X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=ovn%2Fovn-architecture.7.xml;h=6ed2cf1325902e24ef16fa6312cb97c1304508f7;hb=56bfa517d9c8face982efc852644c72e1b5b1564;hp=bce32a606b65b83150c22e0d093321bcf609181d;hpb=00c875d0d315fa9fddfd5bae6ad92b08e67f2e7d;p=mirror_ovs.git
diff --git a/ovn/ovn-architecture.7.xml b/ovn/ovn-architecture.7.xml
index bce32a606..6ed2cf132 100644
--- a/ovn/ovn-architecture.7.xml
+++ b/ovn/ovn-architecture.7.xml
@@ -53,8 +53,7 @@
packets between tunnels and a physical Ethernet port. This allows
non-virtualized machines to participate in logical networks. A gateway
may be a physical host, a virtual machine, or an ASIC-based hardware
- switch that supports the vtep
(5) schema. (Support for the
- latter will come later in OVN implementation.)
+ switch that supports the vtep
(5) schema.
@@ -1027,6 +1026,16 @@
localport
exist on every hypervisor and by definition
their traffic should never go out through a tunnel.
+
ovn-controller
is the originator of the multicast packet.
+ Since each ovn-controller
instance is originating these
+ packets, the packets only need to be delivered to local ports.
+
+ OVN allows you to specify a prioritized list of chassis for a distributed
+ gateway port. This is done by associating multiple
+ Gateway_Chassis
rows with a Logical_Router_Port
+ in the OVN_Northbound
database.
+
+ When multiple chassis have been specified for a gateway, all chassis that + may send packets to that gateway will enable BFD on tunnels to all + configured gateway chassis. The current master chassis for the gateway + is the highest priority gateway chassis that is currently viewed as + active based on BFD status. +
+ ++ For more information on L3 gateway high availability, please refer to + http://docs.openvswitch.org/en/latest/topics/high-availability. +
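Review bot: the master-election sentence leaves "currently viewed as active based on BFD status" without a subject, and that matters: each chassis that sends to the gateway runs its own BFD sessions, so the text should say whether every sending chassis selects the master independently from its own BFD view (in which case senders can transiently disagree on the master while BFD state converges) or whether some shared view is used. Suggest rewording to something like "Each chassis that sends to the gateway independently selects, as master, the highest-priority gateway chassis whose tunnel BFD session it sees as up." It would also help to say that BFD is enabled only on the tunnels between sending chassis and the configured gateway chassis, since "all chassis that may send packets to that gateway" leaves the reader to work out which tunnels are affected. Minor: the documentation URL is plain http; consider https.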
+@@ -1436,6 +1467,160 @@
+ In order to provide additional security against the possibility of an OVN
+ chassis becoming compromised in such a way as to allow rogue software to
+ make arbitrary modifications to the southbound database state and thus
+ disrupt the OVN network, role-based access controls (see
+ ovsdb-server(1)
for additional details) are provided for the
+ southbound database.
+
+ The implementation of role-based access controls (RBAC) requires the
+ addition of two tables to an OVSDB schema: the RBAC_Role
+ table, which is indexed by role name and maps the the names of the various
+ tables that may be modifiable for a given role to individual rows in a
+ permissions table containing detailed permission information for that role,
+ and the permission table itself which consists of rows containing the
+ following information:
+
Table Name
Auth Criteria
Insert/Delete
Updatable Columns
+ RBAC configuration for the OVN southbound database is maintained by
+ ovn-northd. With RBAC enabled, modifications are only permitted for the
+ Chassis
, Encap
, Port_Binding
, and
+ MAC_Binding
tables, and are resstricted as follows:
+
Chassis
+ Authorization
: client ID must match the chassis name.
+
+ Insert/Delete
: authorized row insertion and deletion
+ are permitted.
+
+ Update
: The columns nb_cfg
,
+ external_ids
, encaps
, and
+ vtep_logical_switches
may be modified when authorized.
+
Encap
+ Authorization
: client ID must match the chassis name.
+
+ Insert/Delete
: row insertion and row deletion
+ are permitted.
+
+ Update
: The columns type
,
+ options
, and ip
can be modified.
+
Port_Binding
+ Authorization
: disabled (all clients are considered
+ authorized. A future enhancement may add columns (or keys to
+ external_ids
) in order to control which chassis are
+ allowed to bind each port.
+
+ Insert/Delete
: row insertion/deletion are not permitted
+ (ovn-northd maintains rows in this table.
+
+ Update
: Only modifications to the chassis
+ column are permitted.
+
MAC_Binding
+ Authorization
: disabled (all clients are considered
+ to be authorized).
+
+ Insert/Delete
: row insertion/deletion are permitted.
+
+ Update
: The columns logical_port
,
+ ip
, mac
, and datapath
may be
+ modified by ovn-controller.
+
+ Enabling RBAC for ovn-controller connections to the southbound database + requires the following steps: +
+ +external-ids:system-id=chassis-1
, via the command
+ "ovs-pki -u req+sign chassis-1 switch
").
+ ovs-vsctl set open .
+ external-ids:ovn-remote=ssl:x.x.x.x:6642
").
+ ovn-sbctl set-connection role=ovn-controller
+ pssl:6642
").
+
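Review bot: the Port_Binding and MAC_Binding entries both set authorization to "disabled (all clients are considered authorized)", so a compromised chassis can still set the chassis column of any Port_Binding row and insert or rewrite MAC_Binding rows for any datapath; that residual exposure should be stated plainly next to the opening sentence about compromised chassis rather than left implicit in the per-table lists, e.g. "RBAC does not currently prevent a compromised chassis from claiming ports it does not host or from injecting MAC_Binding entries." The Chassis and Encap rules say "client ID must match the chassis name" without saying where the client ID comes from; given the setup steps (ovs-pki req+sign chassis-1 switch, an ssl: remote, and a pssl: listener with role=ovn-controller), say explicitly that the client ID is the CN of the client certificate, that it must equal external-ids:system-id, and that the role is therefore only enforceable on SSL connections with client certificate verification. Typos: "maps the the names", "resstricted", and two unclosed parentheses in the Port_Binding entry ("all clients are considered authorized." and "ovn-northd maintains rows in this table.").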