12:39 p.m.
Juan Hernandez has uploaded a new change for review.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
BZ#856167 - Store engine CA cert in enginecacert.pem
Currently we store the CA certificate downloaded that we get from the
engine for registration purposes in the /etc/pki/vdsm/cacert.pem file.
This file is then replaced by VDSM by its default one during reboot,
making a backup before. This means that after the reboot vdsm-reg can't
use it to download the SSH key, and this means that registration fails.
This patch changes deployUtil.py so that it downloads the engine CA
certificate to a new file: /etc/pki/vdsm/enginecacert.pem. This file is
preserved, so that vdsm-reg can use it to download the SSH key
correctly.
Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Signed-off-by: Juan Hernandez <juan.hernandez(a)redhat.com>
---
M vdsm_reg/deployUtil.py.in
M vdsm_reg/engine.py.in
2 files changed, 24 insertions(+), 20 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/38/8038/1
diff --git a/vdsm_reg/deployUtil.py.in b/vdsm_reg/deployUtil.py.in
index bbda70e..60fda9e 100644
--- a/vdsm_reg/deployUtil.py.in
+++ b/vdsm_reg/deployUtil.py.in
@@ -629,10 +629,10 @@
"""
This functions returns the public ssh key of @ENGINENAME@.
"""
- CACERT, dontcare = certPaths('')
+ dontcare, dontcare, ENGINECACERT = certPaths('')
for cert in REMOTE_SSH_KEY_FILE:
data = getRemoteFile(IP, port, cert,
- timeout=HTTP_TIMEOUT, certPath=CACERT)
+ timeout=HTTP_TIMEOUT, certPath=ENGINECACERT)
if data != None:
break
@@ -1137,8 +1137,9 @@
if fAddID:
VDSMCERT = tsDir + "/certs/vdsm-" +
os.environ.get("SSH_CONNECTION").split()[2] + "-cert.pem"
CACERT = tsDir + "/certs/cacert.pem"
+ ENGINECACERT = tsDir + "/certs/enginecacert.pem"
- return CACERT, VDSMCERT
+ return CACERT, VDSMCERT, ENGINECACERT
def pkiCleanup(key, cert):
"""
@@ -1185,7 +1186,7 @@
nGID = gGroup.gr_gid
uUserInfo = pwd.getpwnam(VDSM_USER)
nUID = uUserInfo.pw_uid
- CACERT, VDSMCERT = certPaths(confFile)
+ CACERT, VDSMCERT, ENGINECACERT = certPaths(confFile)
# Delete old certificates
logging.debug("instCert: try to delete old certificates")
@@ -1447,34 +1448,37 @@
backupTime = dt.strftime("%Y-%m-%d_%H%M%S")
for pemFile in certs:
- certName = os.path.basename(pemFile)
- dirName = os.path.dirname(pemFile)
+ if os.path.exists(pemFile):
+ certName = os.path.basename(pemFile)
+ dirName = os.path.dirname(pemFile)
- bkpCertName = dirName + "/bkp-" + backupTime + '_' + certName
+ bkpCertName = dirName + "/bkp-" + backupTime + '_' +
certName
- shutil.copy2(pemFile, bkpCertName)
- st = os.stat(pemFile)
- os.chown(bkpCertName, st.st_uid, st.st_gid)
- ovirtfunctions.ovirt_store_config(bkpCertName)
+ shutil.copy2(pemFile, bkpCertName)
+ st = os.stat(pemFile)
+ os.chown(bkpCertName, st.st_uid, st.st_gid)
+ ovirtfunctions.ovirt_store_config(bkpCertName)
def nodeCleanup():
if isOvirt():
- CACERT, VDSMCERT = certPaths('')
+ CACERT, VDSMCERT, ENGINECACERT = certPaths('')
- _nodeBackupCerts([CACERT, VDSMCERT])
+ _nodeBackupCerts([CACERT, VDSMCERT, ENGINECACERT])
if os.path.exists(CACERT):
ovirtfunctions.ovirt_safe_delete_config(CACERT)
+ if os.path.exists(ENGINECACERT):
+ ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
def getRhevmCert(IP, port):
- CACERT, VDSMCERT = certPaths('')
+ dontcare, VDSMCERT, ENGINECACERT = certPaths('')
RHEVM_CERT_FILE = "/ca.crt"
rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
if rhevmCert:
- dirName = os.path.dirname(CACERT)
+ dirName = os.path.dirname(ENGINECACERT)
if not os.path.exists(dirName):
os.makedirs(dirName)
- crt = file(CACERT, "w+")
+ crt = file(ENGINECACERT, "w+")
try:
crt.write(rhevmCert)
finally:
@@ -1542,14 +1546,14 @@
if not getRhevmCert(options.serverIp, options.serverPort):
print 'Failed downloading the @ENGINENAME@ certificate file'
return -1
- CACERT, dontcare = certPaths('')
- fp = generateFingerPrint(CACERT)
+ dontcare, dontcare, ENGINECACERT = certPaths('')
+ fp = generateFingerPrint(ENGINECACERT)
if options.fingerPrint != fp:
print 'Expected fingerprint %s is different from recieved fingerprint
%s' % (options.fingerPrint, fp)
return -1
if isOvirt():
- ovirtfunctions.ovirt_store_config(CACERT)
+ ovirtfunctions.ovirt_store_config(ENGINECACERT)
print '@ENGINENAME@ certificate downloaded and verified successfully.'
