$ ovn-detrace --help
/home/dceara/local-builds/bin/ovn-detrace: usage: /home/dceara/local-builds/bin/ovn-detrace < FILE
where FILE is output from ovs-appctl ofproto/trace.

The following options are also available:
  -h, --help                  display this help message
  -V, --version               display version information
  --ovnsb=DATABASE            use DATABASE as southbound DB
  --ovnnb=DATABASE            use DATABASE as northbound DB
  --ovsdb=DATABASE            use DATABASE as OVS DB

We need a way to pass the certs/keys to ovn-detrace.
Fix posted upstream for review: https://patchwork.ozlabs.org/project/openvswitch/patch/20200707155348.25156.23207.stgit@dceara.remote.csb/
On the old OVN version, ovn-detrace has no SSL option.

# rpm -qa | egrep "openvs|ovn"
python3-openvswitch2.13-2.13.0-38.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-2.13.0-37.el8fdp.x86_64
ovn2.13-central-2.13.0-37.el8fdp.x86_64
openvswitch2.13-2.13.0-38.el8fdp.x86_64
ovn2.13-host-2.13.0-37.el8fdp.x86_64

# ovn-detrace -h
/usr/bin/ovn-detrace: usage: /usr/bin/ovn-detrace < FILE
where FILE is output from ovs-appctl ofproto/trace.

The following options are also available:
  -h, --help                  display this help message
  -V, --version               display version information
  --ovnsb=DATABASE            use DATABASE as southbound DB
  --ovnnb=DATABASE            use DATABASE as northbound DB
  --ovsdb=DATABASE            use DATABASE as OVS DB

On the newer version:

# rpm -qa | egrep "openv|ovn"
ovn2.13-20.06.2-2.el8fdp.x86_64
openvswitch2.13-2.13.0-49.el8fdp.x86_64
ovn2.13-central-20.06.2-2.el8fdp.x86_64
python3-openvswitch2.13-2.13.0-49.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-host-20.06.2-2.el8fdp.x86_64

we see the new SSL-related parameters.

# ovn-detrace -h
/usr/bin/ovn-detrace: usage: /usr/bin/ovn-detrace < FILE
where FILE is output from ovs-appctl ofproto/trace.

The following options are also available:
  -h, --help                  display this help message
  -V, --version               display version information
  --ovnsb=DATABASE            use DATABASE as southbound DB
  --ovnnb=DATABASE            use DATABASE as northbound DB
  --ovsdb=DATABASE            use DATABASE as OVS DB
  -p, --private-key=FILE      file with private key
  -c, --certificate=FILE      file with certificate for private key
  -C, --ca-cert=FILE          file with peer CA certificate

If ovn-detrace uses an SSL connection without the new parameters (in the case below, connecting to the southbound DB), it reports an error.

# ovn-detrace --ovnsb=ssl:127.0.0.1:6642 <tmp1
/usr/bin/ovn-detrace: SSL connection requires private key, certificate for private key, and peer CA certificate as arguments.
If the SSL key/certificates are passed using the new parameters, the ovn-detrace tool can use them to set up the SSL connection successfully.

# ovn-detrace -p /etc/openvswitch/sdb-privkey.pem -c /etc/openvswitch/sdb-cert.pem -C /var/lib/openvswitch/pki/controllerca/cacert.pem --ovnsb=ssl:127.0.0.1:6642 <tmp1
Flow: icmp,in_port=2,vlan_tci=0x0000,dl_src=00:01:02:03:01:01,dl_dst=00:01:03:0d:ff:01,nw_src=192.168.1.1,nw_dst=192.168.2.1,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0

bridge("br-int")
----------------
 0. in_port=2, priority 100, cookie 0x2df51247
    set_field:0x4->reg13
    set_field:0x6->reg11
    set_field:0x5->reg12
    set_field:0x2->metadata
    set_field:0x2->reg14
    resubmit(,8)
  *  Logical datapath: "ls1" (904dec4f-04dc-40e3-b61f-f07228e75b00)
  *  Port Binding: logical_port "ls1p1", tunnel_key 2,
 8. reg14=0x2,metadata=0x2, priority 50, cookie 0x204c88dc
    resubmit(,9)
<...omitted...>
64. priority 0
    resubmit(,65)
65. reg15=0x2,metadata=0x1, priority 100, cookie 0x215e018d
    output:1
    pop:NXM_OF_IN_PORT[]
     -> NXM_OF_IN_PORT[] is now 2
  *  Logical datapath: "ls2" (c05e2f22-c73d-4fd2-95e5-a3b184bffbca)
  *  Port Binding: logical_port "ls2p1", tunnel_key 2,

Final flow: icmp,reg11=0x6,reg12=0x5,reg13=0x4,reg14=0x2,reg15=0x1,metadata=0x2,in_port=2,vlan_tci=0x0000,dl_src=00:01:02:03:01:01,dl_dst=00:01:03:0d:ff:01,nw_src=192.168.1.1,nw_dst=192.168.2.1,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0
Megaflow: recirc_id=0,eth,ip,in_port=2,dl_src=00:01:02:03:01:01,dl_dst=00:01:03:0d:ff:01,nw_src=192.168.1.0/25,nw_dst=192.168.2.1,nw_ttl=64,nw_frag=no
Datapath actions: ct_clear,ct_clear,set(eth(src=00:01:03:0d:ff:02,dst=00:01:02:03:02:01)),set(ipv4(ttl=63)),2

So, with this new feature, ovn-detrace can use an SSL connection.
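The verification above passes the three files by hand. On a real chassis, ovn-controller already holds the same key, certificate and CA in the OVS SSL table, so a wrapper can reuse them instead of retyping paths. The helper below is an added example written for this page; it is not part of the bug report or of the OVN project. It assumes the SSL table was populated with `ovs-vsctl set-ssl` (so `ovs-vsctl get-ssl` prints `Private key:`, `Certificate:` and `CA Certificate:` lines) and that the southbound remote is the `ssl:` URL passed as its first argument. The function names `ssl_args_from_get_ssl` and `detrace_cmd` and the `SAMPLE_GET_SSL` text are constructed for the example. It mirrors ovn-detrace's own behaviour: for an `ssl:` remote it refuses to build a command unless all three files are known, while `tcp:`/`unix:` remotes need none of them.

```shell
#!/bin/sh
# Added example, not OVN project code. Builds an ovn-detrace command line for
# an ssl: southbound remote from the chassis' own SSL configuration.

# Constructed sample of `ovs-vsctl get-ssl` output (paths taken from the
# verification run above); on a real host, feed the real command's output.
SAMPLE_GET_SSL='Private key: /etc/openvswitch/sdb-privkey.pem
Certificate: /etc/openvswitch/sdb-cert.pem
CA Certificate: /var/lib/openvswitch/pki/controllerca/cacert.pem
Bootstrap: false'

# ssl_args_from_get_ssl: read `ovs-vsctl get-ssl` output on stdin and print
# "-p KEY -c CERT -C CA". Returns 1 and prints nothing if any of the three
# is missing, the same precondition ovn-detrace enforces for ssl: remotes.
ssl_args_from_get_ssl() {
    key='' cert='' ca=''
    while IFS= read -r line; do
        case "$line" in
            "Private key: "*)    key=${line#Private key: } ;;
            "Certificate: "*)    cert=${line#Certificate: } ;;
            "CA Certificate: "*) ca=${line#CA Certificate: } ;;
        esac
    done
    if [ -z "$key" ] || [ -z "$cert" ] || [ -z "$ca" ]; then
        echo "SSL connection requires private key, certificate and CA certificate" >&2
        return 1
    fi
    printf '%s\n' "-p $key -c $cert -C $ca"
}

# detrace_cmd REMOTE GET_SSL_OUTPUT: print the ovn-detrace invocation for
# REMOTE. Only ssl: remotes get the -p/-c/-C options; anything else is passed
# through with just --ovnsb.
detrace_cmd() {
    remote=$1
    get_ssl_output=$2
    case "$remote" in
        ssl:*)
            ssl_args=$(printf '%s\n' "$get_ssl_output" | ssl_args_from_get_ssl) || return 1
            printf 'ovn-detrace %s --ovnsb=%s\n' "$ssl_args" "$remote"
            ;;
        *)
            printf 'ovn-detrace --ovnsb=%s\n' "$remote"
            ;;
    esac
}

# Typical use on a chassis (not executed here):
#   cmd=$(detrace_cmd ssl:127.0.0.1:6642 "$(ovs-vsctl get-ssl)") || exit 1
#   ovs-appctl ofproto/trace br-int "$FLOW" | $cmd
```

Because the option string is assembled from the SSL table rather than typed, a host whose ovn-controller connects over `ssl:` gets a working ovn-detrace pipeline with no extra paths to remember; a host with no SSL configured fails fast with the same message ovn-detrace would have printed, before any trace is run.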
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3769