Douglas Schilling Landgraf has posted comments on this change.

Change subject: BZ#815825 validate vdsmcert against cacert
......................................................................
Patch Set 2: (1 inline comment)

....................................................
File libvirtd.upstart
Line 6: pre-start script

Hi Dan,

> Can you think of another place to better-fit this cert backup function?

Since the libvirt daemon depends on the certs matching to start, I cannot see, at the moment, a better place to validate the certificates.

> Since certificate is security-sensitive file, I'm not sure out-of-context restoration
> is acceptable (assume the backed up version is obsolete).

It becomes obsolete if the host gets approved, otherwise not. There is a bug situation where the administrator of oVirt Node executes the Engine registration procedure, and the host doesn't get 'approved' (note: at this point cacert.pem from Engine has already replaced /etc/pki/vdsm/certs/cacert.pem), causing a failure in the next reboot on libvirt daemon startup. This happens because the cacert.pem certificate file cannot be validated with vdsmcert.pem, so if we have a backup, we can easily revert it.

The full description/context:
http://gerrit.ovirt.org/#patch,sidebyside,3883,3,/COMMIT_MSG

--
To view, visit http://gerrit.ovirt.org/3885

Gerrit-MessageType: comment
Gerrit-Change-Id: I3d9de5d131fdaca0f875b14d21a97943c63b1770
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Douglas Schilling Landgraf <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Douglas Schilling Landgraf <[email protected]>
Gerrit-Reviewer: Michael Burns <[email protected]>
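Added example, not code from the patch under review: a sketch of the check discussed in this message, written so that a backup CA is restored only when the backup itself validates vdsmcert.pem, and the file it replaces is kept for inspection. The function names, the backup file argument and the `.rejected` suffix are assumptions.

```shell
#!/bin/sh
# Added example; function names, backup path and ".rejected" suffix are assumed.

# cert_chains_to CA CERT: succeed only when CERT verifies against CA.
# The output is checked as well as the exit status, because older
# OpenSSL releases could exit 0 after a failed verification.
cert_chains_to() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    case $out in
        *": OK") return 0 ;;
    esac
    return 1
}

# check_or_restore_cacert CACERT VDSMCERT BACKUP
# Prints one of: ok | restored | no-backup | backup-mismatch
check_or_restore_cacert() {
    cacert=$1
    vdsmcert=$2
    backup=$3

    # Normal case: the installed CA validates the host certificate.
    if cert_chains_to "$cacert" "$vdsmcert"; then
        echo ok
        return 0
    fi
    if [ ! -f "$backup" ]; then
        echo no-backup
        return 1
    fi
    # Never restore blindly: the backup must validate vdsmcert itself,
    # otherwise it is obsolete and restoring it would not help.
    if ! cert_chains_to "$backup" "$vdsmcert"; then
        echo backup-mismatch
        return 1
    fi
    # Keep the replaced CA file for later inspection, then restore.
    cp -p "$cacert" "${cacert}.rejected" && cp -p "$backup" "$cacert" || return 1
    echo restored
}

# Usage in a pre-start step (vdsmcert and backup paths are placeholders):
#   check_or_restore_cacert /etc/pki/vdsm/certs/cacert.pem \
#       <path-to-vdsmcert.pem> <path-to-cacert-backup>
```

A result of `no-backup` or `backup-mismatch` leaves the installed file untouched and returns non-zero, so the caller can log the mismatch instead of changing a trust anchor.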
