Bug 723206

Summary: PRD32 - Ability to install/activate RHEV-H / RHEL-H hosts without the use of https (443).
Product: [oVirt] ovirt-host-deploy
Reporter: Chris Williams <cww>
Component: Plugins.node
Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED ERRATA
QA Contact: Tareq Alayan <talayan>
Severity: medium
Priority: medium
Version: ---
CC: acathrow, alonbl, bazulay, dfediuck, dougsland, dyasny, gouyang, iheim, jentrena, leiwang, lpeer, lyarwood, mburns, Rhev-m-bugs, sgordon, thildred, ycui, ykaul, yzaslavs
Target Milestone: ---
Keywords: FutureFeature, Improvement
Target Release: 1.0.0
Flags: bazulay: devel_ack+
Hardware: All
OS: Linux
Whiteboard: infra
Doc Type: Enhancement
Doc Text:
Previously, the vdsm-reg component had to be used when registering the hypervisor to the manager. vdsm-reg acquires resources from the manager using unsecured protocols. Now, when users add a hypervisor from the manager, the SSH protocol is used.
Story Points: ---
: 891778
Last Closed: 2013-06-10 20:58:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---
Bug Depends On: 866889
Bug Blocks: 875920, 891778, 915537

Description Chris Williams 2011-07-19 12:18:50 UTC
Proposed title of this feature request
Ability to install/activate RHEV-H / RHEL-H hosts without the use of https (443).

Who is the customer behind the request?
Thomas Krieger

Account name:
Cortal Consors S.A.

Customer segment:
1

TAM/SRM customer yes/no:
Yes

VHT score:
N/A

What is the nature and description of the request?
The customer would like to remove the https requests made from a newly installed or activated host to the RHEV-M host in order to gather certificates etc. These should be replaced with SCP transfers or transfers over the common vdsm ports. 

Why does the customer need this? (List the business requirements here)
By removing the https requests the customer is able to secure a common port between their DMZ and corp network where their RHEV-M systems are hosted.

How would the customer like to achieve this? (List the functional
requirements here)
Fix to the installation / activation code used by hosts and RHEV-M.

For each functional requirement listed in question 4, specify how Red Hat
and the customer can test to confirm the requirement is successfully
implemented.
Simply by monitoring the requests made from a host during installation / activation.

Is there already an existing RFE upstream or in Red Hat bugzilla?
No.

How quickly does this need to be resolved? (desired target release)
RHEV 3.0 Z-Stream or minor update.

Does this request meet the RHEL Bug and Feature Inclusion Criteria
(please review)
Yes.

List the affected packages
RHEV-H, RHEV-M, vdsm

Would the customer be able to assist in testing this functionality if
implemented?
Yes.

Comment 2 Alon Bar-Lev 2012-11-25 11:47:30 UTC
After the bootstrap rewrite, if initiated by the engine, host and node may be added without use of the HTTP protocol.

Registration of nodes still uses the HTTP protocol, but this is an optional process now.

Comment 4 Stephen Gordon 2012-12-18 19:45:58 UTC
Hi Alon, to clarify are we saying that in 3.2 when users add a host from the management console HTTP(S) won't be required but that it will still be required if you register to the manager from the node side?

Comment 5 Alon Bar-Lev 2012-12-18 19:49:10 UTC
(In reply to comment #4)
> Hi Alon, to clarify are we saying that in 3.2 when users add a host from the
> management console HTTP(S) won't be required but that it will still be
> required if you register to the manager from the node side?

Exactly.

Comment 6 Tareq Alayan 2013-02-18 11:20:08 UTC
Verified.

Added the following rules to iptables of the engine:
REJECT tcp -- {IP_OF_HOST} anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable 
REJECT tcp -- {IP_OF_HOST} anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable

adding rhel-like host - PASS
adding rhevh host from rhevm - PASS
adding rhevh host (addition initiated by rhevh) - FAILED
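
The check from comment 6, as an added example that is not part of the original bug report: it prints the two reject rules for one host and reads the rule packet counters to tell whether that host attempted HTTP or HTTPS during installation. The address 192.0.2.10, the INPUT chain, the function names and the sample counter listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. HOST_IP is a placeholder
# (TEST-NET-1 address) and the INPUT chain is an assumption.
HOST_IP=192.0.2.10

# Print (do not run) the commands that reject NEW HTTP/HTTPS connections
# from one host, matching the two rules listed in comment 6.
reject_rules() {
    for port in 80 443; do
        printf 'iptables -I INPUT -s %s -p tcp -m state --state NEW --dport %s -j REJECT --reject-with icmp-port-unreachable\n' "$1" "$port"
    done
}

# Read `iptables -L INPUT -v -n -x` output on stdin and sum the packet
# counters of REJECT rules for the given source on dpt:80 / dpt:443.
rejected_packets() {
    awk -v host="$1" '
        $3 == "REJECT" && $8 == host && /dpt:(80|443)( |$)/ { n += $1 }
        END { print n + 0 }'
}

# Constructed sample of the counter listing taken on the engine after a
# node-initiated registration attempt (not real output from the bug).
sample_counters() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 REJECT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            state NEW tcp dpt:443 reject-with icmp-port-unreachable
       0        0 REJECT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            state NEW tcp dpt:80 reject-with icmp-port-unreachable
      42     2520 ACCEPT     tcp  --  *      *       192.0.2.11           0.0.0.0/0            tcp dpt:22
EOF
}

# A count of 0 means the host never tried HTTP(S) against the engine.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo "PASS: no HTTP(S) attempts"
    else
        echo "FAILED: $1 HTTP(S) attempts rejected"
    fi
}

reject_rules "$HOST_IP"
verdict "$(sample_counters | rejected_packets "$HOST_IP")"
```

On a real engine, pipe the live `iptables -L INPUT -v -n -x` listing into `rejected_packets` after each add-host attempt instead of the constructed sample.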

Comment 7 Cheryn Tan 2013-04-03 06:52:16 UTC
This bug is currently attached to errata RHEA-2013:14491. If this change is not to be documented in the text for this errata please either remove it from the errata, set the requires_doc_text flag to minus (-), or leave a "Doc Text" value of "--no tech note required" if you do not have permission to alter the flag.

Otherwise to aid in the development of relevant and accurate release documentation, please fill out the "Doc Text" field above with these four (4) pieces of information:

* Cause: What actions or circumstances cause this bug to present.

* Consequence: What happens when the bug presents.

* Fix: What was done to fix the bug.

* Result: What now happens when the actions or circumstances above occur. (NB: this is not the same as 'the bug doesn't present anymore')

Once filled out, please set the "Doc Type" field to the appropriate value for the type of change made and submit your edits to the bug.

For further details on the Cause, Consequence, Fix, Result format please refer to:

https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes

Thanks in advance.

Comment 8 errata-xmlrpc 2013-06-10 20:58:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0888.html