From: "Sandro Bonazzola" <sbonazzo(a)redhat.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Barak Azulay" <bazulay(a)redhat.com>, "engine-devel"
<engine-devel(a)ovirt.org>, "Alex Lourie" <alourie(a)redhat.com>
Sent: Friday, May 17, 2013 11:11:54 AM
Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 08/05/2013 21:18, Alon Bar-Lev wrote:
> Right.
> First, we need to support any installation not just rhel.
> Second, we can support only other well behaved products.
> Until recently we were not well behaved... well, we are still not fully, because
> we do not have our own configurable URI namespace.
>
> We cannot control which applications are installed on the same host,
> however we can:
>
> 1. postgresql: support skipping the automatic provisioning [supported in
> the otopi setup]
> 2. apache: do not enforce specific apache SSL implementation [to be done].
> 3. apache: support skipping the automatic SSL configuration [supported].
> 4. apache: support skipping the root redirect to ovirt application
> [supported in otopi setup]
> 5. apache: move application to own name space, example /ovirt-engine [to be
> done, I will be happy if you can help pushing this]
> 6. firewall: support skipping configuration [supported]
> 7. packaging: remove the versionlock usage.
> 8. packaging: support proper upgrade path, compatible with packaging best
> practices.
> 9. files: rename all utilities and public artifacts from engine-* to
> ovirt-engine-*
> [more?]
>
> If we do the above we are acting as a well behaved application, and can
> co-exist with other well behaved applications.
Trying to set the point on this issue in order to start coding.
We split the http configuration into three:
1. Install ajp proxy per our URIs[1][2].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.
The mandatory apache configuration[1] does not alter any configuration file.
[1] http://gerrit.ovirt.org/13318
[2] http://gerrit.ovirt.org/14304
So there is no reason for checking if user has changed the http
configuration for just forcing proxy.
About IPA conflicts if I've understood correctly there is only collision
between mod_nss used by IPA and mod_ssl used if we enable mod_ssl
configuration.
It seems there was an issue with mod_proxy and using 2 different SSL
certificates (IPA & RHEV) on the same apache server.
So, I can force proxy enabled and I can force SSL configuration disabled
if IPA is detected.
I can leave root redirection optional in any case.
otopi implementation already forces proxy enabled so there should be just
to disable ssl if IPA is detected.
During the discussion about this bug it was suggested also to avoid to
force dependency on mod_ssl or force migration to mod_nss during upgrade
allowing ipa and engine to coexist. I don't think that that issue should
be tracked by https://bugzilla.redhat.com/905754 so if there is the will
to either drop dependency on mod_ssl or migrate to mod_nss please open a
new bug about that.
Right. I just mentioned that so all will be aware of this abnormality.
That could solve also another question: what if IPA is installed after
ovirt-engine?
In order to act as well behaved application, and co-exist with other
well behaved applications there is more to do as Alon pointed out.
I think that any point not satisfied in order to behave correctly needs a
bug to be opened.
When we'll behave correctly I'll remove any check on IPA presence,
totally ignoring it and removing any enforcement about its presence.
Am I missing something?
I don't think so... just am not sure what is the answer in the past for post IPA
installation...
Thanks!
Alon