3:08 p.m.
Federico Simoncelli has uploaded a new change for review.
Change subject: setup: move the the certificate generation
......................................................................
setup: move the the certificate generation
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=860067
Signed-off-by: Federico Simoncelli <fsimonce(a)redhat.com>
Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
---
M vdsm.spec.in
M vdsm/vdsm-gencerts.sh.in
M vdsm/vdsmd.init.in
3 files changed, 95 insertions(+), 38 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/68/8368/1
diff --git a/vdsm.spec.in b/vdsm.spec.in
index 61b0c3e..2f80b8d 100644
--- a/vdsm.spec.in
+++ b/vdsm.spec.in
@@ -456,9 +456,6 @@
# set the vdsm "secret" password for libvirt
%{_bindir}/vdsm-tool set-saslpasswd
-# generate the vdsm certificates (if missing)
-%{_libexecdir}/%{vdsm_name}/vdsm-gencerts.sh
-
# Have moved vdsm section in /etc/sysctl.conf to /etc/sysctl.d/vdsm.
# So Remove them if it is played with /etc/sysctl.conf.
if grep -q "# VDSM section begin" /etc/sysctl.conf; then
diff --git a/vdsm/vdsm-gencerts.sh.in b/vdsm/vdsm-gencerts.sh.in
index 6cdb227..8beba64 100755
--- a/vdsm/vdsm-gencerts.sh.in
+++ b/vdsm/vdsm-gencerts.sh.in
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
#
# Copyright 2012 Red Hat, Inc.
#
@@ -19,56 +19,105 @@
# Refer to the README and COPYING files for full details of the license
#
-VDSM_PKI="@TRUSTSTORE@"
-VDSM_KEY="$VDSM_PKI/keys/vdsmkey.pem"
-VDSM_CRT="$VDSM_PKI/certs/vdsmcert.pem"
-VDSM_CA="$VDSM_PKI/certs/cacert.pem"
+__vdsm_gencerts_key="@TRUSTSTORE(a)/keys/vdsmkey.pem"
+__vdsm_gencerts_crt="@TRUSTSTORE(a)/certs/vdsmcert.pem"
+__vdsm_gencerts_ca="@TRUSTSTORE(a)/certs/cacert.pem"
+__vdsm_gencerts_perms="@VDSMUSER@:@VDSMGROUP@"
-VDSM_TEMPLATE="$(mktemp)"
+vdsm_check_certificate() {
+ [ -s "$__vdsm_gencerts_key" -o -s "$__vdsm_gencerts_ca" -o \
+ -s "$__vdsm_gencerts_crt" ]
+}
-VDSM_FQDN=`hostname -f`
-[ -z "$VDSM_FQDN" ] && VDSM_FQDN="localhost.localdomain"
+vdsm_create_key() {
+ [ -s "$__vdsm_gencerts_key" ] && return
-VDSM_PERMS="@VDSMUSER@:@VDSMGROUP@"
+ (umask 0077
+ /usr/bin/certtool --generate-privkey \
+ --outfile "${__vdsm_gencerts_key}~" \
+ 2> /dev/null)
+ local __retcode=$?
-umask 077
+ if [ $__retcode -ne 0 ]; then
+ return $__retcode
+ fi
-if [ ! -f "$VDSM_KEY" ]; then
- /usr/bin/certtool --generate-privkey --outfile "$VDSM_KEY" 2> /dev/null
- /bin/chown "$VDSM_PERMS" "$VDSM_KEY"
- /sbin/restorecon "$VDSM_KEY"
-fi
+ /bin/mv -f "${__vdsm_gencerts_key}~" "$__vdsm_gencerts_key"
-if [ ! -f "$VDSM_CA" ]; then
- /bin/cat > "$VDSM_TEMPLATE" <<EOF
+ /bin/chown "$__vdsm_gencerts_perms" "$__vdsm_gencerts_key"
+ /sbin/restorecon "$__vdsm_gencerts_key"
+}
+
+vdsm_create_ca() {
+ [ -s "$__vdsm_gencerts_ca" ] && return
+
+ local __vdsm_gencerts_template=`mktemp`
+ /bin/cat > "$__vdsm_gencerts_template" <<EOF
cn = "VDSM Certificate Authority"
ca
cert_signing_key
EOF
- /usr/bin/certtool --generate-self-signed --load-privkey "$VDSM_KEY" \
- --template "$VDSM_TEMPLATE" --outfile
"$VDSM_CA" \
- 2> /dev/null
- /bin/chown "$VDSM_PERMS" "$VDSM_CA"
- /sbin/restorecon "$VDSM_CA"
-fi
+ (umask 0077
+ /usr/bin/certtool --generate-self-signed \
+ --load-privkey "$__vdsm_gencerts_key" \
+ --template "$__vdsm_gencerts_template" \
+ --outfile "${__vdsm_gencerts_ca}~" \
+ 2> /dev/null)
+ local __retcode=$?
