Bug 1649285 - [RFE] Re-enroll host certificates during host upgrade
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Host-Deploy
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.3.1
Assignee: Ondra Machacek
QA Contact: Petr Matyáš
Depends On:
Blocks: 1683281
Reported: 2018-11-13 10:27 UTC by Simone Tiraboschi
Modified: 2019-03-01 10:20 UTC

Fixed In Version: ovirt-engine-
Doc Type: If docs needed, set a value
Doc Text:
During host upgrade, host certificates are re-enrolled if the certificate is invalid.
Clone Of:
Last Closed: 2019-03-01 10:20:22 UTC
oVirt Team: Infra
rule-engine: ovirt-4.3+
pmatyas: testing_plan_complete-
mgoldboi: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1648190 0 high CLOSED [RHEL76] libvirt is unable to start after upgrade due to malformed UTCTIME values in cacert.pem, because properly renewe... 2021-12-10 18:37:18 UTC
oVirt gerrit 96917 0 master MERGED ansible: Rewrite Host Enroll Certificate to Ansible 2020-03-18 23:44:22 UTC
oVirt gerrit 96919 0 master MERGED upgrade: Run re-enroll certificates on upgrade 2020-03-18 23:44:22 UTC

Internal Links: 1648190

Description Simone Tiraboschi 2018-11-13 10:27:31 UTC
Description of problem:
For various reasons (PKI renewal -- see https://bugzilla.redhat.com/1648190, expiration...) host certs could require being enrolled again.

We already have a specific action on the engine side, but being able to do it also at host upgrade time (at least if led by the engine) could be a good idea, since the host is in maintenance for sure and it can save the user from a second pass just to re-enroll certs if needed.

Comment 1 Sandro Bonazzola 2018-11-13 12:59:11 UTC
Martin, what do you think? Looks reasonable to me.
Do you see any side effect I can't think of?

Comment 2 Martin Perina 2018-11-14 12:06:16 UTC
(In reply to Sandro Bonazzola from comment #1)
> Martin, what do you think? Looks reasonable to me.
> Do you see any side effect I can't think of?

It makes sense to move another part from class host-deploy to ansible and add execution of enrolling certificates also to upgrade, but we are very late in the game for 4.3 RFEs. We will try to work on that, but it may be ready in some of the oVirt 4.3.z releases ...

I've also removed "optionally" from the title; in order to solve that issue, this needs to be turned on by default, but yeah, we will add a flag so administrators could disable it.

Comment 3 Petr Matyáš 2019-02-26 13:47:29 UTC
Verified on ovirt-engine-

Comment 4 Sandro Bonazzola 2019-03-01 10:20:22 UTC
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.