This is actually not required, because ovirtsdk4 will use the system's
global trust store if necessary. Therefore we can make it optional in
all cases.
The only way to avoid the cafile is to set insecure=True both when creating sdk connection
and when connecting to imageio.
Otherwise the system trust store must include the CA used when creating engine and
vdsm certificates. In development setup this is never true, in production It may work
if you are lucky.
Nir
---
docs/virt-v2v-output-rhv.pod | 5 ++++-
v2v/output_rhv_upload.ml | 2 --
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/virt-v2v-output-rhv.pod b/docs/virt-v2v-output-rhv.pod
index 04a894268..4520c9184 100644
--- a/docs/virt-v2v-output-rhv.pod
+++ b/docs/virt-v2v-output-rhv.pod
@@ -101,7 +101,10 @@ The storage domain.
The F<ca.pem> file (Certificate Authority), copied from
F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine.
-This option must be specified if I<-oo rhv-verifypeer> is enabled.
+If I<-oo rhv-verifypeer> is enabled then this option can
+be used to control which CA is used to verify the client’s
+identity. If this option is not used then the system’s
+global trust store is used.
=item I<-oo rhv-cluster=>C<CLUSTERNAME>
diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml
index 7b5ad7a86..14153db36 100644
--- a/v2v/output_rhv_upload.ml
+++ b/v2v/output_rhv_upload.ml
@@ -81,8 +81,6 @@ let parse_output_options options =
let rhv_direct = !rhv_direct in
let rhv_verifypeer = !rhv_verifypeer in
let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in
- if rhv_verifypeer && rhv_cafile = None then
- error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file");
{ rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids }
--
2.24.1
_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://www.redhat.com/mailman/listinfo/libguestfs
