Michael DeHaan wrote:
> Justin Sherrill wrote:
>   
>> ---
>>  koan/app.py |   13 ++++++++++---
>>  1 files changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/koan/app.py b/koan/app.py
>> index f5f982f..e2b8e12 100755
>> --- a/koan/app.py
>> +++ b/koan/app.py
>> @@ -297,9 +297,16 @@ class Koan:
>>                      if uses_avahi:
>>                          print "- connecting to: %s" % server
>>                      try:
>> -                        # first try port 80
>> -                        self.xmlrpc_server = ServerProxy(url)
>> -                        self.xmlrpc_server.get_profiles()
>> +                        try:
>> +                            #first try port 443
>> +                            url = "https://%s:443/cobbler_api"; % (server)
>> +                            self.xmlrpc_server = ServerProxy(url)
>> +                            self.xmlrpc_server.get_profiles()
>> +                        except:
>> +                            #then try port 80
>> +                            url = "http://%s:80/cobbler_api"; % (server)
>> +                            self.xmlrpc_server = ServerProxy(url)
>> +                            self.xmlrpc_server.get_profiles()
>>                      except:
>>                          # now try specified port in case Apache proxying
>>                          # is not configured
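Review bot: the inner bare `except:` around the port 443 attempt turns every failure of the https call, including a certificate or handshake error, into a silent retry over plaintext `http://%s:80/cobbler_api`, so the caller cannot tell the connection was downgraded. Catch only the connection errors you expect there and print which URL was finally used, the way the Avahi branch already prints `- connecting to: %s`. Separately, both added `url = ...` lines are shown with a `;` between the format string and `% (server)`, which would not parse as written; the intended form is `url = "https://%s:443/cobbler_api" % (server)`.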
>>   
>>     
>
> Hi Justin,
>
> Thanks for submitting this.   Ideally we want the following.   It's a 
> bit more involved but should cover all of the possible options of the 
> koan XMLRPC being proxied through Apache or not, in case folks mess up 
> their Apache configurations or want more flexibility.
>
> * If COBBLER_PORT is in the environment, put that port and only that 
> port in the try_list, unless --port is defined, in which case, just use 
> that instead
> * By default, always try ports 443 and then 80, in that order  (call 
> this the port_try_list or something)
> * If --port is specified, try only that port (put only that port in the 
> port try list, and not 443 or 80)
>
> Then use the following logic to determine the try_url_list:
>
> * If --server is supplied, try http://server:port/cobbler_api and then 
> http://server:port for any ports we need to try
>   

For completeness:

https://server:port/cobbler_api
http://server:port/cobbler_api
https://server:port
http://server:port

Probably in that order.

I'd also be curious as to whether enabling an additional SSL port for 
Cobbler XMLRPC can be done /functionally/ with just using the Apache
self-signed certs, that is, what validation is enforced by the Python 
XMLRPC client.  I know for instance some language libraries are quite bad
about this and require decent certificates and importing things client 
side, and are quite a hassle to get anonymous SSL going.

(Previous comments about this benefit having marginal value still 
apply... we ultimately would want to see the kickstart transferred over
a secure channel and Anaconda to do SSL for packages for this to 
actually be "secure").

> * If --server=DISCOVER, use Avahi to find the server address and then 
> try ports we need to try for that server.
> * If --server is not set, see if we can load COBBLER_SERVER from the 
> environment, and then try as above.  
>
> I think the above patch you sent will never treat the "--port" value as 
> a possible https:// port, so if someone were to move their https:// 
> install to port 303 (for instance), they would not be able to use --port 
> to talk to it unless it were http://.
>
> FYI -- Newer cobbler installs will automatically set up the 
> COBBLER_SERVER environment variable in profiles.d, but I would recommend 
> Spacewalk still being explicit and not relying on this, as it's easy for 
> someone to remove this from their kickstart template either by design or 
> unintentionally, so it is best that it would still pass --server and 
> possibly --port to koan and not rely on that variable being present.
>
> Sound good?
>
> --Michael
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
>   
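The port and URL ordering described in this message, written out as an added example; it is not code from the thread or from koan. It uses Python 3 rather than koan's Python 2, the function names, the `discover` hook and the `probe` callable are hypothetical, and trying all four URLs for one port before moving to the next port is an assumption.

```python
import os

DEFAULT_PORTS = [443, 80]      # default order given in the thread
SCHEMES = ["https", "http"]    # https is always tried first
PATHS = ["/cobbler_api", ""]   # Apache-proxied path first, then bare server


def port_try_list(cli_port=None, environ=os.environ):
    """--port wins, then COBBLER_PORT, otherwise 443 and then 80."""
    if cli_port is not None:
        return [int(cli_port)]
    if "COBBLER_PORT" in environ:
        return [int(environ["COBBLER_PORT"])]
    return list(DEFAULT_PORTS)


def resolve_server(cli_server=None, environ=os.environ, discover=None):
    """--server, Avahi when it is DISCOVER, else COBBLER_SERVER."""
    if cli_server == "DISCOVER":
        if discover is None:
            raise ValueError("no discovery function supplied")
        return discover()      # hypothetical hook standing in for Avahi
    if cli_server:
        return cli_server
    if "COBBLER_SERVER" in environ:
        return environ["COBBLER_SERVER"]
    raise ValueError("no --server given and COBBLER_SERVER is not set")


def try_url_list(server, ports):
    """Per port: https+path, http+path, https bare, http bare."""
    return ["%s://%s:%d%s" % (scheme, server, port, path)
            for port in ports for path in PATHS for scheme in SCHEMES]


def first_working(urls, probe):
    """Return (url, is_plaintext) for the first URL the probe accepts.

    probe(url) is a hypothetical callable: True when an XMLRPC call such
    as get_profiles() succeeds, OSError (ssl.SSLError included) on failure.
    """
    for url in urls:
        try:
            if probe(url):
                return url, url.startswith("http://")
        except OSError:
            continue           # only connection-level failures fall through
    raise RuntimeError("no cobbler endpoint reachable: %r" % (urls,))
```

The `is_plaintext` flag lets the caller report when the endpoint that answered was not the https one, instead of falling back silently.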
