mooli tayer has uploaded a new change for review.
Change subject: vdsm-tool: always configures files as if certificates exist.
......................................................................
vdsm-tool: always configures files as if certificates exist.
Problem description:
====================
When vdsm-tool is called on a fresh host installed w/o host-deploy
(e.g. built from source) ssl_enabled=1 and there are no certificates
on the machine (/etc/pki/vdsm/certs/cacert.pem,
/etc/pki/vdsm/certs/vdsmcert.pem and /etc/pki/vdsm/keys/vdsmkey.pem).
In such conditions certain configuration values are defined as
non-ssl by vdsm-tool (see patch).
When attempting to start vdsm:
1.) a self signed certificate is created since none exist
2.) vdsm-tool validate fails, since vdsm is defined as on
but dependent configuration is not fully ssl on.
A second vdsm-tool run fixes the situation of course.
Solution:
=========
Always configure as if the self signed certificates are found,
knowing that upon initialization vdsm will create them.
Note: This is a temporary solution for 3.5.
In the next version the creation of self signed certificates
will be done as part of vdsm-tool in its own module.
This is better since we will be able to manage a lifecycle
for certs e.g. remove them when uninstalling vdsm, validate etc.
Change-Id: Ieaafc81fabdcecf2bbd7498e9c70393be5847472
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1127877
Signed-off-by: Mooli Tayer <[email protected]>
---
M lib/vdsm/tool/configurator.py
1 file changed, 0 insertions(+), 27 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/66/31466/1
diff --git a/lib/vdsm/tool/configurator.py b/lib/vdsm/tool/configurator.py
index 8136613..031a356 100644
--- a/lib/vdsm/tool/configurator.py
+++ b/lib/vdsm/tool/configurator.py
@@ -121,11 +121,6 @@
config.read(self._getFile('VDSM_CONF'))
vdsmConfiguration = {
- 'certs_exist': all(os.path.isfile(f) for f in [
- self.CA_FILE,
- self.CERT_FILE,
- self.KEY_FILE
- ]),
'ssl_enabled': config.getboolean('vars', 'ssl'),
'sanlock_enabled': SANLOCK_ENABLED,
'libvirt_selinux': LIBVIRT_SELINUX
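Review bot: with 'certs_exist' dropped from vdsmConfiguration, nothing in this dictionary reflects whether self.CA_FILE, self.CERT_FILE and self.KEY_FILE are present, so the ssl sections are written on an assumption stated only in the commit message: that vdsm creates the self signed certificates at start. Please add a short comment here recording that assumption and that it is temporary for 3.5, and check whether the os import and these three attributes still have a user in this module after the removal.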
@@ -412,7 +407,6 @@
{
'conditions': {
"ssl_enabled": True,
- "certs_exist": True,
},
'content': {
'ca_file': '\"' + CA_FILE + '\"',
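Review bot: in the 'conditions' of this entry, ssl_enabled alone now selects content whose 'ca_file' points at CA_FILE, so the path can be written before the file exists. If validate only compares the written values against this table, it will pass on a host that has no certificates; consider having validate report missing certificate files as a warning so that state stays visible until vdsm has created them.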
@@ -421,18 +415,6 @@
},
},
- {
- 'conditions': {
- "ssl_enabled": True,
- "certs_exist": False,
- },
- 'content': {
- 'auth_tcp': '"none"',
- 'listen_tcp': 1,
- 'listen_tls': 0,
- },
-
- }
]
},
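Review bot: the removed entry was the only one in this hunk that wrote auth_tcp "none", listen_tcp 1 and listen_tls 0, and the visible lines do not show the remaining ssl_enabled entry setting those three keys. A host already configured through the removed branch could keep unauthenticated plain TCP listening unless a later configure run overwrites the values; please confirm the ssl_enabled content sets all three explicitly, and add a test that configures a host without certificates and then runs validate.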
@@ -471,15 +453,6 @@
},
'content': {
'spice_tls': 1,
- },
-
- },
- {
- 'conditions': {
- "ssl_enabled": True,
- "certs_exist": True,
- },
- 'content': {
'spice_tls_x509_cert_dir': '\"' + LS_CERT_DIR + '\"',
},
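Review bot: 'spice_tls_x509_cert_dir' now takes the conditions of the entry that sets 'spice_tls', which sit above this hunk's context, where before it was guarded by both ssl_enabled and certs_exist. Please confirm that entry is conditioned on ssl_enabled being True so the cert dir is not written with ssl off, and mention in a comment that LS_CERT_DIR may hold no certificates until vdsm has generated them.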
--
To view, visit http://gerrit.ovirt.org/31466
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ieaafc81fabdcecf2bbd7498e9c70393be5847472
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: mooli tayer <[email protected]>