How to add imageio configuration into engine?
Hi, I'd like to add imageio configuration into engine. Previously, it was done by dedicated setup code in imageio-proxy [1], but in new imageio we remove the proxy package and to configure imageio for engine we need just to place firewalld and imageio config files into proper place. Initial idea was to do it directly in engine spec file, but it seems to me that configuration of the engine is done by dedicated packages and custom code. Ansible roles in packaging/ansible-runner-service-project seem to be only for host configuration. What is a proper way how to configure imageio? Thanks Vojta [1] https://github.com/oVirt/ovirt-imageio/tree/master/proxy/setup
On Mon, Apr 6, 2020 at 7:49 PM Vojtech Juranek <vjuranek@redhat.com> wrote:
Hi, I'd like to add imageio configuration into engine. Previously, it was done by dedicated setup code in imageio-proxy [1], but in new imageio we remove the proxy package and to configure imageio for engine we need just to place firewalld and imageio config files into proper place.
Initial idea was to do it directly in engine spec file, but it seems to me that configuration of the engine is done by dedicated packages and custom code. Ansible roles in packaging/ansible-runner-service-project seem to be only for host configuration.
What is a proper way how to configure imageio?
More correctly, how to configure engine for using imageio daemon. In the past we supported these options: - configuration without imageio proxy. This does not make sense since without the proxy you cannot upload images from the UI. We don't want to support such configuration. The imageio proxy must always be available, and there is nothing which is user configurable (in the context of engine setup). - proxy address. This configuration is not needed since the only supported configuration is proxy installed on the engine host, and engine already knows it's address. - certificates - in the past we created certificates and key for the proxy. This has been a constant source of trouble. Recently Didi switched to using apache pki files. There is no need to support other configurations. If users want to change the certificates, they can edit the imageio daemon configuration file. imageio provides a sample configuration file, and leaves the actual configuration to the user of the package. We have 2 users - vdsm and engine. Vdsm handles imageio configuration by installing the static configuration files in the spec. I don't see why engine cannot use the same simple solution. However if engine needs special configuration code (e.g. engine setup plugin), it must be part of engine repo and maintained by engine maintainers. The configuration for using imageio in engine: - tls - paths to apache certificates - remote port - always 54323 - control port - accessible only locally, TBD The remote port must be open in the engine host firewall, and requires another static file for firewalld rule. Vojta, can you share a working configuration file and firewalld rule, or post a patch adding them to engine? Nir
On Mon, Apr 6, 2020 at 7:43 PM Nir Soffer <nsoffer@redhat.com> wrote:
On Mon, Apr 6, 2020 at 7:49 PM Vojtech Juranek <vjuranek@redhat.com> wrote:
Hi, I'd like to add imageio configuration into engine. Previously, it was
dedicated setup code in imageio-proxy [1], but in new imageio we remove
done by the
proxy package and to configure imageio for engine we need just to place firewalld and imageio config files into proper place.
We should probably also add imageio dependency to the engine spec file, because I understand that imageio proxy running on engine is always required, right?
Initial idea was to do it directly in engine spec file, but it seems to
me
that configuration of the engine is done by dedicated packages and custom code. Ansible roles in packaging/ansible-runner-service-project seem to be only for host configuration.
What is a proper way how to configure imageio?
All engine and related services configuration is performed via engine-setup, which is based on otopi.
More correctly, how to configure engine for using imageio daemon.
Please write a plugin to engine-setup which will handle imageio proxy configuration
In the past we supported these options:
- configuration without imageio proxy. This does not make sense since without the proxy you cannot upload images from the UI. We don't want to support such configuration. The imageio proxy must always be available, and there is nothing which is user configurable (in the context of engine setup).
- proxy address. This configuration is not needed since the only supported configuration is proxy installed on the engine host, and engine already knows it's address.
- certificates - in the past we created certificates and key for the proxy. This has been a constant source of trouble. Recently Didi switched to using apache pki files. There is no need to support other configurations. If users want to change the certificates, they can edit the imageio daemon configuration file.
Well, you need to support not only engine CA and engine certificate, but also custom engine HTTPS certificate signed by custom CA in the same way as engine: https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html So even if proxy is going to use the same custom certificate and CA as engine, we at least need to update documentation with the need to restart imageio service on the host. And more thing: are all clients connecting only to imageio proxy on engine or is there any connection directly to imageio running on the host?
imageio provides a sample configuration file, and leaves the actual configuration to the user of the package. We have 2 users - vdsm and engine.
