Bug 1342322 - Image Upload - PKI setup for secure communications with Image I/O Proxy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Engine
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-4.0.0-rc
: 4.0.0
Assignee: Amit Aviram
QA Contact: Natalie Gavrielov
URL:
Whiteboard:
Depends On:
Blocks: 1049604
Reported: 2016-06-03 01:13 UTC by Greg Padgett
Modified: 2017-05-11 09:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-01 12:23:52 UTC
oVirt Team: Storage
rule-engine: ovirt-4.0.0+
rule-engine: planning_ack+
tnisan: devel_ack+
acanan: testing_ack+


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 57438 0 master MERGED setup: Image Proxy PKI setup 2016-06-06 10:00:47 UTC
oVirt gerrit 58589 0 None None None 2016-06-03 01:55:53 UTC
oVirt gerrit 58590 0 None None None 2016-06-03 01:56:32 UTC
oVirt gerrit 58591 0 master ABANDONED setup: Store address of Image Proxy in database 2016-06-09 19:14:32 UTC
oVirt gerrit 58659 0 ovirt-engine-4.0 MERGED setup: Image Proxy PKI setup 2016-06-08 09:56:57 UTC

Description Greg Padgett 2016-06-03 01:13:36 UTC
Description of problem:
In order for the Image Upload functionality to have secure communication to the proxy during the upload process, some PKI setup during engine-setup is required.  Specifically, a key/cert pair needs to be created and the proper proxy hostname needs to be written to the database so that the certificate verification will succeed.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install the ovirt-engine, ovirt-image-proxy, and ovirt-image-proxy-setup packages.
2. Run engine-setup.
3. Add a host and storage.
4. Attempt an Image Upload.

Actual results:
The upload is soon "Paused by System" due to connection errors.

Expected results:
The upload should succeed (or at least not have any connection and/or configuration errors).

Additional info:

Comment 1 Greg Padgett 2016-06-03 02:05:32 UTC
FYI, you probably want to have your browser or OS trust the engine CA cert, which may require manual steps if your engine cert is self-signed.  To do this, after running engine-setup, follow the instructions here:

http://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list

The certificate can be retrieved with the following command (all one line):

wget -O engine-ca.pem 'http://<YOUR ENGINE ADDRESS>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'

Comment 2 Red Hat Bugzilla Rules Engine 2016-06-05 09:14:14 UTC
Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.

Comment 4 Allon Mureinik 2016-06-16 09:29:24 UTC
Amit, is there anything to document here?

Comment 5 Amit Aviram 2016-06-16 10:34:10 UTC
No, the resolution for this bug is transparent for the user.

Comment 7 Natalie Gavrielov 2016-07-26 08:28:32 UTC
(In reply to Amit Aviram from comment #5)
> No, the resolution for this bug is transparent for the user.

So, is there a way to test this except for just uploading a file?

Comment 8 Amit Aviram 2016-07-26 11:35:22 UTC
(In reply to Natalie Gavrielov from comment #7)
> (In reply to Amit Aviram from comment #5)
> > No, the resolution for this bug is transparent for the user.
> 
> So, is there a way to test this except for just uploading a file?

Just make sure you use https, and not http. If you can upload a file, this bug can be verified.

Thanks

Comment 9 Natalie Gavrielov 2016-07-26 12:00:39 UTC
Verified using:
rhevm-4.0.2-0.1.rc.el7ev.noarch
ovirt-imageio-proxy-0.3.0-0.el7ev.noarch
ovirt-imageio-common-0.3.0-0.el7ev.noarch
ovirt-imageio-daemon-0.3.0-0.el7ev.noarch
vdsm-4.18.8-1.el7ev.x86_64
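
The description ties a successful upload to a key/cert pair whose name matches the configured proxy hostname, and comment 7 asks for a check other than an upload. The following is an added example, not part of the bug report or of oVirt's setup code: it builds a throwaway CA and proxy certificate offline and checks chain and hostname with openssl verify. The host names, file names and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. The CA, key pair and host names below are constructed.
set -eu

# check_proxy_cert CA_PEM CERT_PEM HOSTNAME
# Succeeds only if CERT_PEM chains to CA_PEM and is issued for HOSTNAME.
check_proxy_cert() {
    out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1) || return 1
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# make_demo_pki DIR FQDN
# Creates a throwaway CA in DIR and a key/cert pair whose subjectAltName is FQDN.
make_demo_pki() {
    dir=$1 fqdn=$2
    # Minimal request config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Demo CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/ca.cnf"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$fqdn" -newkey rsa:2048 \
        -nodes -keyout "$dir/proxy.key" -out "$dir/proxy.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" \
        -out "$dir/proxy.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo" proxy.example.test
if check_proxy_cert "$demo/ca.pem" "$demo/proxy.pem" proxy.example.test; then
    echo "configured proxy name: certificate verifies"
fi
if ! check_proxy_cert "$demo/ca.pem" "$demo/proxy.pem" engine.example.test; then
    echo "different name: verification fails"
fi
rm -rf "$demo"
```

Against a real installation, check_proxy_cert takes the CA file retrieved as in comment 1 and the certificate the proxy presents, with the proxy address the engine is configured to use as the hostname.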

