Description of problem: Any 3.2 should use apache and ports redirection on the default 80/443 ports.
shouldn't this be "any 3.3"?
(In reply to comment #0)
> Any 3.2 should use apache and ports redirection on the default 80/443 ports.

The above statement becomes: Any 3.3 instance must use apache and should use ports redirection.

So, httpd proxy is enabled (not an option) on scratch installation, and migration to http proxy is forced on upgrade. Port redirection must still be configurable by the user during setup (80/443 by default). engine-upgrade must keep the existing ports in non-interactive executions and prompt the user in interactive executions, allowing the user to change them to 80/443.
I'm looking in the code and I've found a point where I'm in doubt about how to handle the case. The current engine-setup implementation performs some checks that change the behavior of the installer, documented as:

1. Check whether the relevant httpd configuration files were changed, as it's an indication for the setup that the httpd application is being actively used. Therefore we may need to ask (dynamic change) the user whether to override this configuration.
2. Check if IPA is installed and drop port 80/443 support.

What the script really does is set the OVERRIDE_HTTPD_CONFIG default to False in both cases and, just for case 2, also call setHttpPortsToNonProxyDefault. How should I handle those 2 cases, which conflict with the forced proxy policy?
We split the http configuration into three:

1. Install ajp proxy per our URIs[1][2].
2. Optionally set root redirection from / to /ovirt-engine.
3. Optionally configure mod_ssl with our certificate.

The mandatory apache configuration[1] does not alter any configuration file.

[1] http://gerrit.ovirt.org/13318
[2] http://gerrit.ovirt.org/14304

So there is no reason for checking if the user has changed the http configuration just for forcing proxy. About IPA conflicts: if I've understood correctly, there is only a collision between mod_nss used by IPA and mod_ssl used if we enable the mod_ssl configuration. It seems there was an issue with mod_proxy and using 2 different SSL certificates (IPA & RHEV) on the same apache server. So, I can force proxy enabled and I can force SSL configuration disabled if IPA is detected. I can leave root redirection optional in any case. The otopi implementation already forces proxy enabled, so it should only be necessary to disable ssl if IPA is detected.
patches pushed upstream for legacy engine-setup and engine-upgrade. engine-upgrade verified only upgrading from nightly because it seems that engine-upgrade from master fails on fkvalidator_sp.sql when upgrading from 3.2.2 stable. otopi implementation of engine-setup-2 doesn't need any change for the setup mode. It may need some changes in upgrading mode.
patch 15038 merged upstream master: http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=3c8dd89c3226f276eb1d821ebbbdc158d3f76a2d
patch 15051 merged upstream master: http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=38c0a408c0e71d2fc5d83808343eb1837b78f806
doesn't honor the existing ports and sets them to 80/443
Created attachment 777805
engine-upgrade output

3.2 setup was using port 8887 as http and 8888 as https, no iptables or firewalld was selected during original 3.2 installation
(In reply to Michal Skrivanek from comment #8)
> Created attachment 777805
> engine-upgrade output
>
> 3.2 setup was using port 8887 as http and 8888 as https, no iptables or
> firewalld was selected during original 3.2 installation

I do not understand. Did you have jboss without apache or with apache at non standard port?
Created attachment 777817
engine upgrade log
(In reply to Alon Bar-Lev from comment #9)
> Did you have jboss without apache or with apache at non standard port?

jboss without apache at non standard ports
(In reply to Michal Skrivanek from comment #11)
> (In reply to Alon Bar-Lev from comment #9)
> > Did you have jboss without apache or with apache at non standard port?
> jboss without apache at non standard ports

Right. Apache will be served using standard ports.
You should be still able to access the legacy ports directly to jboss.
and that's not correct anymore as jboss is running on different ports. It was originally 8887,8888 (http and httpd I configured in 3.2 in engine-setup) and 8703 listening on localhost only. Now after upgrade I see:

[root@dhcp131-154 ~]# netstat -lpnt|egrep 'ovir|htt'
tcp 0 0 127.0.0.1:8706 0.0.0.0:* LISTEN 743/ovirt-engine
tcp 0 0 127.0.0.1:8702 0.0.0.0:* LISTEN 743/ovirt-engine
tcp 0 0 127.0.0.1:8703 0.0.0.0:* LISTEN 743/ovirt-engine
tcp6 0 0 :::80 :::* LISTEN 400/httpd
tcp6 0 0 :::443 :::* LISTEN 400/httpd
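Added example, not part of the original comments or of the oVirt code: a Python check that parses `netstat -lpnt` output such as the one quoted above, separates loopback-only listeners from network-exposed ones, and reports which previously configured ports no longer have a listener. The function names are hypothetical; the sample text is the output from the comment, and 8887/8888 are the legacy ports it mentions.

```python
# Sample input: the netstat output quoted in the comment above (after upgrade).
NETSTAT_AFTER_UPGRADE = """\
tcp 0 0 127.0.0.1:8706 0.0.0.0:* LISTEN 743/ovirt-engine
tcp 0 0 127.0.0.1:8702 0.0.0.0:* LISTEN 743/ovirt-engine
tcp 0 0 127.0.0.1:8703 0.0.0.0:* LISTEN 743/ovirt-engine
tcp6 0 0 :::80 :::* LISTEN 400/httpd
tcp6 0 0 :::443 :::* LISTEN 400/httpd
"""


def parse_listeners(text):
    """Return (port, address, program) for every LISTEN line of `netstat -lpnt`."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local foreign state pid/program
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 addresses intact: ":::80" -> ("::", ":", "80")
        addr, _, port = fields[3].rpartition(":")
        program = fields[6].partition("/")[2]
        listeners.append((int(port), addr, program))
    return listeners


def is_loopback(addr):
    """True when the socket is reachable from the local host only."""
    return addr.startswith("127.") or addr == "::1"


def check_upgrade(text, legacy_ports):
    """Classify listeners by exposure and list legacy ports that are gone."""
    listeners = parse_listeners(text)
    exposed = sorted({(p, prog) for p, a, prog in listeners if not is_loopback(a)})
    local_only = sorted({(p, prog) for p, a, prog in listeners if is_loopback(a)})
    listening = {p for p, _, _ in listeners}
    missing = sorted(set(legacy_ports) - listening)
    return {"exposed": exposed, "local_only": local_only, "missing_legacy": missing}


if __name__ == "__main__":
    # 8887/8888 are the http/https ports the reporter configured in 3.2.
    report = check_upgrade(NETSTAT_AFTER_UPGRADE, legacy_ports=(8887, 8888))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the output above, the report shows httpd as the only network-exposed listener, the engine bound to loopback only, and both legacy ports without a listener.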
...8887,8888 (http and https I configured in 3.2 in engine-setup)...
(In reply to Alon Bar-Lev from comment #12)
> (In reply to Michal Skrivanek from comment #11)
> > (In reply to Alon Bar-Lev from comment #9)
> > > Did you have jboss without apache or with apache at non standard port?
> > jboss without apache at non standard ports
>
> Right. Apache will be served using standard ports.
> You should be still able to access the legacy ports directly to jboss.

We have done this in legacy setup, but did not sync it into the new setup.
patch 17310 merged upstream master for 3.3.0
as RC is built, moving to ON_QA (hopefully did not catch incorrect bugs when doing this)
closing as this should be in 3.3 (doing so in bulk, so may be incorrect)