Juan Hernandez has posted comments on this change.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
Patch Set 2: (1 inline comment)
....................................................
File vdsm_reg/deployUtil.py.in
Line 1468: ovirtfunctions.ovirt_safe_delete_config(CACERT)
Line 1469: if os.path.exists(ENGINECACERT):
Line 1470: ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
Line 1471:
Line 1472: def getRhevmCert(IP, port):

Ok, now I understand.

There are two CA certificates involved:

1. The VDSM default CA certificate that is part of the node .iso. This CA is
used to generate a VDSM certificate that is also part of the .iso. My
understanding is that this VDSM certificate is needed in order to be able to
start VDSM and libvirt while the final VDSM certificate is not yet generated.

2. The engine CA certificate, generated during the installation of the engine.

The problem is that both are stored in the same place:
/etc/pki/vdsm/certs/cacert.pem. When the node installation begins it downloads
the engine CA certificate to this location. Then, after the reboot, the VDSM
start scripts overwrite it with their own (to be able to start libvirt). Then
vdsm-reg tries to use it to download the SSH key from the engine and fails,
because it is using the VDSM default CA certificate instead of the engine CA
certificate.

What this patch tries to do is to make sure that the engine CA certificate is
downloaded to a different place, so that VDSM will not overwrite it during the
reboot.

Line 1473:
Line 1474: dontcare, VDSMCERT, ENGINECACERT = certPaths('')
Line 1475: RHEVM_CERT_FILE = "/ca.crt"
Line 1476: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
--
To view, visit http://gerrit.ovirt.org/8038
Gerrit-MessageType: comment
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Douglas Schilling Landgraf <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Michael Burns <[email protected]>
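
The path collision described in the comment above, reproduced in a scratch directory as an added example (not part of the original message or of the vdsm code). The subject names, the throwaway keys, the assumption that the engine's server certificate chains to the engine CA, and the directory used for enginecacert.pem are all constructed for illustration.

```shell
#!/bin/sh
# Added example: two CAs competing for one trust-anchor path.
# All names and paths live under a temporary directory; nothing real is touched.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTS="$WORK/etc/pki/vdsm/certs"
mkdir -p "$CERTS"

# Create a throwaway self-signed CA: $WORK/<name>.pem and $WORK/<name>.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a leaf certificate $WORK/<subject>.pem signed by CA <ca>
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Succeeds only if the certificate chains to the given CA file
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_ca engine-ca
make_ca vdsm-default-ca
issue_cert engine-ca engine-server

# Before the change: both CAs are written to cacert.pem
shared_path_flow() {
    cp "$WORK/engine-ca.pem" "$CERTS/cacert.pem"        # install: engine CA downloaded
    cp "$WORK/vdsm-default-ca.pem" "$CERTS/cacert.pem"  # reboot: VDSM start script
    trusts "$CERTS/cacert.pem" "$WORK/engine-server.pem"
}

# After the change: the engine CA has its own file and survives the reboot
separate_path_flow() {
    cp "$WORK/engine-ca.pem" "$CERTS/enginecacert.pem"
    cp "$WORK/vdsm-default-ca.pem" "$CERTS/cacert.pem"
    trusts "$CERTS/enginecacert.pem" "$WORK/engine-server.pem"
}

shared_path_flow   && echo "shared path: engine trusted"   || echo "shared path: engine NOT trusted"
separate_path_flow && echo "separate path: engine trusted" || echo "separate path: engine NOT trusted"
```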