-if [ ! -f "$VDSM_CRT" ]; then
- /bin/cat > "$VDSM_TEMPLATE" <<EOF
+ rm -f "$__vdsm_gencerts_template"
+
+ if [ $__retcode -ne 0 ]; then
+ return $__retcode
+ fi
+
+ /bin/mv -f "${__vdsm_gencerts_ca}~" "$__vdsm_gencerts_ca"
+
+ /bin/chown "$__vdsm_gencerts_perms" "$__vdsm_gencerts_ca"
+ /sbin/restorecon "$__vdsm_gencerts_ca"
+}
+
+vdsm_create_cert() {
+ [ -s "$__vdsm_gencerts_crt" ] && return
+
+ local __vdsm_gencerts_fqdn=`hostname -f`
+ [ -z "$__vdsm_gencerts_fqdn" ] \
+ && __vdsm_gencerts_fqdn="localhost.localdomain"
+
+ local __vdsm_gencerts_template=`mktemp`
+ /bin/cat > "$__vdsm_gencerts_template" <<EOF
organization = "VDSM Certificate"
-cn = "$VDSM_FQDN"
-email = "root@$VDSM_FQDN"
+cn = "$__vdsm_gencerts_fqdn"
+email = "root@$__vdsm_gencerts_fqdn"
signing_key
encryption_key
tls_www_server
tls_www_client
EOF
- /usr/bin/certtool --generate-certificate --load-privkey "$VDSM_KEY" \
- --load-ca-privkey "$VDSM_KEY" \
- --load-ca-certificate "$VDSM_CA" \
- --template "$VDSM_TEMPLATE" --outfile
"$VDSM_CRT" \
+ /usr/bin/certtool --generate-certificate \
+ --load-privkey "$__vdsm_gencerts_key" \
+ --load-ca-privkey "$__vdsm_gencerts_key" \
+ --load-ca-certificate "$__vdsm_gencerts_ca" \
+ --template "$__vdsm_gencerts_template" \
+ --outfile "${__vdsm_gencerts_crt}~" \
2> /dev/null
- /bin/chown "$VDSM_PERMS" "$VDSM_CRT"
- /sbin/restorecon "$VDSM_CRT"
-fi
+ local __retcode=$?
-/bin/rm -f "$VDSM_TEMPLATE"
+ rm -f "$__vdsm_gencerts_template"
+
+ if [ $__retcode -ne 0 ]; then
+ return $__retcode
+ fi
+
+ /bin/mv -f "${__vdsm_gencerts_crt}~" "$__vdsm_gencerts_crt"
+
+ /bin/chown "$__vdsm_gencerts_perms" "$__vdsm_gencerts_crt"
+ /sbin/restorecon "$__vdsm_gencerts_crt"
+ /bin/rm -f "$__vdsm_gencerts_template"
+}
+
+if [ "$1" != "--bash-import" ]; then
+ vdsm_create_key
+ vdsm_create_ca
+ vdsm_create_cert
+fi
diff --git a/vdsm/vdsmd.init.in b/vdsm/vdsmd.init.in
index 0012157..2267b74 100755
--- a/vdsm/vdsmd.init.in
+++ b/vdsm/vdsmd.init.in
@@ -22,6 +22,7 @@
### END INIT INFO
. @LIBEXECDIR(a)/ovirt_functions.sh
+. @LIBEXECDIR(a)/vdsm-gencerts.sh --bash-import
VDSM_BIN=@VDSMDIR@/vdsm
CONF_FILE=@CONFDIR(a)/vdsm.conf
@@ -449,6 +450,16 @@
shutdown_conflicting_srv && stop_libvirtd_sysv
+ if ! vdsm_check_certificate; then
+ echo -n $"Configuring the VDSM host certificate "
+ if vdsm_create_key && vdsm_create_ca && vdsm_create_cert; then
+ success
+ else
+ failure
+ fi
+ echo
+ fi
+
reconfigure noforce
ret_val=$?
