On Mon, Apr 6, 2020 at 7:49 PM Vojtech Juranek <vjuranek@redhat.com> wrote:
Hi, I'd like to add imageio configuration into engine. Previously, it was done by dedicated setup code in imageio-proxy [1], but in new imageio we remove the proxy package and to configure imageio for engine we need just to place firewalld and imageio config files into proper place.
Initial idea was to do it directly in engine spec file, but it seems to me that configuration of the engine is done by dedicated packages and custom code. Ansible roles in packaging/ansible-runner-service-project seem to be only for host configuration.
What is a proper way how to configure imageio?
More correctly, how to configure engine for using imageio daemon. In the past we supported these options: - configuration without imageio proxy. This does not make sense since without the proxy you cannot upload images from the UI. We don't want to support such configuration. The imageio proxy must always be available, and there is nothing which is user configurable (in the context of engine setup). - proxy address. This configuration is not needed since the only supported configuration is proxy installed on the engine host, and engine already knows it's address. - certificates - in the past we created certificates and key for the proxy. This has been a constant source of trouble. Recently Didi switched to using apache pki files. There is no need to support other configurations. If users want to change the certificates, they can edit the imageio daemon configuration file. imageio provides a sample configuration file, and leaves the actual configuration to the user of the package. We have 2 users - vdsm and engine. Vdsm handles imageio configuration by installing the static configuration files in the spec. I don't see why engine cannot use the same simple solution. However if engine needs special configuration code (e.g. engine setup plugin), it must be part of engine repo and maintained by engine maintainers. The configuration for using imageio in engine: - tls - paths to apache certificates - remote port - always 54323 - control port - accessible only locally, TBD The remote port must be open in the engine host firewall, and requires another static file for firewalld rule. Vojta, can you share a working configuration file and firewalld rule, or post a patch adding them to engine? Nir