[Libguestfs] [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).
Richard W.M. Jones
rjones at redhat.com
Tue Nov 20 12:14:40 UTC 2018
On Tue, Nov 20, 2018 at 12:46:29PM +0100, Pino Toscano wrote:
> On Tuesday, 20 November 2018 11:25:10 CET Richard W.M. Jones wrote:
> > Previously we allowed arbitrary flags to be passed through to the
> > underlying openstack CLI command, provided they have the format
> > ‘--key=value’. We want to pass the ‘--insecure’ flag through, but
> > that doesn't have the key=value form. However a small modification to
> > the matching rules would allow this.
> >
> > The effect of this change is that you can now use ‘virt-v2v -oo
> > insecure’ to turn off SSL certificate validation. The default is to
> > verify the server certificate (which is the default of the openstack
> > command).
> > ---
>
> I'm not sure this is something we should support. This effectively
> passes through every -oo to openstack, and I'm afraid people will just
> (ab)use it to workaround stuff rather than reporting issues in
> virt-v2v. Potentially even options that conflict/revert what virt-v2v
> itself passes to the openstack client.
>
> IMHO it is still better, and safer to explicitly allow options as
> needed.
I generally agree with the sentiment. The precise list of
authentication options (eg. --os-username etc) however is
ever-changing and we were warned not to bake it into our program.
We could restrict to passing --os-* options only (we do NOT restrict
that at the moment).
My reading of the CLI documentation here:
https://docs.openstack.org/python-openstackclient/pike/cli/man/openstack.html
is that every authentication option does match --os-*, whereas some
options that we wouldn't want to pass (eg. --log-file or --help) do
not. There are a very few which don't quite match the pattern,
--os-identity-api-version(?), but I guess we can ignore those.
It's unfortunate that --insecure does not match this pattern.
I'll try to come up with a patch which does both.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
More information about the Libguestfs
mailing list