On Tue, Apr 7, 2020 at 12:44 AM Martin Perina <mperina(a)redhat.com> wrote:
On Mon, Apr 6, 2020 at 7:43 PM Nir Soffer <nsoffer(a)redhat.com> wrote:
>
> On Mon, Apr 6, 2020 at 7:49 PM Vojtech Juranek <vjuranek(a)redhat.com> wrote:
> >
> > Hi,
> > I'd like to add imageio configuration into engine. Previously, it was done by
> > dedicated setup code in imageio-proxy [1], but in new imageio we remove the
> > proxy package and to configure imageio for engine we need just to place
> > firewalld and imageio config files into proper place.
We should probably also add imageio dependency to the engine spec file, because I
understand that imageio proxy running on engine is always required, right?
>
> >
> > Initial idea was to do it directly in engine spec file, but it seems to me
> > that configuration of the engine is done by dedicated packages and custom
> > code. Ansible roles in packaging/ansible-runner-service-project seem to be
> > only for host configuration.
> >
> > What is a proper way to configure imageio?
All engine and related services configuration is performed via engine-setup, which is
based on otopi.
>
>
> More correctly, how to configure engine for using imageio daemon.
Please write a plugin to engine-setup which will handle imageio proxy configuration.
You already have that in imageio git repo, under proxy/setup/ . You'll
have to adapt it to the new structure, obviously.
>
>
> In the past we supported these options:
>
> - configuration without imageio proxy. This does not make sense since
> without the proxy you cannot
> upload images from the UI. We don't want to support such
> configuration. The imageio proxy must always
> be available, and there is nothing which is user configurable (in the
> context of engine setup).
>
> - proxy address. This configuration is not needed since the only
> supported configuration is proxy
> installed on the engine host, and engine already knows its address.
>
> - certificates - in the past we created certificates and key for the
> proxy. This has been a constant source
> of trouble. Recently Didi switched to using apache pki files. There
> is no need to support other
> configurations. If users want to change the certificates, they can
> edit the imageio daemon
> configuration file.
Well, you need to support not only engine CA and engine certificate, but also custom
engine HTTPS certificate signed by custom CA in the same way as engine:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
So even if proxy is going to use the same custom certificate and CA as engine, we at
least need to update documentation with the need to restart imageio service on the host.
And one more thing: are all clients connecting only to imageio proxy on engine or is there
any connection directly to imageio running on the host?
>
> imageio provides a sample configuration file, and leaves the actual
> configuration to the user of the
> package. We have 2 users - vdsm and engine.
>
> Vdsm handles imageio configuration by installing the static
> configuration files in the spec. I don't
Who/What enables the service on hosts? Is it enabled by default?
> see why engine cannot use the same simple solution. However if engine
> needs special configuration
For one, something needs to enable it. You can't start (and therefore
enable) it before engine-setup runs, because you need key/cert. So at least
this must be done in engine-setup and not in spec.
> code (e.g. engine setup plugin), it must be part of engine repo and
> maintained by engine maintainers.
Up until now, engine-setup plugins for the various projects were usually
(but not always, admittedly) in the projects' git repos, and maintained
by these projects. In some cases, we (integration team) helped these
projects by pushing and reviewing patches etc.
I do not mind that much, personally. Each location has its own pros/cons.
Major con for putting anything in the engine git repo is having to wait
for a full engine build in CI for each unrelated change to your setup code...
>
>
> The configuration for using imageio in engine:
> - tls - paths to apache certificates
> - remote port - always 54323
> - control port - accessible only locally, TBD
>
>
> The remote port must be open in the engine host firewall, and requires
> another static file for firewalld rule.
That's already done by:
proxy/setup/plugins/ovirt-engine-setup/ovirt_imageio_proxy/config.py
proxy/setup/data/ovirt-imageio-proxy.xml.in
Every engine configuration is handled within engine-setup, so please write a plugin for
engine-setup to configure imageio proxy on engine.
>
>
> Vojta, can you share a working configuration file and firewalld rule,
> or post a patch adding them to
> engine?
I'd personally keep the setup code inside imageio git repo, as
explained above. Please ping me for any help needed!
Good luck and best regards,
--
Didi