4:25 a.m.
A smaller change than v2, we simply generalize the ability to pass
through flags to the underlying openstack command, allowing the
--insecure flag to be specified directly.
Rich.
4:25 a.m.
Previously we allowed arbitrary flags to be passed through to the
underlying openstack CLI command, provided they have the format
‘--key=value’. We want to pass the ‘--insecure’ flag through, but
that doesn't have the key=value form. However a small modification to
the matching rules would allow this.
The effect of this change is that you can now use ‘virt-v2v -oo
insecure’ to turn off SSL certificate validation. The default is to
verify the server certificate (which is the default of the openstack
command).
---
v2v/output_openstack.ml | 11 +++++++----
v2v/test-v2v-o-openstack.sh | 2 ++
v2v/virt-v2v-output-openstack.pod | 7 +++++++
3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/v2v/output_openstack.ml b/v2v/output_openstack.ml
index 22fac69bd..76e269c85 100644
--- a/v2v/output_openstack.ml
+++ b/v2v/output_openstack.ml
@@ -110,11 +110,14 @@ let parse_output_options options =
dev_disk_by_id := Some v
| "guest-id", v ->
guest_id := Some v
+ (* Accumulate any remaining/unknown -oo parameters
+ * into the authentication list, where they will be
+ * passed unmodified through to the openstack command.
+ *)
+ | k, "" ->
+ let opt = sprintf "--%s" k in
+ authentication := opt :: !authentication
| k, v ->
- (* Accumulate any remaining/unknown -oo parameters
- * into the authentication list, where they will be
- * pass unmodified through to the openstack command.
- *)
let opt = sprintf "--%s=%s" k v in
authentication := opt :: !authentication
) options;
diff --git a/v2v/test-v2v-o-openstack.sh b/v2v/test-v2v-o-openstack.sh
index 3a10a5475..8b809a1aa 100755
--- a/v2v/test-v2v-o-openstack.sh
+++ b/v2v/test-v2v-o-openstack.sh
@@ -56,6 +56,7 @@ $VG virt-v2v --debug-gc \
-o openstack -on test \
-oo server-id=test \
-oo guest-id=guestid \
+ -oo insecure \
-oo dev-disk-by-id=$d
# Check the log of openstack commands to make sure they look reasonable.
@@ -65,5 +66,6 @@ grep 'server add volume' $d/log
grep 'volume set.*--bootable.*dummy-vol-id' $d/log
grep 'volume set.*--property.*virt_v2v_guest_id=guestid' $d/log
grep 'server remove volume' $d/log
+grep -- '--insecure' $d/log
rm -r $d
diff --git a/v2v/virt-v2v-output-openstack.pod b/v2v/virt-v2v-output-openstack.pod
index 7ea3bc75c..64c431b6c 100644
--- a/v2v/virt-v2v-output-openstack.pod
+++ b/v2v/virt-v2v-output-openstack.pod
@@ -124,6 +124,13 @@ This can be used to find disks associated with a guest, or to
associate which disks are related to which guests when converting many
guests.
+=head2 OpenStack: Ignore server certificate
+
+Using I<virt-v2v -oo insecure> you can tell the openstack client to
+ignore the server certificate when connecting to the OpenStack API
+endpoints. This has the same effect as passing the I<--insecure>
+option to the C<openstack> command.
+
=head2 OpenStack: Converting a guest
The final command to convert the guest, running as root, will be:
--
2.19.0.rc0
5:35 a.m.
On Tue, 20 Nov 2018 10:25:10 +0000
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
Previously we allowed arbitrary flags to be passed through to the
underlying openstack CLI command, provided they have the format
‘--key=value’. We want to pass the ‘--insecure’ flag through, but
that doesn't have the key=value form. However a small modification to
the matching rules would allow this.
The effect of this change is that you can now use ‘virt-v2v -oo
insecure’ to turn off SSL certificate validation. The default is to
verify the server certificate (which is the default of the openstack
command).
---
v2v/output_openstack.ml | 11 +++++++----
v2v/test-v2v-o-openstack.sh | 2 ++
v2v/virt-v2v-output-openstack.pod | 7 +++++++
3 files changed, 16 insertions(+), 4 deletions(-)
LGTM
I would just enhance the commit message little bit. The change allows
you to pass arbitrary argument and not just --insecure. E.g. --validate
(the opposite of --insecure) or --debug and --verbose.
5:46 a.m.
On Tuesday, 20 November 2018 11:25:10 CET Richard W.M. Jones wrote:
Previously we allowed arbitrary flags to be passed through to the
underlying openstack CLI command, provided they have the format
‘--key=value’. We want to pass the ‘--insecure’ flag through, but
that doesn't have the key=value form. However a small modification to
the matching rules would allow this.
The effect of this change is that you can now use ‘virt-v2v -oo
insecure’ to turn off SSL certificate validation. The default is to
verify the server certificate (which is the default of the openstack
command).
---
I'm not sure this is something we should support. This effectively
passes through every -oo to openstack, and I'm afraid people will just
(ab)use it to workaround stuff rather than reporting issues in
virt-v2v. Potentially even options that conflict/revert what virt-v2v
itself passes to the openstack client.
IMHO it is still better, and safer to explicitly allow options as
needed.
--
Pino Toscano
6:14 a.m.
On Tue, Nov 20, 2018 at 12:46:29PM +0100, Pino Toscano wrote:
On Tuesday, 20 November 2018 11:25:10 CET Richard W.M. Jones wrote:
> Previously we allowed arbitrary flags to be passed through to the
> underlying openstack CLI command, provided they have the format
> ‘--key=value’. We want to pass the ‘--insecure’ flag through, but
> that doesn't have the key=value form. However a small modification to
> the matching rules would allow this.
>
> The effect of this change is that you can now use ‘virt-v2v -oo
> insecure’ to turn off SSL certificate validation. The default is to
> verify the server certificate (which is the default of the openstack
> command).
> ---
I'm not sure this is something we should support. This effectively
passes through every -oo to openstack, and I'm afraid people will just
(ab)use it to workaround stuff rather than reporting issues in
virt-v2v. Potentially even options that conflict/revert what virt-v2v
itself passes to the openstack client.
IMHO it is still better, and safer to explicitly allow options as
needed.
I generally agree with the sentiment. The precise list of
authentication options (eg. --os-username etc) however is
ever-changing and we were warned not to bake it into our program.
We could restrict to passing --os-* options only (we do NOT restrict
that at the moment).
My reading of the CLI documentation here:
https://docs.openstack.org/python-openstackclient/pike/cli/man/openstack....
is that every authentication option does match --os-*, whereas some
options that we wouldn't want to pass (eg. --log-file or --help) do
not. There are a very few which don't quite match the pattern,
--os-identity-api-version(?), but I guess we can ignore those.
It's unfortunate that --insecure does not match this pattern.
I'll try to come up with a patch which does both.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
2193
days inactive
2193
days old
4 comments
3 participants
participants (3)
-
Pino Toscano -
Richard W.M. Jones -
Tomáš Golembiovský