Bug 1650264

Summary: v2v - virt-v2v-wrapper support for SSL without validation for OSP
Product: Red Hat Enterprise Virtualization Manager Reporter: Brett Thurber <bthurber>
Component: libguestfsAssignee: Tomáš Golembiovský <tgolembi>
Status: CLOSED CURRENTRELEASE QA Contact: Yadnyawalk Tale <ytale>
Severity: high Docs Contact:
Priority: high    
Version: 4.2.7CC: emarcus, michal.skrivanek, mtessun, ohochman, rjones, smallamp
Target Milestone: ovirt-4.3.0Keywords: TestBlocker
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Previously, SSL certificates were inspected with the openstack method when HTTPS was selected as the connection protocol. This is a problem in environments with broken SSL configuration. In this release, a new keyword was added to the JSON API that allows disabling SSL verification.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-15 18:07:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1651543    
Attachments:
Description Flags
fixed_proof_wrapper.log none

Description Brett Thurber 2018-11-15 17:26:21 UTC 
Description of problem:
When attempting to migrate VMs from VMware to OSP, receive the following error when SSL without validation is used for the OSP connectivity:

SSL exception connecting to https://10.8.197.84:13000/v3/auth/tokens: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
 (virt-v2v-wrapper:166)

Version-Release number of selected component (if applicable):
http://download.eng.bos.redhat.com/brewroot/packages/ovirt-ansible-v2v-conversion-host/1.7.0/2.el7ev/noarch/ovirt-ansible-v2v-conversion-host-1.7.0-2.el7ev.noarch.rpm

How reproducible:
Every time

Steps to Reproduce:
1. Configure conversion host with aforementioned playbook
2. Initiate VM migration from VMware to OSP
3. Observe failure in virt-v2v-wrapper log

Actual results:
Failed VM migration due to SSL validation error.

Expected results:
Accept SSL without validation certificates

Additional info:
Need to include --insecure support in virt-v2v-wrapper.py
Comment 1 Omri Hochman 2018-11-15 17:38:30 UTC 
Added the relevant QE flags for TestBlocker keyword & Blocker flag to "?"   

SSL enabled deployments are the go-to deployments for osp customers - also included in the CFME test-plan testing v2v.
Comment 3 Brett Thurber 2018-11-16 04:17:17 UTC 
This happens whether SSL or SSL without validation is chosen for the provider in CF.  Works only for non-SSL.
Comment 5 Tomáš Golembiovský 2018-11-26 14:13:27 UTC 
ovirt-ansible-v2v-conversion-host-1.7.0-4.el7ev
Comment 8 Yadnyawalk Tale 2019-01-21 10:51:04 UTC 
Created attachment 1522104 [details]
fixed_proof_wrapper.log

Fixed! Tested with 'SSL without validation' and migration works without any error in virt-v2v-wrapper.log

Conversion host - ovirt-ansible-v2v-conversion-host-1.8.0
CFME - 5.10.0.31
virt-v2v-1.38.2-12.26.lp.el7ev.x86_64