[Ovirt-devel] [PATCH]: Fix ovirt-identify-node to work at boot time
Perry N. Myers
pmyers at redhat.com
Wed Jun 4 21:17:35 UTC 2008
Darryl Pierce wrote:
> Daniel P. Berrange wrote:
>>> However, in practice oVirt may be deployed on machines with 0 local
>>> storage and no TPM. And in these cases the keytab needs to be
>>> retrieved on every boot. So our design is to use the local keytab if
>>> present, if not, ask for it.
>>
>> That's fine - I still think the two steps should be separated as you show
>> above, with libvirt in the middle :-) Other things which are kerberos
>> enabled can potentially be dependent on the keytab setup besides libvirt/
>> ovirt, so it makes sense to allow that to be completed as early in boot
>> as possible.
>
> So, to be clear, we're talking about the following steps:
Some notes inline
1. managed node pings the host-browser service
2. host-browser service generates (if necessary) a keytab and returns the
filename, or just returns an ACK
3. managed node looks for TPM to find keytab, then checks for a locally
attached disk with a partition (ext3 with label OVIRT) for the keytab.
4. managed node retrieves the keytab if it does not have one (if step 2
failed)
5. managed node grabs krb5.conf from oVirt Server (via wget for now) since
that can never be stored in TPM (might be stored on local disk perhaps)
6. managed node starts libvirt (which should start properly now that we
have a keytab and krb5.conf)
7. managed node collects hardware details and pings the host-browser
8. host-browser grabs the info and updates the Host table
We don't need a separate service for this, it should just be the
host-browser with two different types of messages.
Perry
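The keytab lookup order discussed in the steps above (TPM first, then a locally attached disk labelled OVIRT, and only then a fetch from the host-browser), written out as an added POSIX sh example. This is not code from the thread or from oVirt's node scripts; the file name `libvirt.keytab`, the directory arguments and the pluggable fetch command are assumptions for illustration. On a real node the disk step would first run `findfs LABEL=OVIRT` and mount the result; here the caller passes the mount point so the function runs offline.

```shell
#!/bin/sh
# Added example, not part of the ovirt-devel post: choose where a managed
# node's keytab comes from at boot, in the order the thread discusses.
#
# locate_keytab TPM_DIR DISK_DIR DEST FETCH_CMD
#   TPM_DIR   directory where a TPM-sealed keytab would be unsealed to (assumed)
#   DISK_DIR  mount point of the partition labelled OVIRT (assumed mounted)
#   DEST      where the keytab is installed for libvirt
#   FETCH_CMD command that writes the keytab to the path appended as its last
#             argument, e.g. "wget -q -O" for the host-browser retrieval step
# Prints the source used: tpm, disk or fetched. Returns non-zero if no
# source could supply a usable (non-empty) keytab.
locate_keytab() {
    tpm_dir=$1; disk_dir=$2; dest=$3; fetch_cmd=$4

    for src in "$tpm_dir/libvirt.keytab" "$disk_dir/libvirt.keytab"; do
        if [ -s "$src" ]; then
            cp "$src" "$dest" || return 1
            chmod 600 "$dest"   # keytab is a credential: owner-only
            case "$src" in
                "$tpm_dir"/*) echo tpm ;;
                *)            echo disk ;;
            esac
            return 0
        fi
    done

    # Nothing local: ask the host-browser (step 4 in the thread).
    # $fetch_cmd is intentionally unquoted so "wget -q -O" splits into words.
    if $fetch_cmd "$dest" && [ -s "$dest" ]; then
        chmod 600 "$dest"
        echo fetched
        return 0
    fi
    rm -f "$dest"
    return 1
}

# Stand-alone usage: locate_keytab /var/tpm /mnt/ovirt /etc/libvirt/krb5.tab "wget -q -O"
if [ $# -ge 4 ]; then
    locate_keytab "$1" "$2" "$3" "$4"
fi
```

A node with no local storage and no TPM always takes the `fetched` branch, which is exactly why the thread wants this resolved before libvirt starts; a failed fetch leaves no partial keytab behind, so libvirt's Kerberos setup fails loudly rather than with a truncated file.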