Ben Pfaff <b...@ovn.org> wrote on 03/30/2016 10:03:35 PM:

> From: Ben Pfaff <b...@ovn.org>
> To: Russell Bryant <russ...@ovn.org>
> Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> Date: 03/30/2016 10:03 PM
> Subject: Re: [ovs-dev] [PATCH 1/1] Rationalize ovn-ctl arguments.
>
> On Wed, Mar 30, 2016 at 08:23:23PM -0400, Russell Bryant wrote:
> > On Wed, Mar 30, 2016 at 8:15 PM, Ben Pfaff <b...@ovn.org> wrote:
> >
> > > On Wed, Mar 30, 2016 at 07:56:51PM -0400, Russell Bryant wrote:
> > > > On Wed, Mar 30, 2016 at 2:40 PM, Ben Pfaff <b...@ovn.org> wrote:
> > > > > I'm starting to get really disturbed that ssl isn't the default here.
> > > >
> > > > We need to add SSL config to these tables.
> > >
> > > I'm not sure that it makes sense to have SSL configuration in
> > > OVN_Northbound or OVN_Southbound, because the clients would need to
> > > connect to the databases before they could obtain the configuration.
> > > I'd guess that SSL configuration would have to be populated to each
> > > hypervisor as a separate step before it joins OVN for the first time.
> > >
> > > Or maybe I misunderstand your point.
> > >
> >
> > I honestly haven't thought through this in enough detail, but:
> >
> > I was talking about the server side config. ovsdb-server for OVS is
> > started with:
> >
> >     set "$@" --private-key=db:Open_vSwitch,SSL,private_key
> >     set "$@" --certificate=db:Open_vSwitch,SSL,certificate
> >     set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
> >
> > I assumed we might add the same SSL table to the OVN dbs. Then again, it
> > seems kind of awkward to me to have this in the DB. I'd expect it to be
> > something only configured locally.
>
> Right, it's a little different because the Open_vSwitch schema that
> ovs-vswitchd uses is for a single machine only and primarily (though not
> exclusively) accessed from that machine.
>
> > Anyway, I'd love to see this get sorted out and have SSL everywhere the
> > default.
>
> I agree.
Yes, SSL everywhere is a Good Thing (TM); however, that is a bit orthogonal to
where the original patch was going, which is that there will be times where the
ovsdb server processes should only listen to connections being made to a single
IP address.

Ryan
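The two points raised in this thread, SSL configured locally on the server
rather than read out of a database table, and an ovsdb-server that listens on
one explicit address instead of every interface, can be combined in a small
startup helper. The following is an added example written for this page; it is
not code from the thread or from the OVS/OVN project. It relies on the
documented ovsdb-server options --remote=pssl:PORT:IP, --private-key,
--certificate and --ca-cert; the PEM file names, the database path, the port
and the 192.0.2.x addresses are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or the OVS/OVN project): build an
# ovsdb-server argument list for an OVN database that
#   (a) enables SSL from locally kept PEM files instead of a DB table, and
#   (b) listens only on one explicit IPv4 address, never on every interface.
# Assumptions: --remote=pssl:PORT:IP, --private-key, --certificate and
# --ca-cert are ovsdb-server's documented options; file names, port and
# addresses below are placeholders.

# Accept exactly one concrete dotted-quad IPv4 address. The wildcard
# 0.0.0.0 is rejected on purpose: binding it would expose the database on
# every interface, which is what the single-address requirement avoids.
is_single_ipv4() {
    addr=$1
    case "$addr" in
        0.0.0.0 | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Emit one argument per line for ovsdb-server.
#   $1 = database file, $2 = bind address, $3 = port,
#   $4 = directory holding the PEM files (placeholder names below).
ovsdb_ssl_args() {
    db=$1 addr=$2 port=$3 pki=$4
    if ! is_single_ipv4 "$addr"; then
        echo "refusing to listen on '$addr': give one concrete IPv4 address" >&2
        return 1
    fi
    case "$port" in
        '' | *[!0-9]*) echo "bad port '$port'" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "--remote=pssl:$port:$addr" \
        "--private-key=$pki/ovn-privkey.pem" \
        "--certificate=$pki/ovn-cert.pem" \
        "--ca-cert=$pki/cacert.pem" \
        "$db"
}

# Usage with placeholder paths and address (paths must not contain spaces,
# since the command substitution is split on whitespace):
#   ovsdb-server $(ovsdb_ssl_args /var/lib/openvswitch/ovnnb_db.db \
#                                 192.0.2.10 6641 /etc/openvswitch)
```

Because the key and certificate paths are plain files on the host, the
database never has to be reachable before SSL is configured, which is the
chicken-and-egg problem Ben points out for putting SSL settings into
OVN_Northbound or OVN_Southbound.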