Bug #3896

OVirt console connection fails

Added by Jimmi Dyson over 5 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Compute resources
Target version:
Difficulty: easy
Triaged:
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Our RHEV manager is behind a firewall & so from Foreman server we opened up port 443 for management through the API & 5900-6011 for console access.

Things didn't work, connection timed out. I narrowed it down to some code in app/models/compute_resources/foreman/model/ovirt.rb, lines 218ff:

    def cacert
      ca_url = URI.parse(url)
      ca_url.path = "/ca.crt"
      ca_url.scheme = "http"
      ca_url.port = 8080 if ca_url.port == 8443
      ca_url.port = 80 if ca_url.port == 443
      Net::HTTP.get(ca_url).to_s
    end

It's fetching the (normally) self-signed CA certificate over an unencrypted channel & later on using this to validate the SSL connection. This is in effect no different to connecting directly over SSL & disabling certificate verification, but it does mean that port 80 or 8080 needs to be opened up as well which there seems no need to do.

I see 2 options:

1. Connect over SSL to retrieve the CA certificate, but disable certificate verification.
2. Retrieve & store the CA certificate only when the compute resource is added & display a warning to user around connecting to insecure site.

I prefer 2, but this is more work to implement. I have already written the trivial patch for 1 & will submit a pull request for this soon.

Thanks,
Jimmi
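
Option 2 from the description, sketched as an added example (it is not Foreman's code and not the submitted patch): the CA certificate is stored once when the compute resource is added, and later connections are verified against that stored copy with verification left on. The function names, the record layout and the certificates, which are generated in-process, are assumptions made for illustration.

```ruby
require 'openssl'

# Constructed sample data: issue a throwaway certificate in-process.
def issue(subject, key, signer_cert = nil, signer_key = key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = signer_cert ? signer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension(
    'basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
end

def sha256_of(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest.new('SHA256').hexdigest(der)
end

# Option 2: store the CA once; the fingerprint is what the user confirms (hypothetical layout).
def pin_ca(ca_pem)
  { pem: ca_pem, sha256: sha256_of(ca_pem) }
end

# Later connections keep verification on and trust only the stored CA.
def chains_to_pin?(pin, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(pin[:pem]))
  store.verify(server_cert)
end

# A CA offered again later must match the stored fingerprint.
def same_ca?(pin, offered_pem)
  sha256_of(offered_pem) == pin[:sha256]
end

def demo
  ca_key, other_key, srv_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca    = issue('/CN=constructed-ca', ca_key, ca: true)
  other = issue('/CN=constructed-ca', other_key, ca: true) # same name, other key
  pin   = pin_ca(ca.to_pem)
  { genuine: chains_to_pin?(pin, issue('/CN=rhevm.example.test', srv_key, ca, ca_key)),
    swapped: chains_to_pin?(pin, issue('/CN=rhevm.example.test', srv_key, other, other_key)),
    refetch_same: same_ca?(pin, ca.to_pem), refetch_swapped: same_ca?(pin, other.to_pem) }
end
p demo
```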

Associated revisions

Revision 6a85948c (diff)
Added by Jimmi Dyson over 5 years ago

fixes #3896 Retrieve OVirt CA certificate via same URL scheme as API URL by disabling SSL verification

History

#1 Updated by Dominic Cleal over 5 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Jimmi Dyson
  • Target version set to 1.9.3

#2 Updated by Anonymous over 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#3 Updated by Dominic Cleal over 5 years ago

  • Legacy Backlogs Release (now unused) set to 2
