Richard W.M. Jones
2020-Jan-15 13:01 UTC
[Libguestfs] [PATCH v2v] v2v: -o rhv-upload: Make -oo rhv-cafile optional in all cases (RHBZ#1791240).
This is actually not required, because ovirtsdk4 will use the system's global trust store if necessary. Therefore we can make it optional in all cases. --- docs/virt-v2v-output-rhv.pod | 5 ++++- v2v/output_rhv_upload.ml | 2 -- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/virt-v2v-output-rhv.pod b/docs/virt-v2v-output-rhv.pod index 04a894268..4520c9184 100644 --- a/docs/virt-v2v-output-rhv.pod +++ b/docs/virt-v2v-output-rhv.pod @@ -101,7 +101,10 @@ The storage domain. The F<ca.pem> file (Certificate Authority), copied from F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine. -This option must be specified if I<-oo rhv-verifypeer> is enabled. +If I<-oo rhv-verifypeer> is enabled then this option can +be used to control which CA is used to verify the client’s +identity. If this option is not used then the system’s +global trust store is used. =item I<-oo rhv-cluster=>C<CLUSTERNAME> diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml index 7b5ad7a86..14153db36 100644 --- a/v2v/output_rhv_upload.ml +++ b/v2v/output_rhv_upload.ml @@ -81,8 +81,6 @@ let parse_output_options options let rhv_direct = !rhv_direct in let rhv_verifypeer = !rhv_verifypeer in let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in - if rhv_verifypeer && rhv_cafile = None then - error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file"); { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids } -- 2.24.1
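Review bot: in the docs/virt-v2v-output-rhv.pod hunk the new wording "control which CA is used to verify the client's identity" inverts the direction of the check: the CA file given with -oo rhv-cafile is what virt-v2v uses to verify the certificate presented by the oVirt engine (the server), not the client's identity, so suggest "to verify the server's identity". Since the removed error message was the only place that told users ca.pem is needed, the same paragraph should also say that the system trust store fallback only works if the engine's CA has been imported into that store.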
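Review bot: dropping the `if rhv_verifypeer && rhv_cafile = None then error (...)` check in parse_output_options (v2v/output_rhv_upload.ml hunk) means the misconfiguration it caught (rhv-verifypeer on, no CA for the engine in the system trust store) now surfaces only when the SDK or imageio TLS connection fails, with a less actionable error than the one being removed. Consider still emitting a warning or debug message when rhv_verifypeer is set and rhv_cafile is None, stating that the system trust store will be used, so a later verification failure can be traced back to the missing CA. The record `{ rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids }` is unchanged and fine.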
Pino Toscano
2020-Jan-16 14:21 UTC
Re: [Libguestfs] [PATCH v2v] v2v: -o rhv-upload: Make -oo rhv-cafile optional in all cases (RHBZ#1791240).
On Wednesday, 15 January 2020 14:01:11 CET Richard W.M. Jones wrote:
> This is actually not required, because ovirtsdk4 will use the system's
> global trust store if necessary. Therefore we can make it optional in
> all cases.
> ---

LGTM.

Thanks,
--
Pino Toscano
Nir Soffer
2020-Jan-16 16:50 UTC
Re: [Libguestfs] [PATCH v2v] v2v: -o rhv-upload: Make -oo rhv-cafile optional in all cases (RHBZ#1791240).
On Wed, Jan 15, 2020 at 3:01 PM Richard W.M. Jones <rjones@redhat.com> wrote:
> This is actually not required, because ovirtsdk4 will use the system's
> global trust store if necessary. Therefore we can make it optional in
> all cases.

The only way to avoid the cafile is to set insecure=True both when creating the SDK connection and when connecting to imageio.

Otherwise the system trust store must include the CA used when creating engine and vdsm certificates. In a development setup this is never true; in production it may work if you are lucky.

Nir

---
> docs/virt-v2v-output-rhv.pod | 5 ++++- > v2v/output_rhv_upload.ml | 2 -- > 2 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/docs/virt-v2v-output-rhv.pod b/docs/virt-v2v-output-rhv.pod > index 04a894268..4520c9184 100644 > --- a/docs/virt-v2v-output-rhv.pod > +++ b/docs/virt-v2v-output-rhv.pod > @@ -101,7 +101,10 @@ The storage domain. > The F<ca.pem> file (Certificate Authority), copied from > F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine. > > -This option must be specified if I<-oo rhv-verifypeer> is enabled. > +If I<-oo rhv-verifypeer> is enabled then this option can > +be used to control which CA is used to verify the client’s > +identity. If this option is not used then the system’s > +global trust store is used. > > =item I<-oo rhv-cluster=>C<CLUSTERNAME> > > diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml > index 7b5ad7a86..14153db36 100644 > --- a/v2v/output_rhv_upload.ml > +++ b/v2v/output_rhv_upload.ml
> @@ -81,8 +81,6 @@ let parse_output_options options > let rhv_direct = !rhv_direct in > let rhv_verifypeer = !rhv_verifypeer in > let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in > - if rhv_verifypeer && rhv_cafile = None then > - error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the > path to the oVirt or RHV user’s ‘ca.pem’ file"); > > { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids } > > -- > 2.24.1 > > _______________________________________________ > Libguestfs mailing list > Libguestfs@redhat.com > https://www.redhat.com/mailman/listinfo/libguestfs
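As an added illustration of the three trust configurations Nir describes (this is not code from virt-v2v or the patch), the hypothetical helper below maps the rhv-cafile / rhv-verifypeer options onto the keyword arguments a client would pass to ovirtsdk4.Connection and onto a standard-library ssl context for the imageio transfer, and shows how to confirm the engine CA is actually present in the trust set before relying on the system store:

```python
import ssl


def tls_policy(cafile, verifypeer):
    """Map -oo rhv-cafile / -oo rhv-verifypeer onto a TLS policy.

    Returns (sdk_kwargs, ctx): the ca_file/insecure arguments for the
    ovirtsdk4 connection and an ssl.SSLContext for the imageio upload.
    Hypothetical helper written for this illustration, not virt-v2v code.
    """
    if not verifypeer:
        # Equivalent of insecure=True on both connections: neither the
        # certificate chain nor the hostname is checked, so any server
        # certificate is accepted.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return {"ca_file": None, "insecure": True}, ctx
    if cafile is not None:
        # Explicit CA: only chains ending in ca.pem are accepted. A
        # missing file fails here, at option handling, instead of later
        # when the connection is attempted.
        ctx = ssl.create_default_context(cafile=cafile)
        return {"ca_file": cafile, "insecure": False}, ctx
    # No CA given: fall back to the system trust store, which only works
    # if the engine/vdsm signing CA has been imported into it.
    ctx = ssl.create_default_context()
    return {"ca_file": None, "insecure": False}, ctx


def trusted_ca_names(ctx):
    """Common names of the CAs already loaded into the context."""
    names = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names


def engine_ca_trusted(ctx, engine_ca_cn):
    """True when a CA with the given CN is in the context's trust set;
    run this against the system-store context before an upload."""
    return engine_ca_cn in trusted_ca_names(ctx)
```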
Fabien Dupont
2020-Jan-17 10:47 UTC
Re: [Libguestfs] [PATCH v2v] v2v: -o rhv-upload: Make -oo rhv-cafile optional in all cases (RHBZ#1791240).
The CA file also needs to contain the engine and VDSM signing certs, so somehow the users need to get them. What stops them from putting it in the trust store?

On Thu, Jan 16, 2020 at 5:51 PM Nir Soffer <nsoffer@redhat.com> wrote:
> On Wed, Jan 15, 2020 at 3:01 PM Richard W.M. Jones <rjones@redhat.com> > wrote: > >> This is actually not required, because ovirtsdk4 will use the system's >> global trust store if necessary. Therefore we can make it optional in >> all cases. >> > > The only way to avoid the cafile is to set insecure=True both when > creating sdk connection > and when connecting to imageio. > > Otherwise the system trust store must include the CA used when creating > engine and > vdsm certificates. In development setup this is never true, in production > It may work > if you are lucky. > > Nir > > --- >> docs/virt-v2v-output-rhv.pod | 5 ++++- >> v2v/output_rhv_upload.ml | 2 -- >> 2 files changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/docs/virt-v2v-output-rhv.pod b/docs/virt-v2v-output-rhv.pod >> index 04a894268..4520c9184 100644 >> --- a/docs/virt-v2v-output-rhv.pod >> +++ b/docs/virt-v2v-output-rhv.pod >> @@ -101,7 +101,10 @@ The storage domain. >> The F<ca.pem> file (Certificate Authority), copied from >> F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine. >> >> -This option must be specified if I<-oo rhv-verifypeer> is enabled. >> +If I<-oo rhv-verifypeer> is enabled then this option can >> +be used to control which CA is used to verify the client’s >> +identity. If this option is not used then the system’s >> +global trust store is used. >> >> =item I<-oo rhv-cluster=>C<CLUSTERNAME> >> >> diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml >> index 7b5ad7a86..14153db36 100644 >> --- a/v2v/output_rhv_upload.ml >> +++ b/v2v/output_rhv_upload.ml
>> @@ -81,8 +81,6 @@ let parse_output_options options >> let rhv_direct = !rhv_direct in >> let rhv_verifypeer = !rhv_verifypeer in >> let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in >> - if rhv_verifypeer && rhv_cafile = None then >> - error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the >> path to the oVirt or RHV user’s ‘ca.pem’ file"); >> >> { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids } >> >> -- >> 2.24.1 >> >> _______________________________________________ >> Libguestfs mailing list >> Libguestfs@redhat.com >> https://www.redhat.com/mailman/listinfo/libguestfs > > _______________________________________________ > Libguestfs mailing list > Libguestfs@redhat.com > https://www.redhat.com/mailman/listinfo/libguestfs

--
Fabien Dupont, RHCA
Senior Principal Software Engineer
Red Hat - Migration Engineering
<https://www.redhat.com> <https://red.ht/sig> <https://redhat.com/summit>