Bug 985945

Summary: PRD35 - [RFE] rhevm-websocket-proxy - using as standalone service - automatic configuration
Product: Red Hat Enterprise Virtualization Manager
Reporter: Jiri Belka <jbelka>
Component: ovirt-engine-setup
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Jiri Belka <jbelka>
Severity: low
Docs Contact:
Priority: medium
Version: 3.4.0
CC: alonbl, bazulay, gklein, iheim, lbopf, lpeer, michal.skrivanek, oschreib, pstehlik, rbalakri, Rhev-m-bugs, sbonazzo, sherold, talayan, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Fixed In Version: ovirt-engine-3.5.0_beta
Doc Type: Enhancement
Doc Text:
The Red Hat Enterprise Virtualization Manager websocket proxy can now be installed and configured (via engine-setup) on a separate machine from the machine on which the Manager is installed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-11 17:53:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 975680, 1080992
Bug Blocks: 1121840, 1142923, 1156165

Description Jiri Belka 2013-07-18 14:46:59 UTC
Description of problem:

No SSL configuration is done after the rpm is installed, and there is no system-specific conf file in /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/

rpm --scripts -q rhevm-websocket-proxy
postinstall program: /bin/sh
preuninstall scriptlet (using /bin/sh):

if [ $1 -eq 0 ] ; then
    service ovirt-websocket-proxy stop > /dev/null 2>&1 || true
fi
postuninstall program: /bin/sh

See my work to make it work:

https://bugzilla.redhat.com/show_bug.cgi?id=838468#c29

Version-Release number of selected component (if applicable):
is6

How reproducible:
100%

Steps to Reproduce:
1. install rpm
2. check /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/
3. start websocket proxy
4. check if ssl handshake works - openssl s_client -connect $engine:6100

Actual results:
does not work via ssl by default

Expected results:
should work out of box

Additional info:
Please add a little README in the rpm to let users know how to configure it manually; there for sure would be sysadmins who would like to generate the key themselves and sign it with their own corporate CA.

Comment 1 Alon Bar-Lev 2013-07-18 15:26:13 UTC
This package is configured using engine-setup, and it will be configured as ssl, firewall will be opened, ticket trust is established and service will be started after setup is executed.

I did not succeed in performing the split of service and setup into their own package. So this package is available at the engine computer only for now.

Now that all is in feature freeze, I think having this service on a different computer will get in only for the next version.

Even after the split, rpm package installation should not affect system state, such as modifying /etc/sysconfig/iptables. So I don't think such a request will be followed.

Also, having a self-signed certificate auto-generated is not a usable solution, as the websocket connection will just fail.

Comment 2 Alon Bar-Lev 2013-07-18 15:26:43 UTC
*** Bug 985927 has been marked as a duplicate of this bug. ***

Comment 3 Alon Bar-Lev 2013-07-19 23:15:33 UTC
ovirt-engine-websocket-proxy can now be installed on a separate host without pulling the entire engine into that host.

In this mode manual configuration is required.

When we split the setup core we may provide some interactive setup. I am not sure this is required, as a simple README.websocket-proxy will be as simple as generating a certificate at the engine host and performing some config file modifications.

Comment 6 Alon Bar-Lev 2013-10-29 10:56:03 UTC
Michal,

Do we want to add a README for this service, or is the wiki[1] enough?

[1] http://www.ovirt.org/Features/noVNC_console#Setup

Comment 7 Alon Bar-Lev 2013-10-29 11:04:25 UTC
Per discussion with the reporter, the original request was to configure the websocket proxy automatically on a standalone machine.

Moving to 3.4 as we are working to allow this for dwh and reports.

Comment 8 Jiri Belka 2014-07-29 14:03:07 UTC
ok but it's horrible - not user friendly.

https://tcms.engineering.redhat.com/run/163679/

Comment 9 Simone Tiraboschi 2014-07-29 14:27:05 UTC
A previous attempt was more "magic" because it asked the user for the root password of the engine host in order to copy the CSR via SCP and execute there, via an ssh connection, the commands to sign it and register the websocket proxy.

It was judged not so secure due to the need for the root password of the other host, and so we can simply prepare the commands, asking the user to execute them on the other host.

Comment 11 errata-xmlrpc 2015-02-11 17:53:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html