Bug 887556 - [RFE] Consistent handling of libvirt pki artifacts
Summary: [RFE] Consistent handling of libvirt pki artifacts
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: vdsm
Classification: oVirt
Component: RFEs
Version: 4.14.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Alon Bar-Lev
QA Contact: yeylon@redhat.com
URL:
Whiteboard: infra
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-16 11:22 UTC by Alon Bar-Lev
Modified: 2016-04-18 06:52 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-20 22:11:22 UTC
oVirt Team: Infra
Embargoed:
alonbl: devel_ack?

Attachments (Terms of Use)

Description Alon Bar-Lev 2012-12-16 11:22:39 UTC 
Currently we configure libvirtd and qemu to access pki artifacts located at /etc/pki/vdsm.

This is <somewhat> well behaved, as we put our own artiacts at our own trust store. However, we do modify the entire machine configuration by altering libvirt. I would expect we could execute our own instance of libvirtd with our configuration located at /etc/vdsm... but this is a different issue.

There is one exception, the libvirt client. We do not configure it, so it accesses the default libvirt pki artifacts.

So we end up in hybrid solution, some artifacts are configured to use our trust stores, and some are used at libvirt default trust store.

We should be more coherent, either we use libvirt while it access its default trust store for all artifacts, or we configure it to use our own trust store for all interfaces.

Thanks for Dan who pointed me, the solution for configuration of the client is at[1], by using the pkipath, so it should be trivial to support.

However, as we modify /etc/libvirt at a machine wide, there is no real difference between configuring libvirt to use our own resources or putting resources at libvirt default location.

So both options are valid and trivial, while allowing libvirt to access its default store for all resources removes some lines of code...

[1] http://libvirt.org/remote.html#Remote_URI_parameters
Comment 2 Martin Kletzander 2012-12-19 16:48:10 UTC 
All the clients can be configured as well and I think by fair amount of "granularity".

The configuration is system-wide in /etc/libvirt/libvirt.conf and user-wide in ~/.config/libvirt/libvirt.conf.  In both these places you can either configure a default URI (with those parameters) or (and this I see as a better option) an 'alias', for example:
uri_aliases = ['vdsm=qemu+tls://user@server/system?param1&param2']

This would mean that whenever vdsm wants runs any libvirt client, it would supply this uri (e.g. virsh -c vdsm <command>) and that would have the configuration inside.  You can use this alias even in API calls from all the bindings available.

The second approach would mean that potential user can use any clients (virt-manager, virsh, etc.) without having to override the default address and configuration, whether vdsm would just use this alias to specify all those options needed and the certificates can thus be in any location you want without interfering with the user.
Comment 3 RHEL Program Management 2012-12-23 06:47:42 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 6 Dan Kenigsberg 2013-03-20 21:00:31 UTC 
Vdsm does not use the pkipath-in-URI tricks only because they did not exist when vdsm was integrated with libvirt (see bug 629510). Now is a good time as any to clean up this mess.
Comment 7 Alon Bar-Lev 2013-03-20 22:23:49 UTC 
If we can avoid the vdsmd reconfigure, it would be super! I guess there is more than pki artifacts to provide to libvirt at runtime.
Note You need to log in before you can comment on or make changes to this bug.