Skip to content

oVirt/ovirt-provider-ovn

Repository files navigation

oVirt external network provider for OVN

last build

The oVirt external network provider for OVN allows to integrate oVirt with the Open vSwitch Open Virtual Network (OVN) solution. OVN is a Software Defined Networking extension to Open vSwitch. OVN is integrated into oVirt using oVirt’s external network API, which is a subset of the OpenStack Networking API v2.0 and the OpenStack Identity API v2.0. The oVirt provider for OVN serves as a proxy between oVirt engine and OVN Northbound Database. This role is called a "Cloud Management System (CMS) Plugin" in the OVN documentation.

Configuration

The configuration of the ovirt-provider-ovn service is read from /etc/ovirt-provider-ovn/ovirt-provider-ovn.conf and /etc/ovirt-provider-ovn/conf.d/*.conf, where files are sorted by name, last wins. If a value is not set in one of the configuration files, an internal hardcoded value is used, which is called default here.

The configuration files consist of key value pairs, which are structured by named sections. Sections headings are marked with square brackets. The configuration files are read with python’s ConfigParser, so documentation about the ConfigParser’s accepted syntax can be applied. used.

A complete configuration can be generated by oVirt engine-setup.

Section [PROVIDER]

ovs-version-2.9

Indicates that all ovn-controller versions are at least 2.9.
default: false

neutron-port

The TCP port where the Networking API will listen.
default: 9696

keystone-port

The TCP port where the Identity API will listen.
default: 35357

provider-host

The hostname of the Networking and Identity API used in the URLs returned by the Identity API
default: localhost

openstack-region

The region of the endpoints returned by the Identity API
default: RegionOne

openstack-neutron-id

The id of the neutron endpoint returned by the Identity API
default: 00000000000000000000000000000001

openstack-keystone-id

The id of the keystone endpoint returned by the Identity API
default: 00000000000000000000000000000002

openstack-tenant-id

The tenant id returned by the Networking and Identity API
default: 00000000000000000000000000000001

openstack-tenant-name

The tenant name returned by the Identity API
default: tenant

openstack-tenant-description

The description of the tenant returned by the Identity API
default: tenant

Section [OVN REMOTE]

This section defines which OVN Northbound Database is used.

ovn-remote

The address used to connect to the OVN Northbound Database server.
The address is expected in the following format:
[tcp|ssl]:<ovn central ip>:<north db port, 6641 by default>
default: tcp:127.0.0.1:6641

Section [NETWORK]

This section specifies the default behaviors for Networking API L2 networks.

port-security-enabled-default

The default value for the port_security_enabled for created Networking API networks.
When port_security is enabled on a port, anti-spoofing rules are added to that port, only allowing ARP whose source MAC address matches the MAC address assigned to the port. This prevents MAC spoofing.
Rules only allowing DHCP requests / replies originating from the MAC address assigned to that port are also installed.
A newly created port will inherit the port_security_enabled value from the network it is attached to unless the port itself overrides that attribute.
default: false

Section [DHCP]

If subnets are defined, OVN will provide an internal DHCP server. See documentation of OVN Northbound Database for more details.

dhcp-server-mac

The MAC address of the internal DHCP server.
default: 02:00:00:00:00:00

dhcp-lease-time

The offered DHCP lease time in seconds.
default: 86400

dhcp-enable-mtu

Enables setting the MTU by the internal DHCP server.
The default value may be changed in future versions.
default: true

dhcp-mtu

The offered MTU.
The tunneling adds additional encapsulation headers to the tunneled data. In default configuration OVN does not set the Don’t Fragment bit, see df_default in ovs-vswitchd.conf.db(5). For this reason the offert MTU plus the additional encapsulation headers length must not be larger than the MTU of the tunneling network. For an encapsulation in Geneve, UDP, IPv4 and Ethernet without 802.1Q are 58 bytes added. If the tunneling network has a MTU of 1500, this results to a MTU of 1442 for the tunneld network.
default: 1442

Section [SSL]

TLS may be used to secure the communication to the OVN Northbound Database and on oVirt’s external network API.

https-enabled

Enables HTTPS/TLS for oVirt’s external network API.
default: false

ssl-key-file

Path of the private key file.
default: /etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass

ssl-cert-file

Path of the certificate associated with the private key file.
default: /etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer

ssl-cacert-file

Path to the certificate authority’s certificate used to validate the OVN Northbound Database’s identity.
default: /etc/pki/ovirt-engine/ca.pem

ssl-ciphers-string

The ciphers for oVirt external network API’s HTTPS/TLS.
It should be a string in the OpenSSL cipher list format.

dhcp-default-ipv6-address-mode

The default address mode for IPv6 subnets.
The possible values are dhcpv6-stateful, or dhcpv6-stateless. default: dhcpv6-stateful

Section [AUTH]

Authorization and authentication of requests to the external network API are handled by a plugin. Multiple implementations of the plugin are available. Currently two authentication plugins are supported:

  • AuthorizationByUserName - oVirt engine’s SSO generates a token, which must be used to validate subsequent requests to the oVirt’s external network API. The plugin AuthorizationByUserName uses oVirt engine’s SSO to create a token from the given username and password. The user has to be a valid user of oVirt engine. The token in the requests to the oVirt’s external network API is authorized, if it is associated to the username defined in the provider’s configuration. This plugin is the default, because after the installation of oVirt only the default user "admin@internal", but no groups, may be available.

