On 19/05/2013 14:11, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Sandro Bonazzola" <[email protected]>
>> To: "Alon Bar-Lev" <[email protected]>
>> Cc: "Barak Azulay" <[email protected]>, "engine-devel"
>> <[email protected]>, "Alex Lourie" <[email protected]>
>> Sent: Friday, May 17, 2013 11:11:54 AM
>> Subject: Re: [Engine-devel] 3.3 scratch or upgraded installation must use
>> Apache proxy
>> (https://bugzilla.redhat.com/905754)
>>
>> On 08/05/2013 21:18, Alon Bar-Lev wrote:
>>> Right.
>>> First, we need to support any installation, not just rhel.
>>> Second, we can support only other well behaved products.
>>> Until recently we were not well behaved... well, we are still not fully,
>>> because we do not have our own configurable URI namespace.
>>>
>>> We cannot control which applications are installed on the same host,
>>> however we can:
>>>
>>> 1. postgresql: support skipping the automatic provisioning [supported in
>>> the otopi setup]
>>> 2. apache: do not enforce specific apache SSL implementation [to be done].
>>> 3. apache: support skipping the automatic SSL configuration [supported].
>>> 4. apache: support skipping the root redirect to ovirt application
>>> [supported in otopi setup]
>>> 5. apache: move application to own name space, example /ovirt-engine [to be
>>> done, I will be happy if you can help pushing this]
>>> 6. firewall: support skipping configuration [supported]
>>> 7. packaging: remove the versionlock usage.
>>> 8. packaging: support proper upgrade path, compatible with packaging best
>>> practices.
>>> 9. files: rename all utilities and public artifacts from engine-* to
>>> ovirt-engine-*
>>> [more?]
>>>
>>> If we do the above we are acting as a well behaved application, and can
>>> co-exist with other well behaved applications.
>>
>> Trying to set the point on this issue in order to start coding.
>>
>> We split the http configuration into three:
>> 1. Install ajp proxy per our URIs[1][2].
>> 2. Optionally set root redirection from / to /ovirt-engine
>> 3. Optionally configure mod_ssl with our certificate.
>>
>> The mandatory apache configuration[1] does not alter any configuration file.
>> [1] http://gerrit.ovirt.org/13318
>> [2] http://gerrit.ovirt.org/14304
>>
>> So there is no reason for checking if the user has changed the http
>> configuration for just forcing proxy.
>>
>> About IPA conflicts, if I've understood correctly there is only a collision
>> between mod_nss used by IPA and mod_ssl used if we enable mod_ssl
>> configuration.
>> It seems there was an issue with mod_proxy and using 2 different SSL
>> certificates (IPA & RHEV) on the same apache server.
>>
>> So, I can force proxy enabled and I can force SSL configuration disabled
>> if IPA is detected.
>> I can leave root redirection optional in any case.
>>
>> The otopi implementation already forces proxy enabled, so there should be
>> just to disable ssl if IPA is detected.
>>
>> During the discussion about this bug it was also suggested to avoid
>> forcing a dependency on mod_ssl, or to force migration to mod_nss during
>> upgrade, allowing ipa and engine to coexist. I don't think that that issue
>> should be tracked by https://bugzilla.redhat.com/905754 so if there is the
>> will to either drop the dependency on mod_ssl or migrate to mod_nss please
>> open a new bug about that.
>
> Right. I just mentioned that so all will be aware of this abnormality.
>
>> That could also solve another question: what if IPA is installed after
>> ovirt-engine?
>>
>> In order to act as a well behaved application, and co-exist with other
>> well behaved applications, there is more to do, as Alon pointed out.
>> I think that any point not satisfied in order to behave correctly needs a
>> bug to be opened.
>>
>> When we behave correctly I'll remove any check on IPA presence,
>> totally ignoring it and removing any enforcement about its presence.
>>
>> Am I missing something?
>
> I don't think so... I am just not sure what the answer was in the past for
> post IPA installation...
>
> Thanks!
> Alon

I think I was missing something.
I don't know if other distros do the same, but on Fedora 18 freeipa-server
has a package conflict with mod_ssl.
So it is not possible to have both IPA and the oVirt engine on the same host.
This should also answer for post IPA installation for Fedora.

I think the best thing to do here is just to warn that we are requiring
mod_ssl when enabling SSL support, so any service that has conflicts, like
freeipa-server, will have issues, and let the administrator decide what to do.

--
Sandro Bonazzola
