X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=ovn%2Fovn-architecture.7.xml;h=6ed2cf1325902e24ef16fa6312cb97c1304508f7;hb=56bfa517d9c8face982efc852644c72e1b5b1564;hp=bce32a606b65b83150c22e0d093321bcf609181d;hpb=00c875d0d315fa9fddfd5bae6ad92b08e67f2e7d;p=mirror_ovs.git diff --git a/ovn/ovn-architecture.7.xml b/ovn/ovn-architecture.7.xml index bce32a606..6ed2cf132 100644 --- a/ovn/ovn-architecture.7.xml +++ b/ovn/ovn-architecture.7.xml @@ -53,8 +53,7 @@ packets between tunnels and a physical Ethernet port. This allows non-virtualized machines to participate in logical networks. A gateway may be a physical host, a virtual machine, or an ASIC-based hardware - switch that supports the vtep(5) schema. (Support for the - latter will come later in OVN implementation.) + switch that supports the vtep(5) schema.

@@ -1027,6 +1026,16 @@ localport exist on every hypervisor and by definition their traffic should never go out through a tunnel. +

  • + A higher-priority rule to match packets that have the MLF_LOCAL_ONLY + logical flow flag set, and whose destination is a multicast address. + This flag indicates that the packet should not be delivered to remote + hypervisors, even if the multicast destination includes ports on + remote hypervisors. This flag is used when + ovn-controller is the originator of the multicast packet. + Since each ovn-controller instance is originating these + packets, the packets only need to be delivered to local ports. +
  • A fallback flow that resubmits to table 33 if there is no other match. @@ -1341,6 +1350,28 @@ logical patch port representing the distributed gateway port.

    +

    High Availability for Distributed Gateway Ports

    + +

    + OVN allows you to specify a prioritized list of chassis for a distributed + gateway port. This is done by associating multiple + Gateway_Chassis rows with a Logical_Router_Port + in the OVN_Northbound database. +

    + +

    + When multiple chassis have been specified for a gateway, all chassis that + may send packets to that gateway will enable BFD on tunnels to all + configured gateway chassis. The current master chassis for the gateway + is the highest priority gateway chassis that is currently viewed as + active based on BFD status. +

    + +

    + For more information on L3 gateway high availability, please refer to + http://docs.openvswitch.org/en/latest/topics/high-availability. +

    +

    Life Cycle of a VTEP gateway

    @@ -1436,6 +1467,160 @@

  • +

    Security

    + +

    Role-Based Access Controls for the Soutbound DB

    +

    + In order to provide additional security against the possibility of an OVN + chassis becoming compromised in such a way as to allow rogue software to + make arbitrary modifications to the southbound database state and thus + disrupt the OVN network, role-based access controls (see + ovsdb-server(1) for additional details) are provided for the + southbound database. +

    + +

    + The implementation of role-based access controls (RBAC) requires the + addition of two tables to an OVSDB schema: the RBAC_Role + table, which is indexed by role name and maps the the names of the various + tables that may be modifiable for a given role to individual rows in a + permissions table containing detailed permission information for that role, + and the permission table itself which consists of rows containing the + following information: +

    +
    +
    Table Name
    +
    + The name of the associated table. This column exists primarily as an + aid for humans reading the contents of this table. +
    + +
    Auth Criteria
    +
    + A set of strings containing the names of columns (or column:key pairs + for columns containing string:string maps). The contents of at least + one of the columns or column:key values in a row to be modified, + inserted, or deleted must be equal to the ID of the client attempting + to act on the row in order for the authorization check to pass. If the + authorization criteria is empty, authorization checking is disabled and + all clients for the role will be treated as authorized. +
    + +
    Insert/Delete
    +
    + Row insertion/deletion permission; boolean value indicating whether + insertion and deletion of rows is allowed for the associated table. + If true, insertion and deletion of rows is allowed for authorized + clients. +
    + +
    Updatable Columns
    +
    + A set of strings containing the names of columns or column:key pairs + that may be updated or mutated by authorized clients. Modifications to + columns within a row are only permitted when the authorization check + for the client passes and all columns to be modified are included in + this set of modifiable columns. +
    +
    + +

    + RBAC configuration for the OVN southbound database is maintained by + ovn-northd. With RBAC enabled, modifications are only permitted for the + Chassis, Encap, Port_Binding, and + MAC_Binding tables, and are resstricted as follows: +

    +
    +
    Chassis
    +
    +

    + Authorization: client ID must match the chassis name. +

    +

    + Insert/Delete: authorized row insertion and deletion + are permitted. +

    +

    + Update: The columns nb_cfg, + external_ids, encaps, and + vtep_logical_switches may be modified when authorized. +

    +
    + +
    Encap
    +
    +

    + Authorization: client ID must match the chassis name. +

    +

    + Insert/Delete: row insertion and row deletion + are permitted. +

    +

    + Update: The columns type, + options, and ip can be modified. +

    +
    + +
    Port_Binding
    +
    +

    + Authorization: disabled (all clients are considered + authorized. A future enhancement may add columns (or keys to + external_ids) in order to control which chassis are + allowed to bind each port. +

    +

    + Insert/Delete: row insertion/deletion are not permitted + (ovn-northd maintains rows in this table. +

    +

    + Update: Only modifications to the chassis + column are permitted. +

    +
    + +
    MAC_Binding
    +
    +

    + Authorization: disabled (all clients are considered + to be authorized). +

    +

    + Insert/Delete: row insertion/deletion are permitted. +

    +

    + Update: The columns logical_port, + ip, mac, and datapath may be + modified by ovn-controller. +

    +
    +
    + +

    + Enabling RBAC for ovn-controller connections to the southbound database + requires the following steps: +

    + +
      +
    1. + Creating SSL certificates for each chassis with the certificate CN field + set to the chassis name (e.g. for a chassis with + external-ids:system-id=chassis-1, via the command + "ovs-pki -u req+sign chassis-1 switch"). +
    2. +
    3. + Configuring each ovn-controller to use SSL when connecting to the + southbound database (e.g. via "ovs-vsctl set open . + external-ids:ovn-remote=ssl:x.x.x.x:6642"). +
    4. +
    5. + Configuring a southbound database SSL remote with "ovn-controller" role + (e.g. via "ovn-sbctl set-connection role=ovn-controller + pssl:6642"). +
    6. +
    +

    Design Decisions

    Tunnel Encapsulations
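Review bot: In the `@@ -1027,6 +1026,16 @@` hunk, the new MLF_LOCAL_ONLY bullet describes what the rule matches (flag set, multicast destination) and why, but never states what the rule does with the packet; the reader has to infer it from "should not be delivered to remote hypervisors". Suggest adding one sentence naming the action explicitly, parallel to the neighbouring localport bullet, for example that such packets are handed to the local output path and are never sent over a tunnel, so the two local-only cases read consistently.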
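Review bot: In the `@@ -1341,6 +1350,28 @@` hunk, "the highest priority gateway chassis that is currently viewed as active based on BFD status" leaves open who does the viewing. Since the preceding sentence says every chassis that may send to the gateway runs its own BFD sessions to all configured gateway chassis, it would help to state whether each sending chassis selects the master independently from its own BFD state (and hence whether two chassis can briefly disagree on the master during a partition), or whether there is a single shared election. Also, the bare URL in "please refer to http://docs.openvswitch.org/..." should use the same link markup the rest of this document uses for references.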
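Review bot: In the `@@ -1436,6 +1467,160 @@` hunk, several text defects in the new Security section: "Soutbound" in the subsection title should be "Southbound"; "maps the the names" has a doubled "the"; "resstricted" should be "restricted"; and two parentheticals are never closed, "disabled (all clients are considered authorized. A future enhancement ..." under Port_Binding Authorization and "(ovn-northd maintains rows in this table." under Port_Binding Insert/Delete. On substance, the section states that authorization is disabled for both Port_Binding and MAC_Binding, which means any chassis that passes the role check can set the chassis column of any port binding and insert or delete any MAC_Binding row; since the whole section is motivated by a compromised chassis, it would be worth stating that residual exposure plainly next to the "future enhancement" note rather than leaving it implicit. Finally, the enabling steps cover the certificate CN, the ovn-controller remote and the ovn-sbctl set-connection role, but not that the certificate CN must match external-ids:system-id exactly (case included) for the Chassis/Encap "client ID must match the chassis name" check to pass; a sentence tying step 1 to that authorization rule would prevent a common misconfiguration.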