Alon Bar-Lev has posted comments on this change.

Change subject: services, setup: vmconsole/openssh integration
......................................................................

Patch Set 7:

(7 comments)

https://gerrit.ovirt.org/#/c/41329/7/packaging/setup/plugins/ovirt-engine-setup/vmconsole_proxy/pki.py
File packaging/setup/plugins/ovirt-engine-setup/vmconsole_proxy/pki.py:

Line 240: self.environment[oenginecons.PKIEnv.STORE_PASS],
Line 241: ),
Line 242: '--subject=/CN=%s' % (
Line 243: self._subjectComponentEscape(name)
Line 244: ),
please also use organization and country as other enrollments.

Line 245: ),
Line 246: )
Line 247:
Line 248: cmd = [

Line 255: if host_mode else
Line 256: ovmpcons.Const.VMCONSOLE_PROXY_SERVICE_NAME,
Line 257: ),
Line 258: )
Line 259: ]
:) + (['--host' ] if host_mode else [])

Line 260: if host_mode:
Line 261: cmd.append('--host')
Line 262:
Line 263: self.execute(tuple(cmd))

Line 259: ]
Line 260: if host_mode:
Line 261: cmd.append('--host')
Line 262:
Line 263: self.execute(tuple(cmd))
you do not need to case

Line 264:
Line 265: cert = os.path.join(
Line 266: ovmpcons.FileLocations.OVIRT_ENGINE_PKICERTSDIR,
Line 267: '%s-cert.pub' % name

Line 273: )
Line 274: )
Line 275: # prepare final path in the engine pki directory.
Line 276: # copy in the vmconsole pki directory later
Line 277: os.rename(cert, proxy_cert)
leave the file in its place, just prepare a transaction to copy it, avoid managing the filesystem directly.

Line 278: uninstall_files.append(proxy_cert)
Line 279: pki_artifacts.append(proxy_cert)
Line 280:
Line 281: def _expandPKCS12SSHKey(self, host_mode, uninstall_files, pki_artifacts):

Line 300: '-nodes',
Line 301: '-nocerts',
Line 302: ),
Line 303: logStreams=False,
Line 304: )
I think that master already has such a helper in ca.py, but this belongs to the code that configures the proxy, I think.

Line 305:
Line 306: key_file = os.path.join(
Line 307: oenginecons.FileLocations.OVIRT_ENGINE_PKIDIR,
Line 308: 'proxy-ssh_%s_rsa' % name,

Line 349: '\x00\x00\x00\x07ssh-rsa{exponent}{modulus}'.format(
Line 350: exponent=data[0],
Line 351: modulus=data[1],
Line 352: )
Line 353: )
you cannot assume the length... you should get it out of the actual key.

actually this is:

 openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -pubkey | ssh-keygen -i -m PKCS8 -f /proc/self/fd/0

but as this is not supported at rhel7 I created for you:

 openssl x509 -in xxx/etc/pki/ovirt-engine/ca.pem -noout -pubkey | EPYTHON=python2 ./packaging/bin/pki-ssh-keygen.py -i -m PKCS8 -f /proc/self/fd/0

Line 354:
Line 355:
Line 356: def _fixOwnerPermissions(dialog, pki_artifacts):
Line 357: if os.geteuid() == 0:

Line 396: )
Line 397:
Line 398:
Line 399: def _copyVMConsoleProxyPKIArtifacts(dialog, pki_artifacts):
Line 400: if os.geteuid() == 0:
please use DEVELOPER_MODE environment and not system attributes.

Line 401: for f in pki_artifacts:
Line 402: shutil.copy2(
Line 403: f,
Line 404: ovmpcons.FileLocations.OVIRT_VMCONSOLE_PROXY_PKIDIR

--
To view, visit https://gerrit.ovirt.org/41329

Gerrit-MessageType: comment
Gerrit-Change-Id: I740e37d5c34633bbe51922fb047d6b1a0a2431b6
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Francesco Romani <from...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Francesco Romani <from...@redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Omer Frenkel <ofren...@redhat.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
Gerrit-Reviewer: Simone Tiraboschi <stira...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-HasComments: Yes
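
The comment at line 353 concerns the hand-assembled `ssh-rsa` public key blob. As an added illustration (not code from the patch, the reviewer, or ovirt-engine), the Python 3 code below encodes that blob per RFC 4253 with every length prefix computed from the actual value, and parses it back with bounds checks. The function names and the toy exponent and modulus are constructed for the example.

```python
import base64
import struct


def ssh_string(data):
    """RFC 4251 string: uint32 big-endian length, then the bytes."""
    return struct.pack('>I', len(data)) + data


def ssh_mpint(value):
    """RFC 4251 mpint for a non-negative integer (RSA e or n)."""
    if value < 0:
        raise ValueError('RSA parameters are non-negative')
    if value == 0:
        return ssh_string(b'')
    # Spare leading byte when the top bit is set, so the mpint stays positive.
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, 'big'))


def ssh_rsa_blob(e, n):
    """Public key blob per RFC 4253: "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b'ssh-rsa') + ssh_mpint(e) + ssh_mpint(n)


def parse_ssh_rsa_blob(blob):
    """Inverse of ssh_rsa_blob; rejects truncated or foreign blobs."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError('truncated length prefix')
        (length,) = struct.unpack_from('>I', blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError('field runs past end of blob')
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b'ssh-rsa':
        raise ValueError('not an ssh-rsa public key blob')
    return int.from_bytes(fields[1], 'big'), int.from_bytes(fields[2], 'big')


def authorized_keys_line(e, n, comment):
    blob = base64.b64encode(ssh_rsa_blob(e, n)).decode('ascii')
    return 'ssh-rsa %s %s' % (blob, comment)


# Constructed toy values (not a real key); the modulus has its top bit set.
SAMPLE_E, SAMPLE_N = 65537, 0xD1C3A5F7
if __name__ == '__main__':
    print(authorized_keys_line(SAMPLE_E, SAMPLE_N, 'constructed-example'))
```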