From fabrice.bacchella at orange.fr Wed Aug 9 13:35:30 2017
From: Fabrice Bacchella
To: users at ovirt.org
Subject: [ovirt-users] How to extract root ssh
Date: Wed, 09 Aug 2017 15:35:24 +0200
Message-ID: <3667C747-7368-4B38-8FE0-51D9B60E37C4@orange.fr>

oVirt owns a private ssh key that it can use to do remote installation on
host, instead of using a password. But I didn't find at
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/rest_api_guide/
how to find its public key. Where can I find it?

From didi at redhat.com Wed Aug 9 14:03:47 2017
From: Yedidyah Bar David
To: users at ovirt.org
Subject: Re: [ovirt-users] How to extract root ssh
Date: Wed, 09 Aug 2017 17:03:44 +0300
In-Reply-To: 3667C747-7368-4B38-8FE0-51D9B60E37C4@orange.fr

On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella wrote:
> oVirt owns a private ssh key that it can use to do remote installation on
> host, instead of using a password. But I didn't find at
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/rest_api_guide/
> how to find its public key. Where can I find it?

For the public key, see:

http://www.ovirt.org/develop/release-management/features/infra/pki/#services

Not sure if it's part of the API, or if it should be - adding Juan.

For the private key, see:

http://www.ovirt.org/develop/release-management/features/infra/pki/#file-locations

This is definitely not part of the API, although I do not expect it
to change any time soon.

E.g., this should work, as root from the engine machine:

    ssh -i /etc/pki/ovirt-engine/keys/engine_id_rsa $host

But note that it will prompt you to save the host's public key
to your known_hosts file. AFAICT the engine does not save them
anywhere, and only saves in the database, and verifies when needed,
their fingerprint.
Best,
--
Didi

From fabrice.bacchella at orange.fr Wed Aug 9 14:27:25 2017
From: Fabrice Bacchella
To: users at ovirt.org
Subject: Re: [ovirt-users] How to extract root ssh
Date: Wed, 09 Aug 2017 16:27:21 +0200
In-Reply-To: CAHRwYXvPxxt4LwuFW=kt7eKfiGTfmz-M0amgO41Dr_5fT+xAKw@mail.gmail.com

> On 9 Aug 2017, at 16:03, Yedidyah Bar David wrote:
>
> On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella wrote:
>> oVirt owns a private ssh key that it can use to do remote installation on
>> host, instead of using a password. But I didn't find at
>> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/rest_api_guide/
>> how to find its public key. Where can I find it?
>
> For the public key, see:
>
> http://www.ovirt.org/develop/release-management/features/infra/pki/#services
>
> Not sure if it's part of the API, or if it should be - adding Juan.

I'm writing code to create automatically datacenter/cluster/host, without
storing the root password in scripts. Having a way to have the sdk
automatically get it would be nice. Having a known URL is good enough, but
it's not obvious to find it.

The resource is missing content-disposition, and the date is not optimal:

$ curl -JORLkv 'https://XXXX/ovirt-engine/services/pki-resource?format=OPENSSH-PUBKEY&resource=engine-certificate'
< HTTP/1.1 200 OK
< Date: Wed, 09 Aug 2017 14:22:49 GMT
< Server: Apache
< Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Mon, 27-Aug-2085 17:36:56 GMT
< Content-Type: text/plain; charset=ISO-8859-1
< Content-Length: 394

$ls
...
pki-resource\?format\=OPENSSH-PUBKEY\&resource\=engine-certificate

See curl(1)

       -J, --remote-header-name
              (HTTP) This option tells the -O, --remote-name option to use the
              server-specified Content-Disposition filename instead of
              extracting a filename from the URL.

              If the server specifies a file name and a file with that name
              already exists in the current working directory it will not be
              overwritten and an error will occur. If the server doesn't
              specify a file name then this option has no effect.

              There's no attempt to decode %-sequences (yet) in the provided
              file name, so this option may provide you with rather unexpected
              file names.

              WARNING: Exercise judicious use of this option, especially on
              Windows. A rogue server could send you the name of a DLL or
              other file that could possibly be loaded automatically by
              Windows or some third party software.

From didi at redhat.com Thu Aug 10 05:51:20 2017
From: Yedidyah Bar David
To: users at ovirt.org
Subject: Re: [ovirt-users] How to extract root ssh
Date: Thu, 10 Aug 2017 08:51:16 +0300
In-Reply-To: B490664D-9A7B-4885-A596-605D8B613390@orange.fr

On Wed, Aug 9, 2017 at 5:27 PM, Fabrice Bacchella wrote:
>
>> On 9 Aug 2017, at 16:03, Yedidyah Bar David wrote:
>>
>> On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella wrote:
>>> oVirt owns a private ssh key that it can use to do remote installation on
>>> host, instead of using a password. But I didn't find at
>>> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/rest_api_guide/
>>> how to find its public key. Where can I find it?
>>
>> For the public key, see:
>>
>> http://www.ovirt.org/develop/release-management/features/infra/pki/#services
>>
>> Not sure if it's part of the API, or if it should be - adding Juan.
>
> I'm writing code to create automatically datacenter/cluster/host, without
> storing the root password in scripts.

How do you provision your hosts? If using pxe or cloud-init or
something like that, you can arrange to add a public key to the
authorized keys during installation, and then you can use the matching
private key later on for management, with no relation to oVirt.

> Having a way to have the sdk automatically get it would be nice. Having a
> known URL is good enough, but it's not obvious to find it.

Doc patches/Blog posts/etc. are welcome :-)

>
> The resource is missing content-disposition, and the date is not optimal:
>
> $ curl -JORLkv 'https://XXXX/ovirt-engine/services/pki-resource?format=OPENSSH-PUBKEY&resource=engine-certificate'
> < HTTP/1.1 200 OK
> < Date: Wed, 09 Aug 2017 14:22:49 GMT
> < Server: Apache
> < Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Mon, 27-Aug-2085 17:36:56 GMT
> < Content-Type: text/plain; charset=ISO-8859-1
> < Content-Length: 394
>
> $ls
> ...
> pki-resource\?format\=OPENSSH-PUBKEY\&resource\=engine-certificate
>
> See curl(1)
>
>        -J, --remote-header-name
>               (HTTP) This option tells the -O, --remote-name option to use the
>               server-specified Content-Disposition filename instead of
>               extracting a filename from the URL.
>
>               If the server specifies a file name and a file with that name
>               already exists in the current working directory it will not be
>               overwritten and an error will occur. If the server doesn't
>               specify a file name then this option has no effect.
>
>               There's no attempt to decode %-sequences (yet) in the provided
>               file name, so this option may provide you with rather unexpected
>               file names.
>
>               WARNING: Exercise judicious use of this option, especially on
>               Windows.
>               A rogue server could send you the name of a DLL or
>               other file that could possibly be loaded automatically by
>               Windows or some third party software.
>

--
Didi

From fabrice.bacchella at orange.fr Thu Aug 10 07:43:49 2017
From: Fabrice Bacchella
To: users at ovirt.org
Subject: Re: [ovirt-users] How to extract root ssh
Date: Thu, 10 Aug 2017 09:43:44 +0200
Message-ID: <34D8836B-21F5-407E-BB92-DFBFE2BFF36F@orange.fr>
In-Reply-To: CAHRwYXu+3jOsv0O-Qe0jvXhcXpn8BHTSs1=v=+uuJ5jAtzcREQ@mail.gmail.com

> On 10 Aug 2017, at 07:51, Yedidyah Bar David wrote:
>
> On Wed, Aug 9, 2017 at 5:27 PM, Fabrice Bacchella wrote:
>>
>>> On 9 Aug 2017, at 16:03, Yedidyah Bar David wrote:
>>>
>>> On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella wrote:
>>>> oVirt owns a private ssh key that it can use to do remote installation on
>>>> host, instead of using a password. But I didn't find at
>>>> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/rest_api_guide/
>>>> how to find its public key. Where can I find it?
>>>
>>> For the public key, see:
>>>
>>> http://www.ovirt.org/develop/release-management/features/infra/pki/#services
>>>
>>> Not sure if it's part of the API, or if it should be - adding Juan.
>>
>> I'm writing code to create automatically datacenter/cluster/host, without
>> storing the root password in scripts.
>
> How do you provision your hosts? If using pxe or cloud-init or
> something like that, you can arrange to add a public key to the
> authorized keys during installation, and then you can use the matching
> private key later on for management, with no relation to oVirt.
I have no problem putting it in hosts, they are prepared using puppet, and
the public key is pushed at this time.

>
>> Having a way to have the sdk automatically get it would be nice. Having a
>> known URL is good enough, but it's not obvious to find it.
>
> Doc patches/Blog posts/etc. are welcome :-)

A simple service like /api/pki-resource that does the same thing as
/ovirt-engine/services/pki-resource?resource=RESOURCE&format=FORMAT would
make finding it much easier. It could simply send a redirect or wrap the
content.

Code using the sdk already has all the http connection stuff prepared, it's
just another sdk call. Calling /ovirt-engine/services/pki-resource makes
writing custom code mandatory.
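
Added example, not part of the thread and not oVirt or SDK code: the key fetched from the pki-resource URL ends up granting root access on hosts, so this Python code downloads it with certificate verification instead of `curl -k`, accepts only a single well-formed OpenSSH public key line, and adds it to an authorized_keys text once. The function names, `ca_file`, `ALLOWED_TYPES` and the `ovirt-engine` comment field are assumptions, and `SAMPLE` is a constructed value, not a real engine key.

```python
import base64
import hashlib
import ssl
import struct
import urllib.request

# URL path and query string as used in the thread's curl command.
PKI_RESOURCE = ("/ovirt-engine/services/pki-resource"
                "?format=OPENSSH-PUBKEY&resource=engine-certificate")
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # assumed allowlist


def fetch_pubkey(engine_host, ca_file):
    """Download the key with certificate verification on (no `curl -k`)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: assumed CA bundle path
    url = "https://" + engine_host + PKI_RESOURCE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read(8192).decode("ascii")


def parse_pubkey(text):
    """Return (key_type, base64_blob, sha256_fingerprint) or raise ValueError."""
    lines = text.strip().splitlines()
    if len(lines) != 1 or len(lines[0].split()) < 2:
        raise ValueError("expected exactly one OpenSSH public key line")
    key_type, b64 = lines[0].split()[:2]
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unexpected key type: %r" % key_type)
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    # The blob starts with a length-prefixed copy of the key type; they must agree.
    if not blob.startswith(struct.pack(">I", len(key_type)) + key_type.encode("ascii")):
        raise ValueError("key type does not match key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, b64, "SHA256:" + digest


def authorize(text, authorized_keys):
    """Return authorized_keys content containing the validated key exactly once."""
    key_type, b64, _ = parse_pubkey(text)
    if any(b64 in line.split() for line in authorized_keys.splitlines()):
        return authorized_keys
    if authorized_keys and not authorized_keys.endswith("\n"):
        authorized_keys += "\n"
    return authorized_keys + "%s %s ovirt-engine\n" % (key_type, b64)


# Constructed sample, not a real engine key: the type string followed by dummy bytes.
SAMPLE = "ssh-rsa %s constructed-sample\n" % base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + b"\x00" * 64).decode()
```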