Libguestfs - Nov 2018 - [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).

A smaller change than v2, we simply generalize the ability to pass
through flags to the underlying openstack command, allowing the
--insecure flag to be specified directly.

Rich.

Previously we allowed arbitrary flags to be passed through to the
underlying openstack CLI command, provided they have the format
‘--key=value’.  We want to pass the ‘--insecure’ flag through, but
that doesn't have the key=value form.  However a small modification to
the matching rules would allow this.

The effect of this change is that you can now use ‘virt-v2v -oo
insecure’ to turn off SSL certificate validation.  The default is to
verify the server certificate (which is the default of the openstack
command).
---
 v2v/output_openstack.ml           | 11 +++++++----
 v2v/test-v2v-o-openstack.sh       |  2 ++
 v2v/virt-v2v-output-openstack.pod |  7 +++++++
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/v2v/output_openstack.ml b/v2v/output_openstack.ml
index 22fac69bd..76e269c85 100644
--- a/v2v/output_openstack.ml
+++ b/v2v/output_openstack.ml
@@ -110,11 +110,14 @@ let parse_output_options options         dev_disk_by_id :=
Some v
     | "guest-id", v ->
        guest_id := Some v
+    (* Accumulate any remaining/unknown -oo parameters
+     * into the authentication list, where they will be
+     * passed unmodified through to the openstack command.
+     *)
+    | k, "" ->
+       let opt = sprintf "--%s" k in
+       authentication := opt :: !authentication
     | k, v ->
-       (* Accumulate any remaining/unknown -oo parameters
-        * into the authentication list, where they will be
-        * pass unmodified through to the openstack command.
-        *)
        let opt = sprintf "--%s=%s" k v in
        authentication := opt :: !authentication
   ) options;
diff --git a/v2v/test-v2v-o-openstack.sh b/v2v/test-v2v-o-openstack.sh
index 3a10a5475..8b809a1aa 100755
--- a/v2v/test-v2v-o-openstack.sh
+++ b/v2v/test-v2v-o-openstack.sh
@@ -56,6 +56,7 @@ $VG virt-v2v --debug-gc \
     -o openstack -on test \
     -oo server-id=test \
     -oo guest-id=guestid \
+    -oo insecure \
     -oo dev-disk-by-id=$d
 
 # Check the log of openstack commands to make sure they look reasonable.
@@ -65,5 +66,6 @@ grep 'server add volume' $d/log
 grep 'volume set.*--bootable.*dummy-vol-id' $d/log
 grep 'volume set.*--property.*virt_v2v_guest_id=guestid' $d/log
 grep 'server remove volume' $d/log
+grep -- '--insecure' $d/log
 
 rm -r $d
diff --git a/v2v/virt-v2v-output-openstack.pod
b/v2v/virt-v2v-output-openstack.pod
index 7ea3bc75c..64c431b6c 100644
--- a/v2v/virt-v2v-output-openstack.pod
+++ b/v2v/virt-v2v-output-openstack.pod
@@ -124,6 +124,13 @@ This can be used to find disks associated with a guest, or
to
 associate which disks are related to which guests when converting many
 guests.
 
+=head2 OpenStack: Ignore server certificate
+
+Using I<virt-v2v -oo insecure> you can tell the openstack client to
+ignore the server certificate when connecting to the OpenStack API
+endpoints.  This has the same effect as passing the I<--insecure>
+option to the C<openstack> command.
+
 =head2 OpenStack: Converting a guest
 
 The final command to convert the guest, running as root, will be:
-- 
2.19.0.rc0

On Tue, 20 Nov 2018 10:25:10 +0000
"Richard W.M. Jones" <rjones@redhat.com> wrote:
> Previously we allowed arbitrary flags to be passed through to the
> underlying openstack CLI command, provided they have the format
> ‘--key=value’.  We want to pass the ‘--insecure’ flag through, but
> that doesn't have the key=value form.  However a small modification to
> the matching rules would allow this.
> 
> The effect of this change is that you can now use ‘virt-v2v -oo
> insecure’ to turn off SSL certificate validation.  The default is to
> verify the server certificate (which is the default of the openstack
> command).
> ---
>  v2v/output_openstack.ml           | 11 +++++++----
>  v2v/test-v2v-o-openstack.sh       |  2 ++
>  v2v/virt-v2v-output-openstack.pod |  7 +++++++
>  3 files changed, 16 insertions(+), 4 deletions(-)
> 
LGTM

I would just enhance the commit message little bit. The change allows
you to pass arbitrary argument and not just --insecure. E.g. --validate
(the opposite of --insecure) or --debug and --verbose.

On Tuesday, 20 November 2018 11:25:10 CET Richard W.M. Jones
wrote:
> Previously we allowed arbitrary flags to be passed through to the
> underlying openstack CLI command, provided they have the format
> ‘--key=value’.  We want to pass the ‘--insecure’ flag through, but
> that doesn't have the key=value form.  However a small modification to
> the matching rules would allow this.
> 
> The effect of this change is that you can now use ‘virt-v2v -oo
> insecure’ to turn off SSL certificate validation.  The default is to
> verify the server certificate (which is the default of the openstack
> command).
> ---
I'm not sure this is something we should support.  This effectively
passes through every -oo to openstack, and I'm afraid people will just
(ab)use it to workaround stuff rather than reporting issues in
virt-v2v.  Potentially even options that conflict/revert what virt-v2v
itself passes to the openstack client.

IMHO it is still better, and safer to explicitly allow options as
needed.

-- 
Pino Toscano