Richard W.M. Jones
2018-Nov-20 12:22 UTC
[Libguestfs] [PATCH v4 0/2] v2v: -o openstack: -oo verify-server-certificate=(true|false) (RHBZ#1651432).
The first patch restricts passthrough parameters to ones matching "os-*". This was how it was documented, but not how it was implemented.

The second patch is the same as v2 here:
https://www.redhat.com/archives/libguestfs/2018-November/msg00187.html

Rich.
Richard W.M. Jones
2018-Nov-20 12:22 UTC
[Libguestfs] [PATCH v4 1/2] v2v: -o openstack: Restrict passthrough auth params to ‘os-*’.
This was already documented, but the implementation allowed you to pass through anything to the openstack command. --- v2v/output_openstack.ml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/v2v/output_openstack.ml b/v2v/output_openstack.ml index 22fac69bd..b35a1f72a 100644 --- a/v2v/output_openstack.ml +++ b/v2v/output_openstack.ml @@ -110,13 +110,15 @@ let parse_output_options options dev_disk_by_id := Some v | "guest-id", v -> guest_id := Some v - | k, v -> - (* Accumulate any remaining/unknown -oo parameters + | k, v when String.is_prefix k "os-" -> + (* Accumulate any remaining/unknown -oo os-* parameters * into the authentication list, where they will be * pass unmodified through to the openstack command. *) let opt = sprintf "--%s=%s" k v in authentication := opt :: !authentication + | k, _ -> + error (f_"-o openstack: unknown output option ‘-oo %s’") k ) options; let server_id = !server_id in let authentication = List.rev !authentication in -- 2.19.0.rc0
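Review bot: In the new `| k, v when String.is_prefix k "os-"` arm, a key that is exactly "os-" still matches the prefix test and is forwarded as "--os-=...", so consider requiring at least one character after the prefix so that only well-formed os-* names reach the openstack command. The comment in that arm still describes the parameters as "remaining/unknown" and says "will be pass unmodified", which should read "passed". The diffstat shows only output_openstack.ml changing, so a test that an unrecognised -oo key now fails with the new error message would be worth adding alongside.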
Richard W.M. Jones
2018-Nov-20 12:22 UTC
[Libguestfs] [PATCH v4 2/2] v2v: -o openstack: -oo verify-server-certificate=(true|false) (RHBZ#1651432).
If ‘virt-v2v -oo verify-server-certificate=false’ is used then ‘openstack --insecure’ flag is added whenever we invoke the openstack command. This turns off SSL certificate validation. The default is to verify the server certificate (which is the default of the openstack command). --- v2v/output_openstack.ml | 16 +++++++++++++++- v2v/test-v2v-o-openstack.sh | 2 ++ v2v/virt-v2v-output-openstack.pod | 8 ++++++++ v2v/virt-v2v.pod | 8 ++++++++ 4 files changed, 33 insertions(+), 1 deletion(-) diff --git a/v2v/output_openstack.ml b/v2v/output_openstack.ml index b35a1f72a..5bd14c727 100644 --- a/v2v/output_openstack.ml +++ b/v2v/output_openstack.ml @@ -56,6 +56,11 @@ type os_options = { *) authentication : string list; + (* If false, use the [openstack --insecure] switch (turns off SSL + * cert validation). + *) + verify_server_certificate : bool; + (* Optional guest_id which, if present, is saved as * Cinder volume property virt_v2v_guest_id on every disk * associated with this guest. @@ -100,6 +105,7 @@ The os-* parameters and environment variables are optional. let parse_output_options options let server_id = ref None in let dev_disk_by_id = ref None in + let verify_server_certificate = ref true in let guest_id = ref None in let authentication = ref [] in List.iter ( @@ -108,6 +114,10 @@ let parse_output_options options server_id := Some v | "dev-disk-by-id", v -> dev_disk_by_id := Some v + | "verify-server-certificate", "" -> + verify_server_certificate := true + | "verify-server-certificate", v -> + verify_server_certificate := bool_of_string v | "guest-id", v -> guest_id := Some v | k, v when String.is_prefix k "os-" -> 
@@ -122,9 +132,11 @@ let parse_output_options options ) options; let server_id = !server_id in let authentication = List.rev !authentication in + let verify_server_certificate = !verify_server_certificate in let guest_id = !guest_id in let dev_disk_by_id = !dev_disk_by_id in - { server_id; authentication; guest_id; dev_disk_by_id } + { server_id; authentication; verify_server_certificate; + guest_id; dev_disk_by_id } (* UTC conversion time. *) let iso_time @@ -142,6 +154,8 @@ class output_openstack output_conn output_password output_storage let args = ref os_options.authentication in Option.may (fun oc -> List.push_back args (sprintf "--os-auth-url=%s" oc)) output_conn; + if not os_options.verify_server_certificate then + List.push_back args "--insecure"; !args in (* The server ID (the name or UUID of the conversion appliance) can diff --git a/v2v/test-v2v-o-openstack.sh b/v2v/test-v2v-o-openstack.sh index 3a10a5475..cbdd3367c 100755 --- a/v2v/test-v2v-o-openstack.sh +++ b/v2v/test-v2v-o-openstack.sh @@ -56,6 +56,7 @@ $VG virt-v2v --debug-gc \ -o openstack -on test \ -oo server-id=test \ -oo guest-id=guestid \ + -oo verify-server-certificate=false \ -oo dev-disk-by-id=$d # Check the log of openstack commands to make sure they look reasonable. @@ -65,5 +66,6 @@ grep 'server add volume' $d/log grep 'volume set.*--bootable.*dummy-vol-id' $d/log grep 'volume set.*--property.*virt_v2v_guest_id=guestid' $d/log grep 'server remove volume' $d/log +grep -- '--insecure' $d/log rm -r $d diff --git a/v2v/virt-v2v-output-openstack.pod b/v2v/virt-v2v-output-openstack.pod index 7ea3bc75c..0e4166f5e 100644 --- a/v2v/virt-v2v-output-openstack.pod +++ b/v2v/virt-v2v-output-openstack.pod @@ -7,6 +7,7 @@ virt-v2v-output-openstack - Using virt-v2v to convert guests to OpenStack virt-v2v [-i* options] -o openstack [-oo server-id=SERVER] [-oo guest-id=GUEST] + [-oo verify-server-certificate=false] [-oo os-username=admin] [-oo os-*=*] virt-v2v [-i* options] -o glance 
@@ -124,6 +125,13 @@ This can be used to find disks associated with a guest, or to associate which disks are related to which guests when converting many guests. +=head2 OpenStack: Ignore server certificate + +Using I<-oo verify-server-certificate=false> you can tell the +openstack client to ignore the server certificate when connecting to +the OpenStack API endpoints. This has the same effect as passing the +I<--insecure> option to the C<openstack> command. + =head2 OpenStack: Converting a guest The final command to convert the guest, running as root, will be: diff --git a/v2v/virt-v2v.pod b/v2v/virt-v2v.pod index 3f0620bc6..651933bea 100644 --- a/v2v/virt-v2v.pod +++ b/v2v/virt-v2v.pod @@ -555,6 +555,14 @@ For I<-o openstack> (L<virt-v2v-output-openstack(1)>) only, set a guest ID which is saved on each Cinder volume in the C<virt_v2v_guest_id> volume property. +=item B<-oo verify-server-certificate> + +=item B<-oo verify-server-certificate=>C<true|false> + +For I<-o openstack> (L<virt-v2v-output-openstack(1)>) only, this can +be used to disable SSL certification validation when connecting to +OpenStack by specifying I<-oo verify-server-certificate=false>. + =item B<-oo os->*B<=>* For I<-o openstack> (L<virt-v2v-output-openstack(1)>) only, set optional -- 2.19.0.rc0
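Review bot: In parse_output_options, the arm `| "verify-server-certificate", v -> verify_server_certificate := bool_of_string v` lets OCaml's bool_of_string raise Invalid_argument for anything other than "true" or "false" (for example "no" or "False"), so a mistyped value surfaces as a raw exception instead of going through error (f_...) like the unknown-option case. Matching "true" and "false" explicitly and calling error on any other value would give a clear message and keep a typo on a security-relevant switch from being handled differently from other bad options.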
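Review bot: In the class output_openstack hunk, `List.push_back args "--insecure"` is appended silently to the same argument list that starts from os_options.authentication, so with verify-server-certificate=false the os-* authentication options are sent to an endpoint whose certificate is not checked and nothing in the output records that. Consider emitting a warning when the option is false so the downgrade is visible in the conversion log.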
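Review bot: In the virt-v2v.pod item, "SSL certification validation" should read "SSL certificate validation". Neither pod hunk says what is given up by turning validation off or that the default is true; one sentence stating that the identity of the OpenStack API endpoint is then not verified would help users decide when the option is acceptable.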
Pino Toscano
2018-Nov-20 15:41 UTC
Re: [Libguestfs] [PATCH v4 0/2] v2v: -o openstack: -oo verify-server-certificate=(true|false) (RHBZ#1651432).
On Tuesday, 20 November 2018 13:22:34 CET Richard W.M. Jones wrote:
> The first patch restricts passthrough parameters to ones matching
> "os-*". This was how it was documented, but not how it was
> implemented.
>
> The second patch is the same as v2 here:
> https://www.redhat.com/archives/libguestfs/2018-November/msg00187.html

LGTM now.

-- 
Pino Toscano