1342322 – Image Upload - PKI setup for secure communications with Image I/O Proxy

Bug 1342322 - Image Upload - PKI setup for secure communications with Image I/O Proxy

Summary: Image Upload - PKI setup for secure communications with Image I/O Proxy

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	Setup.Engine
Sub Component:
Version:	4.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.0.0-rc
Target Release:	4.0.0
Assignee:	Amit Aviram
QA Contact:	Natalie Gavrielov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1049604
TreeView+	depends on / blocked

Reported:	2016-06-03 01:13 UTC by Greg Padgett
Modified:	2017-05-11 09:27 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-01 12:23:52 UTC
oVirt Team:	Storage
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.0.0+ rule-engine: planning_ack+ tnisan: devel_ack+ acanan: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	57438	master	MERGED	setup: Image Proxy PKI setup	2016-06-06 10:00:47 UTC
oVirt gerrit	58589	None	None	None	2016-06-03 01:55:53 UTC
oVirt gerrit	58590	None	None	None	2016-06-03 01:56:32 UTC
oVirt gerrit	58591	master	ABANDONED	setup: Store address of Image Proxy in database	2016-06-09 19:14:32 UTC
oVirt gerrit	58659	ovirt-engine-4.0	MERGED	setup: Image Proxy PKI setup	2016-06-08 09:56:57 UTC

Description Greg Padgett 2016-06-03 01:13:36 UTC

Description of problem:
In order for the Image Upload functionality to have secure communication to the proxy during the upload process, some PKI setup during engine-setup is required.  Specifically, a key/cert pair needs to be created and the proper proxy hostname needs to be written to the database so that the certificate verification will succeed.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install the ovirt-engine, ovirt-image-proxy, and ovirt-image-proxy-setup packages.
2. Run engine-setup.
3. Add a host and storage.
4. Attempt an Image Upload.

Actual results:
The upload is soon "Paused by System" due to connection errors.

Expected results:
The upload should succeed (or at least not have any connection and/or configuration errors).

Additional info:

Comment 1 Greg Padgett 2016-06-03 02:05:32 UTC

FYI, you probably want to have your browser or OS trust the engine CA cert, which may require manual steps if your engine cert is self-signed.  To do this, after running engine-setup, follow the instructions here:

http://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list

The certificate can be retrieved with the following command (all one line):

wget -O engine-ca.pem http://<YOUR ENGINE ADDRESS>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

Comment 2 Red Hat Bugzilla Rules Engine 2016-06-05 09:14:14 UTC

Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.

Comment 4 Allon Mureinik 2016-06-16 09:29:24 UTC

Amit, is there anything to document here?

Comment 5 Amit Aviram 2016-06-16 10:34:10 UTC

No, The resolution for this bug is transparent for the user.

Comment 7 Natalie Gavrielov 2016-07-26 08:28:32 UTC

(In reply to Amit Aviram from comment #5)
> No, The resolution for this bug is transparent for the user.

So, is there a way to test this except for just uploading a file?

Comment 8 Amit Aviram 2016-07-26 11:35:22 UTC

(In reply to Natalie Gavrielov from comment #7)
> (In reply to Amit Aviram from comment #5)
> > No, The resolution for this bug is transparent for the user.
> 
> So, is there a way to test this except for just uploading a file?

Just make sure you use https, and not http. if you can upload a file, this bug can be verified.

Thanks

Comment 9 Natalie Gavrielov 2016-07-26 12:00:39 UTC

Verified using:
rhevm-4.0.2-0.1.rc.el7ev.noarch
ovirt-imageio-proxy-0.3.0-0.el7ev.noarch
ovirt-imageio-common-0.3.0-0.el7ev.noarch
ovirt-imageio-daemon-0.3.0-0.el7ev.noarch
vdsm-4.18.8-1.el7ev.x86_64

Note You need to log in before you can comment on or make changes to this bug.