Vdsm handles imageio configuration by installing the static configuration files in the spec. I don't see why engine cannot use the same simple solution. However if engine needs special configuration code (e.g. engine setup plugin), it must be part of engine repo and maintained by engine maintainers.
The configuration for using imageio in engine: - tls - paths to apache certificates - remote port - always 54323 - control port - accessible only locally, TBD
The remote port must be open in the engine host firewall, and requires another static file for firewalld rule.
Every engine configuration is handled within engine-setup, so please write a plugin for engine-setup to configure imageio proxy on engine
Vojta, can you share a working configuration file and firewalld rule, or post a patch adding them to engine?
Nir _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/NLV2DRTUAFY2WW...
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.
On Tue, Apr 7, 2020 at 12:44 AM Martin Perina <mperina@redhat.com> wrote:
On Mon, Apr 6, 2020 at 7:43 PM Nir Soffer <nsoffer@redhat.com> wrote:
On Mon, Apr 6, 2020 at 7:49 PM Vojtech Juranek <vjuranek@redhat.com> wrote:
Hi, I'd like to add imageio configuration into engine. Previously, it was done by dedicated setup code in imageio-proxy [1], but in new imageio we remove the proxy package and to configure imageio for engine we need just to place firewalld and imageio config files into proper place.
We should probably also add imageio dependency to the engine spec file, because I understand that imageio proxy running on engine is always required, right?
Initial idea was to do it directly in engine spec file, but it seems to me that configuration of the engine is done by dedicated packages and custom code. Ansible roles in packaging/ansible-runner-service-project seem to be only for host configuration.
What is a proper way how to configure imageio?
All engine and related services configuration is performed via engine-setup, which is based on otopi.
More correctly, how to configure engine for using imageio daemon.
Please write a plugin to engine-setup which will handle imageio proxy configuration
You already have that in imageio git repo, under proxy/setup/ . You'll have to adapt it to the new structure, obviously.
In the past we supported these options:
- configuration without imageio proxy. This does not make sense since without the proxy you cannot upload images from the UI. We don't want to support such configuration. The imageio proxy must always be available, and there is nothing which is user configurable (in the context of engine setup).
- proxy address. This configuration is not needed since the only supported configuration is proxy installed on the engine host, and engine already knows it's address.
- certificates - in the past we created certificates and key for the proxy. This has been a constant source of trouble. Recently Didi switched to using apache pki files. There is no need to support other configurations. If users want to change the certificates, they can edit the imageio daemon configuration file.
Well, you need to support not only engine CA and engine certificate, but also custom engine HTTPS certificate signed by custom CA in the same way as engine:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
So even if proxy is going to use the same custom certificate and CA as engine, we at least need to update documentation with the need to restart imageio service on the host.
And more thing: are all clients connecting only to imageio proxy on engine or is there any connection directly to imageio running on the host?
imageio provides a sample configuration file, and leaves the actual configuration to the user of the package. We have 2 users - vdsm and engine.
Vdsm handles imageio configuration by installing the static configuration files in the spec. I don't
Who/What enables the service on hosts? Is it enabled by default?
see why engine cannot use the same simple solution. However if engine needs special configuration
For one, something needs to enable it. You can't start (and therefore enable) it before engine-setup runs, because you need key/cert. So at least this must be done in engine-setup and not in spec.
code (e.g. engine setup plugin), it must be part of engine repo and maintained by engine maintainers.
Up until now, engine-setup plugins for the various projects was usually (but not always, admittedly) in the projects' git repos, and maintained by these projects. In some cases, we (integration team) helped these projects by pushing and reviewing patches etc. I do not mind that much, personally. Each location has its own pros/cons. Major con for putting anything in the engine git repo is having to wait for a full engine build in CI for each unrelated change to your setup code...
The configuration for using imageio in engine: - tls - paths to apache certificates - remote port - always 54323 - control port - accessible only locally, TBD
The remote port must be open in the engine host firewall, and requires another static file for firewalld rule.
That's already done by: proxy/setup/plugins/ovirt-engine-setup/ovirt_imageio_proxy/config.py proxy/setup/data/ovirt-imageio-proxy.xml.in
Every engine configuration is handled within engine-setup, so please write a plugin for engine-setup to configure imageio proxy on engine
Vojta, can you share a working configuration file and firewalld rule, or post a patch adding them to engine?
I'd personally keep the setup code inside imageio git repo, as explained above. Please ping me for any help needed! Good luck and best regards, -- Didi
participants (4)
-
Martin Perina -
Nir Soffer -
Vojtech Juranek -
Yedidyah Bar David