[Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)

Thu May 23 14:01:58 UTC 2013

Il 19/05/2013 14:11, Alon Bar-Lev ha scritto:
>
> ----- Original Message -----
>> From: "Sandro Bonazzola" <sbonazzo at redhat.com>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: "Barak Azulay" <bazulay at redhat.com>, "engine-devel" <engine-devel at ovirt.org>, "Alex Lourie" <alourie at redhat.com>
>> Sent: Friday, May 17, 2013 11:11:54 AM
>> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache	proxy
>> (https://bugzilla.redhat.com/905754)
>>
>> Il 08/05/2013 21:18, Alon Bar-Lev ha scritto:
>>> Right.
>>> First, we need to support any installation not just rhel.
>>> Second, we can support only other well behaved products.
>>> Until recently we were not well behaved... well we still not fully because
>>> we do not have our own configurable URI namespace.
>>>
>>> We cannot control which applications are installed on the same host,
>>> however we can:
>>>
>>> 1. postgresql: support skipping the automatic provisioning [supported in
>>> the otopi setup]
>>> 2. apache: do not enforce specific apache SSL implementation [to be done].
>>> 3. apache: support skipping the automatic SSL configuration [supported].
>>> 4. apache: support skipping the root redirect to ovirt application
>>> [supported in otopi setup]
>>> 5. apache: move application to own name space, example /ovirt-engine [to be
>>> done, I will be happy if you can help pushing this]
>>> 6. firewall: support skipping configuration [supported]
>>> 7. packaging: remove the versionlock usage.
>>> 8. packaging: support proper upgrade path, compatible with packaging best
>>> practices.
>>> 9. files: rename all utilities and public artifacts from engine-* to
>>> ovirt-engine-*
>>> [more?]
>>>
>>> If we do the above we are acting as well behaved application, and can
>>> co-exist with other well behaved applications.
>>
>> Trying to set the point on this issue in order to start coding.
>>
>> We split the http configuration into three:
>> 1. Install ajp proxy per our URIs[1][2].
>> 2. Optionally set root redirection from / to /ovirt-engine
>> 3. Optionally configure mod_ssl with our certificate.
>>
>> The mandatory apache configuration[1] does not alter any configuration file.
>> [1] http://gerrit.ovirt.org/13318
>> [2] http://gerrit.ovirt.org/14304
>>
>> So there is no reason for checking if user has changed the http
>> configuration for just forcing proxy.
>>
>> About IPA conflicts if I've understood correctly there is only collision
>> between mod_nss used by IPA and mod_ssl used if we enable mod_ssl
>> configuration.
>> It seems there was an issue with mod_proxy and using 2 different SSL
>> certificates (IPA & RHEV) on the same apache server.
>>
>> So, I can force proxy enabled and I can force SSL configuration disabled
>> if IPA is detected.
>> I can leave root redirection optional in any case.
>>
>> otopi implementation already force proxy enabled so there should be just
>> to disable ssl if IPA is detected.
>>
>> During the discussion about this bug it was suggested also to avoid to
>> force dependency on mod_ssl or force migration to mod_nss during upgrade
>> allowing ipa and engine to coexist. I don't think that that issue should
>> be tracked by https://bugzilla.redhat.com/905754 so if there is the will
>> to either drop dependency on mod_ssl or migrate to mod_nss please open a
>> new bug about that.
> Right. I just mentioned that so all will be aware of this abnormality.
>
>> That could solve also another question: what if IPA is installed after
>> ovirt-engine?
>>
>> In order to act as well behaved application, and co-exist with other
>> well behaved applications there is more to do as Alon pointed out.
>> I think that any point not satisfied in order to behave correctly need a
>> bug to be opened.
>>
>> When we'll behave correctly I'll remove any check on IPA presence,
>> totally ignoring it and removing any enforcement about its presence.
>>
>> Am I missing something?
> I don't think so... just am not sure what is the answer in the past for post IPA installation...
>
> Thanks!
> Alon

I think I was missing something.
I don't know if other distro do the same, but on Fedora 18
freeipa-server has a package conflict with mod_ssl.
So it is not possible having both IPA and the oVirt engine on the same host.
This should answer also for post IPA installation for Fedora.

I think the best thing to do here is just warn that we are requiring
mod_ssl when enabling SSL support so any service that has conflicts like
freeipa-server will have issues
and let the administrator decide what to do.

-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com