[Ovirt-devel] [PATCH]: Fix ovirt-identify-node to work at boot time

Ian Main imain at redhat.com
Wed Jun 4 21:43:57 UTC 2008


On Wed, 04 Jun 2008 17:10:39 -0400
Darryl Pierce <dpierce at redhat.com> wrote:

> Daniel P. Berrange wrote:
> >> However, in practice oVirt may be deployed on machines with 0 local 
> >> storage and no TPM.  And in these cases the keytab needs to be retrieved 
> >> on every boot.  So our design is to use the local keytab if present, if 
> >> not, ask for it.
> > 
> > That's fine - I still think the two steps should be separated as you show
> > above, with libvirt in the middle :-) Other things which are kerberos 
> > enabled can potentially be dependent on the keytab setup besides libvirt/
> > ovirt, so it makes sense to allow that to be completed as early in boot
> > as possible.
> 
> So, to be clear, we're talking about the following steps:
> 
> 1. managed node pings the keytab service
> 2. keytab service generates (if necessary) a keytab and returns the filename
> 3. managed node retrieves the keytab if it does not have one
> 4. managed node starts libvirt
> 5. managed node collects hardware details and pings the hardware service
> 6. hardware service grabs the info and updates the Host table
> 
> Is that right?

That sounds right to me.  The only thing I was wondering about is doing this:

- start libvirt
- run node-identify as normal
- restart libvirt service to pick up new keytab

Although ideally the keytab gets in place first, then we transfer the host info so there's no race where it's registered with the wui, but not actually available yet.

I assume we can talk to libvirt on localhost with no keytab.. in which case the above would work.

    Ian
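
The ordering discussed in this thread (use the local keytab if present, otherwise fetch it, and only then start libvirt and register the host), as an added example that is not code from this thread or from oVirt. The function names `ensure_keytab` and `boot_node` are hypothetical, and the fetch, start and identify commands are passed in as arguments because the thread does not specify them.

```shell
#!/bin/sh
# Added illustration. ensure_keytab and boot_node are hypothetical names; the
# fetch, start and identify commands are assumptions supplied by the caller.

# ensure_keytab DEST FETCH_CMD...
# Use the local keytab if one is present. Otherwise run FETCH_CMD, which must
# write the keytab to stdout, and install the result atomically.
# Prints "cached" or "fetched"; returns 1 if no keytab could be obtained.
ensure_keytab() {
    dest=$1; shift
    if [ -s "$dest" ]; then
        chmod 600 "$dest"          # tighten permissions on an existing keytab
        echo cached
        return 0
    fi
    # mktemp creates the file with mode 0600, so the key material is never
    # readable by other users, and it sits next to DEST so mv is a rename.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if "$@" > "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$dest"
        echo fetched
        return 0
    fi
    rm -f "$tmp"                   # failed or empty fetch: leave nothing behind
    return 1
}

# boot_node DEST START_CMD IDENTIFY_CMD FETCH_CMD...
# The keytab goes in place first, then libvirt starts, then the host details
# are sent, so the node is never registered before it is reachable.
boot_node() {
    dest=$1 start=$2 identify=$3; shift 3
    ensure_keytab "$dest" "$@" > /dev/null || {
        echo "no keytab available, not registering host" >&2
        return 1
    }
    "$start" || return 1
    "$identify"
}
```
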



