[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Ovirt-devel] ports and hostnames for the ovirt server



On Thu, Mar 27, 2008 at 11:16:13AM -0400, Perry N. Myers wrote:
> In looking at the apache configuration for the ipa server and the
> ovirt-wui, I had a few questions...
> 
> Right now the assumption being made is that the FreeIPA instance always
> gets installed on the same host as the ovirt-wui.  And because of this, we
> have to run the FreeIPA server on a non-standard port (8089) because it
> currently does not coexist well with other apps on the same port.
> 
> Another configuration exists where the FreeIPA server is already installed
> elsewhere in the network (maybe someone is already using it for other
> purposes) and in this case it'll likely be running on port 80 on that server.
> 
> Since by default FreeIPA runs on port 80, it makes more sense to always
> keep it on port 80 so that the configuration is the same whether it is
> hosted with the oVirt WUI or standalone.
> 
> If we agree on that (I'm open to objections here) then the next question
> is how to run FreeIPA and oVirt on the same box without conflicts.  A few
> options exist:
> 1. Run oVirt on a different port instead of FreeIPA
> 2. Use name virtual hosting so that IPA runs on the base hostname and
>    oVirt runs on something like ovirt.domain.com.  For the developer
>    install, this can be accomplished by mucking with /etc/hosts and
>    for prod installs it'll involve DNS, but we already require that for
>    other things.  This is tricky because once we start using https and
>    FreeIPA does as well, NameVirtualHosting sort of breaks down...

Name based virtual hosting breaks with Kerberos too, because the oVirt
server's CANME will resolve to an IP, and then reverse resolve to a
different name. All services using Kerberos need real A records AFAICT

> 3. Relocate the ipa server so that it's not at the root URL
> 4. Relocate the ovirt server so that it's not at the root URL

IMHO, both IPA & oVirt should *not* take over the root URL. All apps
should default to a private prefix,  /ipa/  and /ovirt/.  When deploying
in production a simple mod-rewrite  rule can make either app take over
use of /, simply redirecting to the either /ipa or /ovirt depending
on which the server admin decides should be the default.

> I don't like option 3, since that also changes the default configuration
> for FreeIPA.  Option 2 will work for now, but we know it'll break later
> when we start using https.
> 
> Option 1 is the easiest way to get things working, as long as people don't
> object to running the mgmt ui on something other than port 80.
> 
> Option 4 might solve the problem, but I'm not sure if it'll work since
> FreeIPA does URL rewriting (we can comment this out, but I'd like to not
> muck with their stuff and leave things default if possible)

The FreeIPA  config file is fundamentally broken since it assumes it is
the only app living in the apache server. This needs to be fixed so that
they play nicely with other apps. This means living under /ipa/ and having
an optional redirect from / at the site administrators discretion.

Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]