[Users] [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)

Alon Bar-Lev alonbl at redhat.com
Mon May 6 20:11:58 UTC 2013



----- Original Message -----
> From: "Barak Azulay" <bazulay at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Sandro Bonazzola" <sbonazzo at redhat.com>, "engine-devel" <engine-devel at ovirt.org>, "users" <users at ovirt.org>
> Sent: Monday, May 6, 2013 10:42:02 PM
> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy
> (https://bugzilla.redhat.com/905754)
> 
> On May 6, 2013, at 19:45, Alon Bar-Lev <alonbl at redhat.com> wrote:
> 
> > Hello,
> > 
> > I don't understand why you start the discussion from the start... there were some
> > additional facts.
> > 
> > So first answer:
> > No, we cannot assume we own the machine nor own the apache, nor own the
> > postgresql. These assumptions made in the past were plain wrong and caused
> > more harm than good, and eventually saved no resources nor efforts.
> > 
> > At master we altered the ajp proxy configuration to be less
> > intrusive[1][2].
> > 
> > We split the http configuration into three:
> > 1. Install ajp proxy per our URIs[1].
> > 2. Optionally set root redirection from / to /ovirt-engine
> > 3. Optionally configure mod_ssl with our certificate.
> 
> I don't know if this was already brought up,
> 
> There is a conflict between our configuration and IPA's.
> IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a
> conflict.
> 
> We can try to move to mod_nss on upgrade and solve all issues.
> 
> Barak

The fact that ovirt-engine depends on mod_ssl is a mistake... well, at least I think so.
The product should not care how ssl is provided as long as it is provided.

Personally, I think that the product should not attempt to configure ssl at all, but provide the instructions of how to do so... But nevertheless, let's try to keep this to avoid argument.

In case IPA is installed (and I really don't understand why we should care about IPA specifically, well, I actually do... as IPA makes the same faulty assumptions of 'owning' resources), the admin should just avoid selecting the 'set ovirt-engine as default page' and 'configure apache ssl'; the user should access ovirt-engine using:
http://host/ovirt-engine

It should work as long as there are no URI conflicts between products, as I listed in the previous message.

Regards,
Alon

> > 
> > The mandatory apache configuration[1] does not alter any configuration
> > file, hence the chance of conflict is the chance of conflict between
> > ovirt-engine URIs and other product URIs.
> > 
> > ovirt-engine URIs:
> > ---
> > /UserPortal
> > /OvirtEngineWeb
> > /webadmin
> > /docs
> > /spice
> > /ca.crt
> > /engine.ssh.key.txt
> > /rhevm.ssh.key.txt
> > /ovirt-engine-style.css
> > /console.vv
> > /api
> > /ovirt-engine
> > ---
> > 
> > As we have done this without cooperation of developers we kept URIs as-is.
> > 
> > URIs that cannot be changed until next major:
> > /engine.ssh.key.txt
> > /rhevm.ssh.key.txt
> > /ca.crt
> > /api [I guess, although we can provide migration path alternative]
> > 
> > All the others can be moved into /ovirt-engine with cooperation of
> > developers, especially UI and Virt developers; it should be easy to do
> > this, and reduce the chance of conflict.
> > 
> > Regards,
> > Alon Bar-Lev.
> > 
> > [1] http://gerrit.ovirt.org/#/c/13318/
> > [2] http://gerrit.ovirt.org/#/c/14304/
> > 
> > ----- Original Message -----
> >> From: "Sandro Bonazzola" <sbonazzo at redhat.com>
> >> To: "engine-devel" <engine-devel at ovirt.org>
> >> Cc: "users" <users at ovirt.org>
> >> Sent: Monday, May 6, 2013 6:32:08 PM
> >> Subject: [Engine-devel] 3.3 scratch or upgraded installation must use
> >> Apache proxy
> >> (https://bugzilla.redhat.com/905754)
> >> 
> >> Hi,
> >> I'm working on https://bugzilla.redhat.com/905754, trying to have Apache
> >> proxy in all 3.3 installations.
> >> 
> >> I'm looking in the code and I've found a point where I'm in doubt about
> >> how to handle the case.
> >> The current engine-setup implementation performs some checks that change
> >> the behavior of the installer documented as:
> >> 
> >> 1. Check whether the relevant httpd configuration files were changed, as
> >> it's an indication for the setup that the httpd application is being
> >> actively used. Therefore we may need to ask (dynamic change) the user
> >> whether to override this configuration.
> >> 
> >> 2. Check if IPA is installed and drop port 80/443 support. What the
> >> script really does is set OVERRIDE_HTTPD_CONFIG default to False in
> >> both cases and, just for case 2, also call setHttpPortsToNonProxyDefault.
> >> 
> >> 
> >> About 1, if we can consider Apache "owned" by the engine we can drop any
> >> question to the user, else I think we need to ask what to do or abort
> >> the setup considering the configuration as unsupported.
> >> 
> >> About 2, it seems that the best solution for that is to abort the setup
> >> if IPA is found on the same system where
> >> we're installing the engine.
> >> As far as I've understood, having IPA and engine on the same host is not a
> >> supported configuration.
> >> 
> >> 
> >> What do you think about this?
> >> 
> >> 
> >> --
> >> Sandro Bonazzola
> >> Better technology. Faster innovation. Powered by community collaboration.
> >> See how it works at redhat.com
> >> 
> >> _______________________________________________
> >> Engine-devel mailing list
> >> Engine-devel at ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/engine-devel
> >> 
> 
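
The URI-conflict condition described in the message above, as an added example that is not part of the original thread or of ovirt-engine: a check that scans another product's Apache configuration for URL prefixes overlapping the ovirt-engine URIs listed in the thread. The sample configuration is constructed, the function names are hypothetical, matching is assumed to be by whole path segment, and regex directives (`LocationMatch`, `AliasMatch`, `RewriteRule`) are not evaluated.

```python
# ovirt-engine URIs exactly as listed in the thread
OVIRT_URIS = [
    "/UserPortal", "/OvirtEngineWeb", "/webadmin", "/docs", "/spice",
    "/ca.crt", "/engine.ssh.key.txt", "/rhevm.ssh.key.txt",
    "/ovirt-engine-style.css", "/console.vv", "/api", "/ovirt-engine",
]

# Apache directives whose first "/..." argument is a URL prefix they claim
PREFIX_DIRECTIVES = {"location", "alias", "scriptalias", "proxypass", "redirect"}


def claimed_paths(conf_text):
    """Yield (line number, directive, URL prefix) for each prefix directive."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue
        tokens = line.strip("<>").replace('"', "").split()
        if not tokens or tokens[0].lower() not in PREFIX_DIRECTIVES:
            continue
        # Skips optional arguments such as the status in "Redirect permanent /x ..."
        path = next((t for t in tokens[1:] if t.startswith("/")), None)
        if path:
            yield lineno, tokens[0], path


def overlaps(a, b):
    """True when one URL prefix equals or contains the other, by path segment."""
    a, b = a.rstrip("/"), b.rstrip("/")
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def find_conflicts(conf_text, owned=OVIRT_URIS):
    """Return (line, directive, claimed prefix, ovirt-engine URI) per overlap."""
    return [(n, d, p, u) for n, d, p in claimed_paths(conf_text)
            for u in owned if overlaps(p, u)]


# Constructed sample of another product's conf.d file (not a real product's config)
SAMPLE = """\
# constructed sample
<Location "/ipa">
    AuthType Kerberos
</Location>
Alias /docs /usr/share/doc/other-product/html
ProxyPass /api/v1 ajp://localhost:8010/api/v1
Alias /apidocs /usr/share/doc/other-product/api
"""

if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE):
        print("line %d: %s %s overlaps ovirt-engine URI %s" % hit)
```

A directive that claims `/` overlaps every listed URI, which is the case the optional root redirection in the thread is meant to keep under the administrator's control.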


