----- Original Message -----
> From: "Alon Bar-Lev" <[email protected]>
> To: "Barak Azulay" <[email protected]>
> Cc: "engine-devel" <[email protected]>, "users" <[email protected]>
> Sent: Wednesday, May 8, 2013 5:20:51 PM
> Subject: Re: [Users] [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
>
> ----- Original Message -----
> > From: "Barak Azulay" <[email protected]>
> > To: "Sandro Bonazzola" <[email protected]>
> > Cc: "Alon Bar-Lev" <[email protected]>, "engine-devel" <[email protected]>, "users" <[email protected]>
> > Sent: Wednesday, May 8, 2013 4:00:34 PM
> > Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
> >
> > ----- Original Message -----
> > > From: "Sandro Bonazzola" <[email protected]>
> > > To: "Alon Bar-Lev" <[email protected]>
> > > Cc: "engine-devel" <[email protected]>, "users" <[email protected]>
> > > Sent: Wednesday, May 8, 2013 3:51:03 PM
> > > Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
> > >
> > > Hello,
> > > if I've understood correctly then:
> > > - there is no reason for checking if user altered http configuration
> > > - proxy doesn't depend on any other related http configuration we do and
> > >   does not alter any other configuration file, so we can do it without
> > >   asking anything
> > > - if ipa is installed, engine-setup should issue a warning about it and
> > >   default to No for 'set ovirt-engine as default page' and 'configure
> > >   apache ssl'
> > >
> > AFAIU and I don't think it was changed, there is a conflict between IPA and
> > mod_ssl (they did it ugly ... not in rpm level... that was the status a
> > year ago)
> >
> > So it will not work, as long as we do not move to mod_nss.
> >
> > In addition there was an issue with mod_proxy and using 2 different SSL
> > certificates (IPA & RHEV) on the same apache server.
> >
> > please make sure all the above are solved.
>
> I just do not understand why we treat IPA in a special way... it is as if we
> need to have knowledge of every application out there that hacks the apache.
> What if IPA is installed after ovirt-engine?
>
> Playing nice with mod_nss and not force mod_ssl or actually any is a positive
> move.
>
> Thanks,
> Alon
>
> > Thanks
> > Barak
> >
> > > I think I've enough info.
> > > Thanks.
> > >
> > > On 06/05/2013 22:11, Alon Bar-Lev wrote:
> > > >
> > > > ----- Original Message -----
> > > >> From: "Barak Azulay" <[email protected]>
> > > >> To: "Alon Bar-Lev" <[email protected]>
> > > >> Cc: "Sandro Bonazzola" <[email protected]>, "engine-devel" <[email protected]>, "users" <[email protected]>
> > > >> Sent: Monday, May 6, 2013 10:42:02 PM
> > > >> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
> > > >>
> > > >> On May 6, 2013, at 19:45, Alon Bar-Lev <[email protected]> wrote:
> > > >>
> > > >>> Hello,
> > > >>>
> > > >>> I don't understand why you start discussion from start... there were
> > > >>> some additional facts.
> > > >>>
> > > >>> So first answer:
> > > >>> No we cannot assume we own the machine nor own the apache, nor own the
> > > >>> postgresql. These assumptions made in the past were plain wrong and
> > > >>> cause more harm than good, and eventually saved no resources nor efforts.
> > > >>>
> > > >>> At master we altered the ajp proxy configuration to be less
> > > >>> intrusive[1][2].
> > > >>>
> > > >>> We split the http configuration into three:
> > > >>> 1. Install ajp proxy per our URIs[1].
> > > >>> 2. Optionally set root redirection from / to /ovirt-engine
> > > >>> 3. Optionally configure mod_ssl with our certificate.
> > > >> I don't know if this was already brought up,
> > > >>
> > > >> There is a conflict between our configuration and IPA's
> > > >> IPA uses mod_nss and we use mod_proxy and mod_ssl, and this creates a
> > > >> conflict.
> > > >>
> > > >> We can try to move to mod_nss on upgrade and solve all issues
> > > >>
> > > >> Barak
> > > >
> > > > The fact that ovirt-engine depends on mod_ssl is a mistake... well, at
> > > > least I think so.
> > > > The product should not care how ssl is provided as long as it is
> > > > provided.
> > > >
> > > > Personally, I think that product should not attempt to configure ssl at
> > > > all, but provide the instructions of how to do so... But nevertheless,
> > > > let's try to keep this to avoid argument.
> > > >
> > > > In case IPA is installed (and I really don't understand why should we
> > > > care about IPA specifically, well, I actually do... as IPA makes the same
> > > > faulty assumptions of 'owning' resources), the admin should just avoid
> > > > selecting the 'set ovirt-engine as default page' and 'configure apache
> > > > ssl', user should access ovirt-engine using:
> > > > http://host/ovirt-engine
> > > >
> > > > It should work as long as there are no URI conflicts between products as
> > > > I listed in previous message.
> > > >
> > > > Regards,
> > > > Alon
> > > >
> > > >>> The mandatory apache configuration[1] does not alter any configuration
> > > >>> file, hence the chance of conflict is the chance of conflict between
> > > >>> ovirt-engine URIs and other product URIs.
> > > >>>
> > > >>> ovirt-engine URIs:
> > > >>> ---
> > > >>> /UserPortal
> > > >>> /OvirtEngineWeb
> > > >>> /webadmin
> > > >>> /docs
> > > >>> /spice
> > > >>> /ca.crt
> > > >>> /engine.ssh.key.txt
> > > >>> /rhevm.ssh.key.txt
> > > >>> /ovirt-engine-style.css
> > > >>> /console.vv
> > > >>> /api
> > > >>> /ovirt-engine
> > > >>> ---
> > > >>>
> > > >>> As we have done this without cooperation of developers we kept URIs
> > > >>> as-is.
> > > >>>
> > > >>> URIs that cannot be changed until next major:
> > > >>> /engine.ssh.key.txt
> > > >>> /rhevm.ssh.key.txt
> > > >>> /ca.crt
> > > >>> /api [I guess, although we can provide migration path alternative]
> > > >>>
> > > >>> All the other can be moved into /ovirt-engine with cooperation of
> > > >>> developers, especially UI and Virt developers, it should be easy to do
> > > >>> this, and reduce the chance of conflict.
> > > >>>
> > > >>> Regards,
> > > >>> Alon Bar-Lev.
> > > >>>
> > > >>> [1] http://gerrit.ovirt.org/#/c/13318/
> > > >>> [2] http://gerrit.ovirt.org/#/c/14304/
> > > >>>
> > > >>> ----- Original Message -----
> > > >>>> From: "Sandro Bonazzola" <[email protected]>
> > > >>>> To: "engine-devel" <[email protected]>
> > > >>>> Cc: "users" <[email protected]>
> > > >>>> Sent: Monday, May 6, 2013 6:32:08 PM
> > > >>>> Subject: [Engine-devel] 3.3 scratch or upgraded installation must use Apache proxy (https://bugzilla.redhat.com/905754)
> > > >>>>
> > > >>>> Hi,
> > > >>>> I'm working on https://bugzilla.redhat.com/905754, trying to have
> > > >>>> Apache proxy in all 3.3 installations.
> > > >>>>
> > > >>>> I'm looking in the code and I've found a point where I'm in doubt about
> > > >>>> how to handle the case.
> > > >>>> The current engine-setup implementation performs some checks that
> > > >>>> change the behavior of the installer documented as:
> > > >>>>
> > > >>>> 1. Check whether the relevant httpd configuration files were changed,
> > > >>>> as it's an indication for the setup that the httpd application is being
> > > >>>> actively used. Therefore we may need to ask (dynamic change) the user
> > > >>>> whether to override this configuration.
> > > >>>>
> > > >>>> 2. Check if IPA is installed and drop port 80/443 support.
> > > >>>> What the script really does is set OVERRIDE_HTTPD_CONFIG default to
> > > >>>> False in both cases and, just for case 2, also call
> > > >>>> setHttpPortsToNonProxyDefault.
> > > >>>>
> > > >>>> About 1, if we can consider Apache "owned" by the engine we can drop any
> > > >>>> question to the user, else I think we need to ask what to do or abort
> > > >>>> the setup considering the configuration as unsupported.
> > > >>>>
> > > >>>> About 2, it seems that the best solution for that is to abort the setup
> > > >>>> if IPA is found on the same system where we're installing the engine.
> > > >>>> As far as I've understood having IPA and engine on the same host is not
> > > >>>> a supported configuration.
> > > >>>>
> > > >>>> What do you think about this?
> > > >>>>
> > > >>>> --
> > > >>>> Sandro Bonazzola
> > > >>>> Better technology. Faster innovation. Powered by community collaboration.
> > > >>>> See how it works at redhat.com
> > > >>>>
> > > >>>> _______________________________________________
> > > >>>> Engine-devel mailing list
> > > >>>> [email protected]
> > > >>>> http://lists.ovirt.org/mailman/listinfo/engine-devel
> > >
> > > --
> > > Sandro Bonazzola
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/users
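
The thread reduces the coexistence risk to URI overlap between ovirt-engine and other products on the same Apache. The check below is an added example, not part of the original messages or of engine-setup: it scans configuration text for directives that claim a URL path and reports overlaps with the URI list quoted above. The directive set, the function names and the sample configuration are assumptions made for illustration.

```python
import re

# ovirt-engine URIs as listed in the thread above.
OVIRT_URIS = ["/UserPortal", "/OvirtEngineWeb", "/webadmin", "/docs", "/spice",
              "/ca.crt", "/engine.ssh.key.txt", "/rhevm.ssh.key.txt",
              "/ovirt-engine-style.css", "/console.vv", "/api", "/ovirt-engine"]

# Apache directives whose first argument claims a URL path (assumed subset).
DIRECTIVE = re.compile(
    r'^\s*<?(Alias|ScriptAlias|ProxyPass|Location)\s+"?(/[^\s">]*)',
    re.IGNORECASE)

def overlaps(a, b):
    """True when one URL path equals or is a path-segment prefix of the other."""
    a, b = a.rstrip("/"), b.rstrip("/")
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")

def find_conflicts(conf_text, source="<conf>"):
    """Return (source, line_no, directive, path, ovirt_uri) for each overlap."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives claim nothing
        m = DIRECTIVE.match(line)
        # A bare "/" is skipped: it concerns the optional root redirection,
        # not the proxied URIs.
        if not m or m.group(2) == "/":
            continue
        for uri in OVIRT_URIS:
            if overlaps(m.group(2), uri):
                hits.append((source, no, m.group(1), m.group(2), uri))
    return hits

# Constructed sample: a conf.d file belonging to some other product.
SAMPLE = '''\
# constructed sample, not taken from any real package
Alias /docs /usr/share/otherapp/html
<Location /api/v2>
    SetHandler otherapp-handler
</Location>
ProxyPass /otherapp ajp://localhost:8009/otherapp
# Alias /webadmin /tmp
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
'''

if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE, "otherapp.conf"):
        print("%s:%d: %s %s overlaps ovirt-engine URI %s" % hit)
```

Run against each file under the Apache configuration directory, an empty result means no other product claims a path that the ajp proxy configuration also serves.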
