
Hello,

we are subject to PCI-DSS. I have some questions. We currently have oVirt set up in our environment. We created 2 Datacenters:
- one with a cluster with hosted engine on gluster (Hyperconverged env) which represents the "LAN" part
- one with a cluster with gluster storage which is the DMZ

In PCI-DSS we have to secure communication (use HTTPS as much as possible). I saw that ovirt-ha-agent (on hosted-engine capable host) checks the status of the engine by sending a GET request to the hosted-engine on port 80 (the same check that hosted-engine --vm-status does, in fact). Since oVirt 4.2.2, with the introduction of gluster eventing, a new flow (HTTP POST request) is needed from gluster nodes to the engine. (In my case, it's a flow from the DMZ to the LAN part in HTTP (non secure).)

Here is my question. Is it possible to "harden" this part of the engine?

Another question out of PCI scope. Events like warnings and errors in the dashboard are cleaned each day. I tried to find which process did that (looked into /etc/cron.daily, root crontab, etc.) on the engine without success. Is there any maintenance task that is run periodically? Could we have the list of all the engine's tasks (regularly checking the status of hosts, VMs, storage), and also the frequency?

I would appreciate the help. (Great great product oVirt!) Thank you for your work! We did manage KVM hypervisors as standalone machines without all the power that libvirt provides. No need to spend a lot of money on licensing products (vSphere and co).

Any ideas, anyone? At least, could you please provide your opinion?

Regards,

On Sun, May 27, 2018 at 5:33 AM, Punaatua PK <punaatua.pk@gmail.com> wrote:
> Hello,
> we are subject to PCI-DSS. I have some questions. We currently have oVirt set up in our environment. We created 2 Datacenters:
> - one with a cluster with hosted engine on gluster (Hyperconverged env) which represents the "LAN" part
> - one with a cluster with gluster storage which is the DMZ
>
> In PCI-DSS we have to secure communication (use HTTPS as much as possible). I saw that ovirt-ha-agent (on hosted-engine capable host) checks the status of the engine by sending a GET request to the hosted-engine on port 80 (the same check that hosted-engine --vm-status does, in fact). Since oVirt 4.2.2, with the introduction of gluster eventing, a new flow (HTTP POST request) is needed from gluster nodes to the engine. (In my case, it's a flow from the DMZ to the LAN part in HTTP (non secure).)

If https is enabled, the webhook uses the https url to communicate. What does "gluster-eventsapi status" on any of the gluster nodes return?

> Here is my question. Is it possible to "harden" this part of the engine?
>
> Another question out of PCI scope. Events like warnings and errors in the dashboard are cleaned each day. I tried to find which process did that (looked into /etc/cron.daily, root crontab, etc.) on the engine without success. Is there any maintenance task that is run periodically? Could we have the list of all the engine's tasks (regularly checking the status of hosts, VMs, storage), and also the frequency?

The periodic jobs are run by the Quartz scheduler.

> I would appreciate the help. (Great great product oVirt!) Thank you for your work! We did manage KVM hypervisors as standalone machines without all the power that libvirt provides. No need to spend a lot of money on licensing products (vSphere and co).
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-leave@ovirt.org

On Sun, May 27, 2018 at 5:33 AM, Punaatua PK <punaatua.pk(a)gmail.com> wrote:
> If https is enabled, the webhook uses the https url to communicate. What does "gluster-eventsapi status" on any of the gluster nodes return?

[root@test ~]# gluster-eventsapi status
Webhooks: http://engine.local.com:80/ovirt-engine/services/glusterevents

+--------------+-------------+-----------------------+
| NODE         | NODE STATUS | GLUSTEREVENTSD STATUS |
+--------------+-------------+-----------------------+
| 10.17.14.153 | UP          | OK                    |
| 10.17.14.152 | UP          | OK                    |
| localhost    | UP          | OK                    |
+--------------+-------------+-----------------------+

The webhook is configured with http, not https. I think I can modify it to https but I don't know if the gluster events API can handle https (the CA may be asked).

> The periodic jobs are run by the Quartz scheduler.
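
A check for the situation shown in the status output above, as an added example that is not part of the original thread or of oVirt/gluster: it reads `gluster-eventsapi status` output and lists every registered webhook that is not an https:// URL. The first sample is the output quoted in the thread; the https URL in the second sample is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `gluster-eventsapi status` output for cleartext webhooks.

# Print every registered webhook URL that does not use https://.
# Reads the status output on stdin; exit status is 1 if any such URL is found.
insecure_webhooks() {
    awk '
        /^\+-/       { in_hooks = 0 }   # node table begins: webhook list is over
        /^Webhooks:/ { in_hooks = 1; sub(/^Webhooks:[ \t]*/, "") }
        in_hooks {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\// &&
                    tolower($i) !~ /^https:\/\//) {
                    print $i
                    bad = 1
                }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Sample 1: the output quoted in the thread (webhook registered over http).
sample_http() {
cat <<'EOF'
[root@test ~]# gluster-eventsapi status
Webhooks: http://engine.local.com:80/ovirt-engine/services/glusterevents

+--------------+-------------+-----------------------+
| NODE         | NODE STATUS | GLUSTEREVENTSD STATUS |
+--------------+-------------+-----------------------+
| 10.17.14.153 | UP          | OK                    |
+--------------+-------------+-----------------------+
EOF
}

# Sample 2 (constructed): the same node with the webhook registered over https.
sample_https() {
cat <<'EOF'
Webhooks:
https://engine.local.com:443/ovirt-engine/services/glusterevents

+--------------+-------------+-----------------------+
EOF
}

# On a gluster node, replace sample_http with: gluster-eventsapi status
if found=$(sample_http | insecure_webhooks); then
    echo "all webhooks use https"
else
    echo "cleartext webhook(s): $found"
fi
```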
participants (2): Punaatua PK, Sahina Bose