Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1100824 - option insecure doesn't work
Summary: option insecure doesn't work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-iso-uploader
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.5.0
Assignee: Simone Tiraboschi
QA Contact: Pavel Stehlik
URL:
Whiteboard: integration
Depends On: 1106458
Blocks: 1102226 1102535 rhev3.5beta 1156165
TreeView+ depends on / blocked
 
Reported: 2014-05-23 14:13 UTC by Petr Beňas
Modified: 2015-02-11 17:48 UTC (History)
14 users (show)

Fixed In Version: ovirt-3.5.0-alpha2
Doc Type: Bug Fix
Doc Text:
Previously, using the ISO uploader with the --insecure option skipped SSL validation and failed. With this update, it now works as normal.
Clone Of:
: 1102226 1102535 (view as bug list)
Environment:
Last Closed: 2015-02-11 17:48:36 UTC
oVirt Team: ---
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0191 normal SHIPPED_LIVE rhevm-iso-uploader bug fix and enhancement update 2015-02-11 22:38:19 UTC
oVirt gerrit 28153 master MERGED ovirt-iso-uploader: using API SDK insecure parameter Never

Description Petr Beňas 2014-05-23 14:13:37 UTC
Description of problem:
[root@pb-rh34 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload /tmp/foo.iso 
Uploading, please wait...
INFO: Start uploading /tmp/foo.iso 
INFO: /tmp/foo.iso uploaded successfully
[root@pb-rh34 11111111-1111-1111-1111-111111111111]# rm -f *.iso
[root@pb-rh34 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload --insecure /tmp/foo.iso 
ERROR: Unable to connect to REST API.  Message: The host name "pb-rh34.rhev.lab.eng.brq.redhat.com" contained in the URL doesn't match any of the names in the server certificate.
ERROR: 'NoneType' object is not iterable
INFO: Use the -h option to see usage.


Version-Release number of selected component (if applicable):


How reproducible:
av9.2

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Sandro Bonazzola 2014-05-23 14:28:02 UTC
Juan, any change in SDK that may have caused this?

Comment 3 Juan Hernández 2014-05-23 14:40:39 UTC
Yes, the Python SDK has changed so that it validates the host name in the server certificate:

  http://gerrit.ovirt.org/26271

This is disabled when the "insecure=True" parameter is passed to the API constructor, so you need something like this in the ISO uploader:

diff --git a/src/__main__.py b/src/__main__.py
index 1c4c93a..f17d609 100644
--- a/src/__main__.py
+++ b/src/__main__.py
@@ -497,7 +497,7 @@ class ISOUploader(object):
                     username=self.configuration.get("user"),
                     password=self.configuration.get("passwd"),
                     ca_file=self.configuration.get("cert_file"),
-                    validate_cert_chain=not self.configuration.get("insecure"),
+                    insecure=self.configuration.get("insecure"),
                 )

That, or make sure that you connect to a host name that corresponds to the server certificate. I guess that the ISO uploader is using "localhost" in the URL.

Comment 4 Sandro Bonazzola 2014-05-28 06:27:23 UTC
Simone, please check also if image uploader is affected too and clone the BZ in that case.
Juan, can you tell us the SDK version that introduced the change in order to be sure to have proper requires in the spec file?

Comment 5 Simone Tiraboschi 2014-05-28 15:05:17 UTC
This was the side effect of a double bug: 
the secure mode was bugged in the SDK cause it didn't check the real host name against the host name in the cert and so it was always in quasi-insecure mode.
On the other side there was a bug in engine-iso-uploader engaging the insecure mode but we didn't notice it before just because it was always in insecure mode.

So it's not the effect of a change in SDK and I think we don't need to update the spec file to require a newer SDK version.

engine-image-uploader presents the same bug.

Comment 7 Petr Beňas 2014-06-18 11:27:28 UTC
[root@pb-rh35 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload -r localhost /root/test.iso 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
ERROR: Unable to connect to REST API.  Message: The host name "localhost" contained in the URL doesn't match any of the names in the server certificate.
ERROR: 'NoneType' object is not iterable
INFO: Use the -h option to see usage.
[root@pb-rh35 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload -r localhost --insecure /root/test.iso 
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): 
Uploading, please wait...
INFO: Start uploading /root/test.iso 
INFO: /root/test.iso uploaded successfully
[root@pb-rh35 11111111-1111-1111-1111-111111111111]# rpm -qa ovirt-iso-uploader
ovirt-iso-uploader-3.5.0-0.0.master.20140605.gite89dcdf.el6.noarch

Will report the "'NoneType' object is not iterable" as a separate bug. I consider this bug as verified, since the option --insecure now works for bypassing engine cert verification.

Comment 11 errata-xmlrpc 2015-02-11 17:48:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0191.html


Note You need to log in before you can comment on or make changes to this bug.