How to extract root ssh

oVirt owns a private ssh key that it can use to do remote installation on hosts, instead of using a password. But I didn't find at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/rest_api_guide/ how to find its public key. Where can I find it?

On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
> oVirt owns a private ssh key that it can use to do remote installation on hosts, instead of using a password. But I didn't find at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/htm... how to find its public key. Where can I find it?

For the public key, see:
http://www.ovirt.org/develop/release-management/features/infra/pki/#services

Not sure if it's part of the API, or if it should be - adding Juan.

For the private key, see:
http://www.ovirt.org/develop/release-management/features/infra/pki/#file-loc...

This is definitely not part of the API, although I do not expect it to change any time soon. E.g., this should work, as root from the engine machine:

    ssh -i /etc/pki/ovirt-engine/keys/engine_id_rsa $host

But note that it will prompt you to save the host's public key to your known_hosts file. AFAICT the engine does not save them anywhere, and only saves in the database, and verifies when needed, their fingerprint.

Best,
-- Didi

On 9 Aug 2017, at 16:03, Yedidyah Bar David <didi@redhat.com> wrote:
> On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
>> oVirt owns a private ssh key that it can use to do remote installation on hosts, instead of using a password. But I didn't find at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/htm... how to find its public key. Where can I find it?
> For the public key, see:
> http://www.ovirt.org/develop/release-management/features/infra/pki/#services
> Not sure if it's part of the API, or if it should be - adding Juan.

I'm writing code to automatically create datacenter/cluster/host, without storing the root password in scripts. Having a way to have the sdk automatically get it would be nice. Having a known URL is good enough, but it's not obvious to find it.

The resource is missing content-disposition, and the date is not optimal:

    $ curl -JORLkv 'https://XXXX/ovirt-engine/services/pki-resource?format=OPENSSH-PUBKEY&resource=engine-certificate'
    < HTTP/1.1 200 OK
    < Date: Wed, 09 Aug 2017 14:22:49 GMT
    < Server: Apache
    < Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Mon, 27-Aug-2085 17:36:56 GMT
    < Content-Type: text/plain; charset=ISO-8859-1
    < Content-Length: 394
    $ ls
    ...
    pki-resource\?format\=OPENSSH-PUBKEY\&resource\=engine-certificate

See curl(1)

    -J, --remote-header-name
        (HTTP) This option tells the -O, --remote-name option to use the server-specified Content-Disposition filename instead of extracting a filename from the URL.
        If the server specifies a file name and a file with that name already exists in the current working directory it will not be overwritten and an error will occur. If the server doesn't specify a file name then this option has no effect.
        There's no attempt to decode %-sequences (yet) in the provided file name, so this option may provide you with rather unexpected file names.
        WARNING: Exercise judicious use of this option, especially on Windows. A rogue server could send you the name of a DLL or other file that could possibly be loaded automatically by Windows or some third party software.

On Wed, Aug 9, 2017 at 5:27 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
> On 9 Aug 2017, at 16:03, Yedidyah Bar David <didi@redhat.com> wrote:
>> On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
>>> oVirt owns a private ssh key that it can use to do remote installation on hosts, instead of using a password. But I didn't find at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/htm... how to find its public key. Where can I find it?
>> For the public key, see:
>> http://www.ovirt.org/develop/release-management/features/infra/pki/#services
>> Not sure if it's part of the API, or if it should be - adding Juan.
> I'm writing code to automatically create datacenter/cluster/host, without storing the root password in scripts.

How do you provision your hosts? If using pxe or cloud-init or something like that, you can arrange to add a public key to the authorized keys during installation, and then you can use the matching private key later on for management, with no relation to oVirt.

> Having a way to have the sdk automatically get it would be nice. Having a known URL is good enough, but it's not obvious to find it.

Doc patches/Blog posts/etc. are welcome :-)

> The resource is missing content-disposition, and the date is not optimal:
>
>     $ curl -JORLkv 'https://XXXX/ovirt-engine/services/pki-resource?format=OPENSSH-PUBKEY&resource=engine-certificate'
>     < HTTP/1.1 200 OK
>     < Date: Wed, 09 Aug 2017 14:22:49 GMT
>     < Server: Apache
>     < Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Mon, 27-Aug-2085 17:36:56 GMT
>     < Content-Type: text/plain; charset=ISO-8859-1
>     < Content-Length: 394
>     $ ls
>     ...
>     pki-resource\?format\=OPENSSH-PUBKEY\&resource\=engine-certificate
>
> See curl(1)
>
>     -J, --remote-header-name
>         (HTTP) This option tells the -O, --remote-name option to use the server-specified Content-Disposition filename instead of extracting a filename from the URL.
>         If the server specifies a file name and a file with that name already exists in the current working directory it will not be overwritten and an error will occur. If the server doesn't specify a file name then this option has no effect.
>         There's no attempt to decode %-sequences (yet) in the provided file name, so this option may provide you with rather unexpected file names.
>         WARNING: Exercise judicious use of this option, especially on Windows. A rogue server could send you the name of a DLL or other file that could possibly be loaded automatically by Windows or some third party software.

-- Didi

On 10 Aug 2017, at 07:51, Yedidyah Bar David <didi@redhat.com> wrote:
> On Wed, Aug 9, 2017 at 5:27 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
>> On 9 Aug 2017, at 16:03, Yedidyah Bar David <didi@redhat.com> wrote:
>>> On Wed, Aug 9, 2017 at 4:35 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
>>>> oVirt owns a private ssh key that it can use to do remote installation on hosts, instead of using a password. But I didn't find at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/htm... how to find its public key. Where can I find it?
>>> For the public key, see:
>>> http://www.ovirt.org/develop/release-management/features/infra/pki/#services
>>> Not sure if it's part of the API, or if it should be - adding Juan.
>> I'm writing code to automatically create datacenter/cluster/host, without storing the root password in scripts.
> How do you provision your hosts? If using pxe or cloud-init or something like that, you can arrange to add a public key to the authorized keys during installation, and then you can use the matching private key later on for management, with no relation to oVirt.

I have no problem putting it in hosts, they are prepared using puppet, and the public key is pushed at this time.

>> Having a way to have the sdk automatically get it would be nice. Having a known URL is good enough, but it's not obvious to find it.
> Doc patches/Blog posts/etc. are welcome :-)

A simple service like /api/pki-resource that does the same thing as /ovirt-engine/services/pki-resource?resource=RESOURCE&format=FORMAT would make finding it much easier. It could simply send a redirect or wrap the content. Code using the sdk already has all the http connection stuff prepared, it's just another sdk call. Calling /ovirt-engine/services/pki-resource makes writing custom code mandatory.
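
Added example, not part of the thread and not oVirt or SDK code: one way to script what is discussed above in Python, fetching the engine's public key from the pki-resource URL with the server certificate verified (rather than skipped as with `curl -k`), checking that the response is one well-formed OpenSSH key line, and appending it once to an authorized_keys file. The function names, the `ca_file` argument, the `ovirt-engine` comment and the sample key are assumptions made for this example; the response is assumed to be a single `type base64 [comment]` line.

```python
import base64, hashlib, os, ssl, struct, urllib.request

# Path and query string as quoted in the thread; host name and CA file are assumptions.
PKI_PATH = ("/ovirt-engine/services/pki-resource"
            "?format=OPENSSH-PUBKEY&resource=engine-certificate")

# Constructed sample (not a usable key): an "ssh-rsa" blob with dummy e and n fields.
_BLOB = (struct.pack(">I", 7) + b"ssh-rsa" + struct.pack(">I", 3) + b"\x01\x00\x01"
         + struct.pack(">I", 5) + b"\x00\xc0\xff\xee\x01")
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " constructed-sample"

def fetch_engine_pubkey(engine_host, ca_file):
    """Download the key with the certificate checked against ca_file (unlike curl -k)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    url = f"https://{engine_host}{PKI_PATH}"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read(4096).decode("ascii").strip()

def parse_pubkey(line):
    """Return (key_type, base64_blob, fingerprint); raise ValueError if malformed."""
    line = line.strip()
    fields = line.split()
    if "\n" in line or len(fields) < 2:
        raise ValueError("expected a single 'type base64 [comment]' line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    (name_len,) = struct.unpack(">I", blob[:4].rjust(4, b"\0"))
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type field does not match the type inside the blob")
    digest = hashlib.sha256(blob).digest()
    return key_type, b64, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def install_key(line, authorized_keys_path, comment="ovirt-engine"):
    """Append the key once (file created 0600); return True if the file changed."""
    key_type, b64, _ = parse_pubkey(line)
    try:
        with open(authorized_keys_path) as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""
    if any(b64 in entry.split() for entry in current.splitlines()):
        return False
    fd = os.open(authorized_keys_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(("" if current.endswith("\n") or not current else "\n")
                 + f"{key_type} {b64} {comment}\n")
    return True

if __name__ == "__main__":
    print(parse_pubkey(SAMPLE_KEY)[2])  # SHA256 fingerprint in ssh-keygen -l format
```

The fingerprint returned by `parse_pubkey` can be compared out of band with what `ssh-keygen -l` reports for the same key before the key is trusted on hosts.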
participants (2)
- Fabrice Bacchella
- Yedidyah Bar David