Bug 985945 - PRD35 - [RFE] rhevm-websocket-proxy - using as standalone service - automatic configuration
PRD35 - [RFE] rhevm-websocket-proxy - using as standalone service - automatic...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup (Show other bugs)
3.4.0
Unspecified Unspecified
medium Severity low
: ---
: 3.5.0
Assigned To: Simone Tiraboschi
Jiri Belka
integration
: FutureFeature
: 985927 (view as bug list)
Depends On: 975680 1080992
Blocks: 1121840 rhev3.5beta 1156165
  Show dependency treegraph
 
Reported: 2013-07-18 10:46 EDT by Jiri Belka
Modified: 2015-02-11 12:53 EST (History)
15 users (show)

See Also:
Fixed In Version: ovirt-engine-3.5.0_beta
Doc Type: Enhancement
Doc Text:
The Red Hat Enterprise Virtualization Manager websocket proxy can now be installed and configured (via engine-setup) on a separate machine from the machine on which the Manager is installed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-11 12:53:41 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 26898 master ABANDONED WebSocketProxy on a separate host Never
oVirt gerrit 28534 master MERGED packaging: setup: WebSocketProxy on a separate host Never

  None (edit)
Description Jiri Belka 2013-07-18 10:46:59 EDT
Description of problem:

No ssl configuration is done after rpm is installed and there is no system specific conf file in /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/

rpm --scripts -q rhevm-websocket-proxy
postinstall program: /bin/sh
preuninstall scriptlet (using /bin/sh):

if [ $1 -eq 0 ] ; then
    service ovirt-websocket-proxy stop > /dev/null 2>&1 || true
fi
postuninstall program: /bin/sh

See for my work to make it work:

https://bugzilla.redhat.com/show_bug.cgi?id=838468#c29

Version-Release number of selected component (if applicable):
is6

How reproducible:
100%

Steps to Reproduce:
1. install rpm
2. check /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/
3. start websocket proxy
4. check if ssl handshake works - openssl s_client -connect $engine:6100

Actual results:
does not work via ssl by default

Expected results:
should work out of box

Additional info:
please add little README in the rpm to let users know how to configure it manually, there for sure would be sysadmins how would like to generate the key themselves and sign it with their own corporate CA
Comment 1 Alon Bar-Lev 2013-07-18 11:26:13 EDT
This package is configured using engine-setup, and it will be configured as ssl, firewall will be opened, ticket trust is established and service will be started after setup is executed.

I did not succeeded in performing the split of service and setup into own package. So this package is now available at engine computer only for now.

Now that all is feature freeze I think having this service on different computer will get in only for next version.

Even after the split, rpm package installation should not effect system state, such as modifying /etc/sysconfig/iptables. So I don't think such request will be followed.

Also, having self-signed certificate auto generated is not usable solution, as the websocket connection will just fail.
Comment 2 Alon Bar-Lev 2013-07-18 11:26:43 EDT
*** Bug 985927 has been marked as a duplicate of this bug. ***
Comment 3 Alon Bar-Lev 2013-07-19 19:15:33 EDT
ovirt-engine-websocket-proxy can now be installed on separate host without pulling the entire engine into that host.

in this mode manual configuration is required.

when we split the setup core we may provide some interactive setup. I am not sure this is required as a simple README.websocket-proxy will be as simple as generating certificate at engine host and perform some config file modifications.
Comment 6 Alon Bar-Lev 2013-10-29 06:56:03 EDT
Michal,

Do we want to add README for this service or wiki[1] is enough?

[1] http://www.ovirt.org/Features/noVNC_console#Setup
Comment 7 Alon Bar-Lev 2013-10-29 07:04:25 EDT
Per discussion with reporter, the original request was to configure the websocket proxy automatically on standalone machine.

Moving to 3.4 as we are working to allow this for dwh and reports.
Comment 8 Jiri Belka 2014-07-29 10:03:07 EDT
ok but it's horrible - no user friendly.

https://tcms.engineering.redhat.com/run/163679/
Comment 9 Simone Tiraboschi 2014-07-29 10:27:05 EDT
A previous attempt was more "magic" cause it asked to the user the root's password of the engine host in order to copy the CSR via SCP and execute there, via an ssh connection, the commands to sign it and register the websocket proxy.

It was judged not so secure due to the need for the root password of the other host and so we can simply prepare the commands asking to the user to execute them on the other host.
Comment 11 errata-xmlrpc 2015-02-11 12:53:41 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html

Note You need to log in before you can comment on or make changes to this bug.