if [ $ret_val -ne 0 ]
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
11:44 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
vdsm components: vdsm-reg, bootstrap, vdsm init.d have special
treatment for ovirt-node.
Correct, and only few special cases require to persist files (which anyway must be
addressed in a transparent way providing hooks).
An example from vdsm init.d:
ovirt_store_config "$lconf" "$qconf" "$ldconf"
"$llogr"
That is just an example of how doing it in the init file is wrong. First of all
there's no need to do this at runtime because in this case the files are the same on
all the ovirt nodes (in a perfect world the ovirt-node should be able to do this at
iso-generation time). As exception we recently introduced a workaround for a libvirt issue
temporarily adding the generation of an host_uuid (now saved to $lconf) which in the
future will be generated by libvirt bz864564 (WRT to ovirt-node is just a file to persist
that now happens to be $lconf, in the future not anymore).
Second, as you see the init file is not standard as it should and a vast majority of it is
already planned to be moved to external tools (where ovirt-node could hook additional
logic for persisting, but only if strictly required).
Why do you think the certificates and keys are so special to have
them persist in different place?
They aren't special, they just try to not repeat the errors of the past. The question
is why is vdsm so special to you that can't be treated as other services as for
example openssh.
It is obvious that when a code needs to be run on ovirt-node you
handle the implications without another bug opened for this task.
The "component" field in bugzilla should reflect the real component (I can't
commit a patch to the ovirt-node with a vdsm bz).
As a final note you should remember that:
1. persisting the key/ca/certificate is *not* mandatory because if you want to use the
host locally you are allowed to do so (even without persisting). If you personally as
sysadmin want to commit to a key/ca then persist it.
2. if you really want to persist key/ca/certificate (but as I said in 1 is not required)
you can do it in the ovirt-node as you already do it for all the other standard services
3. as you may know ovirt-node is going to support other applications (as for example
gluster), are you going to argue with all project to add a persist call when they make a
change to their files?
This is my take on the problem and the patch that solves bz860067 (vdsm should generate
keys and certificate when init.d script is started and not when installed), there's no
reason to spend more time on this.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
8:28 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Dan Kenigsberg has submitted this change and it was merged.
Change subject: setup: move the certificate generation
......................................................................
setup: move the certificate generation
Generating the certificate at the service startup (instead of during the
rpm installation) has a better chance to succeed (and a better recovery
process). Moreover this allows appliances (like ovirt-node) to postpone
the certificate generation when the service is actually used for the
first time.
In this patch:
* Move the certificate generation from the spec file to the init file
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=860067
Signed-off-by: Federico Simoncelli <fsimonce(a)redhat.com>
Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
---
M vdsm.spec.in
M vdsm/vdsm-gencerts.sh.in
M vdsm/vdsmd.init.in
3 files changed, 9 insertions(+), 3 deletions(-)
Approvals:
Michael Burns: Verified; Looks good to me, but someone else must approve
Dan Kenigsberg: Looks good to me, approved
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 5
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:28 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Dan Kenigsberg has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 5:
thanks, Mike, Federico and others!
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 5
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
6:49 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Michael Burns has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 5: Verified; Looks good to me, but someone else must approve
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 5
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
6:31 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Dan Kenigsberg has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 5: Looks good to me, approved
Thanks, Federico!
