Perry N. Myers
2008-Mar-27 15:16 UTC
[Ovirt-devel] ports and hostnames for the ovirt server
In looking at the apache configuration for the ipa server and the ovirt-wui, I had a few questions...

Right now the assumption being made is that the FreeIPA instance always gets installed on the same host as the ovirt-wui. And because of this, we have to run the FreeIPA server on a non-standard port (8089) because it currently does not coexist well with other apps on the same port.

Another configuration exists where the FreeIPA server is already installed elsewhere in the network (maybe someone is already using it for other purposes) and in this case it'll likely be running on port 80 on that server.

Since by default FreeIPA runs on port 80, it makes more sense to always keep it on port 80 so that the configuration is the same whether it is hosted with the oVirt WUI or standalone.

If we agree on that (I'm open to objections here) then the next question is how to run FreeIPA and oVirt on the same box without conflicts. A few options exist:

1. Run oVirt on a different port instead of FreeIPA
2. Use name virtual hosting so that IPA runs on the base hostname and oVirt runs on something like ovirt.domain.com. For the developer install, this can be accomplished by mucking with /etc/hosts and for prod installs it'll involve DNS, but we already require that for other things. This is tricky because once we start using https and FreeIPA does as well, NameVirtualHosting sort of breaks down...
3. Relocate the ipa server so that it's not at the root URL
4. Relocate the ovirt server so that it's not at the root URL

I don't like option 3, since that also changes the default configuration for FreeIPA. Option 2 will work for now, but we know it'll break later when we start using https.

Option 1 is the easiest way to get things working, as long as people don't object to running the mgmt ui on something other than port 80.

Option 4 might solve the problem, but I'm not sure if it'll work since FreeIPA does URL rewriting (we can comment this out, but I'd like to not muck with their stuff and leave things default if possible)

Thoughts?

Perry

--
|=- Red Hat, Engineering, Emerging Technologies, Boston -=|
|=- Email: pmyers at redhat.com -=|
|=- Office: +1 412 474 3552 Mobile: +1 703 362 9622 -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|
Daniel P. Berrange
2008-Mar-27 15:27 UTC
[Ovirt-devel] ports and hostnames for the ovirt server
On Thu, Mar 27, 2008 at 11:16:13AM -0400, Perry N. Myers wrote:
> In looking at the apache configuration for the ipa server and the
> ovirt-wui, I had a few questions...
>
> Right now the assumption being made is that the FreeIPA instance always
> gets installed on the same host as the ovirt-wui. And because of this, we
> have to run the FreeIPA server on a non-standard port (8089) because it
> currently does not coexist well with other apps on the same port.
>
> Another configuration exists where the FreeIPA server is already installed
> elsewhere in the network (maybe someone is already using it for other
> purposes) and in this case it'll likely be running on port 80 on that server.
>
> Since by default FreeIPA runs on port 80, it makes more sense to always
> keep it on port 80 so that the configuration is the same whether it is
> hosted with the oVirt WUI or standalone.
>
> If we agree on that (I'm open to objections here) then the next question
> is how to run FreeIPA and oVirt on the same box without conflicts. A few
> options exist:
> 1. Run oVirt on a different port instead of FreeIPA
> 2. Use name virtual hosting so that IPA runs on the base hostname and
>    oVirt runs on something like ovirt.domain.com. For the developer
>    install, this can be accomplished by mucking with /etc/hosts and
>    for prod installs it'll involve DNS, but we already require that for
>    other things. This is tricky because once we start using https and
>    FreeIPA does as well, NameVirtualHosting sort of breaks down...

Name based virtual hosting breaks with Kerberos too, because the oVirt server's CNAME will resolve to an IP, and then reverse resolve to a different name. All services using Kerberos need real A records AFAICT

> 3. Relocate the ipa server so that it's not at the root URL
> 4. Relocate the ovirt server so that it's not at the root URL

IMHO, both IPA & oVirt should *not* take over the root URL. All apps should default to a private prefix, /ipa/ and /ovirt/. When deploying in production a simple mod-rewrite rule can make either app take over use of /, simply redirecting to either /ipa or /ovirt depending on which the server admin decides should be the default.

> I don't like option 3, since that also changes the default configuration
> for FreeIPA. Option 2 will work for now, but we know it'll break later
> when we start using https.
>
> Option 1 is the easiest way to get things working, as long as people don't
> object to running the mgmt ui on something other than port 80.
>
> Option 4 might solve the problem, but I'm not sure if it'll work since
> FreeIPA does URL rewriting (we can comment this out, but I'd like to not
> muck with their stuff and leave things default if possible)

The FreeIPA config file is fundamentally broken since it assumes it is the only app living in the apache server. This needs to be fixed so that they play nicely with other apps. This means living under /ipa/ and having an optional redirect from / at the site administrator's discretion.

Dan.

--
|: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
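
The forward/reverse DNS mismatch raised in the reply above can be checked before a Kerberized service is put behind a name-based virtual host. This is an added example, not part of the original thread: the host names, addresses and function names are constructed, and it assumes a Kerberos client that canonicalizes the service host name through reverse DNS.

```python
import socket

# Constructed sample zone: documentation addresses and hypothetical names.
# ovirt.example.com is a name-based vhost alias sharing the IPA host's address.
SAMPLE_A = {"server.example.com": ["192.0.2.10"],
            "ovirt.example.com": ["192.0.2.10"],
            "standalone.example.com": ["192.0.2.20"]}
SAMPLE_PTR = {"192.0.2.10": "server.example.com"}  # 192.0.2.20 has no PTR

def sample_forward(name):
    return SAMPLE_A[name]

def sample_reverse(addr):
    if addr not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[addr]

def live_forward(name):  # system resolver, for use against real DNS
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def live_reverse(addr):
    return socket.gethostbyaddr(addr)[0]

def check_service_name(hostname, service="HTTP",
                       forward=live_forward, reverse=live_reverse):
    """Forward-resolve hostname, reverse-resolve each address, and report the
    service principal a reverse-DNS-canonicalizing client would ask for."""
    wanted = hostname.rstrip(".").lower()
    results = []
    for addr in forward(wanted):
        try:
            ptr = reverse(addr).rstrip(".").lower()
        except OSError:  # socket.herror / gaierror: no usable PTR record
            ptr = None
        results.append({"addr": addr, "ptr": ptr,
                        "principal": f"{service}/{ptr}" if ptr else None,
                        "consistent": ptr == wanted})
    return results

if __name__ == "__main__":
    for host in SAMPLE_A:
        for r in check_service_name(host, forward=sample_forward,
                                    reverse=sample_reverse):
            print(host, r)
```

A result with "consistent" set to False means the name a user types and the name the ticket is requested for differ, so the service needs its own A and PTR records or a keytab entry for the reverse-resolved name.
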
CCing freeipa-devel to make sure I am saying the right thing as Rob is the one sending patches for it.

On Thu, 2008-03-27 at 11:16 -0400, Perry N. Myers wrote:
> In looking at the apache configuration for the ipa server and the
> ovirt-wui, I had a few questions...
>
> Right now the assumption being made is that the FreeIPA instance always
> gets installed on the same host as the ovirt-wui. And because of this, we
> have to run the FreeIPA server on a non-standard port (8089) because it
> currently does not coexist well with other apps on the same port.

FYI: We are working on fixing this.

> Another configuration exists where the FreeIPA server is already installed
> elsewhere in the network (maybe someone is already using it for other
> purposes) and in this case it'll likely be running on port 80 on that server.
>
> Since by default FreeIPA runs on port 80, it makes more sense to always
> keep it on port 80 so that the configuration is the same whether it is
> hosted with the oVirt WUI or standalone.

It would make sense yes.

> If we agree on that (I'm open to objections here) then the next question
> is how to run FreeIPA and oVirt on the same box without conflicts. A few
> options exist:
> 1. Run oVirt on a different port instead of FreeIPA
> 2. Use name virtual hosting so that IPA runs on the base hostname and
>    oVirt runs on something like ovirt.domain.com. For the developer
>    install, this can be accomplished by mucking with /etc/hosts and
>    for prod installs it'll involve DNS, but we already require that for
>    other things. This is tricky because once we start using https and
>    FreeIPA does as well, NameVirtualHosting sort of breaks down...
> 3. Relocate the ipa server so that it's not at the root URL

We are pursuing this solution in freeIPA itself. Hopefully, with some help, we will have this soon.

> 4. Relocate the ovirt server so that it's not at the root URL

In general it would be wise to be able to use something like http://server/service so that multiple services can be used on the same server without clashes. The patches I've seen from Rob move all to http(s)://server.name/ipa(xml), I guess ovirt could do something similar and move to http(s)://server.name/ovirt ?

> I don't like option 3, since that also changes the default configuration
> for FreeIPA. Option 2 will work for now, but we know it'll break later
> when we start using https.
>
> Option 1 is the easiest way to get things working, as long as people don't
> object to running the mgmt ui on something other than port 80.
>
> Option 4 might solve the problem, but I'm not sure if it'll work since
> FreeIPA does URL rewriting (we can comment this out, but I'd like to not
> muck with their stuff and leave things default if possible)
>
> Thoughts?

I think opt 3 is the solution and should be adopted by both freeipa and ovirt so that we can all be good citizens.

Simo.

--
Simo Sorce * Red Hat, Inc * New York