Unable to use SSL URI for OVSDB connection

Bug #1745038 reported by Tim Rozet
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Ihar Hrachyshka
Milestone: (not shown)

Bug Description

When specifying an ssl connection to use with neutron.conf/ovsdb_connection, such as:
ovsdb_connection=ssl:127.0.0.1:6639

The connection will fail because the SSL configuration for the private key, certificate, and CA certificate, which is required when creating an SSL stream connection to OVSDB, is missing. This configuration is not part of ovsdbapp and must be set up before invoking the IDL helper function that asks ovsdbapp to open the connection.
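The failure mode described above is easy to reproduce as a pre-flight check: parse the OVS-style connection string, and if the scheme is ssl, refuse to proceed unless the key, certificate and CA certificate are all configured and readable. The following is an added example written for this page, not neutron's or ovsdbapp's own code. The ovs-library calls in apply_ssl_material (Stream.ssl_set_private_key_file and friends) are assumed from the upstream ovs python package, and the PEM files the demo creates are constructed placeholders, not real key material.

```python
"""Pre-flight validation for an OVSDB ``ovsdb_connection`` URI (added example)."""
import os
import tempfile


class OvsdbSslConfigError(ValueError):
    """Raised when an ssl: connection URI lacks the TLS material it needs."""


def parse_ovsdb_connection(uri):
    """Split an OVS-style connection string into (scheme, target).

    OVS uses ``scheme:rest`` rather than ``scheme://``, for example
    ``ssl:127.0.0.1:6639``, ``tcp:127.0.0.1:6640`` or
    ``unix:/var/run/openvswitch/db.sock``.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or not rest:
        raise ValueError("malformed ovsdb connection string: %r" % uri)
    return scheme.lower(), rest


def check_ssl_material(uri, key_file=None, cert_file=None, ca_cert_file=None):
    """Return the TLS files an ssl: URI needs, or raise before any connect.

    Non-ssl schemes need nothing, so an empty dict is returned for them.
    For ssl: all three paths must be set and readable, which mirrors what
    the OVSDB client library requires before it can open an SSL stream.
    """
    scheme, _target = parse_ovsdb_connection(uri)
    if scheme != "ssl":
        return {}
    required = {"key": key_file, "cert": cert_file, "ca_cert": ca_cert_file}
    missing = [name for name, path in required.items() if not path]
    if missing:
        raise OvsdbSslConfigError(
            "ssl OVSDB connection %r requires %s to be configured"
            % (uri, ", ".join(sorted(missing))))
    unreadable = [p for p in required.values() if not os.access(p, os.R_OK)]
    if unreadable:
        raise OvsdbSslConfigError(
            "cannot read TLS file(s): %s" % ", ".join(unreadable))
    return required


def apply_ssl_material(material):
    """Hand validated paths to the ovs python library when it is installed.

    Assumption: the ovs package exposes Stream.ssl_set_private_key_file,
    Stream.ssl_set_certificate_file and Stream.ssl_set_ca_cert_file as
    process-wide settings that must be applied before the IDL connection
    is opened. Returns True when applied, False when nothing was done.
    """
    if not material:
        return False
    try:
        from ovs.stream import Stream  # assumption: ovs python package present
    except ImportError:
        return False
    Stream.ssl_set_private_key_file(material["key"])
    Stream.ssl_set_certificate_file(material["cert"])
    Stream.ssl_set_ca_cert_file(material["ca_cert"])
    return True


def make_constructed_tls_files():
    """Create placeholder PEM files in a temp dir (constructed, not real keys)."""
    tmpdir = tempfile.mkdtemp(prefix="ovsdb-ssl-example-")
    paths = {}
    for name in ("key", "cert", "ca_cert"):
        path = os.path.join(tmpdir, name + ".pem")
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\nconstructed\n-----END PLACEHOLDER-----\n")
        paths[name + "_file"] = path
    return paths


def demo():
    """Show the bug's failing case next to the configured case."""
    uri = "ssl:127.0.0.1:6639"
    try:
        check_ssl_material(uri)  # the reported configuration: no TLS files
        outcome = "unexpectedly accepted"
    except OvsdbSslConfigError as exc:
        outcome = "rejected: %s" % exc
    material = check_ssl_material(uri, **make_constructed_tls_files())
    return outcome, sorted(material)


if __name__ == "__main__":
    print(demo())
```

Running the block prints the rejection message for the bare ssl: URI followed by the three configured file roles. Performing the check before calling into ovsdbapp turns a confusing connection failure into an explicit configuration error at agent start-up.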

Tags: ovs
Revision history for this message
Tim Rozet (trozet) wrote:

It is possible to re-use the oslo sslutils settings for ca_file, cert_file, and key_file in order to specify which files to use when configuring the client side for the OVSDB connection with neutron.

Changed in neutron:
assignee: nobody → Tim Rozet (trozet)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/536983

Akihiro Motoki (amotoki) wrote:

It is worth fixing, but in the case of ovs-agent the connection to ovsdb would be local to a host. I think it is medium.

Changed in neutron:
importance: Undecided → Medium
tags: added: ovs
Tim Rozet (trozet) wrote:

This has a higher impact on the TripleO project. The goal in TripleO is to provide a deployment of OpenStack with SSL/TLS everywhere (all public facing endpoints, all internal API communication):
https://blueprints.launchpad.net/tripleo/+spec/tls-via-certmonger
https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/ssl.html (TLS Everywhere for overcloud)

Recently I integrated OpenDaylight into TripleO with TLS support. This means Neutron -> ODL communication uses TLS, and then ODL <-> OVS uses TLS. However, we still use the Neutron DHCP agent with ODL. In a non-secure environment, OVS will run a ptcp listener and accept a connection from anyone to become a manager of the dataplane. This is not acceptable for SSL/TLS deployment as it exposes a vulnerability to the network dataplane. In the deployment we set OVS to listen using pssl so that encryption and identity can be ensured. In order for Neutron agents to be able to manage OVS, they also need to use SSL, hence the need for this fix.

Changed in neutron:
milestone: none → queens-rc1
Changed in neutron:
assignee: Tim Rozet (trozet) → Ihar Hrachyshka (ihar-hrachyshka)
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/536983
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8806477abfdac68c409056e22f5e0c50791b8a27
Submitter: Zuul
Branch: master

commit 8806477abfdac68c409056e22f5e0c50791b8a27
Author: Tim Rozet <email address hidden>
Date: Tue Jan 23 16:47:23 2018 -0500

    Fixes using SSL OVSDB connection

    When creating SSL OVSDB connection it is required to set the private
    key, certificate, and the CA certificate in order to communicate with
    OVSDB. This patch configures these when an SSL connection URI is used.
    The settings must be provided as part of neutron.conf under [ovs]
    section.

    Closes-Bug: 1745038

    Change-Id: I19fd9dd0c72260835eb91e557a6029ec9d652179
    Signed-off-by: Tim Rozet <email address hidden>

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 12.0.0.0rc1

This issue was fixed in the openstack/neutron 12.0.0.0rc1 release candidate.
