This pull request changes behavior around the password key (certs/v2_key) and was just merged.
If you don’t care about the details, skip to the bold sections below.
The motivation was to prevent appliances from having a dirty git status as shown below:
We now have two v2_keys:
certs/v2_key: The key that is used by our password code to encrypt/decrypt two-way passwords. Unless you’re a developer wanting to share your database (AND passwords), never share this key outside of your organization. This file is never committed to git as it’s in the .gitignore.
certs/v2_key.dev: This is the developer public v2_key that enables us to share databases between each other and be able to read existing passwords in the database.
If you’re a user of manageiq on an appliance and you want to update to the latest manageiq code, you’ll need to copy off your generated v2_key that’s currently used to encrypt/decrypt 2-way passwords, discard any changes to the v2_key, git pull the latest code, and move your generated v2_key to certs/v2_key.
vmdb
git status # verify the certs/v2_key is modified as shown above
cp certs/v2_key certs/v2_key.mine
git checkout -- certs/v2_key
git pull
mv certs/v2_key.mine certs/v2_key
If you’re a developer, you’ll be greeted with this warning during startup seeding since you only have the developer key:
irb(main):002:0> MiqDatabase.seed
...
/Users/joerafaniello/Code/manageiq/certs/v2_key doesn't exist!
On an appliance, it should be generated on boot by evmserverd.
If you're a developer, you can copy the /Users/joerafaniello/Code/manageiq/certs/v2_key.dev to /Users/joerafaniello/Code/manageiq/certs/v2_key.
Caution, using the developer key will allow anyone with the public developer key to decrypt the two-way passwords in your database.
...
RuntimeError: no encryption key v2_key
For developers only:
cp certs/v2_key.dev certs/v2_key
Now, MiqDatabase.seed will work as before:
irb(main):001:0> MiqDatabase.seed
...
=> nil
You should now have a cleaner git status on manageiq when running on appliances.
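A check an operator could run to confirm that the certs/v2_key in use is not a copy of the public developer key, which the caution above says lets anyone decrypt the two-way passwords. This is an added example, not ManageIQ code: the function name v2_key_status, its status words and the file-permission check are assumptions made here.

```shell
#!/bin/sh
# Added example: classify the v2_key found in a ManageIQ checkout.
# Assumption: $1 is the application root that contains certs/ (default: .).
# The function name and status words are hypothetical, not ManageIQ's own.
v2_key_status() {
    root=${1:-.}
    key="$root/certs/v2_key"
    dev="$root/certs/v2_key.dev"

    # No key at all: MiqDatabase.seed fails with "no encryption key v2_key".
    if [ ! -f "$key" ]; then
        echo "missing"
        return 0
    fi

    # Byte-for-byte identical to the public developer key: anyone holding
    # certs/v2_key.dev can decrypt the two-way passwords in this database.
    if [ -f "$dev" ] && cmp -s "$key" "$dev"; then
        echo "developer-key"
        return 0
    fi

    # Extra check (not from the post): a private key readable by group or
    # other is exposed to every local account on the host.
    if [ -n "$(find "$key" -perm -040 -o -perm -004)" ]; then
        echo "private-key-loose-permissions"
    else
        echo "private-key"
    fi
    return 0
}

# Report on the directory given as the first argument (or the current one).
v2_key_status "${1:-.}"
```

On an appliance, anything other than `private-key` is worth investigating before the database holds real credentials.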