[Libguestfs] [PATCH v2v] v2v: -o rhv-upload: Make -oo rhv-cafile optional in all cases (RHBZ#1791240).

Fri Jan 17 10:47:28 UTC 2020

The CA file also needs to contain the engine and VDSM signing certs, so
somehow the
users need to get them. What stops them to put it in the trust store ?

On Thu, Jan 16, 2020 at 5:51 PM Nir Soffer <nsoffer at redhat.com> wrote:

> On Wed, Jan 15, 2020 at 3:01 PM Richard W.M. Jones <rjones at redhat.com>
> wrote:
>
>> This is actually not required, because ovirtsdk4 will use the system's
>> global trust store if necessary.  Therefore we can make it optional in
>> all cases.
>>
>
> The only way to avoid the cafile is to set insecure=True both when
> creating sdk connection
> and when connecting to imageio.
>
> Otherwise the system trust store must include the CA used when creating
> engine and
> vdsm certificates. In development setup this is never true, in production
> It may work
> if you are lucky.
>
> Nir
>
> ---
>>  docs/virt-v2v-output-rhv.pod | 5 ++++-
>>  v2v/output_rhv_upload.ml     | 2 --
>>  2 files changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/docs/virt-v2v-output-rhv.pod b/docs/virt-v2v-output-rhv.pod
>> index 04a894268..4520c9184 100644
>> --- a/docs/virt-v2v-output-rhv.pod
>> +++ b/docs/virt-v2v-output-rhv.pod
>> @@ -101,7 +101,10 @@ The storage domain.
>>  The F<ca.pem> file (Certificate Authority), copied from
>>  F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine.
>>
>> -This option must be specified if I<-oo rhv-verifypeer> is enabled.
>> +If I<-oo rhv-verifypeer> is enabled then this option can
>> +be used to control which CA is used to verify the client’s
>> +identity.  If this option is not used then the system’s
>> +global trust store is used.
>>
>>  =item I<-oo rhv-cluster=>C<CLUSTERNAME>
>>
>> diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml
>> index 7b5ad7a86..14153db36 100644
>> --- a/v2v/output_rhv_upload.ml
>> +++ b/v2v/output_rhv_upload.ml
>> @@ -81,8 +81,6 @@ let parse_output_options options =
>>    let rhv_direct = !rhv_direct in
>>    let rhv_verifypeer = !rhv_verifypeer in
>>    let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in
>> -  if rhv_verifypeer && rhv_cafile = None then
>> -     error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the
>> path to the oVirt or RHV user’s ‘ca.pem’ file");
>>
>>    { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids }
>>
>> --
>> 2.24.1
>>
>> _______________________________________________
>> Libguestfs mailing list
>> Libguestfs at redhat.com
>> https://www.redhat.com/mailman/listinfo/libguestfs
>
> _______________________________________________
> Libguestfs mailing list
> Libguestfs at redhat.com
> https://www.redhat.com/mailman/listinfo/libguestfs

-- 

Fabien Dupont, RHCA

Senior Principal Software Engineer

Red Hat - Migration Engineering <https://www.redhat.com>
<https://red.ht/sig>
<https://redhat.com/summit>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libguestfs/attachments/20200117/3266fc5e/attachment.htm>