From: "Sandro Bonazzola" <sbonazzo(a)redhat.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "engine-devel" <engine-devel(a)ovirt.org>, "users" <users(a)ovirt.org>
Sent: Wednesday, May 8, 2013 3:51:03 PM
Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
Hello,
if I've understood correctly then:
- there is no reason for checking if user altered http configuration
- proxy doesn't depend on any other related http configuration we do and
does not alter any other configuration file, so we can do it without
asking anything
- if ipa is installed, engine-setup should issue a warning about it and
default to No for 'set ovirt-engine as default page' and 'configure
apache ssl'
AFAIU and I don't think it was changed, there is a conflict between IPA and mod_ssl
(they did it ugly ... not in rpm level... that was the status a year ago)
So it will not work, as long as we do not move to mod_nss.
In addition there was an issue with mod_proxy and using 2 different SSL certificates (IPA
& RHEV) on the same apache server.
Please make sure all the above are solved.
Thanks
Barak
I think I've enough info.
Thanks.
On 06/05/2013 22:11, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Barak Azulay" <bazulay(a)redhat.com>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: "Sandro Bonazzola" <sbonazzo(a)redhat.com>, "engine-devel"
>> <engine-devel(a)ovirt.org>, "users" <users(a)ovirt.org>
>> Sent: Monday, May 6, 2013 10:42:02 PM
>> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use
>> Apache proxy (https://bugzilla.redhat.com/905754)
>>
>> On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>
>>> Hello,
>>>
>>> I don't understand why you start discussion from start... there were some
>>> additional facts.
>>>
>>> So first answer:
>>> No we cannot assume we own the machine nor own the apache, nor own the
>>> postgresql. These assumptions made in the past were plain wrong and cause
>>> more harm than good, and eventually saved no resources nor efforts.
>>>
>>> At master we altered the ajp proxy configuration to be less
>>> intrusive[1][2].
>>>
>>> We split the http configuration into three:
>>> 1. Install ajp proxy per our URIs[1].
>>> 2. Optionally set root redirection from / to /ovirt-engine
>>> 3. Optionally configure mod_ssl with our certificate.
>> I don't know if this was already brought up,
>>
>> There is a conflict between our configuration and IPA's
>> IPA uses mod_nss and we use mod_proxy and mod_ssl , and this creates a
>> conflict.
>>
>> We can try to move to mod_nss on upgrade and solve all issues
>>
>> Barak
> The fact that ovirt-engine depends on mod_ssl is a mistake... well, at
> least I think so.
> The product should not care how ssl is provided as long as it is provided.
>
> Personally, I think that product should not attempt to configure ssl at
> all, but provide the instructions of how to do so... But nevertheless,
> let's try to keep this to avoid argument.
>
> In case IPA is installed (and I really don't understand why should we care
> about IPA specifically, well, I actually do... as IPA makes the same
> faulty assumptions of 'owning' resources), the admin should just avoid
> selecting the 'set ovirt-engine as default page' and 'configure apache
> ssl', user should access ovirt-engine using:
>
> http://host/ovirt-engine
>
> It should work as long as there are no URI conflicts between products as I
> listed in previous message.
>
> Regards,
> Alon
>
>>> The mandatory apache configuration[1] does not alter any configuration
>>> file, hence the chance of conflict is the chance of conflict between
>>> ovirt-engine URIs and other product URIs.
>>>
>>> ovirt-engine URIs:
>>> ---
>>> /UserPortal
>>> /OvirtEngineWeb
>>> /webadmin
>>> /docs
>>> /spice
>>> /ca.crt
>>> /engine.ssh.key.txt
>>> /rhevm.ssh.key.txt
>>> /ovirt-engine-style.css
>>> /console.vv
>>> /api
>>> /ovirt-engine
>>> ---
>>>
>>> As we have done this without cooperation of developers we kept URIs
>>> as-is.
>>>
>>> URIs that cannot be changed until next major:
>>> /engine.ssh.key.txt
>>> /rhevm.ssh.key.txt
>>> /ca.crt
>>> /api [I guess, although we can provide migration path alternative]
>>>
>>> All the other can be moved into /ovirt-engine with cooperation of
>>> developers, especially UI and Virt developers, it should be easy to do
>>> this, and reduce the chance of conflict.
>>>
>>> Regards,
>>> Alon Bar-Lev.
>>>
>>> [1] http://gerrit.ovirt.org/#/c/13318/
>>> [2] http://gerrit.ovirt.org/#/c/14304/
>>>
>>> ----- Original Message -----
>>>> From: "Sandro Bonazzola" <sbonazzo(a)redhat.com>
>>>> To: "engine-devel" <engine-devel(a)ovirt.org>
>>>> Cc: "users" <users(a)ovirt.org>
>>>> Sent: Monday, May 6, 2013 6:32:08 PM
>>>> Subject: [Engine-devel] 3.3 scratch or upgraded installation must use
>>>> Apache proxy (https://bugzilla.redhat.com/905754)
>>>>
>>>> Hi,
>>>> I'm working on https://bugzilla.redhat.com/905754, trying to have Apache
>>>> proxy in all 3.3 installations.
>>>>
>>>> I'm looking in the code and I've found a point where I'm in doubt about
>>>> how to handle the case.
>>>> The current engine-setup implementation performs some checks that change
>>>> the behavior of the installer documented as:
>>>>
>>>> 1. Check whether the relevant httpd configuration files were changed, as
>>>> it's an indication for the setup that the httpd application is being
>>>> actively used. Therefore we may need to ask (dynamic change) the user
>>>> whether to override this configuration.
>>>>
>>>> 2. Check if IPA is installed and drop port 80/443 support. What the
>>>> script really does is setting OVERRIDE_HTTPD_CONFIG default to False in
>>>> both cases and just for case 2 call also setHttpPortsToNonProxyDefault.
>>>>
>>>>
>>>> About 1, if we can consider Apache "owned" by the engine we can drop any
>>>> question to the user, else I think we need to ask what to do or abort
>>>> the setup considering the configuration as unsupported.
>>>>
>>>> About 2, it seems that the best solution for that is to abort the setup
>>>> if IPA is found on the same system where
>>>> we're installing the engine.
>>>> As far as I've understood having IPA and engine on the same host is not a
>>>> supported configuration.
>>>>
>>>>
>>>> What do you think about this?
>>>>
>>>>
>>>> --
>>>> Sandro Bonazzola
>>>> Better technology. Faster innovation. Powered by community
>>>> collaboration.
>>>> See how it works at redhat.com
>>>>
>>>> _______________________________________________
>>>> Engine-devel mailing list
>>>> Engine-devel(a)ovirt.org
>>>>
>>>> http://lists.ovirt.org/mailman/listinfo/engine-devel
>>>>
--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
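
Added example, not part of the thread and not oVirt or engine-setup code: a small check for the URI conflicts discussed above, comparing the ovirt-engine URI list from the thread against the URL paths another product's httpd configuration claims. The sample configuration is constructed, the function names are hypothetical, and regex directives (LocationMatch, ProxyPassMatch) are not evaluated.

```python
import re

# ovirt-engine URIs as listed in the thread
ENGINE_URIS = [
    "/UserPortal", "/OvirtEngineWeb", "/webadmin", "/docs", "/spice",
    "/ca.crt", "/engine.ssh.key.txt", "/rhevm.ssh.key.txt",
    "/ovirt-engine-style.css", "/console.vv", "/api", "/ovirt-engine",
]

# httpd directives whose argument list contains a literal URL path
_DIRECTIVE = re.compile(
    r"^\s*<?(Location|Alias|ScriptAlias|ProxyPass|Redirect)\s+(.*?)>?\s*$",
    re.IGNORECASE)

def claimed_paths(conf_text):
    """Return [(lineno, directive, path)] for URL paths a config claims."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        for token in m.group(2).split():
            token = token.strip("\"'")
            if token.startswith("/"):  # skips e.g. "permanent" in Redirect
                found.append((lineno, m.group(1), token.rstrip("/") or "/"))
                break
    return found

def overlaps(a, b):
    """True if one path equals, or is a whole-segment prefix of, the other."""
    short, long_ = sorted((a, b), key=len)
    return short == "/" or long_ == short or long_.startswith(short + "/")

def find_conflicts(conf_text, engine_uris=ENGINE_URIS):
    return [(n, d, p, u) for n, d, p in claimed_paths(conf_text)
            for u in engine_uris if overlaps(p, u)]

# Constructed sample: a hypothetical other product's conf.d file.
SAMPLE_CONF = """\
# constructed example, not a real product's file
Alias /icons /usr/share/httpd/icons
<Location "/api/v2">
    Require all granted
</Location>
ProxyPass /docs ajp://localhost:8009/docs
<LocationMatch "^/spice">
</LocationMatch>
Redirect permanent /portal https://example.test/portal
"""

if __name__ == "__main__":
    for lineno, directive, path, uri in find_conflicts(SAMPLE_CONF):
        print(f"line {lineno}: {directive} {path} overlaps engine URI {uri}")
```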