Bug 1014935
| Summary: | Update or remove .keystore configuration procedure | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Yoshinori Takahashi <hkim> |
| Component: | Documentation | Assignee: | Zac Dover <zdover> |
| Status: | CLOSED DUPLICATE | QA Contact: | ecs-bugs |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.2.0 | CC: | acathrow, alonbl, gklein, jbiddle, sbonazzo, yeylon, ykatabam, zdover |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | integration | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | Build Name: 20662, Administration Guide-3.2-1; Build Date: 25-09-2013 11:53:52; Topic ID: 7606-431318 [Specified] |
| Last Closed: | 2014-03-28 04:37:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Yoshinori Takahashi
2013-10-03 07:03:16 UTC
The problem lies in the following procedure, in steps 9 and 10.

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.html#Restoring_Red_Hat_Enterprise_Virtualization_Manager_configuration_files

So the keystore as described above has been changed or removed, and we can't find what it's been replaced with (if anything).

Itamar

Can you please tell me who I should needinfo about PKI/authentication issues?

alon or sandro should be able to clarify

(In reply to Jodi Biddle from comment #1)
> The problem lies in the following procedure, in steps 9 and 10.
>
> http://documentation-devel.engineering.redhat.com/docs/en-US/
> Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.
> html#Restoring_Red_Hat_Enterprise_Virtualization_Manager_configuration_files
>
> So the keystore as described above has been changed or removed, and we
> can't find what it's been replaced with (if anything).

Alon/Sandro

Can you please take a look at the above link and tell me if the keystore file has been renamed/replaced with something, or would it be fine to just remove those two steps from the procedure and leave it at that?

(In reply to Jodi Biddle from comment #1)
> The problem lies in the following procedure, in steps 9 and 10.
>
> http://documentation-devel.engineering.redhat.com/docs/en-US/
> Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.
> html#Restoring_Red_Hat_Enterprise_Virtualization_Manager_configuration_files
>
> So the keystore as described above has been changed or removed, and we
> can't find what it's been replaced with (if anything).

Note that the procedure is for 3.3 but in comment #0 the reporter is talking about 3.2.
BTW, I'm checking if that file has changed path.

> Note that the procedure is for 3.3 but in comment #0 the reporter is talking
> about 3.2.
Hi Sandro
You'll see that a lot in doc bugs. We don't have a lot of resources for backport, so the standard procedure is to fix this issue in the 3.3 documentation then backport it to the 3.2 documentation as time and resources allow.
If I've understood correctly, it should be "/etc/pki/ovirt-engine/.truststore" now in both 3.2 and 3.3. Alon, please confirm.

This procedure is bad; restoring configuration files without the database is an almost sure path to breakage. I would have removed it entirely from the manual.

Anyway...

If one restores something, he should also restore permissions.

Another note is that yum remove rhevm will automatically rename /etc/pki/ovirt-engine, so there is no need to remove it.

.truststore should be world readable and owned by root; .keystore does not exist in 3.2.

The permission scheme of /etc/pki/ovirt-engine is quite complex:

# ls -la /etc/pki/ovirt-engine
total 92
drwxr-xr-x   6 ovirt ovirt 4096 Oct 11 02:38 .
drwxr-xr-x. 11 root  root  4096 Oct 11 02:36 ..
lrwxrwxrwx   1 root  root    28 Oct 11 02:38 apache-ca.pem -> /etc/pki/ovirt-engine/ca.pem
-rw-r--r--   1 root  root   384 Oct 11 02:38 cacert.conf
-rw-r--r--   1 root  root   384 Oct 11 02:38 cacert.template
-rw-r--r--   1 root  root  4615 Oct 11 02:38 ca.pem
-rw-r--r--   1 root  root   517 Oct 11 02:38 cert.conf
drwxr-xr-x   2 ovirt ovirt 4096 Oct 11 02:38 certs
-rw-r--r--   1 root  root   517 Oct 11 02:38 cert.template
-rw-r--r--   1 ovirt ovirt  401 Oct 11 02:38 database.txt
-rw-r--r--   1 ovirt ovirt   20 Oct 11 02:38 database.txt.attr
-rw-r--r--   1 ovirt ovirt   20 Oct 11 02:38 database.txt.attr.old
-rw-r--r--   1 ovirt ovirt  322 Oct 11 02:38 database.txt.old
drwxr-xr-x   2 root  root  4096 Oct 11 02:38 keys
-rw-r--r--   1 root  root   548 Oct 11 05:31 openssl.conf
drwxr-x---   2 ovirt ovirt 4096 Oct 11 02:38 private
drwxr-xr-x   2 ovirt ovirt 4096 Oct 11 02:38 requests
-rw-------   1 ovirt ovirt 1024 Oct 11 02:38 .rnd
-rw-r--r--   1 ovirt ovirt    5 Oct 11 02:38 serial.txt
-rw-r--r--   1 ovirt ovirt    5 Oct 11 02:38 serial.txt.old
-rw-r--r--   1 root  root  1049 Oct 11 02:38 .truststore

/etc/pki/ovirt-engine/keys:
-rw------- 1 root  root 1828 Oct 11 02:38 apache.key.nopass
-rw------- 1 root  root 2677 Oct 11 02:38 apache.p12
-rw------- 1 root  root 1828 Oct 11 02:38 engine_id_rsa
-rw------- 1 ovirt root 2677 Oct 11 02:38 engine.p12
-rw------- 1 ovirt root 2677 Oct 11 02:38 jboss.p12

/etc/pki/ovirt-engine/private:
-rw----r-- 1 ovirt ovirt 1679 Oct 11 02:38 ca.pem

Also, restoring /etc/ovirt-engine should be sensitive to permission attributes; for example, /etc/ovirt-engine/.pgpass should be owned by and readable by root only.

This bug must be more completely researched, to determine whether the procedure in question should even be in the Admin Guide. Given Alon's Comment 8, I am disinclined to include it in the book. I will revisit this next week, however, when clearing out the triaged bugs.

I take this bug.

In Red Hat Enterprise Virtualization 3.3 and above, the keystore file has been replaced with a 'truststore' file in the same location. The command for changing the permissions on this file is now as follows:

chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore

Bug #1057603 was raised in regards to this change, where it has now been addressed. Closing.

*** This bug has been marked as a duplicate of bug 1057603 ***
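
The point raised in the thread, that a restore must bring back ownership and modes as well as file contents, can be checked mechanically after a restore. The script below is an added example, not part of the bug thread or of the Red Hat documentation: the function names `ovirt_pki_manifest` and `audit_perms` are hypothetical, the manifest is a subset transcribed from the `ls` listing posted in the thread, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a restored tree against the
# owner/group/mode values shown in the listing posted in the thread.
# Assumption: GNU stat (coreutils), as shipped on RHEL.

# Expected "mode owner group relative-path". Subset of the thread's listing:
# the trust store, the CA certificate and the private key material.
ovirt_pki_manifest() {
    cat <<'EOF'
755 ovirt ovirt .
644 root root .truststore
644 root root ca.pem
600 ovirt ovirt .rnd
750 ovirt ovirt private
755 root root keys
600 root root keys/apache.key.nopass
600 root root keys/apache.p12
600 root root keys/engine_id_rsa
600 ovirt root keys/engine.p12
600 ovirt root keys/jboss.p12
EOF
}

# audit_perms ROOT: read manifest lines on stdin, print one line per
# deviation, and return 0 only if every entry exists and matches.
audit_perms() {
    root=$1
    bad=0
    while read -r mode owner group path; do
        [ -n "$path" ] || continue
        target="$root/$path"
        if [ ! -e "$target" ]; then
            echo "MISSING  $target"
            bad=1
            continue
        fi
        actual=$(stat -c '%a %U %G' "$target")
        if [ "$actual" != "$mode $owner $group" ]; then
            echo "MISMATCH $target: have [$actual], want [$mode $owner $group]"
            bad=1
        fi
    done
    return "$bad"
}

# Usage on a restored Manager host (read-only, changes nothing):
#   ovirt_pki_manifest | audit_perms /etc/pki/ovirt-engine
```

The audit only reports; a key file under `keys/` that comes back from a backup with mode 644 shows up as a `MISMATCH` line and a non-zero exit status, which makes the check usable as a gate at the end of a restore script.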