Bug 1014935 - Update or remove .keystore configuration procedure
Update or remove .keystore configuration procedure
Status: CLOSED DUPLICATE of bug 1057603
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation (Show other bugs)
3.2.0
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Zac Dover
ecs-bugs
integration
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-03 03:03 EDT by Yoshinori Takahashi
Modified: 2014-03-28 00:37 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Build Name: 20662, Administration Guide-3.2-1 Build Date: 25-09-2013 11:53:52 Topic ID: 7606-431318 [Specified]
Last Closed: 2014-03-28 00:37:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Yoshinori Takahashi 2013-10-03 03:03:16 EDT
Title: Restoring Red Hat Enterprise Virtualization Manager Configuration Files

Describe the issue:

 Make sure the ownership of the .keystore file is correct:

# chown ovirt:ovirt /etc/pki/ovirt-engine/.keystore


  ->Upper sentences is not valid in rhevm3.2 then has to delete from doc.

Suggestions for improvement:

 Make sure the ownership of the .keystore file is correct:

# chown ovirt:ovirt /etc/pki/ovirt-engine/.keystore


  ->Upper sentences is not valid in rhevm3.2 then has to delete from doc.
    Actually rhevm3.2 has not upper file then when the user runs upper command,
    he meets error message.


Additional information:
Comment 1 Jodi Biddle 2013-10-16 22:06:42 EDT
The problem lies in the following procedure, in steps 9 and 10. 

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.html#Restoring_Red_Hat_Enterprise_Virtualization_Manager_configuration_files

So the keystore  as described above has been changed or removed, and we can't find what it's been replaced with (if anything).
Comment 2 Jodi Biddle 2013-10-17 00:04:49 EDT
Itamar

Can you please tell me who I should needinfo about PKI/authentication issues?
Comment 3 Itamar Heim 2013-10-17 01:22:47 EDT
alon or sandro should be able to clarify
Comment 4 Jodi Biddle 2013-10-17 01:46:55 EDT
(In reply to Jodi Biddle from comment #1)
> The problem lies in the following procedure, in steps 9 and 10. 
> 
> http://documentation-devel.engineering.redhat.com/docs/en-US/
> Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.
> html#Restoring_Red_Hat_Enterprise_Virtualization_Manager_configuration_files
> 
> So the keystore  as described above has been changed or removed, and we
> can't find what it's been replaced with (if anything).

Alon/Sandro

Can you please take a look at the above link and tell me if the keystore file has been renamed/replaced with something, or would it be fine to just remove those two steps from the procedure and leave it at that?
Comment 5 Sandro Bonazzola 2013-10-17 02:37:28 EDT
(In reply to Jodi Biddle from comment #1)
> The problem lies in the following procedure, in steps 9 and 10. 
> 
> http://documentation-devel.engineering.redhat.com/docs/en-US/
> Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.
> html#Restoring_Red_Hat_Enterprise_Virtualization_Manager_configuration_files
> 
> So the keystore  as described above has been changed or removed, and we
> can't find what it's been replaced with (if anything).

Note that the procedure is for 3.3 but in comment #0 the reporter is talking about 3.2.
BTW, I'm checking if that file has changed path.
Comment 6 Jodi Biddle 2013-10-17 02:44:36 EDT
> Note that the procedure is for 3.3 but in comment #0 the reporter is talking
> about 3.2.

Hi Sandro

You'll see that a lot in doc bugs. We don't have a lot of resources for backport, so the standard procedure is to fix this issue in the 3.3 documentation then backport it to the 3.2 documentation as time and resources allow.
Comment 7 Sandro Bonazzola 2013-10-17 02:47:23 EDT
If I've understood correctly, it should be "/etc/pki/ovirt-engine/.truststore" now in both 3.2 and 3.3.
Alon, please confirm.
Comment 8 Alon Bar-Lev 2013-10-17 03:26:34 EDT
This procedure is bad, restoring configuration files without database is almost sure path to breakage.

