Right, Nicira controller needs manual OVS certificate addition. <div>From my earlier mail<div><i>"Nicira approach today is to add ovs certificates onto ovs controller manually."</i><br><br>Hence, I like Srini's proposal. I suggest to write extensions to your custom plugin. Once accepted it can be part of the core.</div>
<div><br></div><div>Thanks,</div><div>-Ravi.<br><br><br><div class="gmail_quote">On Wed, Aug 7, 2013 at 8:15 AM, Somanchi Trinath-B39208 <span dir="ltr"><<a href="mailto:B39208@freescale.com" target="_blank">B39208@freescale.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi Ravi-<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We want achieve the same from Quantum Client through Quantum OVS Agent.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Is there any such implementation available for the same with openstack.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I think, the below manual mentions the manual configuration using ovs cli.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanking you.<u></u><u></u></span></p><div class="im">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">--<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Trinath Somanchi - B39208<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#548dd4">trinath.somanchi@</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#548dd4">freescale</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#548dd4">.com</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
| extn: 4048<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
</div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ravi Chunduru [mailto:<a href="mailto:ravivsn@gmail.com" target="_blank">ravivsn@gmail.com</a>]
<br>
<b>Sent:</b> Wednesday, August 07, 2013 8:04 PM</span></p><div><div class="h5"><br>
<b>To:</b> OpenStack Development Mailing List<br>
<b>Subject:</b> Re: [openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack<u></u><u></u></div></div><p></p>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi Trinath,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">I could get this information from<a href="https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/Nicira_SingleNode/OpenStack_Grizzly_Install_Guide.rst" target="_blank"> Grizzly installation guide </a><u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p style="margin-right:0in;margin-bottom:11.25pt;margin-left:0in;line-height:18.75pt;background:white">
<u></u><span style="font-size:10.0pt;font-family:Symbol;color:#333333"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#333333">Register this Hypervisor Transport Node (Open vSwitch) with Nicira NVP:<u></u><u></u></span></p>
<div style="border:solid #dddddd 1.0pt;padding:5.0pt 8.0pt 5.0pt 8.0pt;background:#f8f8f8;margin-right:0in">
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;overflow:auto">
<u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas"><u></u> <u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas"><u></u> <u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#333333"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#333333"># Set the open vswitch manager address<u></u><u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#333333"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#333333">ovs-vsctl set-manager ssl:<IP Address of one of your Nicira NVP controllers><u></u><u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#333333"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#333333"><u></u> <u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#333333"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#333333"># Get the client pki cert<u></u><u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#333333"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#333333">cat /etc/openvswitch/ovsclient-cert.pem<u></u><u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#333333"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#333333"><u></u> <u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#3333ff"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#3333ff"># Copy the contents of the output including the BEGIN and END CERTIFICATE lines and be prepared to paste this into NVP manager<u></u><u></u></span></pre>
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:.25in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><u></u><span style="font-family:Symbol;color:#3333ff"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-family:Consolas;color:#3333ff"># In NVP Manager add a new Hypervisor, follow the prompts and paste the client certificate when prompted<u></u><u></u></span></pre>
</div>
<div style="border:solid #dddddd 1.0pt;padding:5.0pt 8.0pt 5.0pt 8.0pt;background:#f8f8f8">
<pre style="margin-right:0in;margin-bottom:11.25pt;margin-left:0in;line-height:14.25pt;background:#f8f8f8;border:none;padding:0in"><span style="font-family:Consolas;color:#3333ff"># Please review the NVP User Guide for details on adding Hypervisor transport nodes to NVP for more information on this step</span><span style="font-family:Consolas"><u></u><u></u></span></pre>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">-Ravi.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Wed, Aug 7, 2013 at 2:58 AM, Somanchi Trinath-B39208 <<a href="mailto:B39208@freescale.com" target="_blank">B39208@freescale.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi Ravi-</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">With respect to NICIRA NVP Plugin in Quantum, All the processing is done with respect to Nicira NVP.
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Also, the Controller cluster arguments are provided from ini file.
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Can you point me to where the OVS certificates are handled in Nicira code base for quantum.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">--</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Trinath Somanchi - B39208</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#548dd4"><a href="mailto:trinath.somanchi@freescale.com" target="_blank">trinath.somanchi@freescale.com</a></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
| extn: 4048</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ravi Chunduru [mailto:<a href="mailto:ravivsn@gmail.com" target="_blank">ravivsn@gmail.com</a>]
<br>
<b>Sent:</b> Wednesday, August 07, 2013 11:32 AM<br>
<b>To:</b> OpenStack Development Mailing List<br>
<b>Subject:</b> Re: [openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack</span><u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<p>look into nicira neutrón plugin. <br>
I like the idea of ovs controller config driven through neutrón api. Nicira approach today is to add ovs certificates onto ovs controller manually.<u></u><u></u></p>
<p>On Aug 6, 2013 9:09 PM, "Addepalli Srini-B22160" <<a href="mailto:B22160@freescale.com" target="_blank">B22160@freescale.com</a>> wrote:<br>
><br>
> Hi,<br>
> <br>
> Using OVS Quantum Plugin and agent, it is possible to configure OVS with<br>
> <br>
> Openflow logical switches.<br>
> Tables<br>
> Ports to the logical switches (VLAN, VXLAN, GRE etc..)<br>
> <br>
> OVS Agent in each compute node uses local ovs-vsctl command to configure above.<br>
> <br>
> But, there is no simple way for Openstack quantum to configure OVS in compute nodes with OF controller IP address, TCP Port, SSL Certificates etc..<br>
> Also, there is no mechanism today to get hold of DPID of the OVS logical switches by Openstack controller.<br>
> <br>
> Do you think that it is good to enhance Openstack OVS Quantum Plugin and agent to pass above information?<br>
> <br>
> At very high level, we are thinking to introduce following:<br>
> <br>
> <br>
> Configuration of OF Controller reachability information<br>
> Quantum extension API though which is used to set following:<br>
> Set of Openflow controllers - For each OF controller<br>
> IP address, Port<br>
> SSL Enabled Yes/No.<br>
> If SSL enabled<br>
> CA certificate chain to validate OF controller identification by the OVS.<br>
> Zone/Cell for which this OF controller is applicable for.<br>
> Changes to QuantumClient to configure above.<br>
> OVS Quantum Plugin to store above information in the database.<br>
> OVS Quantum Agent to Plugin communication to get hold of OF controller information.<br>
> OVS Quantum Agent to add the information in OVS using ovs-vsctl.<br>
> Generation of logical switch certificates<br>
> OVS Quantum agent requests the plugin to generate local certificate and private key for each one of the logical switches<br>
> Agent to send DPID<br>
> Plugin to generate certificate & private key pair and sending them as response.<br>
> Plugin configuration file to have CA certificate to use to sign the logical switch certificates.<br>
> <br>
> <br>
> Does that make sense? Is this work going on somewhere else?<br>
> <br>
> Thanks<br>
> Srini<br>
> <br>
> <br>
> <br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><u></u><u></u></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <br>
Ravi<u></u><u></u></p>
</div>
</div></div></div>
</div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Ravi<br>
</div></div>