I'm stuck with integrating Incus and microovn

I’m trying to integrate microovn with Incus in my test Lab. However, I caught deadlock in Incus configuration.

My test environment is:

  • 3x Ubuntu 24.04.1 VMs with latest/stable microceph, latest/stable microovn snaps and Incus 6.7.
  • all 3 clusters (Incus, microceph and microovn) built in basic configuration.
  • I’m glad to see that latest Incus supports microceph out-of-the box and it’s able to create ceph storage with microceph during initial setup.

I started the microovn cluster integration in Incus with these steps:

  • configured the Open vSwitch socket location by running the command incus config set network.ovs.connection=unix:/var/snap/microovn/common/run/switch/db.sock on every Incus cluster node. This step completed without any issue.
  • Next I tried to set the NorthDB socket location with the command incus config set network.ovn.northbound_connection=unix:/var/snap/microovn/common/run/ovn/ovnnb_db.sock. However, it fails with the message: Error: failed to notify peer VM-02:8443: OVN is configured to use SSL but no client certificate was found. It looks logically reasonable and I think I need to provide certificates for Incus.
  • I tried to set the certificate, key and CA certificate using the corresponding files from the microceph location:
    • incus config set network.ovn.client_cert=/var/snap/microovn/common/data/pki/client-cert.pem
    • sudo incus config set network.ovn.client_key=/var/snap/microovn/common/data/pki/client-privkey.pem
    • incus config set network.ovn.ca_cert=/var/snap/microovn/common/data/pki/cacert.pem
      However, I constantly get the error: Error: failed to notify peer VM-02:8443: OVN is configured to use SSL but no client certificate was found

What am I doing wrong? I would appreciate any suggestions.

For MicroOVN, you need to set:

  • network.ovn.ca_cert to the content of /var/snap/microovn/common/data/pki/cacert.pem
  • network.ovn.client_cert to the content of /var/snap/microovn/common/data/pki/client-cert.pem
  • network.ovn.northbound_connection to the value of OVN_NB_CONNECT as found in /var/snap/microovn/common/data/env/ovn.env
  • network.ovs.connection to unix:/var/snap/microovn/common/run/switch/db.sock

Thank you Stéphane for a quick response.

What I found is that I can’t change network.ovs.connection back to the default state once it is set to unix:/var/snap/microovn/common/run/switch/db.sock. I’m getting the error: Error: Failed to connect to OVS: failed to connect to unix:/run/openvswitch/db.sock: failed to open connection: dial unix /run/openvswitch/db.sock: connect: no such file or directory.

I tried to set up network.ovn.ca_cert and network.ovn.client_cert before setting network.ovs.connection and network.ovn.northbound_connection; however, Incus returns the error: Error: failed to notify peer VM-02:8443: Failed to connect to OVS: Failed to connect to OVS: Failed to connect to OVS: failed to connect to unix:/run/openvswitch/db.sock: failed to open connection: dial unix /run/openvswitch/db.sock: connect: no such file or directory in this case. I reproduced it again after reverting the VMs to clean snapshots.

What happens if you set them all together in one shot?

How do I do this? Is it possible to set multiple variables in one command?

Yep, incus config set key1=value1 key2=value2 key3=value3 or use incus config edit to set them all through a text editor instead.


Step one:
Executed on one node only: sudo incus config set network.ovn.ca_cert=/var/snap/microovn/common/data/pki/cacert.pem network.ovn.client_cert=/var/snap/microovn/common/data/pki/client-cert.pem network.ovn.northbound_connection=/var/snap/microovn/common/data/env/ovn.env network.ovs.connection=unix:/var/snap/microovn/common/run/switch/db.sock

Result: Error: failed to notify peer 172.25.81.250:8443: Failed to connect to OVS: Failed to connect to OVS: Failed to connect to OVS: failed to connect to unix:/run/openvswitch/db.sock: failed to open connection: dial unix /run/openvswitch/db.sock: connect: no such file or directory

The config was updated, but only the network.ovn.northbound_connection value was added:

config:
  cluster.https_address: 172.25.81.252:8443
  core.https_address: 172.25.81.252:8443
  network.ovn.northbound_connection: /var/snap/microovn/common/data/env/ovn.env

Step two:
Modified the config like:

config:
  cluster.https_address: 172.25.81.252:8443
  core.https_address: 172.25.81.252:8443
  network.ovn.ca_cert: /var/snap/microovn/common/data/pki/cacert.pem
  network.ovn.client_cert: /var/snap/microovn/common/data/pki/client-cert.pem
  network.ovn.northbound_connection: /var/snap/microovn/common/data/env/ovn.env
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock

Result:

Config parsing error: failed to notify peer 172.25.81.250:8443: Failed to connect to OVS: Failed to connect to OVS: Failed to connect to OVS: failed to connect to unix:/run/openvswitch/db.sock: failed to open connection: dial unix /run/openvswitch/db.sock: connect: no such file or directory
Press enter to open the editor again or ctrl+c to abort change

Step three:
Modified the config like:

config:
  cluster.https_address: 172.25.81.252:8443
  core.https_address: 172.25.81.252:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
  network.ovn.ca_cert: /var/snap/microovn/common/data/pki/cacert.pem
  network.ovn.client_cert: /var/snap/microovn/common/data/pki/client-cert.pem
  network.ovn.northbound_connection: /var/snap/microovn/common/data/env/ovn.env

Result:

Config parsing error: failed to notify peer 172.25.81.250:8443: Failed to connect to OVS: Failed to connect to OVS: Failed to connect to OVS: failed to connect to unix:/run/openvswitch/db.sock: failed to open connection: dial unix /run/openvswitch/db.sock: connect: no such file or directory
Press enter to open the editor again or ctrl+c to abort change

Ah right, that makes sense, the OVN config is global so once set all servers will attempt to connect, this won’t work given that they don’t know how to connect to OVS.

So what you should do is start by setting the network.ovs.connection config key on each server, you can check the current values for a server with incus config show --target NAME.

Once they all have their network.ovs.connection set to the correct value, then set the OVN config keys. If you already have some of the OVN keys set, unset them before setting OVS on all servers.

Unfortunately, nothing helps to complete the microovn integration with the Incus cluster.

Below are details of my test environment:

  • 3x Ubuntu VMs under Hyper-V
  • basic microovn cluster setup over these 3 nodes:
    microovn: a2c59c105b
    ovn: 24.03.2-0ubuntu0.24.04.1
    openvswitch: 3.3.0-1ubuntu3
    
    $ sudo microovn status
    MicroOVN deployment summary:
    - vm-01 (172.25.81.250)
    Services: central, chassis, switch
    - vm-02 (172.25.81.251)
    Services: central, chassis, switch
    - vm-03 (172.25.81.252)
    Services: central, chassis, switch
    OVN Database summary:
    OVN Northbound: OK (7.3.0)
    OVN Southbound: OK (20.33.0)
    
    $ sudo microovn.ovn-sbctl show
    Chassis vm-01
        hostname: vm-01
        Encap geneve
            ip: "172.25.81.250"
            options: {csum="true"}
    Chassis vm-02
        hostname: vm-02
        Encap geneve
            ip: "172.25.81.251"
            options: {csum="true"}
    Chassis vm-03
        hostname: vm-03
        Encap geneve
            ip: "172.25.81.252"
            options: {csum="true"}
    
  • basic Incus cluster setup over these 3 nodes:
    $ sudo incus cluster list
    +-------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
    | NAME  |            URL             |      ROLES      | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATUS |      MESSAGE      |
    +-------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
    | vm-01 | https://172.25.81.250:8443 | database-leader | x86_64       | default        |             | ONLINE | Fully operational |
    |       |                            | database        |              |                |             |        |                   |
    +-------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
    | vm-02 | https://172.25.81.251:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
    +-------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
    | vm-03 | https://172.25.81.252:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
    +-------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+ 
    
    $ sudo incus network ls
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    |      NAME      |   TYPE   | MANAGED |     IPV4      |           IPV6            | DESCRIPTION | USED BY |  STATE  |
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    | br-int         | bridge   | NO      |               |                           |             | 0       |         |
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    | eth0           | physical | NO      |               |                           |             | 0       |         |
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    | genev_sys_6081 | unknown  | NO      |               |                           |             | 0       |         |
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    | ibr0           | bridge   | YES     | 10.172.5.1/24 | fd42:62d9:e672:bf19::1/64 |             | 0       | CREATED |
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    | lo             | loopback | NO      |               |                           |             | 0       |         |
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    | ovs-system     | unknown  | NO      |               |                           |             | 0       |         |
    +----------------+----------+---------+---------------+---------------------------+-------------+---------+---------+
    

Preparation steps for microovn integration

  1. I configured the network.ovs.connection variable on every node:
$ sudo incus config show --target vm-01
config:
  cluster.https_address: 172.25.81.250:8443
  core.https_address: 172.25.81.250:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
$ sudo incus config show --target vm-02
config:
  core.https_address: 172.25.81.251:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
$ sudo incus config show --target vm-03
config:
  core.https_address: 172.25.81.252:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
  2. I tried to configure network.ovn.ca_cert, network.ovn.client_cert and network.ovn.northbound_connection by editing the cluster node configs, using different combinations, but every attempt fails. For example:
config:
  cluster.https_address: 172.25.81.250:8443
  core.https_address: 172.25.81.250:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
  network.ovn.northbound_connection: /var/snap/microovn/common/run/ovn/ovnnb_db.sock

fails with: Config parsing error: failed to notify peer 172.25.81.251:8443: failed to connect to /var/snap/microovn/common/run/ovn/ovnnb_db.sock: failed to open connection: unknown network protocol;

another attempt:

config:
  cluster.https_address: 172.25.81.250:8443
  core.https_address: 172.25.81.250:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
  network.ovn.ca_cert: /var/snap/microovn/common/data/pki/cacert.pem
  network.ovn.client_cert: /var/snap/microovn/common/data/pki/client-cert.pem

fails with: Config parsing error: failed to notify peer 172.25.81.251:8443: failed to connect to unix:/run/ovn/ovnnb_db.sock: failed to open connection: dial unix /run/ovn/ovnnb_db.sock: connect: no such file or directory, which is weird as network.ovs.connection is configured already.

and even a one-shot config change fails:

config:
  cluster.https_address: 172.25.81.250:8443
  core.https_address: 172.25.81.250:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
  network.ovn.ca_cert: /var/snap/microovn/common/data/pki/cacert.pem
  network.ovn.client_cert: /var/snap/microovn/common/data/pki/client-cert.pem
  network.ovn.northbound_connection: /var/snap/microovn/common/run/ovn/ovnnb_db.sock

Error: Config parsing error: failed to notify peer 172.25.81.251:8443: failed to connect to /var/snap/microovn/common/run/ovn/ovnnb_db.sock: failed to open connection: unknown network protocol

northbound_connection must be set to a list of TLS endpoints; you can’t use the local socket as it’s only functional on exactly one server at a time.

As I mentioned earlier, you need to set network.ovn.northbound_connection to the value of OVN_NB_CONNECT as found in /var/snap/microovn/common/data/env/ovn.env

My fault :slight_smile:
Replacing network.ovn.northbound_connection with the value "ssl:172.25.81.250:6641,ssl:172.25.81.251:6641,ssl:172.25.81.252:6641" made me realize that network.ovn.client_key is needed as well.

However, the config:

config:
  cluster.https_address: 172.25.81.250:8443
  core.https_address: 172.25.81.250:8443
  network.ovn.ca_cert: /var/snap/microovn/common/data/pki/cacert.pem
  network.ovn.client_cert: /var/snap/microovn/common/data/pki/client-cert.pem
  network.ovn.client_key: /var/snap/microovn/common/data/pki/client-privkey.pem
  network.ovn.northbound_connection: "ssl:172.25.81.250:6641,ssl:172.25.81.251:6641,ssl:172.25.81.252:6641"
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock

fails again with: Config parsing error: tls: failed to find any PEM data in certificate input.

I’ve double checked and confirm that cacert.pem and client-cert.pem are valid certificates and client-privkey.pem is a valid key.

Please carefully read what I posted in I'm stuck with integrating Incus and microovn - #2 by stgraber

I clearly stated “the content of”, not the path :slight_smile:
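The two phases the replies above describe (the per-server network.ovs.connection first, then the global OVN keys filled with the contents of the MicroOVN PKI files and the OVN_NB_CONNECT value from ovn.env) assembled into one script. This is an added example, not code from the thread or from the Incus project. The paths and key names are the ones quoted in the thread; the `incus cluster list --format csv` call (name in the first column), the `KEY=value` / `KEY="value"` line format of ovn.env and the function names are assumptions. The PEM check exists to catch the path-instead-of-content mistake before the API call, where Incus reports it only as "failed to find any PEM data".

```shell
#!/bin/sh
# Added example, not code from the thread or from the Incus project.
# Two-phase MicroOVN integration for an Incus cluster: per-server OVS socket
# first, then the global OVN keys set in a single call. Paths and key names
# are those quoted in the thread; the `incus cluster list --format csv` call
# and the ovn.env line format are assumptions.
set -eu

MICROOVN_PKI=/var/snap/microovn/common/data/pki
MICROOVN_ENV=/var/snap/microovn/common/data/env/ovn.env
OVS_SOCKET=unix:/var/snap/microovn/common/run/switch/db.sock

# Read OVN_NB_CONNECT from ovn.env; accepts KEY=value and KEY="value" (assumed format).
ovn_nb_connect_from_env() {
    sed -n 's/^OVN_NB_CONNECT=//p' "$1" | tr -d '"' | head -n 1
}

# True only if the value is PEM data with the given label. A bare file path,
# the mistake made in the thread, fails here instead of inside Incus with
# "tls: failed to find any PEM data in certificate input".
pem_has_block() {
    value=$1
    label=$2
    printf '%s\n' "$value" | grep -q "^-----BEGIN ${label}-----\$" &&
        printf '%s\n' "$value" | grep -q "^-----END ${label}-----\$"
}

# True only if every comma-separated endpoint is ssl:host:port. A unix: socket
# path is rejected because it is reachable from exactly one cluster member.
nb_connect_is_ssl_list() {
    [ -n "$1" ] || return 1
    for ep in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $ep in
            ssl:*:[0-9]*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Phase 1: network.ovs.connection is a per-server key, so set it with --target
# on every member before touching the global OVN keys.
set_ovs_connection_on_all_members() {
    for member in $(incus cluster list --format csv | cut -d, -f1); do
        incus config set --target "$member" network.ovs.connection="$OVS_SOCKET"
    done
}

# Phase 2: validate the four values, then set them in a single call so that
# no member sees a half-configured OVN section.
set_ovn_keys() {
    ca_cert=$(cat "$MICROOVN_PKI/cacert.pem")
    client_cert=$(cat "$MICROOVN_PKI/client-cert.pem")
    client_key=$(cat "$MICROOVN_PKI/client-privkey.pem")
    nb_connect=$(ovn_nb_connect_from_env "$MICROOVN_ENV")

    pem_has_block "$ca_cert" CERTIFICATE || { echo "cacert.pem: no PEM certificate" >&2; return 1; }
    pem_has_block "$client_cert" CERTIFICATE || { echo "client-cert.pem: no PEM certificate" >&2; return 1; }
    # Key label varies (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY), so match loosely.
    printf '%s\n' "$client_key" | grep -q '^-----END .*PRIVATE KEY-----$' \
        || { echo "client-privkey.pem: no PEM private key" >&2; return 1; }
    nb_connect_is_ssl_list "$nb_connect" || { echo "OVN_NB_CONNECT is not an ssl: endpoint list" >&2; return 1; }

    incus config set \
        network.ovn.ca_cert="$ca_cert" \
        network.ovn.client_cert="$client_cert" \
        network.ovn.client_key="$client_key" \
        network.ovn.northbound_connection="$nb_connect"
}

# Only touch a live cluster when explicitly asked: sh microovn-incus.sh apply
if [ "${1:-}" = "apply" ]; then
    set_ovs_connection_on_all_members
    set_ovn_keys
fi
```

Run it with `apply` on one cluster member after the three MicroOVN nodes report healthy in `microovn status`. Note that the certificate and key contents travel through the argument list of the `incus` process, which other local users can glimpse in the process table; `incus config edit`, as suggested earlier in the thread, keeps them out of argv. Either way `incus config show` prints them afterwards, which is the concern raised at the end of the thread.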

Thank you Stéphane for your assistance!

Yeah, setting the certificate and key values instead of paths fixed the problem.

I’m only a bit worried that the config displays the client certificate and key in plain text, which is less secure. I would suggest implementing an API extension specifically for secure object manipulation.

So normally the way this is handled in our case is that in a shared environment using OpenFGA for access control, only admins or those with server-wide access can see the server configuration. Anyone who only has access to specific projects is not allowed to see the configuration.

Basically the intent is that if you can see that configuration, you’re basically allowed root access on the system anyways at which point you can see that directly too.

I agree that RBAC or FGA solutions reduce the risk of exposing sensitive information and misconfigurations. However, the risk remains if secure variables are mixed with insecure ones in the same config. For example, troubleshooting steps with external support will require obfuscation of the secure variables as they may be exposed to external actors.

One general solution is to implement a separate API for storing secured objects and to use references to the secure values in the configs. Of course, it adds some complexity to the code and to maintaining the configuration, but it helps avoid common user mistakes.

For example, Incus could implement such APIs (I use the command-line interface for simplicity):

Server/Cluster config:

incus config secure list <name>

incus config secure add <name> [ --type=(certificate|key|bundle|password|...) ] [--f=<source filename with content to be imported>]

incus config secure remove <name>|<fingerprint>|<UUID>|...

Project config (if any secure values need to be used there):

incus secure list <name> [--project=<project name>]

incus secure add <name> [ --type=(certificate|key|bundle|password|...) ] [--f=<source filename with content to be imported>] [--project=<project name>]

incus secure remove <name>|<fingerprint>|<UUID>|... [--project=<project name>]

So the microceph integration config could use references to certificates instead of values:

config:
  secure.variable.ovn-ca: "certificate" # displays only the object type, not the value.
  secure.variable.ovn-clientcert: "certificate" # displays only the object type, not the value.
  cluster.https_address: 172.25.81.250:8443
  core.https_address: 172.25.81.250:8443
  network.ovs.connection: unix:/var/snap/microovn/common/run/switch/db.sock
  network.ovn.ca_cert: secure.variable.ovn-ca
  network.ovn.client_cert: secure.variable.ovn-clientcert
  network.ovn.northbound_connection: ssl:172.25.81.250:6641,ssl:172.25.81.251:6641,ssl:172.25.81.252:6641

Another possible solution is using existing certificates API for integration with microovn as already done for metrics collection.