Bug 1853716 - [OVN] ovn-detrace doesn't support SSL connections to the NB/SB/OVS DBs
Summary: [OVN] ovn-detrace doesn't support SSL connections to the NB/SB/OVS DBs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.13
Version: FDP 20.E
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dumitru Ceara
QA Contact: Zhiqiang Fang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-03 15:56 UTC by Dumitru Ceara
Modified: 2020-09-16 16:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-16 16:01:23 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2020:3769 (last updated 2020-09-16 16:01:39 UTC)

Description Dumitru Ceara 2020-07-03 15:56:08 UTC
$ ovn-detrace --help
/home/dceara/local-builds/bin/ovn-detrace:
usage: /home/dceara/local-builds/bin/ovn-detrace < FILE
where FILE is output from ovs-appctl ofproto/trace.

The following options are also available:
  -h, --help                  display this help message
  -V, --version               display version information
  --ovnsb=DATABASE            use DATABASE as southbound DB
  --ovnnb=DATABASE            use DATABASE as northbound DB
  --ovsdb=DATABASE            use DATABASE as OVS DB

We need a way to pass the certs/keys to ovn-detrace.

Comment 5 Zhiqiang Fang 2020-09-04 02:26:04 UTC
On the old OVN version, ovn-detrace has no SSL option.

# rpm -qa | egrep "openvs|ovn"
python3-openvswitch2.13-2.13.0-38.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-2.13.0-37.el8fdp.x86_64
ovn2.13-central-2.13.0-37.el8fdp.x86_64
openvswitch2.13-2.13.0-38.el8fdp.x86_64
ovn2.13-host-2.13.0-37.el8fdp.x86_64

# ovn-detrace -h
/usr/bin/ovn-detrace:
usage: /usr/bin/ovn-detrace < FILE
where FILE is output from ovs-appctl ofproto/trace.

The following options are also available:
  -h, --help                  display this help message
  -V, --version               display version information
  --ovnsb=DATABASE            use DATABASE as southbound DB
  --ovnnb=DATABASE            use DATABASE as northbound DB
  --ovsdb=DATABASE            use DATABASE as OVS DB


On the newer version:

# rpm -qa | egrep "openv|ovn"
ovn2.13-20.06.2-2.el8fdp.x86_64
openvswitch2.13-2.13.0-49.el8fdp.x86_64
ovn2.13-central-20.06.2-2.el8fdp.x86_64
python3-openvswitch2.13-2.13.0-49.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-host-20.06.2-2.el8fdp.x86_64

We see the new SSL-related parameters.

# ovn-detrace -h
/usr/bin/ovn-detrace:
usage: /usr/bin/ovn-detrace < FILE
where FILE is output from ovs-appctl ofproto/trace.

The following options are also available:
  -h, --help                  display this help message
  -V, --version               display version information
  --ovnsb=DATABASE            use DATABASE as southbound DB
  --ovnnb=DATABASE            use DATABASE as northbound DB
  --ovsdb=DATABASE            use DATABASE as OVS DB
  -p, --private-key=FILE      file with private key
  -c, --certificate=FILE      file with certificate for private key
  -C, --ca-cert=FILE          file with peer CA certificate

If ovn-detrace uses an SSL connection without the new parameters, as in the case below (connecting to the southbound DB), it reports an error.

# ovn-detrace --ovnsb=ssl:127.0.0.1:6642 <tmp1
/usr/bin/ovn-detrace: SSL connection requires private key, certificate for private key, and peer CA certificate as arguments.

If the SSL key/certificate are added using the new parameters, the ovn-detrace tool can use them to set up the SSL connection successfully.

# ovn-detrace -p /etc/openvswitch/sdb-privkey.pem -c /etc/openvswitch/sdb-cert.pem -C /var/lib/openvswitch/pki/controllerca/cacert.pem --ovnsb=ssl:127.0.0.1:6642 <tmp1
Flow: icmp,in_port=2,vlan_tci=0x0000,dl_src=00:01:02:03:01:01,dl_dst=00:01:03:0d:ff:01,nw_src=192.168.1.1,nw_dst=192.168.2.1,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0

bridge("br-int")
----------------
0. in_port=2, priority 100, cookie 0x2df51247
set_field:0x4->reg13
set_field:0x6->reg11
set_field:0x5->reg12
set_field:0x2->metadata
set_field:0x2->reg14
resubmit(,8)
  *  Logical datapath: "ls1" (904dec4f-04dc-40e3-b61f-f07228e75b00)
  *  Port Binding: logical_port "ls1p1", tunnel_key 2, 
8. reg14=0x2,metadata=0x2, priority 50, cookie 0x204c88dc
resubmit(,9)
<...omitted...>

64. priority 0
resubmit(,65)
65. reg15=0x2,metadata=0x1, priority 100, cookie 0x215e018d
output:1
pop:NXM_OF_IN_PORT[]
-> NXM_OF_IN_PORT[] is now 2
  *  Logical datapath: "ls2" (c05e2f22-c73d-4fd2-95e5-a3b184bffbca)
  *  Port Binding: logical_port "ls2p1", tunnel_key 2, 

Final flow: icmp,reg11=0x6,reg12=0x5,reg13=0x4,reg14=0x2,reg15=0x1,metadata=0x2,in_port=2,vlan_tci=0x0000,dl_src=00:01:02:03:01:01,dl_dst=00:01:03:0d:ff:01,nw_src=192.168.1.1,nw_dst=192.168.2.1,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0
Megaflow: recirc_id=0,eth,ip,in_port=2,dl_src=00:01:02:03:01:01,dl_dst=00:01:03:0d:ff:01,nw_src=192.168.1.0/25,nw_dst=192.168.2.1,nw_ttl=64,nw_frag=no
Datapath actions: ct_clear,ct_clear,set(eth(src=00:01:03:0d:ff:02,dst=00:01:02:03:02:01)),set(ipv4(ttl=63)),2


So, with this new feature, ovn-detrace can use an SSL connection.
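
The argument check behind the error shown in the comment above, written as an added example that is not ovn-detrace's own code: it parses the options from the quoted --help text with getopt and refuses any "ssl:" remote unless the private key, certificate and peer CA certificate were all supplied. The option parsing and the default values are assumptions made here; only the option names and the error text come from the report.

```python
import getopt
from typing import Dict, List, Optional

# Option spellings mirrored from the ovn-detrace --help text quoted above.
SHORT_OPTS = "hVp:c:C:"
LONG_OPTS = ["help", "version", "ovnsb=", "ovnnb=", "ovsdb=",
             "private-key=", "certificate=", "ca-cert="]

# Error text as printed by ovn-detrace in the comment above.
SSL_ERROR = ("SSL connection requires private key, certificate for "
             "private key, and peer CA certificate as arguments.")

DB_KEYS = ("ovnsb", "ovnnb", "ovsdb")
PKI_KEYS = ("private-key", "certificate", "ca-cert")


def parse_args(argv: List[str]) -> Dict[str, Optional[str]]:
    """Parse ovn-detrace style options into a dict (hypothetical helper).

    Unset options stay None; no default DB remotes are assumed here.
    """
    opts, _ = getopt.gnu_getopt(argv, SHORT_OPTS, LONG_OPTS)
    cfg: Dict[str, Optional[str]] = {k: None for k in DB_KEYS + PKI_KEYS}
    for opt, val in opts:
        if opt in ("-p", "--private-key"):
            cfg["private-key"] = val
        elif opt in ("-c", "--certificate"):
            cfg["certificate"] = val
        elif opt in ("-C", "--ca-cert"):
            cfg["ca-cert"] = val
        elif opt in ("--ovnsb", "--ovnnb", "--ovsdb"):
            cfg[opt[2:]] = val          # strip the leading "--"
    return cfg


def ssl_error(cfg: Dict[str, Optional[str]]) -> Optional[str]:
    """Return SSL_ERROR when any DB remote uses ssl: but the PKI set is incomplete."""
    uses_ssl = any((cfg[k] or "").startswith("ssl:") for k in DB_KEYS)
    have_pki = all(cfg[k] for k in PKI_KEYS)
    return SSL_ERROR if uses_ssl and not have_pki else None


if __name__ == "__main__":
    # Constructed invocation matching the failing command in the comment.
    print(ssl_error(parse_args(["--ovnsb=ssl:127.0.0.1:6642"])))
```
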

Comment 7 errata-xmlrpc 2020-09-16 16:01:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3769

