
Configuration

TLS Configuration

To secure data sent over the network, ovirt-imageio encrypts communication using TLS. TLS is enabled by default. Running imageio as a proxy without TLS enabled is not implemented. The key paths can be configured in the [tls] section of a drop-in config file *.conf placed in /etc/ovirt-imageio/conf.d or /usr/lib/ovirt-imageio/conf.d. Imageio does not provide any default TLS certificates; these have to be configured by the user.

Configuration options

TLS configuration on oVirt engine host

TLS is used to communicate securely with clients using the oVirt image transfer API, or with the oVirt engine Administration Portal. The configuration used by imageio on the oVirt engine host is placed in /etc/ovirt-imageio/conf.d/50-engine.conf and is configured by oVirt engine-setup. This file is owned by oVirt engine, and any custom changes to imageio configuration should be placed into a dedicated *.conf file with a higher name (ordered alphabetically) in the conf.d directory, e.g. /etc/ovirt-imageio/conf.d/99-user.conf.

Browser configuration

To use imageio via the oVirt engine Administration Portal, the client needs to install oVirt’s CA in its browser. oVirt’s CA certificate can be fetched from the following link, as specified in oVirt’s PKI wiki page:

'http://{engine_url}/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'

e.g.

curl -k 'https://ovirt-imageio.local/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA' > cert.pem

TLS configuration on oVirt host

TLS is used to communicate securely with clients using the oVirt image transfer API. imageio is configured by vdsm, and the configuration file is placed in /etc/ovirt-imageio/conf.d/50-vdsm.conf. This file is owned by vdsm, and any custom changes to imageio configuration should be placed into a dedicated *.conf file with a higher name (ordered alphabetically) in the conf.d directory, e.g. /etc/ovirt-imageio/conf.d/99-user.conf.
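
The drop-in ordering described for both the engine host and the oVirt host can be audited by resolving the [tls] section and recording which file set each option last. This is an added example, not ovirt-imageio's own code. It assumes that a same-named file in a later directory replaces the earlier one, and that the option names key_file and cert_file exist; the file contents and paths are constructed placeholders.

```python
import configparser
import glob
import os
import tempfile


def find_configs(conf_dirs):
    """Return drop-in paths in the order they are applied."""
    # Assumption: a file in a later directory replaces a same-named file
    # from an earlier one; files then apply in alphabetical name order.
    by_name = {}
    for d in conf_dirs:
        for path in glob.glob(os.path.join(d, "*.conf")):
            by_name[os.path.basename(path)] = path
    return [by_name[name] for name in sorted(by_name)]


def effective_tls(conf_dirs):
    """Map each [tls] option to (value, name of the file that set it last)."""
    result = {}
    for path in find_configs(conf_dirs):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(path)
        if parser.has_section("tls"):
            for option, value in parser.items("tls"):
                result[option] = (value, os.path.basename(path))
    return result


def demo():
    # Constructed tree and contents; option names and paths are assumed.
    root = tempfile.mkdtemp()
    vendor = os.path.join(root, "usr/lib/ovirt-imageio/conf.d")
    admin = os.path.join(root, "etc/ovirt-imageio/conf.d")
    os.makedirs(admin)
    samples = {
        "50-engine.conf": "[tls]\nkey_file = /placeholder/engine.key\n"
                          "cert_file = /placeholder/engine.cer\n",
        "99-user.conf": "[tls]\nkey_file = /placeholder/custom.key\n",
    }
    for name, text in samples.items():
        with open(os.path.join(admin, name), "w") as f:
            f.write(text)
    return effective_tls([vendor, admin])


if __name__ == "__main__":
    for option, (value, source) in sorted(demo().items()):
        print(f"{option} = {value}  (from {source})")
```

On a real host, calling effective_tls with the two conf.d directories named above shows whether a custom drop-in or the engine-setup/vdsm-owned file supplies each TLS path.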