Red Hat Bugzilla – Bug 985945
PRD35 - [RFE] rhevm-websocket-proxy - using as standalone service - automatic configuration
Last modified: 2015-02-11 12:53:41 EST
Description of problem:
No ssl configuration is done after rpm is installed and there is no system specific conf file in /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/
rpm --scripts -q rhevm-websocket-proxy
postinstall program: /bin/sh
preuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ] ; then
service ovirt-websocket-proxy stop > /dev/null 2>&1 || true
postuninstall program: /bin/sh
See for my work to make it work:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install rpm
2. check /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/
3. start websocket proxy
4. check if ssl handshake works - openssl s_client -connect $engine:6100
does not work via ssl by default
should work out of box
please add little README in the rpm to let users know how to configure it manually, there for sure would be sysadmins how would like to generate the key themselves and sign it with their own corporate CA
This package is configured using engine-setup, and it will be configured as ssl, firewall will be opened, ticket trust is established and service will be started after setup is executed.
I did not succeeded in performing the split of service and setup into own package. So this package is now available at engine computer only for now.
Now that all is feature freeze I think having this service on different computer will get in only for next version.
Even after the split, rpm package installation should not effect system state, such as modifying /etc/sysconfig/iptables. So I don't think such request will be followed.
Also, having self-signed certificate auto generated is not usable solution, as the websocket connection will just fail.
*** Bug 985927 has been marked as a duplicate of this bug. ***
ovirt-engine-websocket-proxy can now be installed on separate host without pulling the entire engine into that host.
in this mode manual configuration is required.
when we split the setup core we may provide some interactive setup. I am not sure this is required as a simple README.websocket-proxy will be as simple as generating certificate at engine host and perform some config file modifications.
Do we want to add README for this service or wiki is enough?
Per discussion with reporter, the original request was to configure the websocket proxy automatically on standalone machine.
Moving to 3.4 as we are working to allow this for dwh and reports.
ok but it's horrible - no user friendly.
A previous attempt was more "magic" cause it asked to the user the root's password of the engine host in order to copy the CSR via SCP and execute there, via an ssh connection, the commands to sign it and register the websocket proxy.
It was judged not so secure due to the need for the root password of the other host and so we can simply prepare the commands asking to the user to execute them on the other host.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.