And sorry for all the shelved refactoring...
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 5
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
3:11 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Dan Kenigsberg has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 4: I would prefer that you didn't submit this
I suppose it got too late for today..
Marking as unready.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 4
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
11:15 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 4: (1 inline comment)
....................................................
File vdsm/vdsmd.init.in
Line 431: shutdown_conflicting_srv && stop_libvirtd_sysv
Line 432:
Line 433: if ! @LIBEXECDIR(a)/vdsm-gencerts.sh --check; then
Line 434: echo -n $"Configuring a self-signed VDSM host certificate: "
Line 435: @LIBEXECDIR(a)/vdsm-gencerts.sh
&& success || failure ; echo
Line 436: fi
Line 437:
Line 438: reconfigure noforce
Line 439: ret_val=$?
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 4
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
10:07 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Dan Kenigsberg has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 3: (1 inline comment)
....................................................
File vdsm/vdsmd.init.in
Line 430: python @VDSMDIR(a)/hooks.pyc before_vdsm_start
Line 431:
Line 432: shutdown_conflicting_srv && stop_libvirtd_sysv
Line 433:
Line 434: if ! vdsm_check_certificate; then
please help the future re-write of this into vdsm-tool by replacing this new code block
with something like
if ! /usr/libexec/.../vdsm-gencert.sh --check; then
echo bla
/usr/libexec/.../vdsm-gencert.sh
fi
I feel strongly against sourcing more function into this script.
Line 435: echo -n $"Configuring a self-signed VDSM host certificate: "
Line 436: (vdsm_create_key && vdsm_create_ca && vdsm_create_cert)
\
Line 437: && success || failure; echo
Line 438: fi
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
10:58 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Mike, thinking of it.. when exactly is "final steps in the installation
process"? As there is no option "Done" or "Exit" in the TUI...
Thanks!
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
10:52 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Thank you Mike.
If end of installation is the trigger, then you can get the md5sum of /etc/ before and
after installation and persist all files whose md5sum changed. The resulting partition
size is the same as individual file persist.
So within current implementation, we should either create the keys/certificates during the
TUI (vdsm-reg dialogs) or make sure vdsmd is started/stopped upon registration.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
7:36 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Michael Burns has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
/etc/pki is small and very low hanging fruit.
/etc is *much* bigger and beyond what we can persist with the current partitioning layout.
extending the size of the LV where we persist is non-trivial given it's upgrade
impact.
Persisting is done as one of the final steps in the installation process. There is no
trigger, it just happens automatically when you install, similar to how we persist ssh
keys, etc. Essentially, we have a list of files/directories that we think are important
and we persist those in a batch at the end of the installation.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
3:24 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2: No score
Good to hear.
So Mike, why not apply this mechanism to the entire /etc ?
This will allow us to remove all the the special references to node configuration.
BTW: when does it persist? What is the trigger? On boot? using scheduler?
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
3:17 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Michael Burns has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2: Looks good to me, but someone else must approve
Similar to how ovirt-node handles ssh keys, we can also handle certificates. As long as
the certificates exist in /etc/pki somewhere, they will be persisted automatically. This
has already been reviewed and pushed into ovirt-node.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:58 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2: I would prefer that you didn't submit this
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:57 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
This is barak call.
And barak ignores this.
I don't care. just break the user's configuration.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:48 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Ayal Baron has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2: Looks good to me, but someone else must approve
Alon, vdsm is *not* the package that is responsible for configuring ovirt-node.
ovirt-node is not dependent on vdsm and vdsm will probably become a plugin in and by
itself.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
8:38 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Michael Burns has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2: Verified
Works for me (in conjunction with ovirt-node patch http://gerrit.ovirt.org/#/c/8440/ )
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
2:28 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Ayal,
Yes, the plugin or the application package should be node aware.
