From 5ad1e7c160f5fe0d499d8d25116cb0e1692f1e93 Mon Sep 17 00:00:00 2001

From: Pino Toscano <ptoscano@redhat.com>

Date: Fri, 27 Sep 2019 13:56:42 +0200

Subject: [PATCH] v2v: -o rhv-upload: make -oo rhv-cafile optional

It makes little sense to require the oVirt certificate, especially when

the verification of the connection (-oo rhv-verifypeer) is disabled by

default.  The only work done with the certificate in that case is

checking that it is a valid certificate file.

Hence, make -oo rhv-cafile optional, requiring it only when

-oo rhv-verifypeer is enabled.

(cherry picked from commit 0a5eaad7db3c9b9a03fa88102a9e6142c855bfd1)

---

 v2v/output_rhv_upload.ml    | 16 +++++++++-------

 v2v/virt-v2v-output-rhv.pod |  2 ++

 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml

index 206657a2b..2c8c18732 100644

--- a/v2v/output_rhv_upload.ml

+++ b/v2v/output_rhv_upload.ml

@@ -28,7 +28,7 @@ open Types

 open Utils

 type rhv_options = {

-  rhv_cafile : string;

+  rhv_cafile : string option;

   rhv_cluster : string option;

   rhv_direct : bool;

   rhv_verifypeer : bool;

@@ -76,15 +76,13 @@ let parse_output_options options =

        error (f_"-o rhv-upload: unknown output option ‘-oo %s’") k

   ) options;

-  let rhv_cafile =

-    match !rhv_cafile with

-    | Some s -> s

-    | None ->

-       error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file") in

+  let rhv_cafile = !rhv_cafile in

   let rhv_cluster = !rhv_cluster in

   let rhv_direct = !rhv_direct in

   let rhv_verifypeer = !rhv_verifypeer in

   let rhv_disk_uuids = Option.map List.rev !rhv_disk_uuids in

+  if rhv_verifypeer && rhv_cafile = None then

+     error (f_"-o rhv-upload: must use ‘-oo rhv-cafile’ to supply the path to the oVirt or RHV user’s ‘ca.pem’ file");

   { rhv_cafile; rhv_cluster; rhv_direct; rhv_verifypeer; rhv_disk_uuids }

@@ -92,6 +90,10 @@ let nbdkit_python_plugin = Config.virt_v2v_nbdkit_python_plugin

 let pidfile_timeout = 30

 let finalization_timeout = 5*60

+let json_optstring = function

+  | Some s -> JSON.String s

+  | None -> JSON.Null

+

 class output_rhv_upload output_alloc output_conn

                         output_password output_storage

                         rhv_options =

@@ -200,7 +202,7 @@ See also the virt-v2v-output-rhv(1) manual.")

     "output_sparse", JSON.Bool (match output_alloc with

                                 | Sparse -> true

                                 | Preallocated -> false);

-    "rhv_cafile", JSON.String rhv_options.rhv_cafile;

+    "rhv_cafile", json_optstring rhv_options.rhv_cafile;

     "rhv_cluster",

       JSON.String (Option.default "Default" rhv_options.rhv_cluster);

     "rhv_direct", JSON.Bool rhv_options.rhv_direct;

diff --git a/v2v/virt-v2v-output-rhv.pod b/v2v/virt-v2v-output-rhv.pod

index e840ca78d..04a894268 100644

--- a/v2v/virt-v2v-output-rhv.pod

+++ b/v2v/virt-v2v-output-rhv.pod

@@ -101,6 +101,8 @@ The storage domain.

 The F<ca.pem> file (Certificate Authority), copied from

 F</etc/pki/ovirt-engine/ca.pem> on the oVirt engine.

+This option must be specified if I<-oo rhv-verifypeer> is enabled.

+

 =item I<-oo rhv-cluster=>C<CLUSTERNAME>

 Set the RHV Cluster Name.  If not given it uses C<Default>.

-- 

2.26.2