Bug 1848095
| Summary: | [RFE] Collect information about RHV PKI | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sandro Bonazzola <sbonazzo> |
| Component: | sos | Assignee: | Pavel Moravec <pmoravec> |
| Status: | CLOSED ERRATA | QA Contact: | Miroslav Hradílek <mhradile> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.4 | CC: | agk, bmr, dougsland, jcastillo, jortialc, lleistne, mhradile, mkalinin, mmartinv, plambri, pmoravec, rhodain, sbradley |
| Target Milestone: | rc | Keywords: | FutureFeature, OtherQA |
| Target Release: | 8.4 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sos-4.0-3.el8 | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1845877 | Environment: | |
| Last Closed: | 2021-05-18 14:47:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 902971, 1845877 | ||
| Deadline: | 2020-07-31 | ||
|
Comment 3
Pavel Moravec
2020-06-18 08:48:17 UTC
Forgot to ask:
Can't '/etc/pki/vdsm/' contain some sensitive information (SSL keys or their passwords or similar) that we must skip in collection?

(In reply to Pavel Moravec from comment #3)
> 1) To settle down specification (that seems a bit unclear for me):
> - sos should collect "/etc/pki/ovirt-engine/.truststore" as - despite a
> truststore contains SSL keys by default - this contains ovirt-engine CA
> certificate only (and is it really safe to be shared this from a customer?)

Truststores are not supposed to contain any private keys, only CA certificates. When a JKS (Java Key Store) file contains private keys, it is referred to as a 'keystore', not a 'truststore'.
In the end the file format is exactly the same, but this convention exists in the Java world AFAIK.

> - it should collect whole '/etc/pki/vdsm/', not only '/etc/pki/vdsm/certs/'
>
> First fully covers #Engine, second covers # Host requirements.

Yes, we would like to get all the certificates used by libvirt also.

> 2) "Deadline: 2020-07-31" - I hope this was added just from BZ clone and
> it is not required?
>
> 3) Is RHEL8.4 sufficient target release? And no RHEL7? (I expect so, and
> that will be trivial to fulfil, anything else might not be easy)

It would be great to have this backported alongside the "ovirt_engine_backup" plugin if possible.

> Forgot to ask:
> Can't '/etc/pki/vdsm/' contain some sensitive information (SSL keys or their passwords or similar) that we must skip in collection?

All the sensitive data is already excluded in the upstream PR

(In reply to Pavel Moravec from comment #3)
> 1) To settle down specification (that seems a bit unclear for me):
> - sos should collect "/etc/pki/ovirt-engine/.truststore" as - despite a
> truststore contains SSL keys by default - this contains ovirt-engine CA
> certificate only (and is it really safe to be shared this from a customer?)
> - it should collect whole '/etc/pki/vdsm/', not only '/etc/pki/vdsm/certs/'
>
> First fully covers #Engine, second covers # Host requirements.

Already answered by Miguel Martin

> 2) "Deadline: 2020-07-31" - I hope this was added just from BZ clone and
> it is not required?

Yes, came from the bug cloning

> 3) Is RHEL8.4 sufficient target release? And no RHEL7? (I expect so, and
> that will be trivial to fulfil, anything else might not be easy)

Already answered by Miguel Martin

I see fixes got in upstream, will this bug make it for RHEL 8.3?

(In reply to Sandro Bonazzola from comment #7)
> I see fixes got in upstream, will this bug make it for RHEL 8.3?

Nope /o\. Scope of 8.3 is closed already, this isn't in (neither in sos-3.9 we rebase to in RHEL8.3, or as a separate patch above it). Planned to 8.4 where it should appear "gratis" due to planned rebase to sos-4.0.

Hello,
can you please verify the bug against below build (not sure if QE will have capacity to verify this by themselves)? Thanks in advance.

A yum repository for the build of sos-4.0-2.el8 (task 32548242) is available at:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/

You can install the rpms locally by putting this .repo file in your /etc/yum.repos.d/ directory:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/sos-4.0-2.el8.repo

RPMs and build logs can be found in the following locations:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/

The full list of available rpms is:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/sos-4.0-2.el8.src.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/sos-4.0-2.el8.noarch.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/sos-audit-4.0-2.el8.noarch.rpm

The repository will be available for the next 60 days.
Scratch build output will be deleted earlier, based on the Brew scratch build retention policy.

I tested sos-4.0-2.el8.noarch in RHV 4.4 and found a couple of issues:

I don't know why, but in the host I had a 'libvirt-vnc' dir inside /etc/pki/vdsm/libvirt-vnc, this could be a bug in RHV. Anyway, inside there is a server-key.pem file and I checked that the private key is visible.

~~~
# tar tvf /var/tmp/sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq.tar.xz | egrep '/etc/pki|truststore'
drwxr-xr-x root/root 0 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/
drwxr-xr-x root/root 0 2020-09-29 23:55 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/nssdb/
-rw-r--r-- root/root 451 2020-07-31 01:46 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/nssdb/pkcs11.txt
drwxr-xr-x root/root 0 2020-09-29 23:48 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/tls/
-rw-r--r-- root/root 11225 2020-03-05 11:01 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/tls/openssl.cnf
drwxr-xr-x root/root 0 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/
drwxr-xr-x root/root 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-spice/
-rw-r--r-- root/kvm 1372 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-spice/ca-cert.pem
-rw-r--r-- root/kvm 5283 2020-11-04 09:34 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-spice/server-cert.pem
drwxr-xr-x root/root 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/
drwxr-xr-x root/root 0 2020-07-17 08:41 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiqlibvirt-vnc/libvirt-vnc/
-rw-r--r-- root/root 5283 2020-07-17 08:37 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-cert.pem
-rw-r--r-- root/root 1704 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-key.pem <----
-rw-r--r-- root/root 1372 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/ca-cert.pem
-rw-r--r-- root/root 5283 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/server-cert.pem
-rw-r--r-- root/root 1372 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/ca-cert.pem
drwxr-xr-x root/root 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/certs/
-rw-r--r-- root/kvm 1372 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/certs/cacert.pem
-rw-r--r-- root/kvm 5283 2020-11-04 09:34 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/certs/vdsmcert.pem
drwxr-xr-x root/root 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-migrate/
-rw-r--r-- root/kvm 1432 2020-07-17 08:37 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-migrate/ca-cert.pem
-rw-r--r-- root/kvm 5374 2020-11-04 09:34 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-migrate/server-cert.pem
drwxr-xr-x root/root 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/consumer/
-rw-r----- root/root 2232 2020-07-16 10:18 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/consumer/cert.pem
drwxr-xr-x root/root 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/entitlement/
-rw-r--r-- root/root 147613 2020-11-04 08:52 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/entitlement/1419475447725441131.pem
~~~

In the manager I miss the /etc/pki/ovirt-engine/.truststore file which should contain only the public CA certificates:

# TRUSTSTORE_PASS="mypass" keytool -list -storepass:env TRUSTSTORE_PASS -keystore /etc/pki/ovirt-engine/.truststore
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

cacert, Nov 4, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 8D:1C:FC:FF:E4:F9:16:21:57:13:A3:ED:96:F0:B2:DD:68:7E:EA:55
qemu-cacert, Nov 4, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 75:23:2A:2F:1D:D5:B4:64:0B:1E:2F:28:FF:88:9C:91:D2:1C:54:6E

~~~
# tar tvf /var/tmp/sosreport-jorti-rhvm44-2020-11-04-ttfacbs.tar.xz | egrep '/etc/pki|truststore'
drwxr-xr-x root/root 0 2020-04-23 08:25 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/
drwxr-xr-x root/root 0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/
drwxr-xr-x root/root 0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/extracted/
drwxr-xr-x root/root 0 2020-11-04 09:24 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/extracted/java/
-r--r--r-- root/root 157499 2020-11-04 09:24 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/extracted/java/cacerts
drwxr-xr-x root/root 0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/java/
lr--r--r-- root/root 0 2020-11-04 09:24 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/java/cacerts -> ../ca-trust/extracted/java/cacerts
drwxr-xr-x root/root 0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/tls/
-rw-r--r-- root/root 11225 2020-07-20 15:07 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/tls/openssl.cnf
drwxr-xr-x root/root 0 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/
drwxr-xr-x root/root 0 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/
-rw-r--r-- root/root 5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-user.cer
-rw-r--r-- root/root 5085 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100B.pem
-rw-r--r-- ovirt/ovirt 1433 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab-ssh-cert.pub
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1006.pem
-rw-r--r-- root/root 1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/imageio-proxy.cer
-rw-r--r-- root/root 381 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-user.pub
-rw-r--r-- root/root 5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-host.cer
-rw-r--r-- root/root 1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-ndb.cer
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1001.pem
-rw-r--r-- root/root 1436 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100A.pem
-rw-r--r-- ovirt/ovirt 5283 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1014.pem
-rw-r--r-- root/root 1375 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1000.pem
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/imageio-proxy.cer.20200717081849
-rw-r--r-- root/root 1403 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-host-cert.pub
-rw-r--r-- ovirt/ovirt 1425 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh-cert.pub.20201104093439
-rw-r--r-- root/root 1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-sdb.cer
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/apache.cer.20200717081848
-rw-r--r-- ovirt/ovirt 5137 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.cer.20201104093439
-rw-r--r-- ovirt/ovirt 381 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab-ssh.pub
-rw-r--r-- root/root 5085 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1003.pem
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-sdb.cer.20200717081851
-rw-r--r-- ovirt/ovirt 5283 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab.cer.20201104093342
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/websocket-proxy.cer.20200717081847
-rw-r--r-- ovirt/ovirt 5283 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100E.pem
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1008.pem
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1007.pem
-rw-r--r-- ovirt/ovirt 5374 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1012.pem
-rw-r--r-- ovirt/ovirt 5283 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab.cer
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1005.pem
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1004.pem
-rw-r--r-- ovirt/ovirt 1433 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh-cert.pub
-rw-r--r-- root/root 1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/websocket-proxy.cer
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1002.pem
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/engine.cer
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jboss.cer
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1009.pem
-rw-r--r-- ovirt/ovirt 5137 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.cer
-rw-r--r-- ovirt/ovirt 5283 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab.cer
-rw-r--r-- ovirt/ovirt 5283 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1011.pem
-rw-r--r-- root/root 1375 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ca.der
-rw-r--r-- ovirt/ovirt 5137 2020-07-17 09:21 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1013.pem
-rw-r--r-- root/root 1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
-rw-r--r-- ovirt/ovirt 381 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.pub.20201104093439
-rw-r--r-- root/root 5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100D.pem
-rw-r--r-- ovirt/ovirt 381 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.pub
-rw-r--r-- root/root 1436 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/qemu-ca.der
-rw-r--r-- ovirt/ovirt 5374 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100F.pem
-rw-r--r-- root/root 1423 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-user-cert.pub
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-ndb.cer.20200717081850
-rw-r--r-- root/root 1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/reports.cer
-rw-r--r-- root/root 1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/apache.cer
-rw-r--r-- ovirt/ovirt 5137 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1016.pem
-rw-r--r-- root/root 381 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-host.pub
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer.20200717081852
-rw-r--r-- root/root 5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/reports.cer.20200717081849
-rw-r--r-- root/root 5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100C.pem
-rw-r--r-- ovirt/ovirt 5137 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1010.pem
-rw-r--r-- ovirt/ovirt 5374 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1015.pem
-rw-r--r-- ovirt/ovirt 5137 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab-ssh.cer
-rw-r--r-- root/root 1375 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/ca.pem
drwxr-xr-x root/root 0 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ca.csr
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/engine.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jboss.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/websocket-proxy.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/apache.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/reports.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/imageio-proxy.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ovn-ndb.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ovn-sdb.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ovirt-provider-ovn.req
-rw-r--r-- root/root 863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/qemu-ca.csr
-rw-r--r-- root/root 863 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/vmconsole-proxy-helper.req
-rw-r--r-- root/root 863 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/vmconsole-proxy-user.req
-rw-r--r-- root/root 863 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/vmconsole-proxy-host.req
-rw-r--r-- ovirt/ovirt 862 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-01.nested.lab.req
-rw-r--r-- ovirt/ovirt 862 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-01.nested.lab-ssh.req
-rw-r--r-- ovirt/ovirt 862 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-02.nested.lab.req
-rw-r--r-- ovirt/ovirt 862 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-02.nested.lab-ssh.req
-rw-r--r-- ovirt/ovirt 5 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/serial.txt.old
-rw-r--r-- ovirt/ovirt 1998 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt
-rw-r--r-- root/root 384 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cacert.template
drwxr-xr-x root/root 0 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests-qemu/
-rw-r--r-- ovirt/ovirt 862 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests-qemu/jorti-rhvh44-02.nested.lab.req
-rw-r--r-- ovirt/ovirt 862 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests-qemu/jorti-rhvh44-01.nested.lab.req
-rw-r--r-- root/root 384 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cacert.conf
-rw-r--r-- ovirt/ovirt 5 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/serial.txt
drwxr-xr-x root/root 0 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/
-rw-r--r-- ovirt/ovirt 5374 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-01.nested.lab.cer
-rw-r--r-- ovirt/ovirt 5374 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-02.nested.lab.cer
-rw-r--r-- ovirt/ovirt 5374 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-01.nested.lab.cer.20201104093342
-rw-r--r-- ovirt/ovirt 5374 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-02.nested.lab.cer.20201104105839
-rw-r--r-- root/root 1436 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/qemu-ca.pem
-rw-r--r-- root/root 1489 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.conf
-rw-r--r-- ovirt/ovirt 20 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt.attr.old
-rw-r--r-- root/root 1156 2020-09-14 17:43 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.template.in
-rw-r--r-- root/root 550 2020-09-14 17:43 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/openssl.conf
-rw-r--r-- root/root 384 2020-09-14 17:43 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cacert.template.in
lrw-r--r-- root/root 0 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/apache-ca.pem -> ca.pem
-rw-r--r-- ovirt/ovirt 1924 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt.old
-rw-r--r-- ovirt/ovirt 20 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt.attr
-rw-r--r-- root/root 1489 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.template
-rw-r--r-- root/root 1474 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.template.20200717081852
drwxr-xr-x root/root 0 2020-09-10 14:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/entitlement/
-rw-r--r-- root/root 147605 2020-11-04 08:52 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/entitlement/4376307980454443213.pem
drwxr-xr-x root/root 0 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/
-rw-r--r-- root/root 2171 2020-11-04 08:54 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/479.pem
-rw-r--r-- root/root 2139 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/408.pem
-rw-r--r-- root/root 2155 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/329.pem
-rw-r--r-- root/root 2147 2020-11-04 08:54 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/415.pem
-rw-r--r-- root/root 2167 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/183.pem
drwxr-xr-x root/root 0 2020-09-10 14:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/consumer/
-rw-r----- root/root 2228 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/consumer/cert.pem
-rw-r--r-- root/root 1048 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/var/lib/ovirt-engine/external_truststore
~~~

Hello,
thanks a lot for the check!
/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-key.pem : No searching found such a dir / file to exist, and some virt SME confirms all cert files should be in /etc/pki/vdsm/libvirt-vnc directory. And there we do skip collecting that file:
sos/report/plugins/vdsm.py: self.add_forbidden_path('/etc/pki/vdsm/*/*-key.*')
/etc/pki/ovirt-engine/.truststore : interesting, sosreport skips hidden files, https://github.com/sosreport/sos/issues/2296 raised.
I am checking if the #2296 is worth backporting still to 8.4 or not..
Hello,
if I would add the PR https://github.com/sosreport/sos/pull/2297 "collect .truststore file", would you be able to verify it in the next rpm package candidate version (together with previous check if nothing else is missing), please?

Sure, if you provide the rpm I'll test it.

(In reply to Juan Orti Alcaine from comment #14)
> Sure, if you provide the rpm I'll test it.

Hello,
thanks for the offer. Could you please verify the bug against below build? Thanks in advance.

A yum repository for the build of sos-4.0-3.el8 (task 33745106) is available at:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/

You can install the rpms locally by putting this .repo file in your /etc/yum.repos.d/ directory:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/sos-4.0-3.el8.repo

RPMs and build logs can be found in the following locations:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/

The full list of available rpms is:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/sos-4.0-3.el8.src.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/sos-4.0-3.el8.noarch.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/sos-audit-4.0-3.el8.noarch.rpm

The repository will be available for the next 60 days.

The dot files are included now and I don't see any private key, so it looks good to me.

Package versions tested:
sos-4.0-3.el8.noarch
sos-audit-4.0-3.el8.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sos bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1604
|
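
The verification step the testers describe (checking a collected archive for private keys) and the depth of the forbidden-path pattern quoted from vdsm.py can be checked together. This is an added example, not code from the bug thread or from sos. It assumes shell-style matching in which `*` stays inside one path component (modelled here with `PurePosixPath.match`); the function names, the archive name and the file contents are constructed for illustration.

```python
import io
import re
import tarfile
from pathlib import PurePosixPath

# Forbidden-path pattern quoted in the thread from sos/report/plugins/vdsm.py.
FORBIDDEN_GLOB = "/etc/pki/vdsm/*/*-key.*"

# PEM header of a private key (PKCS#8, RSA, EC, encrypted or OpenSSH variants).
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def glob_covers(pattern, path):
    """Assumption: shell-style matching, '*' stays inside one path component."""
    return PurePosixPath(path).match(pattern)


def find_private_keys(archive_bytes, max_read=1 << 20):
    """Return archive member names whose content carries a PEM private key header."""
    hits = []
    # "r:*" auto-detects compression, so a real sosreport .tar.xz opens the same way.
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and symlinks carry no key material
            data = tar.extractfile(member).read(max_read)
            if PEM_KEY_RE.search(data):
                hits.append(member.name)
    return sorted(hits)


def audit(archive_bytes, forbidden=FORBIDDEN_GLOB):
    """Map each collected key's on-host path to whether `forbidden` matches it."""
    report = {}
    for name in find_private_keys(archive_bytes):
        # Drop the leading "sosreport-<host>-<date>-<id>/" directory.
        host_path = "/" + name.partition("/")[2]
        report[host_path] = glob_covers(forbidden, host_path)
    return report


def build_sample_archive():
    """Constructed sample: paths mirror the host listing in the thread, contents are dummies."""
    cert = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    files = {
        "etc/pki/vdsm/certs/cacert.pem": cert,
        "etc/pki/vdsm/libvirt-vnc/ca-cert.pem": cert,
        "etc/pki/vdsm/libvirt-vnc/server-cert.pem": cert,
        # Nested one level deeper than the pattern reaches, as in the tester's listing.
        "etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-key.pem": key,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name="sosreport-example-host/" + path)  # constructed name
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, covered in audit(build_sample_archive()).items():
        status = "matched by" if covered else "NOT matched by"
        print(f"private key collected: {path} ({status} {FORBIDDEN_GLOB})")
```

Scanning member contents rather than file names also catches keys stored under names that no `*-key.*` pattern would match.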