I would have removed it entirely from the manual.

Anyway...

If one restore something he should also restore permissions.

Another note is yum remove rhevm will automatically rename /etc/pki/ovirt-engine, so no need to remove it.

.trust store should be world readable and owned by root, .keystore does not exist in 3.2.

Permission scheme of /etc/pki/ovirt-engine is quite complex:

# ls -la /etc/pki/ovirt-engine
total 92
drwxr-xr-x   6 ovirt ovirt 4096 Oct 11 02:38 .
drwxr-xr-x. 11 root  root  4096 Oct 11 02:36 ..
lrwxrwxrwx   1 root  root    28 Oct 11 02:38 apache-ca.pem -> /etc/pki/ovirt-engine/ca.pem
-rw-r--r--   1 root  root   384 Oct 11 02:38 cacert.conf
-rw-r--r--   1 root  root   384 Oct 11 02:38 cacert.template
-rw-r--r--   1 root  root  4615 Oct 11 02:38 ca.pem
-rw-r--r--   1 root  root   517 Oct 11 02:38 cert.conf
drwxr-xr-x   2 ovirt ovirt 4096 Oct 11 02:38 certs
-rw-r--r--   1 root  root   517 Oct 11 02:38 cert.template
-rw-r--r--   1 ovirt ovirt  401 Oct 11 02:38 database.txt
-rw-r--r--   1 ovirt ovirt   20 Oct 11 02:38 database.txt.attr
-rw-r--r--   1 ovirt ovirt   20 Oct 11 02:38 database.txt.attr.old
-rw-r--r--   1 ovirt ovirt  322 Oct 11 02:38 database.txt.old
drwxr-xr-x   2 root  root  4096 Oct 11 02:38 keys
-rw-r--r--   1 root  root   548 Oct 11 05:31 openssl.conf
drwxr-x---   2 ovirt ovirt 4096 Oct 11 02:38 private
drwxr-xr-x   2 ovirt ovirt 4096 Oct 11 02:38 requests
-rw-------   1 ovirt ovirt 1024 Oct 11 02:38 .rnd
-rw-r--r--   1 ovirt ovirt    5 Oct 11 02:38 serial.txt
-rw-r--r--   1 ovirt ovirt    5 Oct 11 02:38 serial.txt.old
-rw-r--r--   1 root  root  1049 Oct 11 02:38 .truststore

/etc/pki/ovirt-engine/keys:
-rw------- 1 root  root  1828 Oct 11 02:38 apache.key.nopass
-rw------- 1 root  root  2677 Oct 11 02:38 apache.p12
-rw------- 1 root  root  1828 Oct 11 02:38 engine_id_rsa
-rw------- 1 ovirt root  2677 Oct 11 02:38 engine.p12
-rw------- 1 ovirt root  2677 Oct 11 02:38 jboss.p12

/etc/pki/ovirt-engine/private:
-rw----r-- 1 ovirt ovirt 1679 Oct 11 02:38 ca.pem

Also restoring /etc/ovirt-engine should be sensitive to permission attribute for example /etc/ovirt-engine/.pgpass should be owned by readable by root only.
Comment 9 Zac Dover 2013-12-10 01:47:30 EST
This bug must be more completely researched, to determine whether the procedure in question should even be in the Admin Guide. Given Alon's Comment 8, I am disinclined to include it in the book. I will revisit this next week, however, when clearing out the triaged bugs.

I take this bug.
Comment 10 Andrew Dahms 2014-03-28 00:37:50 EDT
In Red Hat Enterprise Virtualization 3.3 and above, the keystore file has been replaced with a 'truststore' file in the same location.
The command for changing the permissions on this file is now as follows:

chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore

Bug #1057603 was raised in regards to this change, where it has now been addressed.

Closing.

*** This bug has been marked as a duplicate of bug 1057603 ***

Note You need to log in before you can comment on or make changes to this bug.