[Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
Sandro Bonazzola
sbonazzo at redhat.com
Fri May 17 08:11:54 UTC 2013
Il 08/05/2013 21:18, Alon Bar-Lev ha scritto:
> Right.
> First, we need to support any installation not just rhel.
> Second, we can support only other well behaved products.
> Until recently we were not well behaved... well we still not fully because we do not have our own configurable URI namespace.
>
> We cannot control which applications are installed on the same host, however we can:
>
> 1. postgresql: support skipping the automatic provisioning [supported in the otopi setup]
> 2. apache: do not enforce specific apache SSL implementation [to be done].
> 3. apache: support skipping the automatic SSL configuration [supported].
> 4. apache: support skipping the root redirect to ovirt application [supported in otopi setup]
> 5. apache: move application to own name space, example /ovirt-engine [to be done, I will be happy if you can help pushing this]
> 6. firewall: support skipping configuration [supported]
> 7. packaging: remove the versionlock usage.
> 8. packaging: support proper upgrade path, compatible with packaging best practices.
> 9. files: rename all utilities and public artifacts from engine-* to ovirt-engine-*
> [more?]
>
> If we do the above we are acting as well behaved application, and can co-exist with other well behaved applications.
Trying to set the point on this issue in order to start coding.
We split the http configuration into three:
1. Install ajp proxy per our URIs[1][2].
2. Optionally set root redirection from / to /ovirt-engine
3. Optionally configure mod_ssl with our certificate.
The mandatory apache configuration[1] does not alter any configuration file.
[1] http://gerrit.ovirt.org/13318
[2] http://gerrit.ovirt.org/14304
So there is no reason for checking if user has changed the http
configuration for just forcing proxy.
About IPA conflicts if I've understood correctly there is only collision
between mod_nss used by IPA and mod_ssl used if we enable mod_ssl
configuration.
It seems there was an issue with mod_proxy and using 2 different SSL
certificates (IPA & RHEV) on the same apache server.
So, I can force proxy enabled and I can force SSL configuration disabled
if IPA is detected.
I can leave root redirection optional in any case.
otopi implementation already force proxy enabled so there should be just
to disable ssl if IPA is detected.
During the discussion about this bug it was suggested also to avoid to
force dependency on mod_ssl or force migration to mod_nss during upgrade
allowing ipa and engine to coexist. I don't think that that issue should
be tracked by https://bugzilla.redhat.com/905754 so if there is the will
to either drop dependency on mod_ssl or migrate to mod_nss please open a
new bug about that.
That could solve also another question: what if IPA is installed after
ovirt-engine?
In order to act as well behaved application, and co-exist with other
well behaved applications there is more to do as Alon pointed out.
I think that any point not satisfied in order to behave correctly need a
bug to be opened.
When we'll behave correctly I'll remove any check on IPA presence,
totally ignoring it and removing any enforcement about its presence.
Am I missing something?
--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
More information about the Engine-devel
mailing list