  • AuthorizationByGroup - oVirt engine’s SSO generates a token, which must be used to validate subsequent requests to the oVirt’s external network API. The plugin AuthorizationByUserName uses oVirt engine’s SSO to create a token from the given username and password. The user has to be a valid user of oVirt engine. The token in the requests to the oVirt’s external network API is authorized, if it is associated to a user which is a member of the group defined in the provider’s configuration. In the configuration file in the section [OVIRT], the option ovirt-admin-group-atrribute-name defines the name of the attribute in the directory server holding the group name. The option ovirt-admin-group-attribute-value defines the name of the group, which grants authorization to it’s members. The default configuration is to authorize members of the group NetAdmin in the default extension ovirt-engine-extension-aaa-jdbc. If oVirt engine uses an external LDAP provider for authentification, ovirt-admin-group-attribute-value has to be adopted in the ovn-provider’s configuration.

User Names for Authentication gives more details about the expected format of the user name.

Other plugins exists, but they are not supported:

  • NoAuthPlugin - generates a static token, independently from the provided username and password, and accepts every request to oVirt’s external network API. Even requests, which do not contain the X-Auth-Token HTTP header are accepted.

  • MagicTokenPlugin - generates a static token, independently from the provided username and password. Request to oVirt’s external network API must provide this static token.

  • AuthorizationByRole - uses the oVirt engine’s SSO to create a token from the given username and password. The token in the requests to oVirt’s external network API is authorized, if it is associated to a user with the role defined in the provider’s configuration.

It is also possible to use a custom authentication plugin implementation and use it here. provider/auth/plugin.py defines the interface every authentication plugin has to implement.

auth-plugin

Plugin to use for authorization and authentication. The plugin is expected in the following format:
python_module_name:class_name
default: auth.plugins.ovirt:AuthorizationByUserName

auth-token-timeout

Period in seconds until the token expires which will be reported in keystone. Please note that this value exists only to fulfill the API the has no influence on the validity of the token, which is decided by the auth-plugin.
The value 0 indicates that the token looks like it never expires.
default: 360000

Section [OVIRT]

This section provides information used by the ovirt authentication plugins.

ovirt-host

URL scheme and host of ovirt-engine. Used by all auth-plugins from auth.plugins.ovirt.
The following format is expected: https://host[:port]
default: https://engine-host

ovirt-base

Base path of ovirt-engine relative to ovirt-host.
default: /ovirt-engine

ovirt-ca-file

Path to the certificate authority’s certificate to validate the engine’s identity.
default: /etc/pki/ovirt-engine/ca.pem

ovirt-auth-timeout

This value is used as connection and read timeout during communication with the engine.
default: 110

ovirt-sso-client-id

Only registered clients can connect to engine’s SSO. This value is the id of the client as registered in the engine’s SSO. engine-setup or ovirt-register-sso-client can be used to register the external network provider.
default: ovirt-provider-ovn

ovirt-sso-client-secret

The password required to connect using the client-id specified in the previous property. The ovirt-sso-client-secret is provided after registration at engine’s SSO.
default: to_be_set

ovirt-admin-user-name

The name of the user allowed to access the external network API by the AuthorizationByUserName plugin.
User Names for Authentication gives more details about the expected format of the user name.
default: admin@internal

ovirt-admin-role-id

Users having this role, are allowed to access the external network API by the AuthorizationByRole plugin.
default: def00005-0000-0000-0000-def000000005, maps to the role "NetworkAdmin"

ovirt-admin-group-attribute-name

The AuthorizationByGroup plugin allows members of a given group access to the external network API. This option defines the name of the attribute in the directory server which holds the group name. The default value must not changed, if the ovirt-engine-extension-aaa-jdbc is used.
default: AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835

ovirt-admin-group-attribute-value

The name of the group allowed to access the external network API.
default: NetAdmin

Section [VALIDATION]

This section configures data validation settings.

validation-max-allowed-mtu

The maximum allowed MTU.
Attempts to set the MTU of a network to a value greater than the configured maximum will result in an error.
A value of 0 means that this MTU limiting feature is not used.
default: 0

User Names for Authentication

The three plugins for authorization and authentication by oVirt (AuthorizationByUserName, AuthorizationByGroup and AuthorizationByRole) require a user name to access the oVirt external network provider for OVN from a Cloud Management System (e.g. as an external network provider in oVirt). The name has to match the following format: <admin_username>[@<fqdn>]@<ovirt_profile>, while the optional <fqdn> is the Active Directory or LDAP domain. Please find more details in oVirt’s REST API documentation about user_name

Virtual interface driver for oVirt external network provider for OVN

The driver handles the connection of virtual NICs provisioned on oVirt hosts to OVN.