Pino Toscano
2019-Sep-27 12:23 UTC
[Libguestfs] [PATCH] v2v: -o rhv-upload: make -oo rhv-cafile optional
It makes little sense to require the oVirt certificate, especially when the verification of the connection (-oo rhv-verifypeer) is disabled by default. The only work done with the certificate in that case is checking that it is a valid certificate file. Hence, make -oo rhv-cafile optional, requiring it only when -oo rhv-verifypeer is enabled. --- v2v/output_rhv_upload.ml | 16 +++++++++------- v2v/virt-v2v-output-rhv.pod | 2 ++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml index 24a289169..d08502826 100644 --- a/v2v/output_rhv_upload.ml +++ b/v2v/output_rhv_upload.ml @@ -28,7 +28,7 @@ open Types open Utils type rhv_options = { - rhv_cafile : string; + rhv_cafile : string option; rhv_cluster : string option; rhv_direct : bool; rhv_verifypeer : bool; @@ -76,15 +76,13 @@ let parse_output_options options error (f_"-o rhv-upload: unknown output option ‘-oo %s’") k ) options; - let rhv_cafile - match !rhv_cafile with - | Some s -> s - | None -> - error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file") in + let rhv_cafile = !rhv_cafile in let rhv_cluster = !rhv_cluster in let rhv_direct = !rhv_direct in let rhv_verifypeer = !rhv_verifypeer in let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in + if rhv_verifypeer && rhv_cafile = None then + error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file"); { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids } @@ -92,6 +90,10 @@ let nbdkit_python_plugin = Config.virt_v2v_nbdkit_python_plugin let pidfile_timeout = 30 let finalization_timeout = 5*60 +let json_optstring = function + | Some s -> JSON.String s + | None -> JSON.Null + class output_rhv_upload output_alloc output_conn output_password output_storage rhv_options @@ -195,7 +197,7 @@ See also the virt-v2v-output-rhv(1) manual.") "output_sparse", JSON.Bool (match output_alloc with | Sparse -> true | Preallocated -> false); - "rhv_cafile", JSON.String rhv_options.rhv_cafile; + "rhv_cafile", json_optstring rhv_options.rhv_cafile; "rhv_cluster", JSON.String (Option.default "Default" rhv_options.rhv_cluster); "rhv_direct", JSON.Bool rhv_options.rhv_direct; diff --git a/v2v/virt-v2v-output-rhv.pod b/v2v/virt-v2v-output-rhv.pod index e840ca78d..04a894268 100644 --- a/v2v/virt-v2v-output-rhv.pod +++ b/v2v/virt-v2v-output-rhv.pod @@ -101,6 +101,8 @@ The storage domain. The F<ca.pem> file (Certificate Authority), copied from F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine. +This option must be specified if I<-oo rhv-verifypeer> is enabled. + =item I<-oo rhv-cluster=>C<CLUSTERNAME> Set the RHV Cluster Name. If not given it uses C<Default>. -- 2.21.0
Richard W.M. Jones
2019-Sep-28 11:19 UTC
Re: [Libguestfs] [PATCH] v2v: -o rhv-upload: make -oo rhv-cafile optional
On Fri, Sep 27, 2019 at 02:23:29PM +0200, Pino Toscano wrote:> It makes little sense to require the oVirt certificate, especially when > the verification of the connection (-oo rhv-verifypeer) is disabled by > default. The only work done with the certificate in that case is > checking that it is a valid certificate file. > > Hence, make -oo rhv-cafile optional, requiring it only when > -oo rhv-verifypeer is enabled. > --- > v2v/output_rhv_upload.ml | 16 +++++++++------- > v2v/virt-v2v-output-rhv.pod | 2 ++ > 2 files changed, 11 insertions(+), 7 deletions(-) > > diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml > index 24a289169..d08502826 100644 > --- a/v2v/output_rhv_upload.ml > +++ b/v2v/output_rhv_upload.ml > @@ -28,7 +28,7 @@ open Types > open Utils > > type rhv_options = { > - rhv_cafile : string; > + rhv_cafile : string option; > rhv_cluster : string option; > rhv_direct : bool; > rhv_verifypeer : bool; > @@ -76,15 +76,13 @@ let parse_output_options options > error (f_"-o rhv-upload: unknown output option ‘-oo %s’") k > ) options; > > - let rhv_cafile > - match !rhv_cafile with > - | Some s -> s > - | None -> > - error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file") in > + let rhv_cafile = !rhv_cafile in > let rhv_cluster = !rhv_cluster in > let rhv_direct = !rhv_direct in > let rhv_verifypeer = !rhv_verifypeer in > let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in > + if rhv_verifypeer && rhv_cafile = None then > + error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file"); > > { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids } > > @@ -92,6 +90,10 @@ let nbdkit_python_plugin = Config.virt_v2v_nbdkit_python_plugin > let pidfile_timeout = 30 > let finalization_timeout = 5*60 > > +let json_optstring = function > + | Some s -> JSON.String s > + | None -> JSON.Null > + > class output_rhv_upload output_alloc output_conn > output_password output_storage > rhv_options > @@ -195,7 +197,7 @@ See also the virt-v2v-output-rhv(1) manual.") > "output_sparse", JSON.Bool (match output_alloc with > | Sparse -> true > | Preallocated -> false); > - "rhv_cafile", JSON.String rhv_options.rhv_cafile; > + "rhv_cafile", json_optstring rhv_options.rhv_cafile; > "rhv_cluster", > JSON.String (Option.default "Default" rhv_options.rhv_cluster); > "rhv_direct", JSON.Bool rhv_options.rhv_direct; > diff --git a/v2v/virt-v2v-output-rhv.pod b/v2v/virt-v2v-output-rhv.pod > index e840ca78d..04a894268 100644 > --- a/v2v/virt-v2v-output-rhv.pod > +++ b/v2v/virt-v2v-output-rhv.pod > @@ -101,6 +101,8 @@ The storage domain. > The F<ca.pem> file (Certificate Authority), copied from > F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine. > > +This option must be specified if I<-oo rhv-verifypeer> is enabled. > + > =item I<-oo rhv-cluster=>C<CLUSTERNAME> > > Set the RHV Cluster Name. If not given it uses C<Default>. > -- > 2.21.0Yes, as discussed on IRC this makes sense, thanks. ACK. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
Reasonably Related Threads
- [PATCH v2v] v2v: -o rhv-upload: Make -oo rhv-cafile optional in all cases (RHBZ#1791240).
- [PATCH] v2v: -o rhv-upload: add -oo rhv-disk-uuid option
- Re: [PATCH v2v v2 1/2] rhv-upload: Validate UUIDs passed to -oo rhv-disk-uuid (RHBZ#1789279)
- [PATCH] v2v: -o rhv-upload: decouple name of nbdkit python plugin
- [PATCH v8] v2v: Add -o rhv-upload output mode (RHBZ#1557273).