[node-patches] Change in ovirt-node[master]: BZ#815825 validate vdsmcert against cacert
dougsland at redhat.com
Thu May 3 12:03:33 UTC 2012
Douglas Schilling Landgraf has posted comments on this change.
Change subject: BZ#815825 validate vdsmcert against cacert
......................................................................
Patch Set 2: (1 inline comment)
....................................................
File libvirtd.upstart
Line 6: pre-start script
Hi Dan,
> Can you think of another place to better-fit this cert backup function?
Since the libvirt daemon depends on the certs matching to start, I cannot see, at the moment, a better place to validate the certificates.
> Since a certificate is a security-sensitive file, I'm not sure out-of-context restoration
> is acceptable (assume the backed up version is obsolete).
It becomes obsolete if the host gets approved, otherwise not. There is a bug situation where the administrator of oVirt Node executes the Engine registration procedure, and the host doesn't get 'approved' (note: at this point cacert.pem from Engine has already replaced /etc/pki/vdsm/certs/cacert.pem), causing a failure on the next reboot at libvirt daemon startup. This happens because the cacert.pem certificate file cannot be validated with vdsmcert.pem, so if we have a backup, we can easily revert it.
The full description/context:
http://gerrit.ovirt.org/#patch,sidebyside,3883,3,/COMMIT_MSG
--
To view, visit http://gerrit.ovirt.org/3885
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I3d9de5d131fdaca0f875b14d21a97943c63b1770
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Douglas Schilling Landgraf <dougsland at redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken at redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland at redhat.com>
Gerrit-Reviewer: Michael Burns <mburns at redhat.com>
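
A sketch of the pre-start check discussed in this message, as an added example that is not the code from the Gerrit change: it verifies the host certificate against the CA file and puts the backup back only when the backup itself validates that certificate, so an obsolete backup is never restored. The function names and the three path arguments (CA file, host certificate, backup CA) are assumptions, and the exit status of a current `openssl verify` is relied on.

```shell
#!/bin/sh
# Added example (assumption: not the code from the Gerrit change).
# Hypothetical helper names; paths are passed in by the caller.

# cert_chains_to CA CERT: succeed only if CERT verifies against CA alone.
cert_chains_to() {
    [ -s "$1" ] && [ -s "$2" ] &&
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_or_restore_ca CA CERT BACKUP
# Prints "ok", "restored" or "mismatch"; returns 0, 0 or 1 (2 on I/O error).
check_or_restore_ca() {
    cr_ca=$1; cr_cert=$2; cr_backup=$3

    # Normal case: the host certificate already chains to the installed CA.
    if cert_chains_to "$cr_ca" "$cr_cert"; then
        echo ok
        return 0
    fi

    # Restore only a backup that itself validates the host certificate,
    # so an obsolete or unrelated backup is never put back in place.
    if cert_chains_to "$cr_backup" "$cr_cert"; then
        cr_tmp=$(mktemp "$cr_ca.XXXXXX") || return 2
        # Copy beside the target, then rename, so the CA file is never partial.
        if cp -p "$cr_backup" "$cr_tmp" && mv -f "$cr_tmp" "$cr_ca"; then
            echo restored
            return 0
        fi
        rm -f "$cr_tmp"
        return 2
    fi

    # Neither file validates the certificate: change nothing, let the caller decide.
    echo mismatch
    return 1
}

# Stand-alone use: sh this-file CA CERT BACKUP
if [ "$#" -eq 3 ]; then
    check_or_restore_ca "$@"
fi
```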