_SB_DB_SSL_CIPHERS="" RELAY_MODE=no DB_SB_RELAY_REMOTE= 
@@ -988,15 +1039,23 @@ Options: --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file + --ovn-controller-ssl-protocols=PROTOCOLS OVN Southbound SSL protocols + --ovn-controller-ssl-ciphers=CIPHERS OVN Southbound SSL cipher list --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file + --ovn-nb-db-ssl-protocols=PROTOCOLS OVN Northbound DB SSL protocols + --ovn-nb-db-ssl-ciphers=CIPHERS OVN Northbound DB SSL cipher list --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file + --ovn-sb-db-ssl-protocols=PROTOCOLS OVN Southbound DB SSL protocols + --ovn-sb-db-ssl-ciphers=CIPHERS OVN Southbound DB SSL cipher list --ovn-northd-ssl-key=KEY OVN Northd SSL private key file --ovn-northd-ssl-cert=CERT OVN Northd SSL certificate file --ovn-northd-ssl-ca-cert=CERT OVN Northd SSL CA certificate file + --ovn-northd-ssl-protocols=PROTOCOLS OVN Northd SSL protocols + --ovn-northd-ssl-ciphers=CIPHERS OVN Northd SSL cipher list --ovn-manage-ovsdb=yes|no Whether or not the OVN NB/SB databases should be automatically started and stopped along with ovn-northd. The default is "yes". If 
@@ -1014,14 +1073,20 @@ Options: --ovn-ic-ssl-key=KEY OVN IC SSL private key file --ovn-ic-ssl-cert=CERT OVN IC SSL certificate file --ovn-ic-ssl-ca-cert=CERT OVN IC SSL CA certificate file + --ovn-ic-ssl-protocols=PROTOCOLS OVN IC SSL protocols + --ovn-ic-ssl-ciphers=CIPHERS OVN IC SSL cipher list --ovn-ic-log=STRING ovn-ic process logging params (default: $OVN_IC_LOG) --ovn-ic-logfile=STRING ovn-ic process log file (default: $OVN_IC_LOGFILE) --ovn-ic-nb-db-ssl-key=KEY OVN IC Northbound DB SSL private key file --ovn-ic-nb-db-ssl-cert=CERT OVN IC Northbound DB SSL certificate file --ovn-ic-nb-db-ssl-ca-cert=CERT OVN IC Northbound DB SSL CA certificate file + --ovn-ic-nb-db-ssl-protocols=PROTOCOLS OVN IC Northbound DB SSL protocols + --ovn-ic-nb-db-ssl-ciphers=CIPHERS OVN IC Northbound DB SSL cipher list --ovn-ic-sb-db-ssl-key=KEY OVN IC Southbound DB SSL private key file --ovn-ic-sb-db-ssl-cert=CERT OVN IC Southbound DB SSL certificate file --ovn-ic-sb-db-ssl-ca-cert=CERT OVN IC Southbound DB SSL CA certificate file + --ovn-ic-sb-db-ssl-protocols=PROTOCOLS OVN IC Southbound DB SSL protocols + --ovn-ic-sb-db-ssl-ciphers=CIPHERS OVN IC Southbound DB SSL cipher list --ovn-user="user[:group]" pass the --user flag to the ovn daemons --ovs-user="user[:group]" pass the --user flag to ovs daemons --ovsdb-nb-wrapper=WRAPPER run with a wrapper like valgrind for debugging diff --git a/utilities/ovn-ctl.8.xml b/utilities/ovn-ctl.8.xml index 3bab055e4..57712bfdc 100644 --- a/utilities/ovn-ctl.8.xml +++ b/utilities/ovn-ctl.8.xml @@ -92,6 +92,22 @@

--ovn-controller-ssl-ca-cert=CERT

--ovn-controller-ssl-bootstrap-ca-cert=CERT

+

Protocol and Cipher options

+

--ovn-controller-ssl-protocols=PROTOCOLS

+

--ovn-ic-ssl-protocols=PROTOCOLS

+

--ovn-northd-ssl-protocols=PROTOCOLS

+

--ovn-nb-db-ssl-protocols=PROTOCOLS

+

--ovn-sb-db-ssl-protocols=PROTOCOLS

+

--ovn-ic-nb-db-ssl-protocols=PROTOCOLS

+

--ovn-ic-sb-db-ssl-protocols=PROTOCOLS

+

--ovn-controller-ssl-ciphers=CIPHERS

+

--ovn-ic-ssl-ciphers=CIPHERS

+

--ovn-northd-ssl-ciphers=CIPHERS

+

--ovn-nb-db-ssl-ciphers=CIPHERS

+

--ovn-sb-db-ssl-ciphers=CIPHERS

+

--ovn-ic-nb-db-ssl-ciphers=CIPHERS

+

--ovn-ic-sb-db-ssl-ciphers=CIPHERS

+

Address and port options

--db-nb-sync-from-addr=IP ADDRESS

--db-nb-sync-from-port=PORT NUMBER
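Review bot: The start_ovsdb__ hunk at @@ -313 makes OVN_${DB}_DB_SSL_PROTOCOLS / OVN_${DB}_DB_SSL_CIPHERS replace the `db:$schema_name,SSL,ssl_protocols` / `db:$schema_name,SSL,ssl_ciphers` references rather than supplement them, so once either variable is set, a value an operator later writes into that database's SSL table is silently ignored by that ovsdb-server. Neither the help text nor the man page additions state this precedence; one sentence saying that the ovn-ctl value overrides the SSL table would save a confusing debugging session. Minor: `set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers` expands the value unquoted, which matches the existing `--ca-cert=$...` lines, but a cipher list written with space separators would be split into several arguments; quoting it as `"$ovn_db_ssl_ciphers"` (and the protocols counterpart) costs nothing.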
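Review bot: The start_controller_vtep hunk at @@ -611 reads OVN_CONTROLLER_SSL_PROTOCOLS and OVN_CONTROLLER_SSL_CIPHERS, the same variables start_controller consumes at @@ -586, following how OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT is already shared between the two; the help text only describes them as ovn-controller's "OVN Southbound SSL protocols" / "cipher list", so a mention that ovn-controller-vtep picks up the same values would make the sharing explicit. This hunk is also the fourth verbatim copy of the two `if test X"$..." != X; then set "$@" --ssl-...=$...` blocks (start_northd, start_ic, start_controller, start_controller_vtep); a small helper taking the variable prefix would keep the four copies from drifting apart.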
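Review bot: In the help hunk at @@ -988 the new lines describe the values only as "SSL protocols" and "SSL cipher list" with PROTOCOLS and CIPHERS placeholders; unlike KEY and CERT, which are plainly file paths, nothing says what form these take, and for the `--ovn-*-db-ssl-*` variants nothing says that an empty value leaves the database's SSL table in control. Suggest spelling both out, e.g. `--ovn-sb-db-ssl-ciphers=CIPHERS OVN Southbound DB SSL cipher list (OpenSSL cipher string; default: SSL table)`, or a short sentence under the option group, as the `--ovn-manage-ovsdb` entry already does for its default.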
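Review bot: The ovn-ctl.8.xml hunk at @@ -92 adds the fourteen option names under a new "Protocol and Cipher options" heading but no text on what the values are, that the DB variants fall back to the SSL table, or what the options are for; the motivating case from the commit message ('HIGH:!aNULL:!MD5:@SECLEVEL=1') is worth stating there together with its cost: '@SECLEVEL=1' lowers the OpenSSL security level for every peer of the daemon it is passed to, so certificates that current OpenSSL rejects (the "certificate verify failed" in the commit message) are accepted again, which makes it a bridge until the OVS PKI certificates are regenerated rather than a permanent setting. The man page is the natural place to say so.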
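The failure the commit message describes (certificates from an older PKI rejected after an OpenSSL upgrade, with '@SECLEVEL=1' as the workaround) can be reproduced offline without OVN at all. The script below is an added example, not part of this patch or of the OVN/OVS code base. It assumes an openssl binary (1.1.1 or later, for -auth_level) on PATH, constructs a throwaway CA whose 1024-bit key stands in for a certificate produced by an old PKI, and verifies a leaf against it at OpenSSL security levels 2 and 1; every file name and subject in it is invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the ovn-ctl patch or from OVN/OVS.
# Reproduces the "certificate verify failed" symptom with a throwaway PKI
# and shows that OpenSSL's security level, not the cipher names in the
# cipher string, decides whether the old certificate is accepted.
# Assumptions: openssl >= 1.1.1 on PATH; everything is built in a temp dir.

set -e

build_weak_pki() {
    # $1 = scratch directory. The CA gets a 1024-bit RSA key (what an old
    # PKI might have produced); the leaf, standing in for what a raft
    # member or ovn-controller presents, has a 2048-bit key and a SHA-256
    # signature, so the CA key size is the only weak link.
    dir=$1
    # Private config so the result does not depend on the distro openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -config "$dir/pki.cnf" -x509 -extensions v3_ca \
        -newkey rsa:1024 -nodes -sha256 -days 30 -subj "/CN=old-ovs-pki-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -config "$dir/pki.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ovn-sb-raft-member" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

verify_at_level() {
    # $1 = directory holding ca.pem/leaf.pem, $2 = security level.
    # -auth_level is the verify-side equivalent of "@SECLEVEL=N" in a TLS
    # cipher string. Prints OK or FAIL and always returns 0 for easy comparison.
    if openssl verify -auth_level "$2" -CAfile "$1/ca.pem" "$1/leaf.pem" \
        >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    build_weak_pki "$dir"
    # Level 2 (Debian/Ubuntu and RHEL builds default to it; upstream OpenSSL
    # defaults to 1) requires 112-bit security, i.e. RSA >= 2048, so the
    # 1024-bit CA is rejected: the chain fails exactly as an OVS/OVN peer
    # does after an OpenSSL bump.
    echo "level 2: $(verify_at_level "$dir" 2)"    # FAIL
    # Level 1 requires 80-bit security (RSA >= 1024), which is what
    # "@SECLEVEL=1" in the pinned cipher list re-enables.
    echo "level 1: $(verify_at_level "$dir" 1)"    # OK
    # The reason, as openssl itself reports it at level 2.
    openssl verify -auth_level 2 -CAfile "$dir/ca.pem" "$dir/leaf.pem" 2>&1 \
        | tail -n 2 || true
}

demo
```

Run it with `sh` on any host that has OpenSSL; no network is used. The point for ovn-ctl users is that '@SECLEVEL=1' in --ssl-ciphers does not so much change which ciphers get negotiated as what certificate strength is tolerated, and it relaxes that check for every peer of the daemon it is passed to; regenerating the OVS PKI certificates with 2048-bit keys makes the override unnecessary.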