Expose missing --peer-ca-cert and SSL options in usage and manpages.
authorDan Williams <dcbw@redhat.com>
Mon, 23 Apr 2018 18:04:28 +0000 (13:04 -0500)
committerBen Pfaff <blp@ovn.org>
Wed, 9 May 2018 21:40:49 +0000 (14:40 -0700)
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
lib/automake.mk
lib/ssl-peer-ca-cert.xml [new file with mode: 0644]
manpages.mk
ovn/controller-vtep/ovn-controller-vtep.8.xml
ovn/controller-vtep/ovn-controller-vtep.c
ovn/controller/ovn-controller.8.xml
ovn/controller/ovn-controller.c
utilities/ovs-vsctl.c
vswitchd/ovs-vswitchd.8.in

index 915a33b1772c15089b109a1e98dca362a7e31f10..b647448b0dfb4168533d6b122c8b2478cd33e0ba 100644 (file)
@@ -476,6 +476,7 @@ EXTRA_DIST += \
        lib/db-ctl-base.xml \
        lib/ssl.xml \
        lib/ssl-bootstrap.xml \
+       lib/ssl-peer-ca-cert.xml \
        lib/table.xml \
        lib/vlog.xml \
        lib/unixctl.xml
diff --git a/lib/ssl-peer-ca-cert.xml b/lib/ssl-peer-ca-cert.xml
new file mode 100644 (file)
index 0000000..3d46ff5
--- /dev/null
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dl>
+  <dt><code>--peer-ca-cert=</code><var>peer-cacert.pem</var></dt>
+  <dd>
+    <p>
+      Specifies a PEM file that contains one or more additional certificates
+      to send to SSL peers.  <var>peer-cacert.pem</var> should be the CA
+      certificate used to sign the program's own certificate, that is, the
+      certificate specified on <code>-c</code> or <code>--certificate</code>.
+      If the program's certificate is self-signed, then
+      <code>--certificate</code> and <code>--peer-ca-cert</code> should specify
+      the same file.
+    </p>
+    <p>
+      This option is not useful in normal operation, because the SSL peer
+      must already have the CA certificate for the peer to have any
+      confidence in the program's identity.  However, this offers a way for
+      a new installation to bootstrap the CA certificate on its first SSL
+      connection.
+    </p>
+  </dd>
+</dl>
index 64141aa91a234ba03f1d2897fbe46620d1538554..f579e5cbd95e80400ab25ba62e92ec1aa7e5d8b3 100644 (file)
@@ -256,6 +256,7 @@ vswitchd/ovs-vswitchd.8: \
        lib/netdev-dpdk-unixctl.man \
        lib/service.man \
        lib/ssl-bootstrap.man \
+       lib/ssl-peer-ca-cert.man \
        lib/ssl.man \
        lib/unixctl.man \
        lib/vlog-unixctl.man \
index 7540b582359956f80526b1ca986d1a91b7c0e4f2..ca9b082a087a8425b593a155eeb72beb031751f4 100644 (file)
       database (see <code>vtep</code>(5)) over the OVSDB protocol.
     </p>
 
+    <h2>PKI Options</h2>
+    <p>
+      PKI configuration is required in order to use SSL for the connections to
+      the VTEP and Southbound databases.
+    </p>
+    <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-peer-ca-cert.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+
     <h1>Configuration</h1>
     <p>
       <code>ovn-controller-vtep</code> retrieves its configuration
index c1c2e68cbfd16d62bd96eed01e34ad8bf7978366..1fc6c8b2d641108301fd80c6fc8ccc712052c8ac 100644 (file)
@@ -254,7 +254,7 @@ Options:\n\
   -o, --options             list available options\n\
   -V, --version             display version information\n\
 ", program_name, program_name, default_db(), default_db());
-    stream_usage("database", true, false, false);
+    stream_usage("database", true, false, true);
     daemon_usage();
     vlog_usage();
     exit(EXIT_SUCCESS);
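Review bot: The call `stream_usage("database", true, false, true);` passes three bare booleans, so a reader cannot tell that the flipped one makes `--help` start advertising the CA-bootstrap options (inferred from the commit title; the callee is not shown here). Label the arguments at the call site, e.g. `stream_usage("database", true, false, true /* bootstrap */);`, assuming the fourth parameter is the bootstrap flag. The option table of this program lies outside the hunk, as does the start of the enclosing usage function, so please confirm the parser accepts every option the help text now prints. An advertised but rejected TLS option tends to end with operators falling back to an unauthenticated transport. The same call pattern and the same check apply to the `stream_usage(...)` changes in ovn/controller/ovn-controller.c and utilities/ovs-vsctl.c.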
index 96a58ddf358d9e1b3820f13214419efa7d61d0b5..0eff2113f52ee33825f2dfaa0a5b43819d57c685 100644 (file)
@@ -43,6 +43,8 @@
       the Northbound and Southbound databases.
     </p>
     <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-peer-ca-cert.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
 
     <h2>Other Options</h2>
 
index 29b3f1cade0a959c7898010156063b9f0d4242ea..86e1836f94efa311c56a54f16dff3b8b492b1a3a 100644 (file)
@@ -971,7 +971,7 @@ usage(void)
            "usage %s [OPTIONS] [OVS-DATABASE]\n"
            "where OVS-DATABASE is a socket on which the OVS OVSDB server is listening.\n",
                program_name, program_name);
-    stream_usage("OVS-DATABASE", true, false, false);
+    stream_usage("OVS-DATABASE", true, false, true);
     daemon_usage();
     vlog_usage();
     printf("\nOther options:\n"
index 188a390b6c073f68e14952992fc61937b1f41df2..6933266c5a39e75255d39c55012ebd2852c2369b 100644 (file)
@@ -434,7 +434,7 @@ Options:\n\
     vlog_usage();
     printf("\
   --no-syslog             equivalent to --verbose=vsctl:syslog:warn\n");
-    stream_usage("database", true, true, false);
+    stream_usage("database", true, true, true);
     printf("\n\
 Other options:\n\
   -h, --help                  display this help message\n\
index 7fea6e20efbc977d21e8d3bbeafab6ed7e145385..a67383facfddb43a7f8a04fcae8f4f97c8fc42a5 100644 (file)
@@ -97,6 +97,7 @@ configuration.
 .SS "Public Key Infrastructure Options"
 .so lib/ssl.man
 .so lib/ssl-bootstrap.man
+.so lib/ssl-peer-ca-cert.man
 .SS "Logging Options"
 .so lib/vlog.man
 .SS "Other Options"