Alon Bar-Lev has posted comments on this change.

Change subject: Avoiding legacy health servlet usage
......................................................................

Patch Set 2: (6 comments)

http://gerrit.ovirt.org/#/c/26878/2/src/ovirt_hosted_engine_setup/check_liveliness.py
File src/ovirt_hosted_engine_setup/check_liveliness.py:

Line 48:         self.logger.debug('Acquiring ca.crt from the engine')
Line 49:         with contextlib.closing(
Line 50:             urllib2.urlopen(
Line 51:                 'http://{fqdn}/ca.crt'.format(
Line 52:                     fqdn=fqdn,
if this is localhost, please use localhost, not sure.
also, please use the v1 registration protocol[1], should be:
/ovirt-engine/services/host-register?version=1&command=get-pki-trust
also to avoid man-in-the-middle, you should allow getting the certificate via setup parameter or at least input the key hash, getting it blindly is void unless localhost.
[1] http://gerrit.ovirt.org/#/c/20815/

Line 53:                 )
Line 54:             )
Line 55:         ) as urlObj:
Line 56:             content = urlObj.read()
Line 57:             if content:
not sure why this block cannot be outside of the with

Line 58:                 self.logger.debug(content)
Line 59:                 fd, self.cert = tempfile.mkstemp(
Line 60:                     prefix='engine-ca',
Line 61:                     suffix='.crt',
Line 62:                 )
Line 63:                 os.fchmod(fd, 0o600)
mkstemp already does 0600

Line 64:                 with os.fdopen(fd, 'w') as fileobj:
Line 65:                     fileobj.write(content)
Line 66:
Line 67:     def isEngineUp(self, fqdn):
Line 70:
Line 71:         if self.cert is None:
Line 72:             self._getPKICert(fqdn)
Line 73:
Line 74:         try:
loop?

Line 75:             # Now we are using the SDK to authenticate vs the API
Line 76:             # to check if the engine is up.
Line 77:             # Maybe in the future we can just rely on a
Line 78:             # not authenticated health API URL
Line 79:             self._ovirtsdk_api.API(
Line 80:                 url='https://{fqdn}/ovirt-engine/api'.format(
Line 81:                     # should we also handle installation over
Line 82:                     # non standar port?
Line 83:                     fqdn=fqdn,
again...
if it can be localhost, I suggest using localhost and insecure as we did in aio

Line 84:                 ),
Line 85:                 username='admin@internal',
Line 86:                 password=self.environment[
Line 87:                     ohostedcons.EngineEnv.ADMIN_PASSWORD,
Line 88:                 ],
Line 89:                 ca_file=self.cert,
we should file rfe against api to allow using chains from memory

Line 90:             )
Line 91:             isUp = True
Line 92:         except self._ovirtsdk_api.RequestError:
Line 93:             self.logger.error(_('Engine is still unreachable'))

--
To view, visit http://gerrit.ovirt.org/26878
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3522ccb82eee4bf7f04ded012d9badc97c55b5a0
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-hosted-engine-setup
Gerrit-Branch: master
Gerrit-Owner: Simone Tiraboschi <stira...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: David Caro <dcaro...@redhat.com>
Gerrit-Reviewer: Lev Veyde <lve...@gmail.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
Gerrit-Reviewer: Simone Tiraboschi <stira...@redhat.com>
Gerrit-Reviewer: Yedidyah Bar David <d...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
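One way to implement the "input the key hash" check the review asks for, as an added example that is not part of the patch or of ovirt-hosted-engine-setup: the operator supplies the expected SHA-256 fingerprint of the engine CA (a hypothetical setup parameter), and the ca.crt fetched over plain HTTP is only written to the temp file if its fingerprint matches. The HTTP fetch itself is left out; SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# Constructed sample (assumption): the base64 body decodes to b"abc", so this
# is NOT a real certificate; it only exercises the pinning logic offline.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"YWJj\n"
    b"-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM blob."""
    text = pem.decode('ascii')
    start = text.find('-----BEGIN CERTIFICATE-----')
    end = text.find('-----END CERTIFICATE-----', start)
    if start < 0 or end < 0:
        raise ValueError('no CERTIFICATE block found')
    body = text[start + len('-----BEGIN CERTIFICATE-----'):end]
    return base64.b64decode(''.join(body.split()))


def fingerprint_sha256(pem):
    """Colon-separated SHA-256 of the DER, the form openssl x509 -fingerprint prints."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_matches_pin(pem, expected_fingerprint):
    """Constant-time compare; accepts upper/lower case, with or without colons."""
    got = fingerprint_sha256(pem).replace(':', '').lower()
    want = expected_fingerprint.replace(':', '').strip().lower()
    return hmac.compare_digest(got, want)


def store_pinned_ca(pem, expected_fingerprint):
    """Write the CA to a private temp file only if it matches the operator's pin.

    mkstemp already creates the file with mode 0600, so no fchmod is needed."""
    if not ca_matches_pin(pem, expected_fingerprint):
        raise ValueError('engine CA fingerprint mismatch; refusing to trust it')
    fd, path = tempfile.mkstemp(prefix='engine-ca', suffix='.crt')
    with os.fdopen(fd, 'wb') as fileobj:
        fileobj.write(pem)
    return path
```

Without a pin (or a CA passed in directly as a setup parameter), a blind fetch over http://{fqdn}/ca.crt can be swapped by anyone on the path, which is exactly the case the review calls void unless the engine is localhost.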