On Wed, Mar 30, 2016 at 08:23:23PM -0400, Russell Bryant wrote:
> On Wed, Mar 30, 2016 at 8:15 PM, Ben Pfaff <b...@ovn.org> wrote:
>
> > On Wed, Mar 30, 2016 at 07:56:51PM -0400, Russell Bryant wrote:
> > > On Wed, Mar 30, 2016 at 2:40 PM, Ben Pfaff <b...@ovn.org> wrote:
> > > > I'm starting to get really disturbed that ssl isn't the default here.
> > >
> > > We need to add SSL config to these tables.
> >
> > I'm not sure that it makes sense to have SSL configuration in
> > OVN_Northbound or OVN_Southbound, because the clients would need to
> > connect to the databases before they could obtain the configuration.
> > I'd guess that SSL configuration would have to be populated to each
> > hypervisor as a separate step before it joins OVN for the first time.
> >
> > Or maybe I misunderstand your point.
> >
>
> I honestly haven't thought through this in enough detail, but:
>
> I was talking about the server side config. ovsdb-server for OVS is
> started with:
>
>     set "$@" --private-key=db:Open_vSwitch,SSL,private_key
>     set "$@" --certificate=db:Open_vSwitch,SSL,certificate
>     set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
>
> I assumed we might add the same SSL table to the OVN dbs. Then again, it
> seems kind of awkward to me to have this in the DB. I'd expect it to be
> something only configured locally.

Right, it's a little different because the Open_vSwitch schema that
ovs-vswitchd uses is for a single machine only and primarily (though not
exclusively) accessed from that machine.

> Anyway, I'd love to see this get sorted out and have SSL everywhere the
> default.

I agree.