----- Original Message -----
> From: "Sandro Bonazzola" <sbonazzo(a)redhat.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: "Barak Azulay" <bazulay(a)redhat.com>, "engine-devel" <engine-devel(a)ovirt.org>, "Alex Lourie" <alourie(a)redhat.com>
> Sent: Friday, May 17, 2013 11:11:54 AM
> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
>
> On 08/05/2013 21:18, Alon Bar-Lev wrote:
>> Right.
>> First, we need to support any installation not just rhel.
>> Second, we can support only other well behaved products.
>> Until recently we were not well behaved... well, we are still not fully,
>> because we do not have our own configurable URI namespace.
>>
>> We cannot control which applications are installed on the same host,
>> however we can:
>>
>> 1. postgresql: support skipping the automatic provisioning [supported in
>> the otopi setup]
>> 2. apache: do not enforce specific apache SSL implementation [to be done].
>> 3. apache: support skipping the automatic SSL configuration [supported].
>> 4. apache: support skipping the root redirect to ovirt application
>> [supported in otopi setup]
>> 5. apache: move application to own name space, example /ovirt-engine [to be
>> done, I will be happy if you can help pushing this]
>> 6. firewall: support skipping configuration [supported]
>> 7. packaging: remove the versionlock usage.
>> 8. packaging: support proper upgrade path, compatible with packaging best
>> practices.
>> 9. files: rename all utilities and public artifacts from engine-* to
>> ovirt-engine-*
>> [more?]
>>
>> If we do the above we are acting as a well behaved application, and can
>> co-exist with other well behaved applications.
>
> Trying to set the point on this issue in order to start coding.
>
> We split the http configuration into three:
> 1. Install ajp proxy per our URIs[1][2].
> 2. Optionally set root redirection from / to /ovirt-engine
> 3. Optionally configure mod_ssl with our certificate.
>
> The mandatory apache configuration[1] does not alter any configuration file.
> [1] http://gerrit.ovirt.org/13318
> [2] http://gerrit.ovirt.org/14304
>
> So there is no reason for checking if user has changed the http
> configuration for just forcing proxy.
>
> About IPA conflicts if I've understood correctly there is only collision
> between mod_nss used by IPA and mod_ssl used if we enable mod_ssl
> configuration.
> It seems there was an issue with mod_proxy and using 2 different SSL
> certificates (IPA & RHEV) on the same apache server.
>
> So, I can force proxy enabled and I can force SSL configuration disabled
> if IPA is detected.
> I can leave root redirection optional in any case.
>
> otopi implementation already forces proxy enabled so there should be just
> to disable ssl if IPA is detected.
>
> During the discussion about this bug it was suggested also to avoid to
> force dependency on mod_ssl or force migration to mod_nss during upgrade
> allowing ipa and engine to coexist. I don't think that that issue should
> be tracked by https://bugzilla.redhat.com/905754 so if there is the will
> to either drop dependency on mod_ssl or migrate to mod_nss please open a
> new bug about that.

Right. I just mentioned that so all will be aware of this abnormality.

> That could solve also another question: what if IPA is installed after
> ovirt-engine?
>
> In order to act as well behaved application, and co-exist with other
> well behaved applications there is more to do as Alon pointed out.
> I think that any point not satisfied in order to behave correctly needs a
> bug to be opened.
>
> When we'll behave correctly I'll remove any check on IPA presence,
> totally ignoring it and removing any enforcement about its presence.
>
> Am I missing something?

I don't think so... just am not sure what is the answer in the past for post IPA installation...
Thanks!
Alon

I think I was missing something.
I don't know if other distros do the same, but on Fedora 18
freeipa-server has a package conflict with mod_ssl.
So it is not possible having both IPA and the oVirt engine on the same host.
This should answer also for post IPA installation for Fedora.
I think the best thing to do here is just warn that we are requiring
mod_ssl when enabling SSL support so any service that has conflicts like
freeipa-server will have issues
and let the administrator decide what to do.
--
Sandro Bonazzola