Anyway this is the responsibility of the packager for the node. It has nothing to do with
100 packages or so. One (or more) package should be responsible for the configuration of
the node. In this case the package is vdsm as this is the meta package we installing. As I
wrote in future there may be a vdsm plugin which will be maintained by us anyway, and we
move <something> from <somewhere> to <different place>.
We need a solution for current implementation in which we do not have helper package.
There is no sense in discussing theoretical design pattern when we need a solution to a
problem. First we provide a solution within current design, then improve design and fix
the entire implementation.
Alon
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
5:22 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Ayal Baron has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Patch Set 2:
> 1. persisting the key/ca/certificate is *not* mandatory because
if you want to use the host locally you are allowed to do so (even without persisting). If
you personally as sysadmin want to commit to a key/ca then persist it.
We are not asking sysadmin to persist anything, we are doing this for
sysadmin in call use cases. I would not like to introduce new sysadmin requirement only
because we moved the place we generate keys.
Why do you ignore the remote usecase?
> 2. if you really want to persist key/ca/certificate (but as I
said in 1 is not required) you can do it in the ovirt-node as you already do it for all
the other standard services
standard services are what ovirt-node manages, vdsm is not standard
service.
vdsm should take care of his own persistence as done so far.
> 3. as you may know ovirt-node is going to support other
applications (as for example gluster), are you going to argue with all project to add a
persist call when they make a change to their files?
yes I do.
seriously? there are over 100 packages that ovirt-node pulls. Do you really think that
the maintainer of each and every one of these (and any other ovirt-node chooses to pull
in) should be aware of the quirks ovirt-node has and make sure to 'persist'
correctly? do you really think the package owners would even care?
Imo ovirt-node as a distribution should take care of it's eccentricities and not
impose these on the different packages (as it's doomed to fail anyway and I also think
is wrong).
The plugins into ovirt-node will also not be handled by the package owners. e.g. if
someone chooses to add a nagios agent, the persist will be handled not by the agent, but
by an external 'installation' script that customizes the use of the agent to the
ovirt-node use case. This would be written e.g. by a user interested in having this
plugin.
So by design you're imposing on the users the knowledge that ovirt-node is different
and requires extra handling when configuring.
How is this different for vdsm?
We could however provide a script that takes care of these things separately for
interested parties, just to make things simpler or simply document what needs to be done
(seeing as it's simply running 'persist' in a loop on a set of files and there
may be users who would want part of the files persisted and other parts not (e.g. in this
case, generating the keys externally and importing, but the rest persisting according to
the recommendations)
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
11:54 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
1. persisting the key/ca/certificate is *not* mandatory because if
you want to use the host locally you are allowed to do so (even without persisting). If
you personally as sysadmin want to commit to a key/ca then persist it.
We are not asking sysadmin to persist anything, we are doing this for sysadmin in call use
cases. I would not like to introduce new sysadmin requirement only because we moved the
place we generate keys.
Why do you ignore the remote usecase?
2. if you really want to persist key/ca/certificate (but as I said in
1 is not required) you can do it in the ovirt-node as you already do it for all the other
standard services
standard services are what ovirt-node manages, vdsm is not standard service.
vdsm should take care of his own persistence as done so far.
3. as you may know ovirt-node is going to support other applications
(as for example gluster), are you going to argue with all project to add a persist call
when they make a change to their files?
yes I do.
---
I will have Barak add his comments. As I your argue the current implementation and future
implementation, and clearly we need more views.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
10:19 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Hello Federico,
I had small talk with Ayal regarding this issue.
I agree that if you use vdsClient locally, you can re-generate certificate at each boot.
However, when working with remote vdsClient in standalone VDSM mode, we force user to
fetch certificate of CA. In this case when ovirt-node is rebooted we need to keep the same
key.
Because of the above I think we should behave similar to sshd regarding keys.
As we support both standard (rhel) and ovirt-node configurations, we should not expect the
user to distinguish between the two, and perform manually persist if working remote and
using ovirt-node.
Regarding the component which needs to perform the persistence... The ovirt-node core is
not aware of vdsm, its roadmap is going toward total separation between the node platform
and the application that is running. As result the application should be node aware (and
in fact, it is currently is).
