Use new ssl certificate kickstart options #1745
Conversation
pyanaconda/kickstart.py
Outdated
| @@ -2506,13 +2506,13 @@ def _getArgsAsStr(self): | |||
| return retval | |||
|
|
|||
| def _getParser(self): | |||
| op = KSOptionParser(prog="installclass", version=F27, description=""" | |||
| op = KSOptionParser(prog="installclass", version=F30, description=""" | |||
There was a problem hiding this comment.
Please, don't change this version.
pyanaconda/kickstart.py
Outdated
| Require the specified install class to be used for | ||
| the installation. Otherwise, the best available | ||
| install class will be used.""") | ||
|
|
||
| op.add_argument("--name", dest="name", required=True, type=str, | ||
| version=F27, help=""" | ||
| version=F30, help=""" |
| @@ -657,7 +657,11 @@ def _refreshInstallTree(self, url): | |||
| else: | |||
| proxy_url = None | |||
|
|
|||
| sslverify = not flags.noverifyssl | |||
| sslverify = getattr(self.data.method, "sslcacert", not flags.noverifyssl) | |||
There was a problem hiding this comment.
Please, don't change the type of sslverify. It should be a boolean.
|
Jenkins, test this please. |
poncovka
added
master
larskarlitski
force-pushed
the
clientcert
branch
from
9bef99d
to
9151199
Compare
|
Update fixing the issues @poncovka raised and rebase to latest master. Thanks, and sorry for the obvious mistakes. |
pyanaconda/payload/__init__.py
Outdated
| @@ -657,7 +657,11 @@ def _refreshInstallTree(self, url): | |||
| else: | |||
| proxy_url = None | |||
|
|
|||
| sslverify = not flags.noverifyssl | |||
| sslverify = hasattr(self.data.method, "sslcacert") or not flags.noverifyssl | |||
There was a problem hiding this comment.
I am not sure if this is correct. Shouldn't sslverify be set based on the value of self.data.method.sslcacert? Now it is set based on the existence of the attribute.
There was a problem hiding this comment.
The value is a url to the cert. If one is given, this code assumes that ssl should be verified (overriding flags.noverifyssl).
There was a problem hiding this comment.
If self.data.method.sslcacert is None, then hasattr(self.data.method, "sslcacert") returns True. https://docs.python.org/3/library/functions.html#hasattr
There was a problem hiding this comment.
Ugh, I've been doing too much JavaScript. Sorry for the noise. Made it more explicit now.
larskarlitski
force-pushed
the
clientcert
branch
2 times, most recently
from
80e9d83
to
e4351c3
Compare
|
Rebase to resolve merge conflict. |
|
I can confirm that Anaconda doesn't crash, when the options are not set, but I am not sure how to easily test the functionality. Have you tested this pull request, @larskarlitski? |
larskarlitski
force-pushed
the
clientcert
branch
from
e4351c3
to
820e491
Compare
|
@poncovka: I'm sorry, I had to revert to the old I've added a comment to (hopefully) make this more clear.
To confirm that this works, you need a valid RHEL subscription. It will fill |
anaconda.spec.in
Outdated
| @@ -38,7 +38,7 @@ Source0: %{name}-%{version}.tar.bz2 | |||
| %define libxklavierver 5.4 | |||
| %define mehver 0.23-1 | |||
| %define nmver 1.0 | |||
| %define pykickstartver 3.16-1 | |||
| %define pykickstartver 3.20-1 | |||
There was a problem hiding this comment.
Can you please change it to 3.19?
There was a problem hiding this comment.
Sure! Also rebased to latest master.
The `repo` and `url` commands can now contain --sslcacert, --sslclientcert, and --sslclientkey options. Use those when accessing repositories.
larskarlitski
force-pushed
the
clientcert
branch
from
820e491
to
a2a5678
Compare
|
Jenkins, test this please. |
poncovka
removed
the
manual testing required
The
repoandurlcommands can now contain --sslcacert,--sslclientcert, and --sslclientkey options. Use those when accessing
repositories.
The corresponding change in pykickstart: pykickstart/pykickstart#250