[PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).

Richard W.M. Jones rjones at redhat.com
Tue Nov 20 12:14:40 UTC 2018

On Tue, Nov 20, 2018 at 12:46:29PM +0100, Pino Toscano wrote:
> On Tuesday, 20 November 2018 11:25:10 CET Richard W.M. Jones wrote:
> > Previously we allowed arbitrary flags to be passed through to the
> > underlying openstack CLI command, provided they have the format
> > ‘--key=value’.  We want to pass the ‘--insecure’ flag through, but
> > that doesn't have the key=value form.  However a small modification to
> > the matching rules would allow this.
> > 
> > The effect of this change is that you can now use ‘virt-v2v -oo
> > insecure’ to turn off SSL certificate validation.  The default is to
> > verify the server certificate (which is the default of the openstack
> > command).
> > ---
> I'm not sure this is something we should support.  This effectively
> passes through every -oo to openstack, and I'm afraid people will just
> (ab)use it to work around stuff rather than reporting issues in
> virt-v2v.  Potentially even options that conflict/revert what virt-v2v
> itself passes to the openstack client.
> IMHO it is still better, and safer to explicitly allow options as
> needed.

I generally agree with the sentiment.  The precise list of
authentication options (e.g. --os-username etc.) however is
ever-changing and we were warned not to bake it into our program.

We could restrict to passing --os-* options only (we do NOT restrict
that at the moment).

My reading of the CLI documentation here:


is that every authentication option does match --os-*, whereas some
options that we wouldn't want to pass (e.g. --log-file or --help) do
not.  There are a very few which don't quite match the pattern,
--os-identity-api-version(?), but I guess we can ignore those.

It's unfortunate that --insecure does not match this pattern.

I'll try to come up with a patch which does both.
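
The filtering rule discussed in this message (forward only os-* options plus the bare insecure flag, reject everything else), as an added example that is not part of the original e-mail and is not virt-v2v code. The function and exception names are hypothetical, and it assumes any -oo options that virt-v2v consumes itself have already been removed from the list.

```python
# Added illustration; every name here is hypothetical, not virt-v2v code.
ALLOWED_PREFIX = "os-"        # authentication options such as os-username
ALLOWED_FLAGS = {"insecure"}  # bare flags that are explicitly permitted


class RejectedOption(ValueError):
    """An -oo option that must not reach the openstack CLI."""


def filter_oo_options(oo_options):
    """Map -oo strings to openstack CLI arguments.

    Returns (args, tls_verification_disabled) so the caller can log or
    warn whenever certificate validation has been switched off.
    """
    args = []
    insecure = False
    for opt in oo_options:
        # Split on the first '=' only, so values may themselves contain '='.
        key, sep, value = opt.partition("=")
        if not key or key.startswith("-"):
            raise RejectedOption(f"malformed -oo option: {opt!r}")
        if key.startswith(ALLOWED_PREFIX) and len(key) > len(ALLOWED_PREFIX):
            # os-* is accepted as key=value or as a bare flag.
            args.append(f"--{key}={value}" if sep else f"--{key}")
        elif key in ALLOWED_FLAGS:
            if sep:
                raise RejectedOption(f"{key} does not take a value")
            args.append(f"--{key}")
            insecure = insecure or key == "insecure"
        else:
            # e.g. log-file or help: never forwarded.
            raise RejectedOption(f"-oo {key} is not passed to openstack")
    return args, insecure


if __name__ == "__main__":
    # Constructed sample input.
    sample = ["os-username=admin",
              "os-auth-url=https://keystone.example:5000/v3",
              "insecure"]
    cli_args, tls_off = filter_oo_options(sample)
    print(["openstack", *cli_args])  # argument list, never a shell string
    if tls_off:
        print("warning: server certificate validation is disabled")
```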


