diff --git a/rally_ovs/plugins/ovs/deployment/engines/ovn_sandbox_controller.py b/rally_ovs/plugins/ovs/deployment/engines/ovn_sandbox_controller.py
index 4f0ffba..d1d1ce0 100644
--- a/rally_ovs/plugins/ovs/deployment/engines/ovn_sandbox_controller.py
+++ b/rally_ovs/plugins/ovs/deployment/engines/ovn_sandbox_controller.py
@@ -98,13 +98,18 @@ def deploy(self):
 ovs_user = self.config.get("ovs_user", OVS_USER)
 ovs_controller_cidr = self.config.get("controller_cidr")
 net_dev = self.config.get("net_dev", "eth0")
+ ssl = self.config.get("enable_ssl", False)
 # start ovn controller with non-root user
 ovs_server = get_updated_server(server, user=ovs_user)
-
- cmd = "./ovs-sandbox.sh --controller --ovn \
- --controller-ip %s --device %s;" % \
- (ovs_controller_cidr, net_dev)
+ if ssl:
+ cmd = "./ovs-sandbox.sh --controller --ovn \
+ --controller-ip %s --device %s --ssl;" % \
+ (ovs_controller_cidr, net_dev)
+ else:
+ cmd = "./ovs-sandbox.sh --controller --ovn \
+ --controller-ip %s --device %s;" % \
+ (ovs_controller_cidr, net_dev)
 if install_method == "docker":
 LOG.info("Do not run ssh; deployed by ansible-docker")
diff --git a/rally_ovs/plugins/ovs/deployment/engines/ovs/certs.tar.gz b/rally_ovs/plugins/ovs/deployment/engines/ovs/certs.tar.gz
new file mode 100755
index 0000000..04f96c0
Binary files /dev/null and b/rally_ovs/plugins/ovs/deployment/engines/ovs/certs.tar.gz differ
diff --git a/rally_ovs/plugins/ovs/deployment/engines/ovs/ovs-sandbox.sh b/rally_ovs/plugins/ovs/deployment/engines/ovs/ovs-sandbox.sh
index e4c731e..3a3afe9 100755
--- a/rally_ovs/plugins/ovs/deployment/engines/ovs/ovs-sandbox.sh
+++ b/rally_ovs/plugins/ovs/deployment/engines/ovs/ovs-sandbox.sh
@@ -105,6 +105,8 @@ Other options:
 --cleanup=SANDBOX Cleanup the sandbox
 --cleanup-all Cleanup all sandboxes
 --graceful Graceful cleanup/stop sandbox
+ --ssl Enable ssl
+
 EOF
 exit 0
 ;;
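Review bot: The `if ssl:` / `else:` branches in deploy() build the same command string twice and differ only in the `--ssl` token, so any later change to the controller command line has to be made in two places; the `_create_sandbox` hunk in rally_ovs/plugins/ovs/scenarios/sandbox.py has the same shape. Append the flag instead: `ssl_flag = " --ssl" if ssl else ""` and `cmd = "./ovs-sandbox.sh --controller --ovn --controller-ip %s --device %s%s;" % (ovs_controller_cidr, net_dev, ssl_flag)`. `if ssl:` is also a plain truthiness test, so if `self.config` can carry the value as a string such as `"false"` (how the config is parsed is not visible here) SSL would still be enabled; confirm the value arrives as a real boolean. The body of deploy() continues outside the hunk.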
@@ -169,6 +171,9 @@ EOF
 -D|--device)
 prev=device
 ;;
+ --ssl)
+ enable_ssl=true
+ ;;
 -*)
 echo "unrecognized option $option (use --help for help)" >&2
 exit 1
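Review bot: `--ssl` sets `enable_ssl=true`, but no hunk in this diff initialises `enable_ssl=false` before the option loop, and the later hunks test it as `if $enable_ssl ; then`. If the variable is unset when `--ssl` is not given (I cannot see the script's defaults section), `$enable_ssl` expands to nothing, the empty command succeeds, and the SSL branches are taken by default. Add `enable_ssl=false` next to the other option defaults, or test with `if [ "$enable_ssl" = true ]; then` so an unset value reads as off. The option-parsing `case` continues outside the hunk.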
@@ -650,31 +655,67 @@ OVN_SB_DB=unix:$sandbox/db-sb.sock; export OVN_SB_DB
 EOF
 . $sandbox_name/sandbox.rc
- # Northbound db server
- prog_name='ovsdb-server-nb'
- run_service $prog_name ovsdb-server --detach --no-chdir \
- --pidfile=$prog_name.pid \
- --unixctl=$prog_name.ctl \
- -vconsole:off -vsyslog:off -vfile:info \
- --log-file=$prog_name.log \
- --remote=p$OVN_NB_DB \
- conf-nb.db ovnnb.db
- pid=`cat $sandbox_name/$prog_name.pid`
- mv $sandbox_name/$prog_name.ctl $sandbox_name/$prog_name.$pid.ctl
-
- # Southbound db server
- prog_name='ovsdb-server-sb'
- run_service $prog_name ovsdb-server --detach --no-chdir \
- --pidfile=$prog_name.pid \
- --unixctl=$prog_name.ctl \
- -vconsole:off -vsyslog:off -vfile:info \
- --log-file=$prog_name.log \
- --remote="p$OVN_SB_DB" \
- --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
- conf-sb.db ovnsb.db
- pid=`cat $sandbox_name/$prog_name.pid`
- mv $sandbox_name/$prog_name.ctl $sandbox_name/$prog_name.$pid.ctl
+ if $enable_ssl ; then
+ # Northbound db server
+ prog_name='ovsdb-server-nb'
+ run_service $prog_name ovsdb-server --detach --no-chdir \
+ --pidfile=$prog_name.pid \
+ --unixctl=$prog_name.ctl \
+ -vconsole:off -vsyslog:off -vfile:info \
+ --log-file=$prog_name.log \
+ --remote=db:OVN_Northbound,NB_Global,connections \
+ --private-key=db:OVN_Northbound,SSL,private_key \
+ --certificate=db:OVN_Northbound,SSL,certificate \
+ --ca-cert=db:OVN_Northbound,SSL,ca_cert \
+ --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols \
+ --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers \
+ --remote=p$OVN_NB_DB ovnnb.db
+ pid=`cat $sandbox_name/$prog_name.pid`
+ mv $sandbox_name/$prog_name.ctl $sandbox_name/$prog_name.$pid.ctl
+
+ # Southbound db server
+ prog_name='ovsdb-server-sb'
+ run_service $prog_name ovsdb-server --detach --no-chdir \
+ --pidfile=$prog_name.pid \
+ --unixctl=$prog_name.ctl \
+ -vconsole:off -vsyslog:off -vfile:info \
+ --log-file=$prog_name.log \
+ --remote=db:OVN_Southbound,SB_Global,connections \
+ --private-key=db:OVN_Southbound,SSL,private_key \
+ --certificate=db:OVN_Southbound,SSL,certificate \
+ --ca-cert=db:OVN_Southbound,SSL,ca_cert \
+ --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols \
+ --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers \
+ --remote=p$OVN_SB_DB ovnsb.db
+ pid=`cat $sandbox_name/$prog_name.pid`
+ mv $sandbox_name/$prog_name.ctl $sandbox_name/$prog_name.$pid.ctl
+ else
+ # Northbound db server
+ prog_name='ovsdb-server-nb'
+ run_service $prog_name ovsdb-server --detach --no-chdir \
+ --pidfile=$prog_name.pid \
+ --unixctl=$prog_name.ctl \
+ -vconsole:off -vsyslog:off -vfile:info \
+ --log-file=$prog_name.log \
+ --remote=p$OVN_NB_DB \
+ conf-nb.db ovnnb.db
+ pid=`cat $sandbox_name/$prog_name.pid`
+ mv $sandbox_name/$prog_name.ctl $sandbox_name/$prog_name.$pid.ctl
+
+ # Southbound db server
+ prog_name='ovsdb-server-sb'
+ run_service $prog_name ovsdb-server --detach --no-chdir \
+ --pidfile=$prog_name.pid \
+ --unixctl=$prog_name.ctl \
+ -vconsole:off -vsyslog:off -vfile:info \
+ --log-file=$prog_name.log \
+ --remote="p$OVN_SB_DB" \
+ --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
+ conf-sb.db ovnsb.db
+ pid=`cat $sandbox_name/$prog_name.pid`
+ mv $sandbox_name/$prog_name.ctl $sandbox_name/$prog_name.$pid.ctl
+ fi
 fi
 else
 touch "$sandbox"/.conf.db.~lock~
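Review bot: The `if $enable_ssl` / `else` branches repeat the whole Northbound and Southbound `run_service` sequence, while the only real differences are the extra `--remote=db:...`/`--private-key=.../--certificate=.../--ca-cert=...` options and the database files passed (`ovnnb.db` versus `conf-nb.db ovnnb.db`); two near-identical 25-line blocks are easy to let drift apart. Put the branch-specific options into arrays (the script already uses bash syntax such as `function start_ovn {`) and keep a single start sequence per server, as sketched below. The outer `if` whose `fi` follows `+ fi` starts outside the hunk.
```shell
if $enable_ssl ; then
    nb_opts=(--remote=db:OVN_Northbound,NB_Global,connections
             --private-key=db:OVN_Northbound,SSL,private_key
             --certificate=db:OVN_Northbound,SSL,certificate
             --ca-cert=db:OVN_Northbound,SSL,ca_cert
             --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
             --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers)
    nb_dbs=(ovnnb.db)
    sb_opts=(--remote=db:OVN_Southbound,SB_Global,connections
             --private-key=db:OVN_Southbound,SSL,private_key
             --certificate=db:OVN_Southbound,SSL,certificate
             --ca-cert=db:OVN_Southbound,SSL,ca_cert
             --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
             --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers)
    sb_dbs=(ovnsb.db)
else
    nb_opts=()
    nb_dbs=(conf-nb.db ovnnb.db)
    sb_opts=(--remote=db:Open_vSwitch,Open_vSwitch,manager_options)
    sb_dbs=(conf-sb.db ovnsb.db)
fi

# Northbound db server
prog_name='ovsdb-server-nb'
run_service $prog_name ovsdb-server --detach --no-chdir \
    --pidfile=$prog_name.pid \
    --unixctl=$prog_name.ctl \
    -vconsole:off -vsyslog:off -vfile:info \
    --log-file=$prog_name.log \
    --remote=p$OVN_NB_DB "${nb_opts[@]}" "${nb_dbs[@]}"
pid=`cat $sandbox_name/$prog_name.pid`
mv $sandbox_name/$prog_name.ctl $sandbox_name/$prog_name.$pid.ctl

# … unchanged: same sequence for the Southbound db server, with sb_opts / sb_dbs …
```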
@@ -694,19 +735,35 @@ EOF
 # Initialize database.
 if $controller ; then
- init_ovsdb_server "ovsdb-server-nb" $OVN_NB_DB
- init_ovsdb_server "ovsdb-server-sb" $OVN_SB_DB
+ if $enable_ssl ; then
+ tar -xzvf certs.tar.gz
+ abs_path=`pwd`/certs
+ ovn-nbctl set-ssl $abs_path/ovnnb-privkey.pem $abs_path/ovnnb-cert.pem \
+ $abs_path/cacert.pem
+ ovn-nbctl set-connection pssl:6641:127.0.0.1
+ ovn-sbctl set-ssl $abs_path/ovnsb-privkey.pem $abs_path/ovnsb-cert.pem \
+ $abs_path/cacert.pem
+ ovn-sbctl set-connection pssl:6642:$CON_IP
+ ovn-sbctl set conn . inactivity_probe=0
+ else
+ init_ovsdb_server "ovsdb-server-nb" $OVN_NB_DB
+ init_ovsdb_server "ovsdb-server-sb" $OVN_SB_DB
- ovs-vsctl --db=$OVN_SB_DB --no-wait \
- -- set open_vswitch . manager_options=@uuid \
- -- --id=@uuid create Manager target="$OVSDB_REMOTE" inactivity_probe=0
+ ovs-vsctl --db=$OVN_SB_DB --no-wait \
+ -- set open_vswitch . manager_options=@uuid \
+ -- --id=@uuid create Manager target="$OVSDB_REMOTE" inactivity_probe=0
+ fi
 else
 init_ovsdb_server "ovsdb-server" unix:"$sandbox"/db.sock
 run ovs-vsctl --no-wait set open_vswitch . system-type="sandbox"
 if $ovn ; then
- OVN_REMOTE="tcp:$CON_IP:6640"
+ if $enable_ssl ; then
+ OVN_REMOTE="ssl:$CON_IP:6642"
+ else
+ OVN_REMOTE="tcp:$CON_IP:6640"
+ fi
 ip_addr_add $host_ip $device
 SANDBOX_BIND_IP=$host_ip
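Review bot: `tar -xzvf certs.tar.gz` unpacks a CA certificate and the ovnnb/ovnsb private keys that this commit checks into the repository as rally_ovs/plugins/ovs/deployment/engines/ovs/certs.tar.gz and ships unchanged to every deployment, so the resulting TLS setup encrypts the transport but authenticates nothing meaningful: every deployment shares one CA and one set of keys that are published with the source. That is tolerable for a throwaway benchmark sandbox only if it is stated, so add a comment above the `tar` line such as `# certs.tar.gz is a fixed test CA and key set shared by every deployment; generate per-deployment material (e.g. ovs-pki) before using --ssl outside an isolated test network`, and consider generating the bundle at deploy time instead of committing it. Two smaller points: extraction depends on the current directory being where `_put_file` placed the tarball (not visible here), and `tar -x` keeps the archive's file modes, so a `chmod 600 $abs_path/*-privkey.pem` after extraction would keep the keys from being readable by other local users; `` `pwd` `` would also read better as `$PWD`. The surrounding `if $controller` block starts outside the hunk.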
@@ -756,9 +813,19 @@ function start_ovn {
 --ovnsb-db=$OVN_SB_DB
 else
 if $ovn ; then
- run_service ovn-controller ovn-controller --detach --no-chdir \
- --pidfile \
- -vconsole:off -vsyslog:off -vfile:info --log-file
+ if [$enable_ssl = true]; then
+ tar -xzvf certs.tar.gz
+ abs_path=`pwd`/certs
+ run_service ovn-controller ovn-controller \
+ --private-key=$abs_path/ovn-controller-privkey.pem \
+ --certificate=$abs_path/ovn-controller-cert.pem \
+ --ca-cert=$abs_path/cacert.pem --detach --no-chdir \
+ --pidfile -vconsole:off -vsyslog:off -vfile:info --log-file
+ else
+ run_service ovn-controller ovn-controller --detach --no-chdir \
+ --pidfile \
+ -vconsole:off -vsyslog:off -vfile:info --log-file
+ fi
 fi
 fi
 }
diff --git a/rally_ovs/plugins/ovs/deployment/sandbox.py b/rally_ovs/plugins/ovs/deployment/sandbox.py
index 08f9969..db2a8e1 100644
--- a/rally_ovs/plugins/ovs/deployment/sandbox.py
+++ b/rally_ovs/plugins/ovs/deployment/sandbox.py
@@ -73,6 +73,7 @@ def _install_ovs(self, server):
 ovs_server = get_updated_server(server, user=ovs_user)
 self._put_file(ovs_server, "install.sh")
 self._put_file(ovs_server, "ovs-sandbox.sh")
+ self._put_file(ovs_server, "certs.tar.gz")
 cmds = []
diff --git a/rally_ovs/plugins/ovs/scenarios/sandbox.py b/rally_ovs/plugins/ovs/scenarios/sandbox.py
index 40851a5..cb1155d 100644
--- a/rally_ovs/plugins/ovs/scenarios/sandbox.py
+++ b/rally_ovs/plugins/ovs/scenarios/sandbox.py
@@ -126,6 +126,7 @@ def _create_sandbox(self, sandbox_create_args):
 start_cidr = sandbox_create_args.get("start_cidr")
 net_dev = sandbox_create_args.get("net_dev", "eth0")
 tag = sandbox_create_args.get("tag", "")
+ ssl = sandbox_create_args.get("enable_ssl", False)
 LOG.info("-------> Create sandbox method: %s" % self.install_method)
 install_method = self.install_method
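Review bot: `if [$enable_ssl = true]; then` has no spaces inside the brackets, so the shell looks for a command named `[true` (or `[false`), which fails, and the branch that passes `--private-key`/`--certificate`/`--ca-cert` to ovn-controller never runs; in SSL deployments the controller then starts without any TLS material while the other hunk points it at `ssl:$CON_IP:6642`. Use the same form as the rest of the script, `if $enable_ssl ; then`, or the explicit `if [ "$enable_ssl" = true ]; then`. The `tar -xzvf certs.tar.gz` / `abs_path=\`pwd\`/certs` pair is also a copy of the controller branch and could live in one small helper that extracts the bundle once. start_ovn begins outside the hunk.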
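Review bot: `self._put_file(ovs_server, "certs.tar.gz")` in _install_ovs() copies the private-key bundle to every host on every install, whether or not `enable_ssl` is set, so key material lands on machines that never use it. If the deployment config is reachable from this method (the hunk does not show it), gate the upload, e.g. `if self.config.get("enable_ssl", False):` around the call; either way a one-line comment such as `# TLS test bundle consumed by ovs-sandbox.sh --ssl` would tell readers why a tarball is shipped alongside the scripts. _install_ovs() continues outside the hunk.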
@@ -159,10 +160,16 @@ def _create_sandbox(self, sandbox_create_args):
 cmds = []
 for host_ip in host_ip_list:
- cmd = "./ovs-sandbox.sh --ovn --controller-ip %s \
- --host-ip %s/%d --device %s" % \
- (controller_ip, host_ip, sandbox_cidr.prefixlen,
- net_dev)
+ if ssl:
+ cmd = "./ovs-sandbox.sh --ovn --controller-ip %s \
+ --host-ip %s/%d --device %s --ssl" % \
+ (controller_ip, host_ip, sandbox_cidr.prefixlen,
+ net_dev)
+ else:
+ cmd = "./ovs-sandbox.sh --ovn --controller-ip %s \
+ --host-ip %s/%d --device %s" % \
+ (controller_ip, host_ip, sandbox_cidr.prefixlen,
+ net_dev)
 cmds.append(cmd)
 sandboxes["sandbox-%s" % host_ip] = tag
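Review bot: The host side now takes `--ssl` from `sandbox_create_args["enable_ssl"]` while the controller side takes it from the deployment config's `enable_ssl` (ovn_sandbox_controller.py hunk), and nothing in this diff ties the two together: a sandbox created with `enable_ssl` sets `OVN_REMOTE="ssl:$CON_IP:6642"` and cannot reach a controller deployed without it, and the reverse sends hosts to `tcp:$CON_IP:6640`, which the SSL controller does not open as far as these hunks show. Document the coupling on the argument, e.g. `# enable_ssl must match the controller deployment's enable_ssl; the controller listens on ssl:6642 or tcp:6640, never both`, and if the scenario can see the deployment's recorded setting (not visible here) compare the two and raise early instead of failing silently at connect time. The duplicated command strings have the same shape as the controller hunk and would collapse to one template with a `%s` for an optional ` --ssl` suffix. _create_sandbox() continues outside the hunk.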