[Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)

Sun May 19 12:11:23 UTC 2013

----- Original Message -----
> From: "Sandro Bonazzola" <sbonazzo at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Barak Azulay" <bazulay at redhat.com>, "engine-devel" <engine-devel at ovirt.org>, "Alex Lourie" <alourie at redhat.com>
> Sent: Friday, May 17, 2013 11:11:54 AM
> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache	proxy
> (https://bugzilla.redhat.com/905754)
> 
> Il 08/05/2013 21:18, Alon Bar-Lev ha scritto:
> > Right.
> > First, we need to support any installation not just rhel.
> > Second, we can support only other well behaved products.
> > Until recently we were not well behaved... well we still not fully because
> > we do not have our own configurable URI namespace.
> >
> > We cannot control which applications are installed on the same host,
> > however we can:
> >
> > 1. postgresql: support skipping the automatic provisioning [supported in
> > the otopi setup]
> > 2. apache: do not enforce specific apache SSL implementation [to be done].
> > 3. apache: support skipping the automatic SSL configuration [supported].
> > 4. apache: support skipping the root redirect to ovirt application
> > [supported in otopi setup]
> > 5. apache: move application to own name space, example /ovirt-engine [to be
> > done, I will be happy if you can help pushing this]
> > 6. firewall: support skipping configuration [supported]
> > 7. packaging: remove the versionlock usage.
> > 8. packaging: support proper upgrade path, compatible with packaging best
> > practices.
> > 9. files: rename all utilities and public artifacts from engine-* to
> > ovirt-engine-*
> > [more?]
> >
> > If we do the above we are acting as well behaved application, and can
> > co-exist with other well behaved applications.
> 
> 
> Trying to set the point on this issue in order to start coding.
> 
> We split the http configuration into three:
> 1. Install ajp proxy per our URIs[1][2].
> 2. Optionally set root redirection from / to /ovirt-engine
> 3. Optionally configure mod_ssl with our certificate.
> 
> The mandatory apache configuration[1] does not alter any configuration file.
> [1] http://gerrit.ovirt.org/13318
> [2] http://gerrit.ovirt.org/14304
> 
> So there is no reason for checking if user has changed the http
> configuration for just forcing proxy.
> 
> About IPA conflicts if I've understood correctly there is only collision
> between mod_nss used by IPA and mod_ssl used if we enable mod_ssl
> configuration.
> It seems there was an issue with mod_proxy and using 2 different SSL
> certificates (IPA & RHEV) on the same apache server.
> 
> So, I can force proxy enabled and I can force SSL configuration disabled
> if IPA is detected.
> I can leave root redirection optional in any case.
> 
> otopi implementation already force proxy enabled so there should be just
> to disable ssl if IPA is detected.
> 
> During the discussion about this bug it was suggested also to avoid to
> force dependency on mod_ssl or force migration to mod_nss during upgrade
> allowing ipa and engine to coexist. I don't think that that issue should
> be tracked by https://bugzilla.redhat.com/905754 so if there is the will
> to either drop dependency on mod_ssl or migrate to mod_nss please open a
> new bug about that.

Right. I just mentioned that so all will be aware of this abnormality.

> That could solve also another question: what if IPA is installed after
> ovirt-engine?
> 
> In order to act as well behaved application, and co-exist with other
> well behaved applications there is more to do as Alon pointed out.
> I think that any point not satisfied in order to behave correctly need a
> bug to be opened.
> 
> When we'll behave correctly I'll remove any check on IPA presence,
> totally ignoring it and removing any enforcement about its presence.
> 
> Am I missing something?

I don't think so... just am not sure what is the answer in the past for post IPA installation...

Thanks!
Alon