As the sshd is part of the core node, the core node persists its keys, which is correct.
But core node should not persist anything of vdsm.
Current implementation of vdsm init.d script is node aware and does persist resources,
adding these resources as well is making sense in current implementation.
In future, if the roadmap of ovirt-node of pluggable application will be manifested, we
may move <something> to different locations.
But for now, if we want to provide the ability of remote access we should to persist the
key so standard or ovirt-node will behave the same.
I will be happy to discuss with you this farther if you still think some of the above is
incorrect.
Thanks,
Alon
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
11:21 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Hello,
I really don't understand your point of view.
vdsm components: vdsm-reg, bootstrap, vdsm init.d have special treatment for ovirt-node.
An example from vdsm init.d:
ovirt_store_config "$lconf" "$qconf" "$ldconf"
"$llogr"
Why do you think the certificates and keys are so special to have them persist in
different place?
It is obvious that when a code needs to be run on ovirt-node you handle the implications
without another bug opened for this task.
If you like and it creates too much noise for you, I can complete this patchset to handle
this case as well.
Thank you,
Alon
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
11:09 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
2. It should be persist by any tool/place by this patch. /me/ just
added this to the init.d script. if you find another place that is appropriate feel free
to do so.
There are several reason why your request can't be fulfilled, first of all persisting
in the vdsm init file is just plain wrong (no other rhel/fedora service that does that).
Second, it's not what the bug states: "vdsm should generate keys and certificate
when init.d script is started and not when installed". And third, no matter what, it
can't be done here because what you need is in the ovirt-node repository
(ovirt_store_firstboot_config) and we can't address it in one patch.
If you really want to persist these temporary keys/certificates (useless IMHO) then the
correct thing to do is to open an additional bug on ovirt-node and take it from there.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
10:01 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
2. It should be persist by any tool/place by this patch. /me/ just added this to the
init.d script. if you find another place that is appropriate feel free to do so.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
9:54 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
1. I personally don't like leftovers as the iterative creation of
a->b->c may lead to c always fails if b is a bad resource. Creating the whole chain
upon failure has higher chance to success, as this is the atomic transaction we need,
either to succeed or fail. But I won't make life harder in this regard.
There are no leftovers, if b is a bad source it's because certtool failed, but we
already check that and we don't move the file into place in that case. If certtool
succeeded but the generated file is not valid then it means that certtool is in serious
trouble.
2. As far as I know ssh keys are persisted. Not sure at which point.
But I don't get invalid key when rebooting.
Ok good, so we agree that they should be persisted somewhere else.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
2:25 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
1. I personally don't like leftovers as the iterative creation of a->b->c may
lead to c always fails if b is a bad resource. Creating the whole chain upon failure has
higher chance to success, as this is the atomic transaction we need, either to succeed or
fail. But I won't make life harder in this regard.
2. As far as I know ssh keys are persisted. Not sure at which point. But I don't get
invalid key when rebooting.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
2:18 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Maybe I don't understand... but if vdsm_create_cert fails, we
have leftovers from vdsm_create_key and vdsm_create_ca, where am I wrong?
There's no benefit in removing the key and ca. No matter what, you need them all so
even if you clean up leftovers vdsm wouldn't be usable (unless you intend to insert a
kind of recovery, which is way exaggerated for an init script). During the next start you
would skip the creation of things that are already present.
I thought the whole point of these keys are to serve environment
without engine, as in environments with engine we generate keys at bootstrap.
Yes, *but* only for the local host (vdsClient 0), if you intend to use the client from a
remote host then you have to commit in some way to a key/ca pair and move them across the
hosts (this is basically a bootstrap and there's no automatic procedure other than the
one provided by the engine at the moment).
If that indeed the purpose, for these environment running on
ovirt-node we need to persist the keys as no engine will do that for vdsm.
Who cares, they'll be only for that instance. Anyway the discussed procedure (which is
not even defined yet) is completely unrelated to the patch.
What are the actions that ovirt-node takes for the ssh host keys? It should do the same
for vdsm (in fact you don't ask openssh to persist them).
