Diffstat (limited to 'bz2029791-2-fence_openstack-cacert-default.patch')
-rw-r--r--bz2029791-2-fence_openstack-cacert-default.patch59
1 files changed, 59 insertions, 0 deletions
diff --git a/bz2029791-2-fence_openstack-cacert-default.patch b/bz2029791-2-fence_openstack-cacert-default.patch
new file mode 100644
index 0000000..419ce33
--- /dev/null
+++ b/bz2029791-2-fence_openstack-cacert-default.patch
@@ -0,0 +1,59 @@
+From b7032d16a07997ecab3b2c11a6436b3fa21f9043 Mon Sep 17 00:00:00 2001
+From: "Fabio M. Di Nitto" <fdinitto@redhat.com>
+Date: Thu, 6 Jan 2022 12:53:28 +0100
+Subject: [PATCH] fence_openstack: relax ssl cacert default
+
+allow the agent to use Base OS defaults vs forcing a specific file
+to increase portability.
+
+Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
+---
+ agents/openstack/fence_openstack.py | 12 +++++++++---
+ tests/data/metadata/fence_openstack.xml | 2 +-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/agents/openstack/fence_openstack.py b/agents/openstack/fence_openstack.py
+index c2d9df160..36b353b52 100755
+--- a/agents/openstack/fence_openstack.py
++++ b/agents/openstack/fence_openstack.py
+@@ -127,7 +127,13 @@ def nova_login(username, password, projectname, auth_url, user_domain_name,
+ cacert=cacert,
+ )
+
+- session = ksc_session.Session(auth=auth, verify=False if ssl_insecure else cacert, timeout=apitimeout)
++ caverify=True
++ if ssl_insecure:
++ caverify=False
++ elif cacert:
++ caverify=cacert
++
++ session = ksc_session.Session(auth=auth, verify=caverify, timeout=apitimeout)
+ nova = client.Client("2", session=session, timeout=apitimeout)
+ apiversion = None
+ try:
+@@ -189,10 +195,10 @@ def define_new_opts():
+ all_opt["cacert"] = {
+ "getopt": ":",
+ "longopt": "cacert",
+- "help": "--cacert=[cacert] Path to the PEM file with trusted authority certificates",
++ "help": "--cacert=[cacert] Path to the PEM file with trusted authority certificates (override global CA trust)",
+ "required": "0",
+ "shortdesc": "SSL X.509 certificates file",
+- "default": "/etc/pki/tls/certs/ca-bundle.crt",
++ "default": "",
+ "order": 7,
+ }
+ all_opt["apitimeout"] = {
+diff --git a/tests/data/metadata/fence_openstack.xml b/tests/data/metadata/fence_openstack.xml
+index 926d18c3d..c8dc2e60f 100644
+--- a/tests/data/metadata/fence_openstack.xml
++++ b/tests/data/metadata/fence_openstack.xml
+@@ -100,7 +100,7 @@
+ </parameter>
+ <parameter name="cacert" unique="0" required="0">
+ <getopt mixed="--cacert=[cacert]" />
+- <content type="string" default="/etc/pki/tls/certs/ca-bundle.crt" />
++ <content type="string" default="" />
+ <shortdesc lang="en">SSL X.509 certificates file</shortdesc>
+ </parameter>
+ <parameter name="apitimeout" unique="0" required="0">
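Review bot: In the embedded nova_login hunk, `ssl_insecure` silently takes precedence over an explicitly supplied `cacert`, so a configuration that sets both ends up with `verify=False` and nothing records that certificate verification was turned off. A one-line warning in the `if ssl_insecure:` branch would make that visible, for example `logging.warning("ssl_insecure is set: TLS certificate verification disabled, cacert ignored")`, assuming the agent's logging module is in scope there. The context line `cacert=cacert,` belongs to a call that starts outside the hunk and now receives the new empty-string default, so it is worth confirming that this call treats `""` the same as an unset CA file. With `verify=True`, the choice of trust store is left to the HTTP library, which depending on packaging may be its own bundled CA set rather than the OS store; the `--cacert` help text could say that an empty value means "library/system default trust". A short comment above `caverify=True`, such as `# verify: False = no TLS verification, path = custom CA bundle, True = default trust store`, would document the three cases.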