On Sun, Mar 6, 2022 at 11:42 PM Patrick Hibbs <hibbsncc1701(a)gmail.com> wrote:
I set up a new ovirt test instance on a clean Rocky Linux 8.5 server
with a custom apache cert about two weeks ago.
Do you have a single server used both for running ovirt-engine and
as a hypervisor? This requires special configuration. If the engine is
not running on the hypervisor, for example if the engine runs in a VM or
on another host, everything should work out of the box.
Uploading a test image
via the browser didn't work until I changed the .truststore file.
.truststore file where?
I should also point out that I also had to set the cert in apache's
config. Simply replacing the symlink in the cert directory didn't work
as it wasn't pointing to it at all. (Instead it was pointing at some
snakeoil cert generated by apache.) Granted, the apache issue is
specific to Rocky, but the imageio service is definitely in ovirt's
full control.
If the imageio service is supposed to work out of the box with a custom
certificate, there's something amiss.
These are the defaults:
$ ovirt-imageio --show-config | jq '.tls'
{
"ca_file": "/etc/pki/ovirt-engine/apache-ca.pem",
"cert_file": "/etc/pki/ovirt-engine/certs/apache.cer",
"enable": true,
"enable_tls1_1": false,
"key_file": "/etc/pki/ovirt-engine/keys/apache.key.nopass"
}
The ovirt-imageio service works with apache configuration files.
If these symlinks point to the right files, everything should work
out of the box.
If you change the apache PKI files, you need to modify ovirt-imageio
configuration by adding a drop-in configuration file with the right
configuration:
$ cat /etc/ovirt-imageio/conf.d/99-local.conf
[tls]
key_file = /path/to/keyfile
cert_file = /path/to/certfile
ca_file = /path/to/cafile
Note: the following configuration *must not* change:
$ ovirt-imageio --show-config | jq '.backend_http'
{
"buffer_size": 8388608,
"ca_file": "/etc/pki/ovirt-engine/ca.pem"
}
This CA file is used to access the hosts, which are managed by the
ovirt-engine self-signed CA, and cannot be replaced.
WARNING: Small rant follows:
Yes, I could have changed a config file instead of changing
.truststore, but it's just another way to achieve the same result. (And
the one I discovered back in ovirt 3.x.) It doesn't make the process
any easier, if anything it's just another option to check if something
goes wrong. Instead of checking only .truststore, now we have to check
.truststore, and any number of extra config files for a redirect
statement, and the load ordering of those config files, *and* whether
or not those redirect statements point to a valid cert or not. Instead
of having just one place to troubleshoot, now there's at least four.
The config file change also doesn't make it any easier to perform those
changes. You still need to manually make these changes via ssh on the
engine host. Why would I want to advise changing a config file, and
risk that much of an additional mess to deal with in support, when I
can tell them one specific file to fix that has none of these extras to
deal with? Personally, I would choose the option with less chance for
human error.
It is clear that you think we can have a better way to configure the system,
but it is not clear what the issue is and what the better solution is.
Can you explain in more detail what the problem is with the documented
solution for using custom PKI files, and what the easier way to do this is?
If we have an easier way, it should be documented.
Nir
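The drop-in described above can be sanity-checked before restarting the
service. The following is an added example, not code from this thread or
from the ovirt-imageio project: it parses a conf.d drop-in, confirms the
[tls] keys for a custom certificate are present, flags a disabled TLS or a
re-enabled TLS 1.1, and flags any [backend_http] ca_file override, which
the thread says must stay at the engine's self-signed CA. The certificate
and key paths in the samples are constructed for illustration.

```python
import configparser
import os

# Keys a custom-PKI drop-in is expected to set in [tls] (from the thread).
TLS_KEYS = ("key_file", "cert_file", "ca_file")
# Engine CA used to reach the hosts; the thread says it must not change.
BACKEND_CA_DEFAULT = "/etc/pki/ovirt-engine/ca.pem"

def lint_dropin(text, check_files=False):
    """Return a list of findings for drop-in `text`; empty means consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    if not cp.has_section("tls"):
        findings.append("no [tls] section: custom certificate not configured")
    else:
        for key in TLS_KEYS:
            value = cp.get("tls", key, fallback=None)
            if not value:
                findings.append(f"[tls] {key} is missing")
            elif check_files and not os.path.isfile(value):
                findings.append(f"[tls] {key} points to a missing file: {value}")
        if not cp.getboolean("tls", "enable", fallback=True):
            findings.append("[tls] enable = false turns TLS off for uploads")
        if cp.getboolean("tls", "enable_tls1_1", fallback=False):
            findings.append("[tls] enable_tls1_1 = true re-enables a legacy protocol")
    # The [backend_http] CA is the engine's self-signed CA for host access.
    ca = cp.get("backend_http", "ca_file", fallback=None)
    if ca is not None and ca != BACKEND_CA_DEFAULT:
        findings.append(f"[backend_http] ca_file overridden to {ca}; keep {BACKEND_CA_DEFAULT}")
    return findings

# Constructed samples (hypothetical paths): a correct drop-in, and one that
# forgets ca_file and wrongly overrides the host-access CA.
GOOD = """[tls]
key_file = /etc/pki/tls/private/engine.key
cert_file = /etc/pki/tls/certs/engine.crt
ca_file = /etc/pki/tls/certs/corp-ca.pem
"""
BAD = """[tls]
key_file = /etc/pki/tls/private/engine.key
cert_file = /etc/pki/tls/certs/engine.crt

[backend_http]
ca_file = /etc/pki/tls/certs/corp-ca.pem
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, lint_dropin(text) or "OK")
```

On a real engine host, pass check_files=True so that the paths named in the
drop-in are verified to exist as well.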
On Sun, 2022-03-06 at 21:54 +0200, Nir Soffer wrote:
> On Sun, Mar 6, 2022 at 9:42 PM <louisb(a)ameritech.net> wrote:
> >
> > I don't have the file "ovirt-imageio-proxy" on my system, is there
> > another file that I should be looking at? Once I locate the
> > correct file what content in the file needs to change?
> >
> > I'm using the latest release of "Firefox/91.6.0" as my browser,
> > and I import the "Engine CA" after the fact. However, after the
> > import I tried again and got the same results.
>
> In oVirt 4.4 the ovirt-imageio-proxy service was replaced with the
> ovirt-imageio service.
>
> The built-in configuration should work with the default (self signed)
> CA and with custom
> CA without any configuration change.
>
> Is this an all-in-one installation, where ovirt-engine is installed on
> the single hypervisor, and the same host is added later as a hypervisor?
>
> To make sure you configured the browser correctly, please open the
> "upload" dialog and click the "Test connection" button. If testing the
> connection works, the browser can communicate with the ovirt-imageio
> service and your system is ready for upload from the browser.
>
> Nir