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
1:43 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
I see the following code:
if ! vdsm_check_certificate; then
echo -n $"Configuring the VDSM host certificate: "
(vdsm_create_key && vdsm_create_ca && vdsm_create_cert) \
&& success || failure; echo
fi
Maybe I don't understand... but if vdsm_create_cert fails, we have leftovers from
vdsm_create_key and vdsm_create_ca, where am I wrong?
I thought the whole point of these keys are to serve environment without engine, as in
environments with engine we generate keys at bootstrap.
If that indeed the purpose, for these environment running on ovirt-node we need to persist
the keys as no engine will do that for vdsm.
Thanks!
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
7:12 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
I still think the whole process should either succeed or fail. No use
for key that is left over nor CA or certificate.
Resources should be generated in temporary location and only if all process succeed move
into final position.
Wrong, if you already have a pre-generated key (and/or ca) and you want to create an host
certificate from it you just need to put the key/ca in the proper place.
The node support should part of this change, no mater if you think it
should be done in vdsm-reg or in vdsm init.d, but persisting it is something that should
be done, if not, every boot will regenerate a certificate.
I don't understand why you want to persist a key/certificate that is of no use. The
one you want to persist is the one coming from the engine. What do you care to persist a
temporary certificate. I even suggested to persist the correct ones (downloaded from the
engine) even before starting vdsm.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
1:49 p.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Douglas Schilling Landgraf has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Agreed with Alon comment about node.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
11:09 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2:
Hi,
I still think the whole process should either succeed or fail. No use for key that is left
over nor CA or certificate.
Resources should be generated in temporary location and only if all process succeed move
into final position.
The node support should part of this change, no mater if you think it should be done in
vdsm-reg or in vdsm init.d, but persisting it is something that should be done, if not,
every boot will regenerate a certificate.
Thanks!
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
7:35 a.m.
Douglas Schilling Landgraf has posted comments on this change.
Change subject: setup: move the the certificate generation
......................................................................
Patch Set 1:
humm, IMHO, I still think we could use `if isOvirt` in init script and persist the files
as we already do for some others stuff related to node.
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
3:29 a.m.
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the the certificate generation
......................................................................
Patch Set 1: (1 inline comment)
1. If we run on ovirt-node, shouldn't we persist?
Probably, but it doesn't belong here. It's ovirt-node specific, you could either
reuse this script at the end of the bootstrap (+persist) before starting the vdsm service,
or eventually start the vdsm service and persist the certificates after.
2. I would have created all the files in temporary folder, and if all
the process succeeded move to final destination.
Ok.
....................................................
File vdsm/vdsm-gencerts.sh.in
Line 115: /sbin/restorecon "$__vdsm_gencerts_crt"
Line 116: /bin/rm -f "$__vdsm_gencerts_template"
Line 117: }
Line 118:
Line 119: if [ "$1" != "--bash-import" ]; then
Done
Line 120: vdsm_create_key
Line 121: vdsm_create_ca
Line 122: vdsm_create_cert
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
3:24 p.m.
Alon Bar-Lev has posted comments on this change.
Change subject: setup: move the the certificate generation
......................................................................
Patch Set 1: (1 inline comment)
Thanks!!!
Questions:
1. If we run on ovirt-node, shouldn't we persist?
2. I would have created all the files in temporary folder, and if all the process
succeeded move to final destination.
I don't think there is real value in partial files.
What do you think?
....................................................
File vdsm/vdsm-gencerts.sh.in
Line 115: /sbin/restorecon "$__vdsm_gencerts_crt"
Line 116: /bin/rm -f "$__vdsm_gencerts_template"
Line 117: }
Line 118:
Line 119: if [ "$1" != "--bash-import" ]; then
--sh-import? :)
Line 120: vdsm_create_key
Line 121: vdsm_create_ca
Line 122: vdsm_create_cert
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
3:21 p.m.
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the the certificate generation
......................................................................
Patch Set 1: (1 inline comment)
....................................................