return 0
print 'Missing arguments'
diff --git a/vdsm_reg/engine.py.in b/vdsm_reg/engine.py.in
index 15e38b5..8be6940 100644
--- a/vdsm_reg/engine.py.in
+++ b/vdsm_reg/engine.py.in
@@ -283,7 +283,7 @@
if self.verify_engine_cert.selected():
if deployUtil.getRhevmCert(self.engine_server.value(), enginePort):
- path, dontCare = deployUtil.certPaths('')
+ path, dontCare, dontCare = deployUtil.certPaths('')
fp = deployUtil.generateFingerPrint(path)
approval = ButtonChoiceWindow(self.ncs.screen,
"Certificate Fingerprint:",
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
1:07 p.m.
Douglas Schilling Landgraf has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: Looks good to me, but someone else must approve
(1 inline comment)
....................................................
File vdsm_reg/deployUtil.py.in
Line 1447: dt = datetime.datetime.now()
Line 1448: backupTime = dt.strftime("%Y-%m-%d_%H%M%S")
Line 1449:
Line 1450: for pemFile in certs:
Line 1451: if os.path.exists(pemFile):
hopefully the certs will exists from the before certPaths(''), line 1464 but good
call.
Line 1452: certName = os.path.basename(pemFile)
Line 1453: dirName = os.path.dirname(pemFile)
Line 1454:
Line 1455: bkpCertName = dirName + "/bkp-" + backupTime +
'_' + certName
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
12:57 p.m.
Alon Bar-Lev has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: Looks good to me, but someone else must approve
Minor note... I would have called this REGCA or anything of 'registration' term...
engine has nothing to do with this...
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
12:36 p.m.
New subject: Change in vdsm[master]: Store engine web CA cert in engine_web_ca.pem
Dan Kenigsberg has submitted this change and it was merged.
Change subject: Store engine web CA cert in engine_web_ca.pem
......................................................................
Store engine web CA cert in engine_web_ca.pem
Currently we store the CA certificate downloaded from the engine for
registration purposes in the /etc/pki/vdsm/cacert.pem file. This file
is then replaced by VDSM by its default one during reboot, making a
backup before. This means that after the reboot vdsm-reg can't use it to
download the SSH key, and this means that registration fails.
This patch changes deployUtil.py so that it downloadto s the certificate
of the CA that signs the certificate of the engine web server to a new
file: /etc/pki/vdsm/enginecacert.pem. This file is not touched by the
VDSM start script, so that vdsm-reg can use it later to download the SSH
key correctly.
Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Bug-Url: https://bugzilla.redhat.com/856167
Signed-off-by: Juan Hernandez <juan.hernandez(a)redhat.com>
---
M vdsm_reg/deployUtil.py.in
M vdsm_reg/engine.py.in
2 files changed, 30 insertions(+), 22 deletions(-)
Approvals:
Alon Bar-Lev: Looks good to me, but someone else must approve
Douglas Schilling Landgraf: Looks good to me, but someone else must approve
Juan Hernandez: Verified
Dan Kenigsberg: Looks good to me, approved
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
12:36 p.m.
New subject: Change in vdsm[master]: Store engine web CA cert in engine_web_ca.pem
Dan Kenigsberg has posted comments on this change.
Change subject: Store engine web CA cert in engine_web_ca.pem
......................................................................
Patch Set 3: Looks good to me, approved
(1 inline comment)
summing-up Alon and Douglas's acks.
....................................................
Commit Message
Line 13: download the SSH key, and this means that registration fails.
Line 14:
Line 15: This patch changes deployUtil.py so that it downloadto s the certificate
Line 16: of the CA that signs the certificate of the engine web server to a new
Line 17: file: /etc/pki/vdsm/enginecacert.pem. This file is not touched by the
this has changed since this has been written, but I don't want to loose the nice acks
you've got.
Line 18: VDSM start script, so that vdsm-reg can use it later to download the SSH
Line 19: key correctly.
Line 20:
Line 21: Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
4:29 a.m.
New subject: Change in vdsm[master]: Store engine web CA cert in engine_web_ca.pem
Juan Hernandez has posted comments on this change.
Change subject: Store engine web CA cert in engine_web_ca.pem
......................................................................
Patch Set 3: Verified
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
10:16 p.m.
New subject: Change in vdsm[master]: Store engine web CA cert in engine_web_ca.pem
Douglas Schilling Landgraf has posted comments on this change.
Change subject: Store engine web CA cert in engine_web_ca.pem
......................................................................
Patch Set 3: Looks good to me, but someone else must approve
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
4:09 p.m.
