Richard W.M. Jones
2018-Nov-20 10:25 UTC
[Libguestfs] [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).
A smaller change than v2, we simply generalize the ability to pass through flags to the underlying openstack command, allowing the --insecure flag to be specified directly. Rich.
Richard W.M. Jones
2018-Nov-20 10:25 UTC
[Libguestfs] [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).
Previously we allowed arbitrary flags to be passed through to the underlying openstack CLI command, provided they have the format ‘--key=value’. We want to pass the ‘--insecure’ flag through, but that doesn't have the key=value form. However a small modification to the matching rules would allow this. The effect of this change is that you can now use ‘virt-v2v -oo insecure’ to turn off SSL certificate validation. The default is to verify the server certificate (which is the default of the openstack command). --- v2v/output_openstack.ml | 11 +++++++---- v2v/test-v2v-o-openstack.sh | 2 ++ v2v/virt-v2v-output-openstack.pod | 7 +++++++ 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/v2v/output_openstack.ml b/v2v/output_openstack.ml index 22fac69bd..76e269c85 100644 --- a/v2v/output_openstack.ml +++ b/v2v/output_openstack.ml @@ -110,11 +110,14 @@ let parse_output_options options dev_disk_by_id := Some v | "guest-id", v -> guest_id := Some v + (* Accumulate any remaining/unknown -oo parameters + * into the authentication list, where they will be + * passed unmodified through to the openstack command. + *) + | k, "" -> + let opt = sprintf "--%s" k in + authentication := opt :: !authentication | k, v -> - (* Accumulate any remaining/unknown -oo parameters - * into the authentication list, where they will be - * pass unmodified through to the openstack command. - *) let opt = sprintf "--%s=%s" k v in authentication := opt :: !authentication ) options; diff --git a/v2v/test-v2v-o-openstack.sh b/v2v/test-v2v-o-openstack.sh index 3a10a5475..8b809a1aa 100755 --- a/v2v/test-v2v-o-openstack.sh +++ b/v2v/test-v2v-o-openstack.sh @@ -56,6 +56,7 @@ $VG virt-v2v --debug-gc \ -o openstack -on test \ -oo server-id=test \ -oo guest-id=guestid \ + -oo insecure \ -oo dev-disk-by-id=$d # Check the log of openstack commands to make sure they look reasonable. @@ -65,5 +66,6 @@ grep 'server add volume' $d/log grep 'volume set.*--bootable.*dummy-vol-id' $d/log grep 'volume set.*--property.*virt_v2v_guest_id=guestid' $d/log grep 'server remove volume' $d/log +grep -- '--insecure' $d/log rm -r $d diff --git a/v2v/virt-v2v-output-openstack.pod b/v2v/virt-v2v-output-openstack.pod index 7ea3bc75c..64c431b6c 100644 --- a/v2v/virt-v2v-output-openstack.pod +++ b/v2v/virt-v2v-output-openstack.pod @@ -124,6 +124,13 @@ This can be used to find disks associated with a guest, or to associate which disks are related to which guests when converting many guests. +=head2 OpenStack: Ignore server certificate + +Using I<virt-v2v -oo insecure> you can tell the openstack client to +ignore the server certificate when connecting to the OpenStack API +endpoints. This has the same effect as passing the I<--insecure> +option to the C<openstack> command. + =head2 OpenStack: Converting a guest The final command to convert the guest, running as root, will be: -- 2.19.0.rc0
Tomáš Golembiovský
2018-Nov-20 11:35 UTC
Re: [Libguestfs] [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).
On Tue, 20 Nov 2018 10:25:10 +0000 "Richard W.M. Jones" <rjones@redhat.com> wrote:> Previously we allowed arbitrary flags to be passed through to the > underlying openstack CLI command, provided they have the format > ‘--key=value’. We want to pass the ‘--insecure’ flag through, but > that doesn't have the key=value form. However a small modification to > the matching rules would allow this. > > The effect of this change is that you can now use ‘virt-v2v -oo > insecure’ to turn off SSL certificate validation. The default is to > verify the server certificate (which is the default of the openstack > command). > --- > v2v/output_openstack.ml | 11 +++++++---- > v2v/test-v2v-o-openstack.sh | 2 ++ > v2v/virt-v2v-output-openstack.pod | 7 +++++++ > 3 files changed, 16 insertions(+), 4 deletions(-) >LGTM I would just enhance the commit message little bit. The change allows you to pass arbitrary argument and not just --insecure. E.g. --validate (the opposite of --insecure) or --debug and --verbose.
Pino Toscano
2018-Nov-20 11:46 UTC
Re: [Libguestfs] [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).
On Tuesday, 20 November 2018 11:25:10 CET Richard W.M. Jones wrote:> Previously we allowed arbitrary flags to be passed through to the > underlying openstack CLI command, provided they have the format > ‘--key=value’. We want to pass the ‘--insecure’ flag through, but > that doesn't have the key=value form. However a small modification to > the matching rules would allow this. > > The effect of this change is that you can now use ‘virt-v2v -oo > insecure’ to turn off SSL certificate validation. The default is to > verify the server certificate (which is the default of the openstack > command). > ---I'm not sure this is something we should support. This effectively passes through every -oo to openstack, and I'm afraid people will just (ab)use it to workaround stuff rather than reporting issues in virt-v2v. Potentially even options that conflict/revert what virt-v2v itself passes to the openstack client. IMHO it is still better, and safer to explicitly allow options as needed. -- Pino Toscano
Possibly Parallel Threads
- [PATCH v4 0/2] v2v: -o openstack: -oo verify-server-certificate=(true|false) (RHBZ#1651432).
- [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).
- [PATCH v2 0/2] v2v: Add -o openstack target.
- Re: [PATCH v3] v2v: -o openstack: Allow -oo insecure (RHBZ#1651432).
- [PATCH] UNTESTED v2v: openstack: Read server-id from metadata service.