File vdsm/vdsm-gencerts.sh.in
Line 112: /bin/mv -f "${__vdsm_gencerts_crt}~"
"$__vdsm_gencerts_crt"
Line 113:
Line 114: /bin/chown "$__vdsm_gencerts_perms"
"$__vdsm_gencerts_crt"
Line 115: /sbin/restorecon "$__vdsm_gencerts_crt"
Line 116: /bin/rm -f "$__vdsm_gencerts_template"
Remove this.
Line 117: }
Line 118:
Line 119: if [ "$1" != "--bash-import" ]; then
Line 120: vdsm_create_key
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
3:18 p.m.
Federico Simoncelli has posted comments on this change.
Change subject: setup: move the the certificate generation
......................................................................
Patch Set 1: (1 inline comment)
....................................................
Commit Message
Line 3: AuthorDate: 2012-10-04 16:03:11 -0400
Line 4: Commit: Federico Simoncelli <fsimonce(a)redhat.com>
Line 5: CommitDate: 2012-10-04 16:08:28 -0400
Line 6:
Line 7: setup: move the the certificate generation
I'll improve the commit message and a couple of other things in the next push.
Line 8:
Line 9: Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=860067
Line 10: Signed-off-by: Federico Simoncelli <fsimonce(a)redhat.com>
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
9:22 a.m.
New subject: Change in vdsm[master]: setup: move the certificate generation
Dan Kenigsberg has posted comments on this change.
Change subject: setup: move the certificate generation
......................................................................
Patch Set 2: Looks good to me, but someone else must approve
(3 inline comments)
I'd rather have vdsmd have a single call to
vdsm-gencert.sh --interactive
(or whatever) so that a future port to vdsm-tool is clearer.
....................................................
Commit Message
Line 13: first time.
Line 14:
Line 15: In this patch:
Line 16: * Move the certificate generation from the spec file to the init file
Line 17: * Refactor and improve the vdsm-gencerts script (better error handling)
combining these two changes in one commit makes my head spin.
Line 18:
Line 19: Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=860067
Line 20: Signed-off-by: Federico Simoncelli <fsimonce(a)redhat.com>
....................................................
File vdsm/vdsmd.init.in
Line 21: # Short-Description: init script for the VDS management server
Line 22: ### END INIT INFO
Line 23:
Line 24: . @LIBEXECDIR(a)/ovirt_functions.sh
Line 25: . @LIBEXECDIR(a)/vdsm-gencerts.sh --sh-import
We would like to take code OUT of this over-grown script. Not source more functions into
it... this whole things looks like a task for vdsm-tool. But let's first solve the
current bug.
Line 26:
Line 27: VDSM_BIN=@VDSMDIR@/vdsm
Line 28: CONF_FILE=@CONFDIR(a)/vdsm.conf
Line 29: GETCONFITEM=@VDSMDIR@/get-conf-item
Line 450:
Line 451: shutdown_conflicting_srv && stop_libvirtd_sysv
Line 452:
Line 453: if ! vdsm_check_certificate; then
Line 454: echo -n $"Configuring the VDSM host certificate: "
the string here should be more specific, making clear that this is a stupid self-signed
certificate, made for local usage only. How about
Configuring a self-signed VDSM host certificate:
Line 455: (vdsm_create_key && vdsm_create_ca && vdsm_create_cert)
\
Line 456: && success || failure; echo
Line 457: fi
Line 458:
--
To view, visit http://gerrit.ovirt.org/8368
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl(a)redhat.com>
Gerrit-Reviewer: Ayal Baron <abaron(a)redhat.com>
Gerrit-Reviewer: Barak Azulay <bazulay(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimonce(a)redhat.com>
Gerrit-Reviewer: Michael Burns <mburns(a)redhat.com>
4233
days inactive
4246
days old
vdsm-patches@lists.fedorahosted.org
37 comments
6 participants
participants (6)
-
abaron@redhat.com -
Alon Bar-Lev -
Dan Kenigsberg -
Douglas Schilling Landgraf -
Federico Simoncelli -
mburns@redhat.com