[Engine-devel] [Users] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)

Alon Bar-Lev alonbl at redhat.com
Wed May 8 14:28:28 UTC 2013



----- Original Message -----
> From: "Alon Bar-Lev" <alonbl at redhat.com>
> To: "Barak Azulay" <bazulay at redhat.com>
> Cc: "engine-devel" <engine-devel at ovirt.org>, "users" <users at ovirt.org>
> Sent: Wednesday, May 8, 2013 5:20:51 PM
> Subject: Re: [Users] [Engine-devel] 3.3 scratch or upgraded installation must use Apache	proxy
> (https://bugzilla.redhat.com/905754)
> 
> 
> 
> ----- Original Message -----
> > From: "Barak Azulay" <bazulay at redhat.com>
> > To: "Sandro Bonazzola" <sbonazzo at redhat.com>
> > Cc: "Alon Bar-Lev" <alonbl at redhat.com>, "engine-devel"
> > <engine-devel at ovirt.org>, "users" <users at ovirt.org>
> > Sent: Wednesday, May 8, 2013 4:00:34 PM
> > Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use
> > Apache	proxy
> > (https://bugzilla.redhat.com/905754)
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Sandro Bonazzola" <sbonazzo at redhat.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > Cc: "engine-devel" <engine-devel at ovirt.org>, "users" <users at ovirt.org>
> > > Sent: Wednesday, May 8, 2013 3:51:03 PM
> > > Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use
> > > Apache	proxy
> > > (https://bugzilla.redhat.com/905754)
> > > 
> > > Hello,
> > > if I've understood correctly then:
> > > - there is no reason for checking if user altered http configuration
> > > - proxy doesn't depend on any other related http configuration we do and
> > > does not alter any other configuration file, so we can do it without
> > > asking anything
> > > - if ipa is installed, engine-setup should issue a warning about it and
> > > default to No for 'set ovirt-engine as default page' and 'configure
> > > apache ssl'
> > 
> > 
> > AFAIU and I don't think it was changed, there is a conflict between IPA and
> > mod_ssl (they did it ugly ... not in rpm level... that was the status a
> > year
> > ago)
> > 
> > So it will not work, as long as we do not move to mod_nss.
> > 
> > In addition there was an issue with mod_proxy and using 2 different SSL
> > certificates (IPA & RHEV) on the same apache server.
> > 
> > 
> > please make sure all the above are solved.
> 
> I just do not understand why we treat IPA in special way... it is as if we
> need to have knowledge of every application out there that hacks the apache.

What if IPA is installed after ovirt-engine?

> 
> Playing nice with mod_nss and not force mod_ssl or actually any is a positive
> move.
> 
> Thanks,
> Alon
> 
> > 
> > 
> > Thanks
> > Barak
> > > 
> > > I think I've enough info.
> > > Thanks.
> > > 
> > > 
> > > > On 06/05/2013 22:11, Alon Bar-Lev wrote:
> > > >
> > > > ----- Original Message -----
> > > >> From: "Barak Azulay" <bazulay at redhat.com>
> > > >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > >> Cc: "Sandro Bonazzola" <sbonazzo at redhat.com>, "engine-devel"
> > > >> <engine-devel at ovirt.org>, "users" <users at ovirt.org>
> > > >> Sent: Monday, May 6, 2013 10:42:02 PM
> > > >> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must
> > > >> use
> > > >> Apache	proxy
> > > >> (https://bugzilla.redhat.com/905754)
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl at redhat.com> wrote:
> > > >>
> > > >>> Hello,
> > > >>>
> > > >>> I don't understand why you start discussion from start... there were
> > > >>> some
> > > >>> additional facts.
> > > >>>
> > > >>> So first answer:
> > > >>> No we cannot assume we own the machine nor own the apache, nor own
> > > >>> the
> > > >>> postgresql. These assumptions made in the past were plain wrong and
> > > >>> cause
> > > >>> more harm than good, and eventually saved no resources nor efforts.
> > > >>>
> > > >>> At master we altered the ajp proxy configuration to be less
> > > >>> intrusive[1][2].
> > > >>>
> > > >>> We split the http configuration into three:
> > > >>> 1. Install ajp proxy per our URIs[1].
> > > >>> 2. Optionally set root redirection from / to /ovirt-engine
> > > >>> 3. Optionally configure mod_ssl with our certificate.
> > > >> I don't know if this was already brought up,
> > > >>
> > > >> There is a conflict between our configuration and IPA's
> > > >> IPA uses mod_nss and we use mod_proxy and mod_ssl , and this creates a
> > > >> conflict.
> > > >>
> > > >> We can try move to mod_nss on upgrade and solve all issues
> > > >>
> > > >> Barak
> > > > The fact that ovirt-engine depends on mod_ssl is a mistake... well, at
> > > > least I think so.
> > > > The product should not care how ssl is provided as long as it is
> > > > provided.
> > > >
> > > > Personally, I think that product should not attempt to configure ssl at
> > > > > all, but provide the instructions of how to do so... But
> > > > > nevertheless,
> > > > let's try to keep this to avoid argument.
> > > >
> > > > In case IPA is installed (and I really don't understand why should we
> > > > care
> > > > about IPA specifically, well, I actually do... as IPA makes the same
> > > > faulty assumptions of 'owning' resources), the admin should just avoid
> > > > selecting the 'set ovirt-engine as default page' and 'configure apache
> > > > ssl', user should access ovirt-engine using:
> > > > http://host/ovirt-engine
> > > >
> > > > It should work as long as there are no URI conflicts between products
> > > > as
> > > > I
> > > > listed in previous message.
> > > >
> > > > Regards,
> > > > Alon
> > > >
> > > >>> The mandatory apache configuration[1] does not alter any
> > > >>> configuration
> > > >>> file, hence the chance of conflict is the chance of conflict between
> > > >>> ovirt-engine URIs and other product URIs.
> > > >>>
> > > >>> ovirt-engine URIs:
> > > >>> ---
> > > >>> /UserPortal
> > > >>> /OvirtEngineWeb
> > > >>> /webadmin
> > > >>> /docs
> > > >>> /spice
> > > >>> /ca.crt
> > > >>> /engine.ssh.key.txt
> > > >>> /rhevm.ssh.key.txt
> > > >>> /ovirt-engine-style.css
> > > >>> /console.vv
> > > >>> /api
> > > >>> /ovirt-engine
> > > >>> ---
> > > >>>
> > > >>> As we have done this without cooperation of developers we kept URIs
> > > >>> as-is.
> > > >>>
> > > >>> URIs that cannot be changed until next major:
> > > >>> /engine.ssh.key.txt
> > > >>> /rhevm.ssh.key.txt
> > > >>> /ca.crt
> > > >>> /api [I guess, although we can provide migration path alternative]
> > > >>>
> > > >>> All the other can be moved into /ovirt-engine with cooperation of
> > > >>> developers, especially UI and Virt developers, it should be easy to
> > > >>> do
> > > >>> this, and reduce the chance of conflict.
> > > >>>
> > > >>> Regards,
> > > >>> Alon Bar-Lev.
> > > >>>
> > > >>> [1] http://gerrit.ovirt.org/#/c/13318/
> > > >>> [2] http://gerrit.ovirt.org/#/c/14304/
> > > >>>
> > > >>> ----- Original Message -----
> > > >>>> From: "Sandro Bonazzola" <sbonazzo at redhat.com>
> > > >>>> To: "engine-devel" <engine-devel at ovirt.org>
> > > >>>> Cc: "users" <users at ovirt.org>
> > > >>>> Sent: Monday, May 6, 2013 6:32:08 PM
> > > >>>> Subject: [Engine-devel] 3.3 scratch or upgraded installation must
> > > >>>> use
> > > >>>> Apache    proxy
> > > >>>> (https://bugzilla.redhat.com/905754)
> > > >>>>
> > > >>>> Hi,
> > > >>>> I'm working on https://bugzilla.redhat.com/905754, trying to have
> > > >>>> Apache
> > > >>>> proxy in all 3.3 installations.
> > > >>>>
> > > >>>> I'm looking in the code and I've found a point where I'm in doubt
> > > >>>> about
> > > >>>> how to handle the case.
> > > > >>>> The current engine-setup implementation performs some checks that
> > > >>>> change
> > > >>>> the behavior of the installer documented as:
> > > >>>>
> > > >>>> 1. Check whether the relevant httpd configuration files were
> > > >>>> changed,
> > > >>>> as
> > > >>>> it's an indication for the setup that the httpd application is being
> > > > >>>> actively used, therefore we may need to ask (dynamic change) the
> > > >>>> user
> > > >>>> whether to override this configuration.
> > > >>>>
> > > >>>> 2. Check if IPA is installed and drop port 80/443 support. What the
> > > > >>>> script really does is setting OVERRIDE_HTTPD_CONFIG default to False
> > > >>>> in
> > > >>>> both cases and just for case 2 call also
> > > >>>> setHttpPortsToNonProxyDefault.
> > > >>>>
> > > >>>>
> > > >>>> About 1, if we can consider Apache "owned" by the engine we can drop
> > > >>>> any
> > > >>>> question to the user, else I think we need to ask what to do or
> > > >>>> abort
> > > >>>> the setup considering the configuration as unsupported.
> > > >>>>
> > > >>>> About 2, it seems that the best solution for that is to abort the
> > > >>>> setup
> > > >>>> if IPA is found on the same system where
> > > >>>> we're installing the engine.
> > > > >>>> As far as I've understood having IPA and engine on the same host is not
> > > >>>> a
> > > >>>> supported configuration.
> > > >>>>
> > > >>>>
> > > >>>> What do you think about this?
> > > >>>>
> > > >>>>
> > > >>>> --
> > > >>>> Sandro Bonazzola
> > > >>>> Better technology. Faster innovation. Powered by community
> > > >>>> collaboration.
> > > >>>> See how it works at redhat.com
> > > >>>>
> > > >>>> _______________________________________________
> > > >>>> Engine-devel mailing list
> > > >>>> Engine-devel at ovirt.org
> > > >>>> http://lists.ovirt.org/mailman/listinfo/engine-devel
> > > >>>>
> > > >>>
> > > >>>
> > > 
> > > 
> > > --
> > > Sandro Bonazzola
> > > Better technology. Faster innovation. Powered by community collaboration.
> > > See how it works at redhat.com
> > > 
> > > 
> > > 
> > > 
> > 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
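
The conflict condition stated in the quoted messages (an overlap between the ovirt-engine URIs and another product's URIs) can be checked against any Apache configuration fragment at any time, including one that appears after ovirt-engine is already set up. The following is an added example, not code from this thread or from the oVirt project; the function names, the sample fragment and the segment-wise prefix rule are assumptions made for illustration.

```python
import re

# ovirt-engine URIs as listed in the thread above.
ENGINE_URIS = ("/UserPortal /OvirtEngineWeb /webadmin /docs /spice /ca.crt "
               "/engine.ssh.key.txt /rhevm.ssh.key.txt "
               "/ovirt-engine-style.css /console.vv /api /ovirt-engine").split()

# Constructed fragment for a hypothetical co-installed application.
SAMPLE_CONF = """\
Alias /otherapp /usr/share/otherapp/html
<Location "/api/v2">
</Location>
ProxyPass /docs ajp://localhost:8009/docs
ProxyPassReverse /docs ajp://localhost:8009/docs
<Location /apiary>
</Location>
"""

# Directives whose first argument is a literal URL path.
_DIRECTIVE = re.compile(
    r"^\s*<?(Location|ProxyPass|Alias|ScriptAlias)\s+(\S+)", re.IGNORECASE)

def claimed_paths(conf_text):
    """Return (line_number, directive, url_path) for each literal URL path."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if m:
            path = m.group(2).rstrip(">").strip("\"'")
            if path.startswith("/"):  # skips regex forms such as <Location ~ ...>
                found.append((lineno, m.group(1), path))
    return found

def overlaps(a, b):
    """True when one path equals, or is a segment-wise prefix of, the other."""
    a, b = a.rstrip("/") or "/", b.rstrip("/") or "/"
    if "/" in (a, b):
        return True  # a root-level claim covers every URI
    short, long_ = sorted((a, b), key=len)
    return long_ == short or long_.startswith(short + "/")

def find_conflicts(conf_text, engine_uris=ENGINE_URIS):
    """List (line_number, directive, path, engine_uri) for overlapping claims."""
    return [(n, d, p, u) for n, d, p in claimed_paths(conf_text)
            for u in engine_uris if overlaps(p, u)]

if __name__ == "__main__":
    print(*find_conflicts(SAMPLE_CONF), sep="\n")
```

Regex-based directives (`LocationMatch`, `ProxyPassMatch`, `RewriteRule`) are not evaluated by this check and need manual review.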


