On Mon, Apr 6, 2020 at 7:43 PM Nir Soffer <nsoffer(a)redhat.com> wrote:
On Mon, Apr 6, 2020 at 7:49 PM Vojtech Juranek <vjuranek(a)redhat.com> wrote:
>
> Hi,
> I'd like to add imageio configuration into engine. Previously, it was done by
> dedicated setup code in imageio-proxy [1], but in new imageio we remove the
> proxy package and to configure imageio for engine we need just to place
> firewalld and imageio config files into proper place.
We should probably also add imageio dependency to the engine spec file,
because I understand that imageio proxy running on engine is always
required, right?
>
> Initial idea was to do it directly in engine spec file, but it seems to me
> that configuration of the engine is done by dedicated packages and custom
> code. Ansible roles in packaging/ansible-runner-service-project seem to be
> only for host configuration.
>
> What is a proper way how to configure imageio?
All engine and related services configuration is performed via
engine-setup, which is based on otopi.
More correctly, how to configure engine for using imageio daemon.
Please write a plugin to engine-setup which will handle imageio proxy
configuration
In the past we supported these options:
- configuration without imageio proxy. This does not make sense since
  without the proxy you cannot upload images from the UI. We don't want
  to support such configuration. The imageio proxy must always be
  available, and there is nothing which is user configurable (in the
  context of engine setup).
- proxy address. This configuration is not needed since the only
  supported configuration is proxy installed on the engine host, and
  engine already knows its address.
- certificates - in the past we created certificates and key for the
  proxy. This has been a constant source of trouble. Recently Didi
  switched to using apache pki files. There is no need to support other
  configurations. If users want to change the certificates, they can
  edit the imageio daemon configuration file.
Well, you need to support not only engine CA and engine certificate, but
also custom engine HTTPS certificate signed by custom CA in the same way as
engine:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
So even if proxy is going to use the same custom certificate and CA as
engine, we at least need to update documentation with the need to restart
imageio service on the host.
And one more thing: are all clients connecting only to imageio proxy on engine
or is there any connection directly to imageio running on the host?
imageio provides a sample configuration file, and leaves the actual
configuration to the user of the package. We have 2 users - vdsm and engine.
Vdsm handles imageio configuration by installing the static configuration
files in the spec. I don't see why engine cannot use the same simple
solution. However if engine needs special configuration code (e.g. engine
setup plugin), it must be part of engine repo and maintained by engine
maintainers.
The configuration for using imageio in engine:
- tls - paths to apache certificates
- remote port - always 54323
- control port - accessible only locally, TBD
The remote port must be open in the engine host firewall, and requires
another static file for firewalld rule.
Every engine configuration is handled within engine-setup, so please write
a plugin for engine-setup to configure imageio proxy on engine
Vojta, can you share a working configuration file and firewalld rule,
or post a patch adding them to engine?
Nir
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.