Bug 1000049 - RHEV installer should install and configure rhevm-websocket-proxy
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
3.3.0
Unspecified Unspecified
high Severity high
: ---
: 3.3.0
Assigned To: Alon Bar-Lev
sefi litmanovich
integration
Depends On:
Blocks: 976172
Reported: 2013-08-22 10:53 EDT by Andrew Cathrow
Modified: 2015-09-22 09 EDT

See Also:
Fixed In Version: is16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-21 17:16:44 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 16014 None None None Never
oVirt gerrit 19344 None None None Never

Description Andrew Cathrow 2013-08-22 10:53:00 EDT
rhevm-websocket-proxy should be installed and configured by rhev installer.

Add a question "Install VNC WebSocket Proxy" - Default to YES

If Yes we should prompt for the port number
This port number should be configured in vdc_options (WebSocketProxy)
This port should be opened in firewall.

rhevm-websocket-proxy should be chkconfig'd on and started.
Comment 1 Andrew Cathrow 2013-08-22 11:02:29 EDT
Michal,
What do we need to do for Spice html?
Comment 2 Alon Bar-Lev 2013-08-22 22:52:37 EDT
Was this bug opened after actual test?

1. If ovirt-engine-websocket-proxy is installed the user will be prompted for:

 Configure WebSocket Proxy on this machine?

2. This is not 'VNC' as the same service is also used for spice.

3. We do not prompt for port number and use default port 6100

4. Overriding this port can be done using answer file/configuration file or:

 engine-setup --otopi-environment="OVESETUP_CONFIG/websocketProxyPort=int:XXXX"

5. Service will be started and marked to start at boot.

If you did not have ovirt-engine-websocket-proxy installed and you already set up the product, you can always install it and re-run engine-setup; you will be prompted for configuration of the newly installed component.

---

Personally, I think we should install and configure this service as default for any engine setup.
Comment 3 Alon Bar-Lev 2013-08-22 22:59:53 EDT
commit 045d1e7a9e42c8a91756e64ee5d314d9842a21d6
Author: Alon Bar-Lev <alonbl@redhat.com>
Date:   Mon Jun 24 03:23:45 2013 +0300

    packaging: setup: add websocket proxy configuration
    
    configuration of websocket proxy on engine machine using setup.
    
    1. enroll certificate.
    2. enforce ssl.
    3. enforce ticket validation.
    
    Change-Id: I5d5fad4dc61d9c89c4165a74e9922eded483beac
    Signed-off-by: Alon Bar-Lev <alonbl@redhat.com>
Comment 4 Michal Skrivanek 2013-08-23 07:04:36 EDT
(In reply to Andrew Cathrow from comment #1)
> Michal,
> What do we need to do for Spice html?

exactly the same as for novnc
Comment 5 Andrew Cathrow 2013-08-23 07:24:52 EDT
(In reply to Alon Bar-Lev from comment #2)
> Was this bug opened after actual test?

Of course.
But since none of this is documented yet all that was seen was that the package wasn't installed. Running setup again isn't something anyone would know to do.

> 
>  engine-setup --otopi-environment="OVESETUP_CONFIG/websocketProxyPort=int:XXXX"

Let's make sure that all the (great) new setup options are documented.
Arthur Berezin can work with the team to gather all the info


> 
> ---
> 
> Personally, I think we should install and configure this service as default
> for any engine setup.

Yes. Let's not make the user hunt around.
It sounds like we just have to add the package as a dependency of the meta package and then everything would happen (like magic)
Comment 6 Michal Skrivanek 2013-08-23 07:50:42 EDT
yeah. except for the certificate. We should add it to the resource page...at least an information
Comment 7 Andrew Cathrow 2013-08-23 07:58:04 EDT
(In reply to Michal Skrivanek from comment #6)
> yeah. except for the certificate. We should add it to the resource page...at
> least an information

The CA certificate for the end users?
Will you be handling that or is that another BZ?
Comment 8 Alon Bar-Lev 2013-08-23 08:26:25 EDT
(In reply to Andrew Cathrow from comment #5)
> > Personally, I think we should install and configure this service as default
> > for any engine setup.
> 
> Yes. Let's not make the user hunt around.
> It sounds like we just have to add the package as a dependency of the meta
> package and then everything would happen (like magic)

If we add this as dependency we should not ask the question if user wants to configure, but just configure the component.

User can always modify the configuration later.

Default engine configuration will include the websocket proxy configured and started on the engine machine.

No questions asked.

Please ACK.
Comment 9 Michal Skrivanek 2013-08-23 08:27:50 EDT
The problem is following - you either use a true proper certificate, but then the configuration of websocket-proxy is entirely manual (editing conf files, pointing to the right cert files)
- or we automatically on install generate a certificate signed by engine. But then you have to import that CA into the browser to be accepted. It's the same as for the regular https, but novnc and spice-html5 is considered a different thing and you have to confirm the exception (again)...but since we use jboss for serving client pages and the way it had to be done the popup doesn't show up so you wouldn't know what's wrong. Hence you need to import or confirm exception beforehand.
Comment 10 Alon Bar-Lev 2013-08-23 08:58:24 EDT
(In reply to Michal Skrivanek from comment #9)
> The problem is following - you either use a true proper certificate, but
> then the configuration of websocket-proxy is entirely manual (editing conf
> files, pointing to the right cert files)

This is the same issue with engine certificate.

Default installation should be simple, and use the internal CA.

Certificate can be replaced at any time, just like in the engine case.

The procedure should be part of the "Using 3rd party certificate".

What we need is to make it simpler for the user to trust the internal CA certificate; this can be achieved in most browsers with a simple link to:

 http://enigne/ca.crt

We can also try and use XMLHttpRequest to try and access the websocket proxy and see if we have an error or not.

However, I do not think this discussion belongs to the request to configure the websocket proxy during setup.
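
The probe suggested in comment 10, sketched with `fetch` instead of XMLHttpRequest, as an added example that is not part of the original thread and is not oVirt code. The function names and host names are hypothetical, and it assumes the proxy answers a plain HTTPS GET with some HTTP response; 6100 is the default port given in comment 2.

```javascript
// Added example (not oVirt code): pre-flight trust check for the websocket proxy.
// Assumption: the proxy returns some HTTP response to a plain HTTPS GET.
const DEFAULT_PROXY_PORT = 6100; // default port stated in comment 2

// Build the probe URL; reject ports outside the valid TCP range.
function proxyProbeUrl(host, port = DEFAULT_PROXY_PORT) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new RangeError(`invalid websocket proxy port: ${port}`);
  }
  return `https://${host}:${port}/`;
}

// Probe the proxy before a console is opened.
// fetchImpl is injectable so the logic can be exercised without a network.
async function checkProxyTrust(host, port, { fetchImpl = globalThis.fetch, timeoutMs = 3000 } = {}) {
  const url = proxyProbeUrl(host, port);
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    // "no-cors": only the TLS handshake matters, so an opaque response is enough.
    await fetchImpl(url, { mode: "no-cors", cache: "no-store", signal: controller.signal });
    return { url, status: "trusted" };
  } catch (err) {
    // Browsers hide the cause: an untrusted CA and an unreachable host both
    // surface as a generic network error, so never report "trusted" here.
    const status = err && err.name === "AbortError" ? "timeout" : "untrusted-or-unreachable";
    return { url, status };
  } finally {
    clearTimeout(timer);
  }
}

// Turn the result into guidance: the remedy is importing the CA,
// not switching certificate verification off.
function adviceFor(result, caUrl) {
  switch (result.status) {
    case "trusted":
      return "ok";
    case "timeout":
      return `No answer from ${result.url}; check the firewall and that the proxy is running.`;
    default:
      return `Cannot verify ${result.url}. If the proxy is up, import the engine CA certificate from ${caUrl} and retry.`;
  }
}
```

Because the browser does not expose why the request failed, the check can only say that the certificate is not known to be trusted; it cannot prove the CA is the cause.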
Comment 11 Alon Bar-Lev 2013-08-26 17:39:37 EDT
(In reply to Alon Bar-Lev from comment #8)
> (In reply to Andrew Cathrow from comment #5)
> > > Personally, I think we should install and configure this service as default
> > > for any engine setup.
> > 
> > Yes. Let's not make the user hunt around.
> > It sounds like we just have to add the package as a dependency of the meta
> > package and then everything would happen (like magic)
> 
> If we add this as dependency we should not ask the question if user wants to
> configure, but just configure the component.
> 
> User can always modify the configuration later.
> 
> Default engine configuration will include the websocket proxy configured and
> started on the engine machine.
> 
> No questions asked.
> 
> Please ACK.
Comment 12 Andrew Cathrow 2013-08-29 19:35:29 EDT
(In reply to Alon Bar-Lev from comment #11)

ACK
Comment 13 Zac Dover 2013-09-03 00:35:17 EDT
> Let's make sure that all the (great) new setup options are documented
> Arthur Berezin can work with the team to gather all the info

I am the Docs contact for NoVNC and, by extension, rhevm-websocket-proxy. I am commenting here to let you guys know that I would like to document this as thoroughly as possible. Please get me the information for the new setup options.

Thanks in advance.

Zac
Comment 14 Alon Bar-Lev 2013-09-17 18:30:09 EDT
OK, I decided to leave the question if websocket proxy should be configured. If someone thinks we should remove it please reopen.
Comment 15 sefi litmanovich 2013-09-29 04:19:40 EDT
Verified on rhevm 3.3 IS16.
Comment 18 Itamar Heim 2014-01-21 17:16:44 EST
Closing - RHEV 3.3 Released
Comment 19 Itamar Heim 2014-01-21 17:23:27 EST
Closing - RHEV 3.3 Released
