----- Original Message -----
> From: "Sandro Bonazzola" <[email protected]>
> To: "Alon Bar-Lev" <[email protected]>
> Cc: "engine-devel" <[email protected]>, "users" <[email protected]>
> Sent: Wednesday, May 8, 2013 3:51:03 PM
> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use
> Apache proxy
> (https://bugzilla.redhat.com/905754)
>
> Hello,
> if I've understood correctly then:
> - there is no reason for checking if user altered http configuration
> - proxy doesn't depend on any other related http configuration we do and
> does not alter any other configuration file, so we can do it without
> asking anything
> - if ipa is installed, engine-setup should issue a warning about it and
> default to No for 'set ovirt-engine as default page' and 'configure
> apache ssl'

AFAIU and I don't think it was changed, there is a conflict between IPA and mod_ssl (they did it ugly ... not in rpm level... that was the status a year ago)
SO it will not work, as long as we do not move to mod_nss.

In addition there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server.

Please make sure all the above are solved.

Thanks
Barak

>
> I think I've enough info.
> Thanks.
>
>
> On 06/05/2013 22:11, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Barak Azulay" <[email protected]>
> >> To: "Alon Bar-Lev" <[email protected]>
> >> Cc: "Sandro Bonazzola" <[email protected]>, "engine-devel"
> >> <[email protected]>, "users" <[email protected]>
> >> Sent: Monday, May 6, 2013 10:42:02 PM
> >> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use
> >> Apache proxy
> >> (https://bugzilla.redhat.com/905754)
> >>
> >> On May 6, 2013, at 19:45, Alon Bar-Lev <[email protected]> wrote:
> >>
> >>> Hello,
> >>>
> >>> I don't understand why you start discussion from start... there were some
> >>> additional facts.
> >>>
> >>> So first answer:
> >>> No we cannot assume we own the machine nor own the apache, nor own the
> >>> postgresql. These assumptions made in the past were plain wrong and cause
> >>> more harm than good, and eventually saved no resources nor efforts.
> >>>
> >>> At master we altered the ajp proxy configuration to be less
> >>> intrusive[1][2].
> >>>
> >>> We split the http configuration into three:
> >>> 1. Install ajp proxy per our URIs[1].
> >>> 2. Optionally set root redirection from / to /ovirt-engine
> >>> 3. Optionally configure mod_ssl with our certificate.
> >> I don't know if this was already brought up,
> >>
> >> There is a conflict between our configuration and IPA's
> >> IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a
> >> conflict.
> >>
> >> We can try move to mod_nss on upgrade and solve all issues
> >>
> >> Barak
> > The fact that ovirt-engine depends on mod_ssl is a mistake... well, at
> > least I think so.
> > The product should not care how ssl is provided as long as it is provided.
> >
> > Personally, I think that product should not attempt to configure ssl at
> > all, but provide the instructions of how to do so... But nevertheless,
> > let's try to keep this to avoid argument.
> >
> > In case IPA is installed (and I really don't understand why should we care
> > about IPA specifically, well, I actually do... as IPA makes the same
> > faulty assumptions of 'owning' resources), the admin should just avoid
> > selecting the 'set ovirt-engine as default page' and 'configure apache
> > ssl', user should access ovirt-engine using:
> > http://host/ovirt-engine
> >
> > It should work as long as there are no URI conflicts between products as I
> > listed in previous message.
> >
> > Regards,
> > Alon
> >
> >>> The mandatory apache configuration[1] does not alter any configuration
> >>> file, hence the chance of conflict is the chance of conflict between
> >>> ovirt-engine URIs and other product URIs.
> >>>
> >>> ovirt-engine URIs:
> >>> ---
> >>> /UserPortal
> >>> /OvirtEngineWeb
> >>> /webadmin
> >>> /docs
> >>> /spice
> >>> /ca.crt
> >>> /engine.ssh.key.txt
> >>> /rhevm.ssh.key.txt
> >>> /ovirt-engine-style.css
> >>> /console.vv
> >>> /api
> >>> /ovirt-engine
> >>> ---
> >>>
> >>> As we have done this without cooperation of developers we kept URIs
> >>> as-is.
> >>>
> >>> URIs that cannot be changed until next major:
> >>> /engine.ssh.key.txt
> >>> /rhevm.ssh.key.txt
> >>> /ca.crt
> >>> /api [I guess, although we can provide migration path alternative]
> >>>
> >>> All the other can be moved into /ovirt-engine with cooperation of
> >>> developers, especially UI and Virt developers, it should be easy to do
> >>> this, and reduce the chance of conflict.
> >>>
> >>> Regards,
> >>> Alon Bar-Lev.
> >>>
> >>> [1] http://gerrit.ovirt.org/#/c/13318/
> >>> [2] http://gerrit.ovirt.org/#/c/14304/
> >>>
> >>> ----- Original Message -----
> >>>> From: "Sandro Bonazzola" <[email protected]>
> >>>> To: "engine-devel" <[email protected]>
> >>>> Cc: "users" <[email protected]>
> >>>> Sent: Monday, May 6, 2013 6:32:08 PM
> >>>> Subject: [Engine-devel] 3.3 scratch or upgraded installation must use
> >>>> Apache proxy
> >>>> (https://bugzilla.redhat.com/905754)
> >>>>
> >>>> Hi,
> >>>> I'm working on https://bugzilla.redhat.com/905754, trying to have Apache
> >>>> proxy in all 3.3 installations.
> >>>>
> >>>> I'm looking in the code and I've found a point where I'm in doubt about
> >>>> how to handle the case.
> >>>> The current engine-setup implementation performs some checks that change
> >>>> the behavior of the installer documented as:
> >>>>
> >>>> 1. Check whether the relevant httpd configuration files were changed, as
> >>>> it's an indication for the setup that the httpd application is being
> >>>> actively used, therefore we may need to ask (dynamic change) the user
> >>>> whether to override this configuration.
> >>>>
> >>>> 2. Check if IPA is installed and drop port 80/443 support. What the
> >>>> script really does is setting OVERRIDE_HTTPD_CONFIG default to False in
> >>>> both cases and just for case 2 call also setHttpPortsToNonProxyDefault.
> >>>>
> >>>>
> >>>> About 1, if we can consider Apache "owned" by the engine we can drop any
> >>>> question to the user, else I think we need to ask what to do or abort
> >>>> the setup considering the configuration as unsupported.
> >>>>
> >>>> About 2, it seems that the best solution for that is to abort the setup
> >>>> if IPA is found on the same system where
> >>>> we're installing the engine.
> >>>> As far as I've understood having IPA and engine on the same host is not a
> >>>> supported configuration.
> >>>>
> >>>>
> >>>> What do you think about this?
> >>>>
> >>>> --
> >>>> Sandro Bonazzola
> >>>> Better technology. Faster innovation. Powered by community
> >>>> collaboration.
> >>>> See how it works at redhat.com
> >>>>
> >>>> _______________________________________________
> >>>> Engine-devel mailing list
> >>>> [email protected]
> >>>> http://lists.ovirt.org/mailman/listinfo/engine-devel
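
The URI-conflict condition described in the thread (the mandatory proxy configuration only clashes when another product claims one of the ovirt-engine URIs) can be checked mechanically. This is an added example, not code from the thread or from engine-setup: the function names and the sample configuration are constructed, and URL paths are compared as whole-segment prefixes, which is a simplification of Apache's matching.

```python
import re

# ovirt-engine URIs exactly as listed in the thread above.
OVIRT_URIS = [
    "/UserPortal", "/OvirtEngineWeb", "/webadmin", "/docs", "/spice",
    "/ca.crt", "/engine.ssh.key.txt", "/rhevm.ssh.key.txt",
    "/ovirt-engine-style.css", "/console.vv", "/api", "/ovirt-engine",
]

# Apache directives that claim a URL path (regex variants are not handled).
DIRECTIVE = re.compile(
    r"^\s*<?(Location|Alias|ScriptAlias|ProxyPass|Redirect)\s+(.*?)>?\s*$",
    re.IGNORECASE,
)

def overlaps(a, b):
    """True when one path is a whole-segment prefix of the other."""
    sa, sb = ([s for s in p.split("/") if s] for p in (a, b))
    n = min(len(sa), len(sb))
    return sa[:n] == sb[:n]

def find_conflicts(conf_text, source):
    """Return (source, line, directive, claimed path, ovirt URI) tuples."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        args = [a.strip('"') for a in m.group(2).split()] if m else []
        # Skip optional leading arguments such as a Redirect status.
        path = next((a for a in args if a.startswith("/")), None)
        if path:
            hits += [(source, lineno, m.group(1), path, uri)
                     for uri in OVIRT_URIS if overlaps(path, uri)]
    return hits

# Constructed sample: another product's conf.d snippet (hypothetical).
SAMPLE_CONF = """\
# otherapp.conf
<Location "/ipa">
</Location>
Alias /docs /usr/share/otherapp/docs
ProxyPass /apiv2 ajp://localhost:8009/apiv2
Redirect permanent /api/legacy http://host/otherapp
ProxyPassReverse /webadmin http://localhost/
"""

if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE_CONF, "otherapp.conf"):
        print("%s:%d %s %s overlaps ovirt-engine URI %s" % hit)
```

A directive that claims `/` overlaps every ovirt-engine URI, which matches the thread's treatment of root redirection as an optional step rather than part of the mandatory proxy setup.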
