[Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)

Hi,
I'm working on https://bugzilla.redhat.com/905754, trying to have Apache proxy in all 3.3 installations.
I'm looking in the code and I've found a point where I'm in doubt about how to handle the case. The current engine-setup implementation performs some checks that change the behavior of the installer, documented as:
1. Check whether the relevant httpd configuration files were changed, as it's an indication for the setup that the httpd application is being actively used. Therefore we may need to ask (dynamic change) the user whether to override this configuration.
2. Check if IPA is installed and drop port 80/443 support.
What the script really does is setting OVERRIDE_HTTPD_CONFIG default to False in both cases and, just for case 2, also calling setHttpPortsToNonProxyDefault.
About 1, if we can consider Apache "owned" by the engine we can drop any question to the user, else I think we need to ask what to do or abort the setup considering the configuration as unsupported.
About 2, it seems that the best solution for that is to abort the setup if IPA is found on the same system where we're installing the engine. As far as I've understood, having IPA and engine on the same host is not a supported configuration.
What do you think about this?
-- Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com

Hello,
I don't understand why you start discussion from start... there were some additional facts.
So first answer: No, we cannot assume we own the machine, nor own the apache, nor own the postgresql. These assumptions made in the past were plain wrong and caused more harm than good, and eventually saved no resources nor efforts.
At master we altered the ajp proxy configuration to be less intrusive[1][2].
We split the http configuration into three:
1. Install ajp proxy per our URIs[1].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.
The mandatory apache configuration[1] does not alter any configuration file, hence the chance of conflict is the chance of conflict between ovirt-engine URIs and other product URIs.
ovirt-engine URIs:
---
/UserPortal
/OvirtEngineWeb
/webadmin
/docs
/spice
/ca.crt
/engine.ssh.key.txt
/rhevm.ssh.key.txt
/ovirt-engine-style.css
/console.vv
/api
/ovirt-engine
---
As we have done this without cooperation of developers we kept URIs as-is.
URIs that cannot be changed until next major:
/engine.ssh.key.txt
/rhevm.ssh.key.txt
/ca.crt
/api [I guess, although we can provide migration path alternative]
All the others can be moved into /ovirt-engine with cooperation of developers, especially UI and Virt developers; it should be easy to do this, and reduce the chance of conflict.
Regards,
Alon Bar-Lev.
[1] http://gerrit.ovirt.org/#/c/13318/
[2] http://gerrit.ovirt.org/#/c/14304/
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com>
To: "engine-devel" <engine-devel@ovirt.org>
Cc: "users" <users@ovirt.org>
Sent: Monday, May 6, 2013 6:32:08 PM
Subject: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
_______________________________________________ Engine-devel mailing list Engine-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel
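The URI-conflict reasoning in Alon's message above, as an added example that is not part of the original thread or of engine-setup: a sketch that scans another product's Apache snippet for URL paths overlapping the ovirt-engine URIs listed in the thread, and marks hits on the URIs said to be unchangeable until the next major. The function names, the set of directives inspected and the sample configuration are assumptions made for illustration.

```python
import re
import shlex

# URIs the thread lists as proxied to ovirt-engine.
OVIRT_ENGINE_URIS = [
    "/UserPortal", "/OvirtEngineWeb", "/webadmin", "/docs", "/spice",
    "/ca.crt", "/engine.ssh.key.txt", "/rhevm.ssh.key.txt",
    "/ovirt-engine-style.css", "/console.vv", "/api", "/ovirt-engine",
]
# URIs the thread says cannot be changed until the next major release.
FIXED_URIS = {"/engine.ssh.key.txt", "/rhevm.ssh.key.txt", "/ca.crt", "/api"}

# Assumption: these directives are treated as "claiming" a URL path.
# Regex-based forms (LocationMatch, RedirectMatch, ...) are deliberately skipped.
_DIRECTIVE = re.compile(
    r"^<?(Alias|ScriptAlias|WSGIScriptAlias|ProxyPass|Redirect|Location)\s+(.+?)>?$",
    re.IGNORECASE,
)


def claimed_paths(conf_text):
    """Yield (lineno, directive, url_path) for each path a config claims."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        try:
            tokens = shlex.split(match.group(2))
        except ValueError:  # unbalanced quote: fall back to whitespace split
            tokens = match.group(2).split()
        # First token starting with "/" is the URL path; this skips the
        # optional status argument of Redirect and path-less forms used
        # inside a <Location> section.
        path = next((t for t in tokens if t.startswith("/")), None)
        if path is not None:
            yield lineno, match.group(1), path


def overlaps(a, b):
    """True when one URL path is a whole-segment prefix of the other."""
    seg_a = [s for s in a.split("/") if s]
    seg_b = [s for s in b.split("/") if s]
    n = min(len(seg_a), len(seg_b))
    return seg_a[:n] == seg_b[:n]


def find_conflicts(conf_text, engine_uris=OVIRT_ENGINE_URIS):
    """Return (lineno, directive, path, engine_uri, is_fixed) per collision."""
    hits = []
    for lineno, directive, path in claimed_paths(conf_text):
        for uri in engine_uris:
            if overlaps(path, uri):
                hits.append((lineno, directive, path, uri, uri in FIXED_URIS))
    return hits


# Constructed sample: a hypothetical other product's conf.d snippet.
SAMPLE_CONF = """\
# constructed sample, not taken from any real product
Alias /docs /usr/share/otherapp/html
<Location "/otherapp">
    Require all granted
</Location>
ProxyPass /api/v2 http://127.0.0.1:9000/api/v2
ProxyPassReverse /api/v2 http://127.0.0.1:9000/api/v2
Alias /apidocs /usr/share/otherapp/apidocs
Redirect permanent /webadmin https://other.example/admin
"""

if __name__ == "__main__":
    for lineno, directive, path, uri, fixed in find_conflicts(SAMPLE_CONF):
        note = "cannot be moved until next major" if fixed else "could move under /ovirt-engine"
        print(f"line {lineno}: {directive} {path} overlaps {uri} ({note})")
```

A claim on `/` overlaps every engine URI under this rule, which matches the thread's point that the root redirection is the optional, more intrusive step.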

On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl@redhat.com> wrote:
> We split the http configuration into three:
> 1. Install ajp proxy per our URIs[1].
> 2. Optionally set root redirection from / to /ovirt-engine
> 3. Optionally configure mod_ssl with our certificate.
I don't know if this was already brought up,
There is a conflict between our configuration and IPA's: IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a conflict.
We can try to move to mod_nss on upgrade and solve all issues
Barak

----- Original Message -----
From: "Barak Azulay" <bazulay@redhat.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org>
Sent: Monday, May 6, 2013 10:42:02 PM
Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
> I don't know if this was already brought up,
> There is a conflict between our configuration and IPA's: IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a conflict.
> We can try to move to mod_nss on upgrade and solve all issues
> Barak
The fact that ovirt-engine depends on mod_ssl is a mistake... well, at least I think so. The product should not care how ssl is provided as long as it is provided.
Personally, I think that product should not attempt to configure ssl at all, but provide the instructions of how to do so... But nevertheless, let's try to keep this to avoid argument.
In case IPA is installed (and I really don't understand why should we care about IPA specifically, well, I actually do... as IPA makes the same faulty assumptions of 'owning' resources), the admin should just avoid selecting the 'set ovirt-engine as default page' and 'configure apache ssl', user should access ovirt-engine using: http://host/ovirt-engine
It should work as long as there are no URI conflicts between products as I listed in previous message.
Regards,
Alon

Hello,
if I've understood correctly then:
- there is no reason for checking if user altered http configuration
- proxy doesn't depend on any other related http configuration we do and does not alter any other configuration file, so we can do it without asking anything
- if ipa is installed, engine-setup should issue a warning about it and default to No for 'set ovirt-engine as default page' and 'configure apache ssl'
I think I've enough info. Thanks.
On 06/05/2013 22:11, Alon Bar-Lev wrote:
> In case IPA is installed (and I really don't understand why should we care about IPA specifically, well, I actually do... as IPA makes the same faulty assumptions of 'owning' resources), the admin should just avoid selecting the 'set ovirt-engine as default page' and 'configure apache ssl', user should access ovirt-engine using: http://host/ovirt-engine
-- Sandro Bonazzola

----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org>
Sent: Wednesday, May 8, 2013 3:51:03 PM
Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
> Hello,
> if I've understood correctly then:
> - there is no reason for checking if user altered http configuration
> - proxy doesn't depend on any other related http configuration we do and does not alter any other configuration file, so we can do it without asking anything
> - if ipa is installed, engine-setup should issue a warning about it and default to No for 'set ovirt-engine as default page' and 'configure apache ssl'
AFAIU, and I don't think it was changed, there is a conflict between IPA and mod_ssl (they did it ugly ... not in rpm level... that was the status a year ago).
So it will not work, as long as we do not move to mod_nss.
In addition there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.
Please make sure all the above are solved.
Thanks
Barak

----- Original Message -----
From: "Barak Azulay" <bazulay@redhat.com>
To: "Sandro Bonazzola" <sbonazzo@redhat.com>
Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org>
Sent: Wednesday, May 8, 2013 4:00:34 PM
Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
> AFAIU, and I don't think it was changed, there is a conflict between IPA and mod_ssl (they did it ugly ... not in rpm level... that was the status a year ago).
> So it will not work, as long as we do not move to mod_nss.
> In addition there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.
> Please make sure all the above are solved.
I just do not understand why we treat IPA in special way... it is as if we need to have knowledge of every application out there that hacks the apache.
Playing nice with mod_nss and not force mod_ssl or actually any is a positive move.
Thanks,
Alon
Thanks Barak
I think I've enough info. Thanks.
Il 06/05/2013 22:11, Alon Bar-Lev ha scritto:
From: "Barak Azulay" <bazulay@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Monday, May 6, 2013 10:42:02 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl@redhat.com> wrote:
Hello,
I don't understand why you start discussion from start... there were some additional facts.
So first answer: No we cannot assume we own the machine nor own the apache, nor own the postgresql. These assumptions made in the past were plain wrong and cause more harm than good, and eventually saved no resources nor efforts.
At master we altered the ajp proxy configuration to be less intrusive[1][2].
We split the http configuration into three: 1. Install ajp proxy per our URIs[1]. 2. Optionally set root redirection from / to /ovirt-engine 3. Optionally configure mod_ssl with our certificate. I don't know if this was already brought up,
There is a conflict between our configuration and IPA's IPA uses mod_nss and we use mod_proxy and mod_ssl , and this creates a conflict.
We can try move to mod_nss on upgrade and solve all issues
Barak The fact that ovirt-engine depends on mod_ssl is a mistake... well, at least I think so. The product should not care how ssl is provided as long as it is
----- Original Message ----- provided.
Personally, I think that product should not attempt to configure ssl at all, but provide the instructions of how to do so... But never the less, let's try to keep this to avoid argument.
In case IPA is installed (and I really don't understand why should we care about IPA specifically, well, I actually do... as IPA makes the same faulty assumptions of 'owning' resources), the admin should just avoid selecting the 'set ovirt-engine as default page' and 'configure apache ssl', user should access ovirt-engine using: http://host/ovirt-engine
It should work as long as there are no URI conflicts between products as I listed in previous message.
Regards, Alon
The mandatory apache configuration[1] does not alter any configuration file, hence the chance of conflict is the chance of conflict between ovirt-engine URIs and other product URIs.
ovirt-engine URIs: --- /UserPortal /OvirtEngineWeb /webadmin /docs /spice /ca.crt /engine.ssh.key.txt /rhevm.ssh.key.txt /ovirt-engine-style.css /console.vv /api /ovirt-engine ---
As we have done this without cooperation of developers we kept URIs as-is.
URIs that cannot be changed until next major: /engine.ssh.key.txt /rhevm.ssh.key.txt /ca.crt /api [I guess, although we can provide migration path alternative]
All the other can be moved into /ovirt-engine with cooperation of developers, especially UI and Virt developers, it should be easy to do this, and reduce the chance of conflict.
Regards, Alon Bar-Lev.
[1] http://gerrit.ovirt.org/#/c/13318/ [2] http://gerrit.ovirt.org/#/c/14304/
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "engine-devel" <engine-devel@ovirt.org> Cc: "users" <users@ovirt.org> Sent: Monday, May 6, 2013 6:32:08 PM Subject: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
Hi, I'm working on https://bugzilla.redhat.com/905754, trying to have Apache proxy in all 3.3 installations.
I'm looking in the code and I've found a point where I'm in doubt about how to handle the case. The current engine-setup implementation perform some checks that change the behavior of the installer documented as:
1. Check whether the relevant httpd configuration files were changed, as it's an indication for the setup that the httpd application is being actively used, Therefore we may need to ask (dynamic change) the user whether to override this configuration.
2. Check if IPA is installed and drop port 80/443 support. What the script really do is setting OVERRIDE_HTTPD_CONFIG default to False in both cases and just for case 2 call also setHttpPortsToNonProxyDefault.
About 1, if we can consider Apache "owned" by the engine we can drop any question to the user, else I think we need to ask what to do or abort the setup considering the configuration as unsupported.
About 2, it seems that the best solution for that is to abort the setup if IPA is found on the same system where we're installing the engine. As far I've understood having IPA and engine on the same host is not a supported configuration.
What do you think about this?
-- Sandro Bonazzola Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
_______________________________________________ Engine-devel mailing list Engine-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel
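The URI-conflict risk described in the reply above can be checked mechanically. The following is an added example, not code from engine-setup or the oVirt project: it scans Apache configuration text for prefix-style directives that claim a path overlapping the ovirt-engine URIs listed in the thread. The file names and configuration snippets are constructed, and segment-wise prefix matching is a simplifying assumption about how Apache resolves these directives.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# URI list exactly as given in the thread.
OVIRT_ENGINE_URIS = [
    "/UserPortal", "/OvirtEngineWeb", "/webadmin", "/docs", "/spice",
    "/ca.crt", "/engine.ssh.key.txt", "/rhevm.ssh.key.txt",
    "/ovirt-engine-style.css", "/console.vv", "/api", "/ovirt-engine",
]
# Subset the thread says cannot be changed until the next major release.
FIXED_UNTIL_NEXT_MAJOR = {
    "/engine.ssh.key.txt", "/rhevm.ssh.key.txt", "/ca.crt", "/api",
}

# Prefix-style directives that bind a URL path. Regex variants such as
# AliasMatch, ProxyPassMatch and LocationMatch are deliberately not handled.
_DIRECTIVE = re.compile(
    r"^\s*<?(Alias|ScriptAlias|ProxyPass|Redirect|Location)\b\s*(.*?)>?\s*$",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    file: str
    line: int
    directive: str
    claimed: str
    engine_uris: List[str]   # engine URIs overlapping the claimed path
    fixed_uris: List[str]    # of those, the ones that cannot be moved yet


def _segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s]


def overlaps(a: str, b: str) -> bool:
    """True when one path is a whole-segment prefix of the other.

    Assumption: segment-wise comparison, so /api overlaps /api/v2 but not
    /apidocs. A claim on "/" overlaps everything.
    """
    sa, sb = _segments(a), _segments(b)
    n = min(len(sa), len(sb))
    return sa[:n] == sb[:n]


def claimed_path(line: str) -> Optional[Tuple[str, str]]:
    """Return (directive, url_path) if the line binds a URL path."""
    if line.lstrip().startswith("#"):
        return None
    m = _DIRECTIVE.match(line)
    if not m:
        return None
    # The URL path is the first argument starting with "/"; this skips the
    # optional status argument of Redirect.
    for tok in m.group(2).replace('"', "").replace("'", "").split():
        if tok.startswith("/"):
            return m.group(1), tok
    return None


def find_uri_conflicts(conf_files: Dict[str, str],
                       skip: Iterable[str] = ()) -> List[Finding]:
    """Scan {file name: content}; `skip` names the engine's own files."""
    skip = set(skip)
    findings = []
    for name in sorted(conf_files):
        if name in skip:
            continue
        for lineno, line in enumerate(conf_files[name].splitlines(), 1):
            claim = claimed_path(line)
            if claim is None:
                continue
            directive, path = claim
            hit = [u for u in OVIRT_ENGINE_URIS if overlaps(path, u)]
            if hit:
                fixed = [u for u in hit if u in FIXED_UNTIL_NEXT_MAJOR]
                findings.append(
                    Finding(name, lineno, directive, path, hit, fixed))
    return findings


# Constructed sample of a conf.d directory shared with other products.
SAMPLE_CONF_D = {
    "otherapp.conf": """\
# constructed sample
<Location "/otherapp">
    Require all granted
</Location>
Alias /docs /var/www/otherapp/docs
ProxyPass /api/v2 http://127.0.0.1:8081/
<Location /apidocs>
</Location>
""",
    "site.conf": """\
Redirect permanent / https://www.example.invalid/portal
""",
}

if __name__ == "__main__":
    for f in find_uri_conflicts(SAMPLE_CONF_D):
        print(f"{f.file}:{f.line}: {f.directive} {f.claimed} overlaps "
              f"{', '.join(f.engine_uris)}; not movable yet: "
              f"{', '.join(f.fixed_uris) or 'none'}")
```

Findings whose `fixed_uris` list is non-empty are the ones that moving the application under /ovirt-engine would not resolve.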

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Barak Azulay" <bazulay@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 5:20:51 PM Subject: Re: [Users] [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Barak Azulay" <bazulay@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 4:00:34 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 3:51:03 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
Hello, if I've understood correctly then:
- there is no reason for checking if user altered http configuration
- proxy doesn't depend on any other related http configuration we do and does not alter any other configuration file, so we can do it without asking anything
- if ipa is installed, engine-setup should issue a warning about it and default to No for 'set ovirt-engine as default page' and 'configure apache ssl'
AFAIU and I don't think it was changed, there is a conflict between IPA and mod_ssl (they did it ugly ... not in rpm level... that was the status a year ago)
So it will not work, as long as we do not move to mod_nss.
In addition there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.
please make sure all the above are solved.
I just do not understand why we treat IPA in special way... it is as if we need to have knowledge of every application out there that hacks the apache.
What if IPA is installed after ovirt-engine?
Playing nice with mod_nss and not force mod_ssl or actually any is a positive move.
Thanks, Alon
Thanks Barak
I think I've enough info. Thanks.
On 06/05/2013 22:11, Alon Bar-Lev wrote:
From: "Barak Azulay" <bazulay@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Monday, May 6, 2013 10:42:02 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl@redhat.com> wrote:
Hello,
I don't understand why you start discussion from start... there were some additional facts.
So first answer: No we cannot assume we own the machine nor own the apache, nor own the postgresql. These assumptions made in the past were plain wrong and cause more harm than good, and eventually saved no resources nor efforts.
At master we altered the ajp proxy configuration to be less intrusive[1][2].
We split the http configuration into three:
1. Install ajp proxy per our URIs[1].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.
I don't know if this was already brought up,
There is a conflict between our configuration and IPA's. IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a conflict.
We can try move to mod_nss on upgrade and solve all issues
Barak
The fact that ovirt-engine depends on mod_ssl is a mistake... well, at least I think so. The product should not care how ssl is provided as long as it is provided.
Personally, I think that product should not attempt to configure ssl at all, but provide the instructions of how to do so... But nevertheless, let's try to keep this to avoid argument.
In case IPA is installed (and I really don't understand why should we care about IPA specifically, well, I actually do... as IPA makes the same faulty assumptions of 'owning' resources), the admin should just avoid selecting the 'set ovirt-engine as default page' and 'configure apache ssl', user should access ovirt-engine using: http://host/ovirt-engine
It should work as long as there are no URI conflicts between products as I listed in previous message.
Regards, Alon
The mandatory apache configuration[1] does not alter any configuration file, hence the chance of conflict is the chance of conflict between ovirt-engine URIs and other product URIs.
ovirt-engine URIs:
---
/UserPortal
/OvirtEngineWeb
/webadmin
/docs
/spice
/ca.crt
/engine.ssh.key.txt
/rhevm.ssh.key.txt
/ovirt-engine-style.css
/console.vv
/api
/ovirt-engine
---
As we have done this without cooperation of developers we kept URIs as-is.
URIs that cannot be changed until next major:
/engine.ssh.key.txt
/rhevm.ssh.key.txt
/ca.crt
/api [I guess, although we can provide migration path alternative]
All the others can be moved into /ovirt-engine with cooperation of developers, especially UI and Virt developers; it should be easy to do this, and reduce the chance of conflict.
Regards, Alon Bar-Lev.
[1] http://gerrit.ovirt.org/#/c/13318/ [2] http://gerrit.ovirt.org/#/c/14304/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Barak Azulay" <bazulay@redhat.com> Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 5:20:51 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Barak Azulay" <bazulay@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 4:00:34 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 3:51:03 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
Hello, if I've understood correctly then:
- there is no reason for checking if user altered http configuration
- proxy doesn't depend on any other related http configuration we do and does not alter any other configuration file, so we can do it without asking anything
- if ipa is installed, engine-setup should issue a warning about it and default to No for 'set ovirt-engine as default page' and 'configure apache ssl'
AFAIU and I don't think it was changed, there is a conflict between IPA and mod_ssl (they did it ugly ... not in rpm level... that was the status a year ago)
So it will not work, as long as we do not move to mod_nss.
In addition there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.
please make sure all the above are solved.
I just do not understand why we treat IPA in special way... it is as if we need to have knowledge of every application out there that hacks the apache.
Playing nice with mod_nss and not force mod_ssl or actually any is a positive move.
The reason is that in 3.0 we supported IPA (and PMs even recommended to install it on the same host as RHEVM so save HW). So if someone continues with that deployment we should not break it.
Having said that - we need to handle any installation on any supported RHEL version, on those server one might have apache with other application, and you have said we should not assume we own the host.
Barak
Thanks, Alon
Thanks Barak
I think I've enough info. Thanks.
On 06/05/2013 22:11, Alon Bar-Lev wrote:
From: "Barak Azulay" <bazulay@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Monday, May 6, 2013 10:42:02 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl@redhat.com> wrote:
Hello,
I don't understand why you start discussion from start... there were some additional facts.
So first answer: No we cannot assume we own the machine nor own the apache, nor own the postgresql. These assumptions made in the past were plain wrong and cause more harm than good, and eventually saved no resources nor efforts.
At master we altered the ajp proxy configuration to be less intrusive[1][2].
We split the http configuration into three:
1. Install ajp proxy per our URIs[1].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.
I don't know if this was already brought up,
There is a conflict between our configuration and IPA's. IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a conflict.
We can try move to mod_nss on upgrade and solve all issues
Barak
The fact that ovirt-engine depends on mod_ssl is a mistake... well, at least I think so. The product should not care how ssl is provided as long as it is provided.
Personally, I think that product should not attempt to configure ssl at all, but provide the instructions of how to do so... But nevertheless, let's try to keep this to avoid argument.
In case IPA is installed (and I really don't understand why should we care about IPA specifically, well, I actually do... as IPA makes the same faulty assumptions of 'owning' resources), the admin should just avoid selecting the 'set ovirt-engine as default page' and 'configure apache ssl', user should access ovirt-engine using: http://host/ovirt-engine
It should work as long as there are no URI conflicts between products as I listed in previous message.
Regards, Alon
The mandatory apache configuration[1] does not alter any configuration file, hence the chance of conflict is the chance of conflict between ovirt-engine URIs and other product URIs.
ovirt-engine URIs:
---
/UserPortal
/OvirtEngineWeb
/webadmin
/docs
/spice
/ca.crt
/engine.ssh.key.txt
/rhevm.ssh.key.txt
/ovirt-engine-style.css
/console.vv
/api
/ovirt-engine
---
As we have done this without cooperation of developers we kept URIs as-is.
URIs that cannot be changed until next major:
/engine.ssh.key.txt
/rhevm.ssh.key.txt
/ca.crt
/api [I guess, although we can provide migration path alternative]
All the others can be moved into /ovirt-engine with cooperation of developers, especially UI and Virt developers; it should be easy to do this, and reduce the chance of conflict.
Regards, Alon Bar-Lev.
[1] http://gerrit.ovirt.org/#/c/13318/ [2] http://gerrit.ovirt.org/#/c/14304/

----- Original Message -----
From: "Barak Azulay" <bazulay@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org> Sent: Wednesday, May 8, 2013 10:02:29 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Barak Azulay" <bazulay@redhat.com> Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 5:20:51 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Barak Azulay" <bazulay@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 4:00:34 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Wednesday, May 8, 2013 3:51:03 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
Hello, if I've understood correctly then:
- there is no reason for checking if user altered http configuration
- proxy doesn't depend on any other related http configuration we do and does not alter any other configuration file, so we can do it without asking anything
- if ipa is installed, engine-setup should issue a warning about it and default to No for 'set ovirt-engine as default page' and 'configure apache ssl'
AFAIU and I don't think it was changed, there is a conflict between IPA and mod_ssl (they did it ugly ... not in rpm level... that was the status a year ago)
So it will not work, as long as we do not move to mod_nss.
In addition there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.
please make sure all the above are solved.
I just do not understand why we treat IPA in special way... it is as if we need to have knowledge of every application out there that hacks the apache.
Playing nice with mod_nss and not force mod_ssl or actually any is a positive move.
The reason is that in 3.0 we supported IPA (and PMs even recommended to install it on the same host as RHEVM so save HW) So if someone continues with that deployment we should not break it.
Having said that - we need to handle any installation on any supported RHEL version, on those server one might have apache with other application, and you have said we should not assume we own the host.
Right. First, we need to support any installation not just rhel. Second, we can support only other well behaved products. Until recently we were not well behaved... well we still not fully because we do not have our own configurable URI namespace.
We cannot control which applications are installed on the same host, however we can:
1. postgresql: support skipping the automatic provisioning [supported in the otopi setup]
2. apache: do not enforce specific apache SSL implementation [to be done].
3. apache: support skipping the automatic SSL configuration [supported].
4. apache: support skipping the root redirect to ovirt application [supported in otopi setup]
5. apache: move application to own name space, example /ovirt-engine [to be done, I will be happy if you can help pushing this]
6. firewall: support skipping configuration [supported]
7. packaging: remove the versionlock usage.
8. packaging: support proper upgrade path, compatible with packaging best practices.
9. files: rename all utilities and public artifacts from engine-* to ovirt-engine-*
[more?]
If we do the above we are acting as well behaved application, and can co-exist with other well behaved applications.
Barak
Thanks, Alon
Thanks Barak
I think I've enough info. Thanks.
On 06/05/2013 22:11, Alon Bar-Lev wrote:
From: "Barak Azulay" <bazulay@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Sandro Bonazzola" <sbonazzo@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "users" <users@ovirt.org> Sent: Monday, May 6, 2013 10:42:02 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl@redhat.com> wrote:
> Hello,
>
> I don't understand why you start discussion from start... there were some additional facts.
>
> So first answer:
> No we cannot assume we own the machine nor own the apache, nor own the postgresql. These assumptions made in the past were plain wrong and cause more harm than good, and eventually saved no resources nor efforts.
>
> At master we altered the ajp proxy configuration to be less intrusive[1][2].
>
> We split the http configuration into three:
> 1. Install ajp proxy per our URIs[1].
> 2. Optionally set root redirection from / to /ovirt-engine
> 3. Optionally configure mod_ssl with our certificate.

I don't know if this was already brought up,
There is a conflict between our configuration and IPA's. IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a conflict.
We can try move to mod_nss on upgrade and solve all issues
Barak
The fact that ovirt-engine depends on mod_ssl is a mistake... well, at least I think so. The product should not care how ssl is provided as long as it is provided.
Personally, I think that product should not attempt to configure ssl at all, but provide the instructions of how to do so... But nevertheless, let's try to keep this to avoid argument.
In case IPA is installed (and I really don't understand why should we care about IPA specifically, well, I actually do... as IPA makes the same faulty assumptions of 'owning' resources), the admin should just avoid selecting the 'set ovirt-engine as default page' and 'configure apache ssl', user should access ovirt-engine using: http://host/ovirt-engine
It should work as long as there are no URI conflicts between products as I listed in previous message.
Regards, Alon

On 08/05/2013 21:18, Alon Bar-Lev wrote:
Right. First, we need to support any installation not just rhel. Second, we can support only other well behaved products. Until recently we were not well behaved... well we still not fully because we do not have our own configurable URI namespace.
We cannot control which applications are installed on the same host, however we can:
1. postgresql: support skipping the automatic provisioning [supported in the otopi setup]
2. apache: do not enforce specific apache SSL implementation [to be done].
3. apache: support skipping the automatic SSL configuration [supported].
4. apache: support skipping the root redirect to ovirt application [supported in otopi setup]
5. apache: move application to own name space, example /ovirt-engine [to be done, I will be happy if you can help pushing this]
6. firewall: support skipping configuration [supported]
7. packaging: remove the versionlock usage.
8. packaging: support proper upgrade path, compatible with packaging best practices.
9. files: rename all utilities and public artifacts from engine-* to ovirt-engine-*
[more?]
If we do the above we are acting as well behaved application, and can co-exist with other well behaved applications.
Trying to set the point on this issue in order to start coding.

We split the http configuration into three:
1. Install ajp proxy per our URIs[1][2].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.

The mandatory apache configuration[1] does not alter any configuration file.
[1] http://gerrit.ovirt.org/13318
[2] http://gerrit.ovirt.org/14304

So there is no reason for checking if user has changed the http configuration for just forcing proxy.

About IPA conflicts if I've understood correctly there is only collision between mod_nss used by IPA and mod_ssl used if we enable mod_ssl configuration. It seems there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.

So, I can force proxy enabled and I can force SSL configuration disabled if IPA is detected. I can leave root redirection optional in any case.

otopi implementation already forces proxy enabled so there should be just to disable ssl if IPA is detected.

During the discussion about this bug it was suggested also to avoid to force dependency on mod_ssl or force migration to mod_nss during upgrade allowing ipa and engine to coexist. I don't think that that issue should be tracked by https://bugzilla.redhat.com/905754 so if there is the will to either drop dependency on mod_ssl or migrate to mod_nss please open a new bug about that.

That could solve also another question: what if IPA is installed after ovirt-engine?

In order to act as well behaved application, and co-exist with other well behaved applications there is more to do as Alon pointed out. I think that any point not satisfied in order to behave correctly needs a bug to be opened.

When we'll behave correctly I'll remove any check on IPA presence, totally ignoring it and removing any enforcement about its presence.

Am I missing something?

-- Sandro Bonazzola Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com

----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Friday, May 17, 2013 11:11:54 AM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 08/05/2013 21:18, Alon Bar-Lev wrote:
Right. First, we need to support any installation not just rhel. Second, we can support only other well behaved products. Until recently we were not well behaved... well we still not fully because we do not have our own configurable URI namespace.
We cannot control which applications are installed on the same host, however we can:
1. postgresql: support skipping the automatic provisioning [supported in the otopi setup]
2. apache: do not enforce specific apache SSL implementation [to be done].
3. apache: support skipping the automatic SSL configuration [supported].
4. apache: support skipping the root redirect to ovirt application [supported in otopi setup]
5. apache: move application to own name space, example /ovirt-engine [to be done, I will be happy if you can help pushing this]
6. firewall: support skipping configuration [supported]
7. packaging: remove the versionlock usage.
8. packaging: support proper upgrade path, compatible with packaging best practices.
9. files: rename all utilities and public artifacts from engine-* to ovirt-engine-*
[more?]
If we do the above we are acting as well behaved application, and can co-exist with other well behaved applications.
Trying to set the point on this issue in order to start coding.
We split the http configuration into three:
1. Install ajp proxy per our URIs[1][2].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.
The mandatory apache configuration[1] does not alter any configuration file.
[1] http://gerrit.ovirt.org/13318
[2] http://gerrit.ovirt.org/14304
So there is no reason for checking if user has changed the http configuration for just forcing proxy.
About IPA conflicts if I've understood correctly there is only collision between mod_nss used by IPA and mod_ssl used if we enable mod_ssl configuration. It seems there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.
So, I can force proxy enabled and I can force SSL configuration disabled if IPA is detected. I can leave root redirection optional in any case.
otopi implementation already force proxy enabled so there should be just to disable ssl if IPA is detected.
During the discussion about this bug it was suggested also to avoid to force dependency on mod_ssl or force migration to mod_nss during upgrade allowing ipa and engine to coexist. I don't think that that issue should be tracked by https://bugzilla.redhat.com/905754 so if there is the will to either drop dependency on mod_ssl or migrate to mod_nss please open a new bug about that.
Right. I just mentioned that so all will be aware of this abnormality.
That could solve also another question: what if IPA is installed after ovirt-engine?
In order to act as well behaved application, and co-exist with other well behaved applications there is more to do as Alon pointed out. I think that any point not satisfied in order to behave correctly need a bug to be opened.
When we'll behave correctly I'll remove any check on IPA presence, totally ignoring it and removing any enforcement about its presence.
Am I missing something?
I don't think so... just am not sure what is the answer in the past for post IPA installation... Thanks! Alon

On 19/05/2013 14:11, Alon Bar-Lev wrote:
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Friday, May 17, 2013 11:11:54 AM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 08/05/2013 21:18, Alon Bar-Lev wrote:
Right. First, we need to support any installation not just rhel. Second, we can support only other well behaved products. Until recently we were not well behaved... well we still not fully because we do not have our own configurable URI namespace.
We cannot control which applications are installed on the same host, however we can:
1. postgresql: support skipping the automatic provisioning [supported in the otopi setup]
2. apache: do not enforce specific apache SSL implementation [to be done].
3. apache: support skipping the automatic SSL configuration [supported].
4. apache: support skipping the root redirect to ovirt application [supported in otopi setup]
5. apache: move application to own name space, example /ovirt-engine [to be done, I will be happy if you can help pushing this]
6. firewall: support skipping configuration [supported]
7. packaging: remove the versionlock usage.
8. packaging: support proper upgrade path, compatible with packaging best practices.
9. files: rename all utilities and public artifacts from engine-* to ovirt-engine-* [more?]
If we do the above we are acting as well behaved application, and can co-exist with other well behaved applications.
Trying to set the point on this issue in order to start coding.
We split the http configuration into three:
1. Install ajp proxy per our URIs[1][2].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.
The mandatory apache configuration[1] does not alter any configuration file.
[1] http://gerrit.ovirt.org/13318
[2] http://gerrit.ovirt.org/14304
So there is no reason for checking if user has changed the http configuration for just forcing proxy.
About IPA conflicts if I've understood correctly there is only collision between mod_nss used by IPA and mod_ssl used if we enable mod_ssl configuration. It seems there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.
So, I can force proxy enabled and I can force SSL configuration disabled if IPA is detected. I can leave root redirection optional in any case.
otopi implementation already force proxy enabled so there should be just to disable ssl if IPA is detected.
During the discussion about this bug it was suggested also to avoid to force dependency on mod_ssl or force migration to mod_nss during upgrade allowing ipa and engine to coexist. I don't think that that issue should be tracked by https://bugzilla.redhat.com/905754 so if there is the will to either drop dependency on mod_ssl or migrate to mod_nss please open a new bug about that.
Right. I just mentioned that so all will be aware of this abnormality.
That could solve also another question: what if IPA is installed after ovirt-engine?
In order to act as well behaved application, and co-exist with other well behaved applications there is more to do as Alon pointed out. I think that any point not satisfied in order to behave correctly need a bug to be opened.
When we'll behave correctly I'll remove any check on IPA presence, totally ignoring it and removing any enforcement about its presence.
Am I missing something?
I don't think so... just am not sure what is the answer in the past for post IPA installation...
Thanks! Alon
I think I was missing something. I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl. So it is not possible having both IPA and the oVirt engine on the same host. This should answer also for post IPA installation for Fedora. I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
-- Sandro Bonazzola

----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:01:58 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
<snip>
I think I was missing something. I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl. So it is not possible having both IPA and the oVirt engine on the same host. This should answer also for post IPA installation for Fedora.
I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
We cannot warn... we attempt to configure it... and we do depend on it... So either it is installed before we run setup or we install it during(?!?!) setup. Alon

On 23/05/2013 16:19, Alon Bar-Lev wrote:
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:01:58 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754) <snip>
I think I was missing something. I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl. So it is not possible having both IPA and the oVirt engine on the same host. This should answer also for post IPA installation for Fedora.
I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
We cannot warn... we attempt to configure it... and we do depend on it... So either it is installed before we run setup or we install it during(?!?!) setup.
Alon
So let me try to revert the logic. Can't we drop the dependency on mod_ssl and warn that if you want SSL support you've to install mod_ssl allowing the user to abort, install the module and run engine-setup again?
-- Sandro Bonazzola

----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:26:19 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 23/05/2013 16:19, Alon Bar-Lev wrote:
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:01:58 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754) <snip>
I think I was missing something. I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl. So it is not possible having both IPA and the oVirt engine on the same host. This should answer also for post IPA installation for Fedora.
I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
We cannot warn... we attempt to configure it... and we do depend on it... So either it is installed before we run setup or we install it during(?!?!) setup.
Alon
So let me try to revert the logic. Can't we drop the dependency on mod_ssl and warn that if you want SSL support you've to install mod_ssl allowing the user to abort, install the module and run engine-setup again?
Right... this is just for 3.3... This matches the logic of multiple execution of setup to add new components :) Not sure this will be acceptable by those who like 'simple-on-click' installation. Regards. Alon

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com>, "Simon Grinberg" <simon@redhat.com> Sent: Thursday, May 23, 2013 6:07:31 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:26:19 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 23/05/2013 16:19, Alon Bar-Lev wrote:
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:01:58 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754) <snip>
I think I was missing something. I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl. So it is not possible having both IPA and the oVirt engine on the same host. This should answer also for post IPA installation for Fedora.
I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
We cannot warn... we attempt to configure it... and we do depend on it... So either it is installed before we run setup or we install it during(?!?!) setup.
Alon
So let me try to revert the logic. Can't we drop the dependency on mod_ssl and warn that if you want SSL support you've to install mod_ssl allowing the user to abort, install the module and run engine-setup again?
Right... this is just for 3.3...
This matches the logic of multiple execution of setup to add new components :)
Not sure this will be acceptable by those who like 'simple-on-click' installation.
Regards. Alon
Oh... sorry, we cannot work without SSL... it is not just a matter of support. We have to have valid SSL configuration or product will not work. Alon

On 23/05/2013 17:08, Alon Bar-Lev wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com>, "Simon Grinberg" <simon@redhat.com> Sent: Thursday, May 23, 2013 6:07:31 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:26:19 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 23/05/2013 16:19, Alon Bar-Lev wrote:
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:01:58 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754) <snip>
I think I was missing something. I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl. So it is not possible having both IPA and the oVirt engine on the same host. This should answer also for post IPA installation for Fedora.
I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
We cannot warn... we attempt to configure it... and we do depend on it... So either it is installed before we run setup or we install it during(?!?!) setup.
Alon
So let me try to revert the logic. Can't we drop the dependency on mod_ssl and warn that if you want SSL support you've to install mod_ssl allowing the user to abort, install the module and run engine-setup again?
Right... this is just for 3.3...
This matches the logic of multiple execution of setup to add new components :)
Not sure this will be acceptable by those who like 'simple-on-click' installation.
Regards. Alon
Oh... sorry, we cannot work without SSL... it is not just a matter of support.
We have to have valid SSL configuration or product will not work.
Alon
We need the configuration in place also if we don't use mod_ssl?
-- Sandro Bonazzola

----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com>, "Simon Grinberg" <simon@redhat.com> Sent: Thursday, May 23, 2013 6:11:01 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 23/05/2013 17:08, Alon Bar-Lev wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com>, "Simon Grinberg" <simon@redhat.com> Sent: Thursday, May 23, 2013 6:07:31 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:26:19 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 23/05/2013 16:19, Alon Bar-Lev wrote:
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:01:58 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754) <snip>
I think I was missing something. I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl. So it is not possible having both IPA and the oVirt engine on the same host. This should answer also for post IPA installation for Fedora.
I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
We cannot warn... we attempt to configure it... and we do depend on it... So either it is installed before we run setup or we install it during(?!?!) setup.
Alon
So let me try to revert the logic. Can't we drop the dependency on mod_ssl and warn that if you want SSL support you've to install mod_ssl allowing the user to abort, install the module and run engine-setup again?
Right... this is just for 3.3...
This matches the logic of multiple execution of setup to add new components :)
Not sure this will be acceptable by those who like 'simple-on-click' installation.
Regards. Alon
Oh... sorry, we cannot work without SSL... it is not just a matter of support.
We have to have valid SSL configuration or product will not work.
Alon
We need the configuration in place also if we don't use mod_ssl?
We need active SSL configuration, as the application automatically redirect users to https. Alon

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "Simon Grinberg" <simon@redhat.com> Sent: Thursday, May 23, 2013 6:18:39 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com>, "Simon Grinberg" <simon@redhat.com> Sent: Thursday, May 23, 2013 6:11:01 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 23/05/2013 17:08, Alon Bar-Lev wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Sandro Bonazzola" <sbonazzo@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com>, "Simon Grinberg" <simon@redhat.com> Sent: Thursday, May 23, 2013 6:07:31 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com> Sent: Thursday, May 23, 2013 5:26:19 PM Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
On 23/05/2013 16:19, Alon Bar-Lev wrote:
----- Original Message -----
> From: "Sandro Bonazzola" <sbonazzo@redhat.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "Alex Lourie" <alourie@redhat.com>
> Sent: Thursday, May 23, 2013 5:01:58 PM
> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
<snip>
> I think I was missing something.
> I don't know if other distro do the same, but on Fedora 18 freeipa-server has a package conflict with mod_ssl.
> So it is not possible having both IPA and the oVirt engine on the same host.
> This should answer also for post IPA installation for Fedora.
That should not be a problem. Don't forget that one of the popular use cases for virtualization is to resolve conflict in services while still using the same amount of hardware. Instead of investing a huge effort to resolve conflicts you segregate services into virtual machines that in turn can share the same physical server.
> I think the best thing to do here is just warn that we are requiring mod_ssl when enabling SSL support so any service that has conflicts like freeipa-server will have issues and let the administrator decide what to do.
We cannot warn... we attempt to configure it... and we do depend on it... So either it is installed before we run setup or we install it during(?!?!) setup.
Alon
So let me try to revert the logic. Can't we drop the dependency on mod_ssl and warn that if you want SSL support you've to install mod_ssl allowing the user to abort, install the module and run engine-setup again?
Right... this is just for 3.3...
This matches the logic of multiple execution of setup to add new components :)
Not sure this will be acceptable by those who like 'simple-on-click' installation.
No it won't - but it's a moot point by now
Regards. Alon
Oh... sorry, we cannot work without SSL... it is not just a matter of support.
We have to have valid SSL configuration or product will not work.
Alon
We need the configuration in place also if we don't use mod_ssl?
We need active SSL configuration, as the application automatically redirect users to https.
Alon
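A pre-flight check along the lines the thread converges on (proxy always on, mod_ssl left alone when freeipa-server is present, and a working HTTPS listener required either way), as an added example that is not part of the original messages or of oVirt's setup code. The function names, the `Plan` fields and the sample `httpd -M` output are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `httpd -M` output: a host where IPA's mod_nss is active.
SAMPLE_IPA_HOST = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)
 nss_module (shared)
"""

# Constructed sample: a plain host that already loads mod_ssl.
SAMPLE_PLAIN_HOST = """\
Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)
 ssl_module (shared)
"""

MODULE_LINE = re.compile(r"^\s*(\w+)\s+\((static|shared)\)\s*$")


def loaded_modules(httpd_m_output):
    """Return the set of module names listed in `httpd -M` output."""
    mods = set()
    for line in httpd_m_output.splitlines():
        match = MODULE_LINE.match(line)
        if match:
            mods.add(match.group(1))
    return mods


@dataclass
class Plan:
    configure_proxy: bool = True      # the AJP proxy is mandatory in the thread
    configure_mod_ssl: bool = False   # optional step, decided below
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def plan_http_setup(httpd_m_output, installed_packages):
    """Decide which Apache steps a setup run should take on this host."""
    mods = loaded_modules(httpd_m_output)
    pkgs = set(installed_packages)
    plan = Plan()

    if "proxy_ajp_module" not in mods:
        plan.errors.append("proxy_ajp_module is not loaded; the AJP proxy cannot work")

    tls_modules = {"ssl_module", "nss_module"} & mods
    if "freeipa-server" in pkgs:
        # freeipa-server conflicts with mod_ssl, so never touch mod_ssl here.
        plan.warnings.append("freeipa-server present: skipping mod_ssl configuration")
        if not tls_modules:
            # The application redirects users to https, so some TLS module
            # must already be serving it.
            plan.errors.append("no TLS module loaded; https redirect would fail")
    elif "mod_ssl" in pkgs:
        plan.configure_mod_ssl = True
    else:
        plan.errors.append("mod_ssl must be installed before setup can configure SSL")

    if len(tls_modules) == 2:
        plan.warnings.append("mod_ssl and mod_nss both loaded; check for certificate clashes")
    return plan


if __name__ == "__main__":
    for name, out, pkgs in [("ipa", SAMPLE_IPA_HOST, ["freeipa-server"]),
                            ("plain", SAMPLE_PLAIN_HOST, ["mod_ssl"])]:
        print(name, plan_http_setup(out, pkgs))
```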
participants (4): Alon Bar-Lev, Barak Azulay, Sandro Bonazzola, Simon Grinberg