Set OVSDB Connection.probe_interval

With ovn_cluster, connections were set with --remote on the CLI by ovn-ctl (except for a workaround for TLS connections). Via this method, there is no way to set the inactivity probe interval which is a regression from using non-clustered OVSDB. To achieve setting this value, the connection must be defined in the OVN Connection table. For RAFT, since each server shares the same DB, this means using a single Connection entry that all servers use, which necessitates listening on 0.0.0.0. To make this safe, the firewall_rules are adjusted to only allow OVSDB traffic from the proper subnet. A subsequent patch will be made to tripleo-ansible that removes passing the --create-insecure-remote options to ovn-ctl which, for non-TLS, set ovsdb-server to listen on its specific address. Resolves: rhbz#2110550 Related-Bug: rhbz#2099805 Related-Bug: rhbz#2101588 Related-Bug: rhbz#1952038 Change-Id: I7d8d0530c367708215437c9ac11a6fc17235e784
2022-07-28 18:18:40 +00:00 · 2022-07-28 18:18:40 +00:00 · e2c0b83913
parent d0d98aa2fe
commit e2c0b83913
2 changed files with 34 additions and 11 deletions
--- a/deployment/ovn/ovn-dbs-cluster-ansible.yaml
+++ b/deployment/ovn/ovn-dbs-cluster-ansible.yaml
@ -42,6 +42,10 @@ parameters:
    default: {}
    description: Parameters specific to the role
    type: json
+  OVNOvsdbProbeInterval:
+    description: Probe interval in ms for the OVSDB session
+    type: number
+    default: 60000
  OVNNorthboundServerPort:
    description: Port of the OVN Northbound DB server
    type: number
@ -107,13 +111,23 @@ outputs:
    value:
      service_name: ovn_dbs
      firewall_rules:
-        '121 OVN DB server and cluster ports':
-          proto: 'tcp'
-          dport:
-            - {get_param: OVNNorthboundServerPort}
-            - {get_param: OVNSouthboundServerPort}
-            - {get_param: OVNNorthboundClusterPort}
-            - {get_param: OVNSouthboundClusterPort}
+        map_merge:
+          repeat:
+            for_each:
+              <%net_cidr%>:
+                get_param:
+                  - ServiceData
+                  - net_cidr_map
+                  - {get_param: [ServiceNetMap, OvnDbsNetwork]}
+            template:
+              '121 OVN DB server and cluster ports':
+                proto: 'tcp'
+                source: <%net_cidr%>
+                dport:
+                  - {get_param: OVNNorthboundServerPort}
+                  - {get_param: OVNSouthboundServerPort}
+                  - {get_param: OVNNorthboundClusterPort}
+                  - {get_param: OVNSouthboundClusterPort}
      kolla_config:
        /var/lib/kolla/config_files/ovn_cluster_north_db_server.json:
          command: bash -c $* -- eval source /etc/sysconfig/ovn_cluster; exec /usr/local/bin/start-nb-db-server ${OVN_NB_DB_OPTS}
@ -308,18 +322,19 @@ outputs:
                - ovn_cluster_northd
              loop_control:
                loop_var: ovn_container
-            - name: Set connection # FIXME workaround until RHBZ #1952038 is fixed
+            - name: Set connection
              become: true
              shell: |
-                podman exec ovn_cluster_north_db_server bash -c "ovn-nbctl -p /etc/pki/tls/private/ovn_dbs.key -c /etc/pki/tls/certs/ovn_dbs.crt -C /etc/ipa/ca.crt set-connection pssl:{{ tripleo_ovn_cluster_nb_db_port }}"
-                podman exec ovn_cluster_south_db_server bash -c "ovn-sbctl -p /etc/pki/tls/private/ovn_dbs.key -c /etc/pki/tls/certs/ovn_dbs.crt -C /etc/ipa/ca.crt set-connection pssl:{{ tripleo_ovn_cluster_sb_db_port }}"
+                podman exec ovn_cluster_north_db_server bash -c "ovn-nbctl --no-leader-only --inactivity-probe={{ tripleo_ovn_cluster_probe_interval }} set-connection p{{ tripleo_ovn_cluster_dbs_protocol }}:{{ tripleo_ovn_cluster_nb_db_port }}"
+                podman exec ovn_cluster_south_db_server bash -c "ovn-sbctl --no-leader-only --inactivity-probe={{ tripleo_ovn_cluster_probe_interval }} set-connection p{{ tripleo_ovn_cluster_dbs_protocol }}:{{ tripleo_ovn_cluster_sb_db_port }}"
              when:
-                - enable_internal_tls | bool
                - is_ovn_dbs_bootstrap_node | bool
              vars:
                tripleo_ovn_cluster_network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                tripleo_ovn_cluster_nb_db_port: {get_param: OVNNorthboundServerPort}
                tripleo_ovn_cluster_sb_db_port: {get_param: OVNSouthboundServerPort}
+                tripleo_ovn_cluster_dbs_protocol: "{{ enable_internal_tls | ternary('ssl', 'tcp', 'tcp') }}"
+                tripleo_ovn_cluster_probe_interval: {get_param: OVNOvsdbProbeInterval}
        - name: Start OVN DBs and northd containers (non-bootstrap nodes)
          when:
            - step|int == 4
--- a/releasenotes/notes/add-param-ovn-ovsdb-probe-interval-7ec6aa7f68b9a133.yaml
+++ b/releasenotes/notes/add-param-ovn-ovsdb-probe-interval-7ec6aa7f68b9a133.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Added a new parameter `OVNOvsdbProbeInterval` to configure
+    OVSDB Connection.probe_interval. This requires setting the
+    a single Connection entry for all RAFT servers which listens
+    on all interfaces. To address the security implications, the
+    iptables rules are set to limit traffic to the proper subnet.