[Ovirt-devel] [PATCH node] Use --no-check-certificate with wget
Jason Guiditta
jguiditt at redhat.com
Wed Feb 25 18:01:38 UTC 2009
On Wed, 2009-02-25 at 08:54 -0800, Ian Main wrote:
> On Wed, 25 Feb 2009 07:53:30 -0500
> Perry Myers <pmyers at redhat.com> wrote:
>
> > Ian Main wrote:
> > > This patch adds the --no-check-certificate to wget for all wgets since
> > > the server now requires ssl and doesn't have a valid cert. I'm not
> > > certain this is the best way to handle this case but I'm posting this
> > > patch anyway to see if it works and if it's an acceptable solution.
> > > Note that I have not yet tested this either. :)
> >
> > ovirt-listen-awake is only used on the 'demo setup' (i.e. running guests
> > on the host where the ovirt-appliance is running) so no issues with that.
>
> Ah, I was wondering if it was even used at all..
>
> > The other two places are during normal oVirt Node startup. This method of
> > retrieving keytabs from the oVirt Server was already insecure (and noted
> > as such) so this doesn't make it any worse. However, we should make it
> > clear that just because the keytabs are retrieved over SSL there is still
> > no guarantee of security using this scheme.
> >
> > The only secure method of distributing keytabs at the moment is providing
> > them via sneaker-net on a USB thumb drive.
> >
> > Perry
>
> Yes, good point. Thanks Perry.
>
> Ian
>
ACK, this works for me. Nodes now successfully get krb stuff and show up in wui.
More information about the ovirt-devel
mailing list