New subject: Change in vdsm[master]: Store engine web CA cert in engine_web_ca.pem
Alon Bar-Lev has posted comments on this change.
Change subject: Store engine web CA cert in engine_web_ca.pem
......................................................................
Patch Set 3: Looks good to me, but someone else must approve
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
1:38 p.m.
New subject: Change in vdsm[master]: Store engine web CA cert in engine_web_ca.pem
Juan Hernandez has posted comments on this change.
Change subject: Store engine web CA cert in engine_web_ca.pem
......................................................................
Patch Set 3:
Rebased and renamed the file and the variable containing the certificate of the engine web
server, as per comments in previous patch set.
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
10:24 a.m.
Dan Kenigsberg has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: (1 inline comment)
....................................................
File vdsm_reg/deployUtil.py.in
Line 1468: ovirtfunctions.ovirt_safe_delete_config(CACERT)
Line 1469: if os.path.exists(ENGINECACERT):
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):
ok,,, recently, upstream added a feature for stand-alone installation of vdsm, where a
self-signed vdsmcert.pem and its cacert.pem are generated on vdsm.rpm installation.
They are intended to be overwritten by the bootstrap process, as they have no value for
Engine-controlled installation. (note to self/Alon - there's wasted time here, of
needless key generation).
Since the .iso is generated by means of installing rpms, these files are shipped on the
image. But I believe this is an unfortunate coincidence. Vdsm should not be running before
registration.
I would suggest to somehow drop the default key/certs from the shipped ovirt-node image.
Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
9:21 a.m.
Juan Hernandez has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: (1 inline comment)
....................................................
File vdsm_reg/deployUtil.py.in
Line 1468: ovirtfunctions.ovirt_safe_delete_config(CACERT)
Line 1469: if os.path.exists(ENGINECACERT):
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):
Ok, now I understand.
There are two CA certificates involved:
1. The VDSM default CA certificate that is part of the node .iso. This CA is used to
generate a VDSM certificate that is also part of the .iso. My understanding is that this
VDSM certificate is needed in order to be able to start VDSM and libvirt while the final
VDSM certificate is not yet generated.
2. The engine CA certificate, generated during the installation of the engine.
The problem is that both are stored in the same place: /etc/pki/vdsm/certs/cacert.pem.
When the node installation begins it downloads the engine CA certificate to this location.
Then, after the reboot, the VDSM start scripts overwrites it with its own (to be able to
start libvirt). Then vdsm-reg tries to use it to download the SSH key from the engine and
fails, because it is using VDSM default CA certificate instead of the engine CA
certificate.
What this patch tries to do is to make sure that the engine CA certificate is downloaded
to a different place, so that VDSM will not overwrite it during the reboot.
Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:58 a.m.
Dan Kenigsberg has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: (1 inline comment)
....................................................
File vdsm_reg/deployUtil.py.in
Line 1468: ovirtfunctions.ovirt_safe_delete_config(CACERT)
Line 1469: if os.path.exists(ENGINECACERT):
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):
So I'm missing something important here.
Isn't CACERT the certificate of the CA that signs both vdsm and Engine's
certificates? Or do we have two different CAs?
Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:33 a.m.
Juan Hernandez has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: (2 inline comments)
....................................................
File vdsm_reg/deployUtil.py.in
Line 1468: ovirtfunctions.ovirt_safe_delete_config(CACERT)
Line 1469: if os.path.exists(ENGINECACERT):
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):
I will add a comment. I think there are other patches around to rename this to
"getEngineCert", so I prefer to avoid that rename in this patch. If I were to
rename it I would use "downloadEngineCACertificate" or something similar.
I don't understand the second part of your comment. What is downloaded here is the
certificate of the CA of the engine, not the certificate of the engine itself. Why do you
say that the CA in ENGINECACERT is misplaced? I am open to rename that variable, but I
need to understand your point.
Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):
Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
Done
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
Line 1477: if rhevmCert:
Line 1478: dirName = os.path.dirname(ENGINECACERT)
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:18 a.m.
Dan Kenigsberg has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: I would prefer that you didn't submit this
(2 inline comments)
only naming issues.
....................................................
File vdsm_reg/deployUtil.py.in
Line 1468: ovirtfunctions.ovirt_safe_delete_config(CACERT)
Line 1469: if os.path.exists(ENGINECACERT):
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):
I could use a comment (or a function rename...) telling that here we obtain the
certificate for Engine's https communication.
Come to think of it, the CA in ENGINECACERT is misplaced.
Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):
Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
I suppose you dontcare here about VDSMCERT, too.
A more commonplace way to name dontcare is "_".
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
Line 1477: if rhevmCert:
Line 1478: dirName = os.path.dirname(ENGINECACERT)
--
To view, visit http://gerrit.ovirt.org/8038
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfediuck(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
4248
days inactive
4262
days old
vdsm-patches@lists.fedorahosted.org
13 comments
4 participants
participants (4)
-
Alon Bar-Lev -
Dan Kenigsberg -
Douglas Schilling Landgraf -
juan.hernandez@redhat.com