Bug 1342322

Summary: Image Upload - PKI setup for secure communications with Image I/O Proxy
Product: [oVirt] ovirt-engine
Reporter: Greg Padgett <gpadgett>
Component: Setup.Engine
Assignee: Amit Aviram <aaviram>
Status: CLOSED CURRENTRELEASE
QA Contact: Natalie Gavrielov <ngavrilo>
Severity: medium
Priority: unspecified
Version: 4.0.0
CC: aaviram, amureini, bugs, stirabos, tnisan
Target Milestone: ovirt-4.0.0-rc
Flags: rule-engine: ovirt-4.0.0+, rule-engine: planning_ack+, tnisan: devel_ack+, acanan: testing_ack+
Target Release: 4.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2016-08-01 12:23:52 UTC
Type: Bug
oVirt Team: Storage
Bug Blocks: 1049604

Description Greg Padgett 2016-06-03 01:13:36 UTC
Description of problem:
In order for the Image Upload functionality to have secure communication to the proxy during the upload process, some PKI setup during engine-setup is required.  Specifically, a key/cert pair needs to be created and the proper proxy hostname needs to be written to the database so that the certificate verification will succeed.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install the ovirt-engine, ovirt-image-proxy, and ovirt-image-proxy-setup packages.
2. Run engine-setup.
3. Add a host and storage.
4. Attempt an Image Upload.

Actual results:
The upload is soon "Paused by System" due to connection errors.

Expected results:
The upload should succeed (or at least not have any connection and/or configuration errors).

Additional info:
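
The hostname requirement in the description, shown as an added example (not part of the original report and not oVirt's engine-setup code): a throwaway CA signs a proxy certificate, and verification succeeds only for the name the certificate was issued for. The host names, file names and both helper functions are constructed for illustration and assume the OpenSSL command-line tool is installed.

```shell
#!/bin/sh
# Added example: every name and file below is constructed for illustration.

# make_pki DIR HOST: create a throwaway CA and a proxy key/cert pair for HOST.
make_pki() {
    dir=$1 host=$2
    # Self-signed test CA (stands in for the engine CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Key and signing request for the proxy.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/proxy.key" -out "$dir/proxy.csr" 2>/dev/null || return 1
    # The subjectAltName is what a TLS client compares with the name it dials.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" \
        -out "$dir/proxy.pem" 2>/dev/null || return 1
}

# check_proxy_cert DIR HOST: succeed only if proxy.pem chains to ca.pem
# AND is valid for HOST, the name the client is configured to connect to.
check_proxy_cert() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
        "$1/proxy.pem" >/dev/null 2>&1
}

# Demo: the certificate is issued for proxy.example.test only.
tmp=$(mktemp -d)
make_pki "$tmp" proxy.example.test
for name in proxy.example.test engine.example.test; do
    if check_proxy_cert "$tmp" "$name"; then
        echo "$name: verification OK"
    else
        echo "$name: verification FAILED (name not in certificate)"
    fi
done
rm -rf "$tmp"
```

The second name fails even though the chain to the CA is valid, which is the kind of connection error to expect when the configured proxy hostname and the certificate disagree.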

Comment 1 Greg Padgett 2016-06-03 02:05:32 UTC
FYI, you probably want to have your browser or OS trust the engine CA cert, which may require manual steps if your engine cert is self-signed.  To do this, after running engine-setup, follow the instructions here:

http://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list

The certificate can be retrieved with the following command (all one line):

wget -O engine-ca.pem 'http://<YOUR ENGINE ADDRESS>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'

Comment 2 Red Hat Bugzilla Rules Engine 2016-06-05 09:14:14 UTC
Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.

Comment 4 Allon Mureinik 2016-06-16 09:29:24 UTC
Amit, is there anything to document here?

Comment 5 Amit Aviram 2016-06-16 10:34:10 UTC
No, the resolution for this bug is transparent for the user.

Comment 7 Natalie Gavrielov 2016-07-26 08:28:32 UTC
(In reply to Amit Aviram from comment #5)
> No, the resolution for this bug is transparent for the user.

So, is there a way to test this except for just uploading a file?

Comment 8 Amit Aviram 2016-07-26 11:35:22 UTC
(In reply to Natalie Gavrielov from comment #7)
> (In reply to Amit Aviram from comment #5)
> > No, the resolution for this bug is transparent for the user.
> 
> So, is there a way to test this except for just uploading a file?

Just make sure you use https, and not http. If you can upload a file, this bug can be verified.

Thanks

Comment 9 Natalie Gavrielov 2016-07-26 12:00:39 UTC
Verified using:
rhevm-4.0.2-0.1.rc.el7ev.noarch
ovirt-imageio-proxy-0.3.0-0.el7ev.noarch
ovirt-imageio-common-0.3.0-0.el7ev.noarch
ovirt-imageio-daemon-0.3.0-0.el7ev.noarch
vdsm-4.18.8-1.el7ev.x86_64