Sandro Bonazzola has uploaded a new change for review. Change subject: packaging: setup: enforcing Apache proxy on new install ......................................................................
packaging: setup: enforcing Apache proxy on new install Always override Apache configuration for enabling Apache proxy on new install. Dropped any check on freeipa-server and ipaserver packages. We are requiring mod_ssl that conflicts with freeipa-server and I've added a conflict with ipaserver in spec file. Align legacy installer to engine-setup-2 behavior in non developer mode for Apache configuration. Change-Id: Iedce53634b3d20867fbb6b07efd82ea8bebed5e7 Bug-Url: https://bugzilla.redhat.com/905754 Signed-off-by: Sandro Bonazzola <sbona...@redhat.com> --- M ovirt-engine.spec.in M packaging/fedora/setup/basedefs.py M packaging/fedora/setup/common_utils.py M packaging/fedora/setup/engine-setup.py M packaging/fedora/setup/engine_validators.py M packaging/fedora/setup/output_messages.py 6 files changed, 35 insertions(+), 128 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/38/15038/1 diff --git a/ovirt-engine.spec.in b/ovirt-engine.spec.in index fe7d6c3..87f4439 100644 --- a/ovirt-engine.spec.in +++ b/ovirt-engine.spec.in @@ -158,6 +158,9 @@ Requires: ovirt-host-deploy-java Requires: xz Requires: yum-plugin-versionlock +# We could drop these conflicts when we'll drop Requires: mod_ssl +Conflicts: ipa-server +Conflicts: freeipa-server # For local database: Requires: postgresql-server >= 8.4.7 diff --git a/packaging/fedora/setup/basedefs.py b/packaging/fedora/setup/basedefs.py index 375aad4..ea6069e 100644 --- a/packaging/fedora/setup/basedefs.py +++ b/packaging/fedora/setup/basedefs.py @@ -22,8 +22,6 @@ NOTIFIER_SERVICE_NAME = "ovirt-engine-notifier" NOTIFIER_SERVICE_OLD_NAME = "engine-notifierd" ETL_SERVICE_NAME = "ovirt-engine-dwhd" -FREEIPA_RPM = "freeipa-server" -IPA_RPM = "ipa-server" PGPASS_FILE_HEADER_LINE = "# This section was created during %s setup.\n\ # DO NOT CHANGE IT MANUALLY - OTHER UTILITIES AND TOOLS DEPEND ON ITS STRUCTURE." % APP_NAME PGPASS_FILE_OPENING_LINE = "# Beginning of the oVirt Engine DB settings section" 
diff --git a/packaging/fedora/setup/common_utils.py b/packaging/fedora/setup/common_utils.py index eeab3c4..b0a0cb5 100755 --- a/packaging/fedora/setup/common_utils.py +++ b/packaging/fedora/setup/common_utils.py @@ -1234,7 +1234,7 @@ return basedefs.CONST_DEFAULT_MAC_RANGE -def editEngineSysconfigProtocols(proxyEnabled, fqdn, http, https): +def editEngineSysconfigProtocols(fqdn, http, https): # Load the file: logging.debug("Loading text file handler") handler = TextConfigFileHandler(basedefs.FILE_ENGINE_CONF_PROTOCOLS, readExisting=False) @@ -1244,21 +1244,13 @@ handler.editParam("ENGINE_FQDN", fqdn) # Save port numbers and enabled/disabled state: - if proxyEnabled: - handler.editParam("ENGINE_PROXY_ENABLED", "true") - handler.editParam("ENGINE_PROXY_HTTP_PORT", http) - handler.editParam("ENGINE_PROXY_HTTPS_PORT", https) - handler.editParam("ENGINE_HTTP_ENABLED", "false") - handler.editParam("ENGINE_HTTPS_ENABLED", "false") - handler.editParam("ENGINE_AJP_ENABLED", "true") - handler.editParam("ENGINE_AJP_PORT", basedefs.JBOSS_AJP_PORT) - else: - handler.editParam("ENGINE_PROXY_ENABLED", "false") - handler.editParam("ENGINE_HTTP_ENABLED", "true") - handler.editParam("ENGINE_HTTP_PORT", http) - handler.editParam("ENGINE_HTTPS_ENABLED", "true") - handler.editParam("ENGINE_HTTPS_PORT", https) - handler.editParam("ENGINE_AJP_ENABLED", "false") + handler.editParam("ENGINE_PROXY_ENABLED", "true") + handler.editParam("ENGINE_PROXY_HTTP_PORT", http) + handler.editParam("ENGINE_PROXY_HTTPS_PORT", https) + handler.editParam("ENGINE_HTTP_ENABLED", "false") + handler.editParam("ENGINE_HTTPS_ENABLED", "false") + handler.editParam("ENGINE_AJP_ENABLED", "true") + handler.editParam("ENGINE_AJP_PORT", basedefs.JBOSS_AJP_PORT) # Save and close the file: logging.debug("Engine has been configured") 
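Review bot: With the `else` branch gone in the `@@ -1244,21 +1244,13 @@` hunk, `ENGINE_AJP_ENABLED` is written as `"true"` on every install, and nothing in the hunk says where the AJP connector listens. AJP has no authentication of its own and is meant to be reached only by the local httpd, so a comment above the block should record that expectation, e.g. `# AJP is only for the local Apache proxy; the connector must stay bound to loopback and closed on the firewall`. Whether the engine actually binds it to localhost is not visible here and is worth confirming before the proxy becomes mandatory. The body of editEngineSysconfigProtocols continues past the hunk.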
@@ -1477,12 +1469,6 @@ with open(basedefs.FILE_YUM_VERSION_LOCK, 'a') as yumlock: yumlock.write("\n".join(pkgs) + "\n") -def setHttpPortsToNonProxyDefault(controller): - logging.debug("Changing HTTP_PORT & HTTPS_PORT to the default non-proxy values (8700 & 8701)") - httpParam = controller.getParamByName("HTTP_PORT") - httpParam.setKey("DEFAULT_VALUE", basedefs.JBOSS_HTTP_PORT) - httpParam = controller.getParamByName("HTTPS_PORT") - httpParam.setKey("DEFAULT_VALUE", basedefs.JBOSS_HTTPS_PORT) def checkJavaVersion(version): # Check that the version is supported: diff --git a/packaging/fedora/setup/engine-setup.py b/packaging/fedora/setup/engine-setup.py index 613e4cc..9715923 100755 --- a/packaging/fedora/setup/engine-setup.py +++ b/packaging/fedora/setup/engine-setup.py @@ -172,7 +172,7 @@ 'functions' : [_setupVarPrivileges, _startEngine] } ] }, { 'description' : 'Handling httpd', - 'condition' : [utils.compareStrIgnoreCase, controller.CONF["OVERRIDE_HTTPD_CONFIG"], "yes"], + 'condition' : [], 'condition_match' : [True], 'steps' : [ { 'title' : output_messages.INFO_CONFIG_HTTPD, 'functions' : [_configureSelinuxBoolean, _backupOldHttpdConfig, _configureHttpdSslKeys, _configureHttpdPort, _configureHttpdSslPort, _redirectUrl, _startHttpd]}] @@ -235,19 +235,6 @@ "CONDITION" : False} ] , "PORTS" : [ - { "CMD_OPTION" :"override-httpd-config", - "USAGE" :output_messages.INFO_CONF_PARAMS_OVERRIDE_HTTPD_CONF_USAGE, - "PROMPT" :output_messages.INFO_CONF_PARAMS_OVERRIDE_HTTPD_CONF_PROMPT, - "OPTION_LIST" :["yes","no"], - "VALIDATION_FUNC" :validate.validateOverrideHttpdConfAndChangePortsAccordingly, - "DEFAULT_VALUE" :"yes", - "MASK_INPUT" : False, - "LOOSE_VALIDATION": False, - "CONF_NAME" : "OVERRIDE_HTTPD_CONFIG", - "USE_DEFAULT" : True, - "NEED_CONFIRM" : False, - "CONDITION" : False}, - { "CMD_OPTION" :"http-port", "USAGE" :output_messages.INFO_CONF_PARAMS_HTTP_PORT_USAGE, "PROMPT" :output_messages.INFO_CONF_PARAMS_HTTP_PORT_PROMPT, 
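Review bot: In the 'Handling httpd' sequence (hunk `@@ -172,7 +172,7 @@`) the `'condition'` list is now empty while `'condition_match'` is still `[True]`, so the pair no longer describes a comparison. How the sequence runner treats an empty condition against a non-empty match is not visible in this hunk; if it indexes the first element of the condition or compares a result with the match list, the step could raise or be skipped. If the intent is to run the httpd steps unconditionally, clearing both is the safer form: `'condition_match' : [],`. The enclosing sequence list starts and ends outside the hunk.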
@@ -526,13 +513,13 @@ conf_groups = ( { "GROUP_NAME" : "PORTS", "DESCRIPTION" : output_messages.INFO_GRP_PORTS, - "PRE_CONDITION" : validate.validateIpaAndHttpdStatus, + "PRE_CONDITION" : validate.checkSelinuxStatus, "PRE_CONDITION_MATCH" : True, "POST_CONDITION" : False, "POST_CONDITION_MATCH" : True}, { "GROUP_NAME" : "REDIRECTION", "DESCRIPTION" : output_messages.INFO_GRP_REDIRECTION, - "PRE_CONDITION" : validate.validatePortsRedirection, + "PRE_CONDITION" : True, "PRE_CONDITION_MATCH" : True, "POST_CONDITION" : False, "POST_CONDITION_MATCH" : True}, @@ -2139,15 +2126,17 @@ logging.error(traceback.format_exc()) raise Exception(output_messages.ERR_EXP_FAILED_CONFIG_ENGINE) + def _editSysconfigProtocols(): """ Update the local configuration file. """ - proxyEnabled = utils.compareStrIgnoreCase(controller.CONF["OVERRIDE_HTTPD_CONFIG"], "yes") - utils.editEngineSysconfigProtocols(proxyEnabled=proxyEnabled, - fqdn=controller.CONF["HOST_FQDN"], - http=controller.CONF["HTTP_PORT"], - https=controller.CONF["HTTPS_PORT"]) + utils.editEngineSysconfigProtocols( + fqdn=controller.CONF["HOST_FQDN"], + http=controller.CONF["HTTP_PORT"], + https=controller.CONF["HTTPS_PORT"], + ) + def _editSysconfigJava(): utils.editEngineSysconfigJava(javaHome=controller.CONF["JAVA_HOME"]) diff --git a/packaging/fedora/setup/engine_validators.py b/packaging/fedora/setup/engine_validators.py index a649128..b6555fd 100644 --- a/packaging/fedora/setup/engine_validators.py +++ b/packaging/fedora/setup/engine_validators.py @@ -15,7 +15,6 @@ import uuid import socket -from setup_controller import Controller def validateNFSMountPoint(param, options=[]): """ Validates the correct mount point for NFS local storage """ 
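Review bot: `"PRE_CONDITION" : validate.checkSelinuxStatus` in the PORTS group names a function that this change does not define; the validator added in engine_validators.py (hunk `@@ -206,34 +201,19 @@`) is called `checkSelinuxEnabled`. Unless a `checkSelinuxStatus` already exists outside the visible hunks, evaluating this entry raises AttributeError. Use one name on both sides, e.g. `"PRE_CONDITION" : validate.checkSelinuxEnabled,`. The conf_groups tuple continues outside the hunk.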
@@ -76,10 +75,6 @@ #TODO: add actual port check with socket open logging.debug("Validating %s as a valid TCP Port" % (param)) minVal = 0 - controller = Controller() - isProxyEnabled = utils.compareStrIgnoreCase(controller.CONF["OVERRIDE_HTTPD_CONFIG"], "yes") - if not isProxyEnabled: - minVal = 1024 if not validateInteger(param, options): return False port = int(param) @@ -88,7 +83,7 @@ print output_messages.INFO_VAL_PORT_NOT_RANGE %(minVal) print output_messages.INFO_VAL_CHOOSE_PORT return False - if isProxyEnabled and param in[basedefs.JBOSS_HTTP_PORT, basedefs.JBOSS_HTTPS_PORT, basedefs.JBOSS_AJP_PORT]: + if param in[basedefs.JBOSS_HTTP_PORT, basedefs.JBOSS_HTTPS_PORT, basedefs.JBOSS_AJP_PORT]: logging.warn(output_messages.INFO_VAL_PORT_OCCUPIED_BY_JBOSS %(param)) print output_messages.INFO_VAL_PORT_OCCUPIED_BY_JBOSS %(param) print output_messages.INFO_VAL_CHOOSE_PORT @@ -99,7 +94,7 @@ print output_messages.INFO_VAL_PORT_OCCUPIED % (param, process, pid) print output_messages.INFO_VAL_CHOOSE_PORT return False - if isProxyEnabled and not checkAndSetHttpdPortPolicy(param): + if not checkAndSetHttpdPortPolicy(param): logging.warn(output_messages.INFO_VAL_FAILED_ADD_PORT_TO_HTTP_POLICY, port) print output_messages.INFO_VAL_FAILED_ADD_PORT_TO_HTTP_POLICY % port print output_messages.INFO_VAL_CHOOSE_PORT 
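Review bot: The JBoss-port check in the `@@ -88,7 +83,7 @@` hunk still tests the raw `param`, although `port = int(param)` is already available just above it. The types of the `basedefs.JBOSS_*_PORT` constants are not visible here: if they are integers the test never matches, and if they are strings an input such as `08700` would presumably get past it. Now that the check runs on every install, comparing normalised values is more robust: `if port in [int(p) for p in (basedefs.JBOSS_HTTP_PORT, basedefs.JBOSS_HTTPS_PORT, basedefs.JBOSS_AJP_PORT)]:`. validatePort starts and ends outside the hunk.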
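Review bot: `checkAndSetHttpdPortPolicy(param)` in the `@@ -99,7 +94,7 @@` hunk is now called for every value the user tries, so the validator has a side effect on each attempt. Going by its name and the `INFO_VAL_FAILED_ADD_PORT_TO_HTTP_POLICY` message it adds the port to the httpd SELinux policy; its body is not shown. If so, a port that is entered and later replaced presumably keeps its policy entry, leaving httpd permitted on more ports than it serves. Consider moving the policy change to the httpd configuration step, or at least documenting it on the call: `# NOTE: modifies the SELinux port policy as a side effect of validation`.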
@@ -206,34 +201,19 @@ print output_messages.INFO_VAL_NOT_IN_OPTIONS % (", ".join(options)) return False -def validateOverrideHttpdConfAndChangePortsAccordingly(param, options=[]): - """ - This validation function is specific for the OVERRIDE_HTTPD_CONF param and it does more than validating the answer. - It actually changes the default HTTP/S ports in case the user choose not to override the httpd configuration. - """ - logging.info("validateOverrideHttpdConfAndChangePortsAccordingly %s as part of %s"%(param, options)) - retval = validateOptions(param, options) - if retval and param.lower() == "no": - logging.debug("Changing HTTP_PORT & HTTPS_PORT to the default jboss values (8700 & 8701)") - controller = Controller() - utils.setHttpPortsToNonProxyDefault(controller) - elif retval: - # check if selinux enabled. If not - ask a user to enable it first, and - # exit if user doesn't want to. - logging.debug("Checking SELINUX status") - cmd = [ - basedefs.EXEC_GETENFORCE, - ] - (out, rc) = utils.execCmd(cmdList=cmd, failOnError=True) - if "Disabled" in out: - logging.debug("SELINUX was found in disabled mode") - print output_messages.MSG_ENABLE_SELINUX - return False - #stopping httpd service (in case it's up) when the configuration can be overridden - logging.debug("stopping httpd service") - utils.Service(basedefs.HTTPD_SERVICE_NAME).stop() - return retval +def checkSelinuxEnabled(param, options=[]): + # check if selinux is enabled. exit if not enabled. + logging.debug("Checking SELINUX status") + cmd = [ + basedefs.EXEC_GETENFORCE, + ] + (out, rc) = utils.execCmd(cmdList=cmd, failOnError=True) + if "Disabled" in out: + logging.debug("SELINUX was found in disabled mode") + print output_messages.MSG_ENABLE_SELINUX + return False + return True def validateDomain(param, options=[]): 
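Review bot: `checkSelinuxEnabled` carries the comment `exit if not enabled`, but it only returns False, and it treats every getenforce answer other than `Disabled` (permissive mode included) as enabled. Used as a group PRE_CONDITION, a False result most likely skips the PORTS questions rather than stopping setup, while the 'Handling httpd' sequence now runs unconditionally; that interaction lies outside this hunk and should be confirmed. The function also has no docstring (for example `"""Return True unless getenforce reports Disabled; print MSG_ENABLE_SELINUX otherwise."""`) and never uses `rc`. The removed validator stopped httpd before the port checks ran; nothing visible in this change does that now, so an httpd already listening on the chosen ports may fail the occupied-port test in validatePort.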
@@ -273,17 +253,6 @@ # It means returning True if remote, and False if local if "DB_REMOTE_INSTALL" in param.keys() and param["DB_REMOTE_INSTALL"] == "remote": - return True - else: - return False - -def validatePortsRedirection(param, options=[]): - """ Validate that the we are customizing apache - """ - # If we perform httpd redirection, return True. - # If not, return False - - if "OVERRIDE_HTTPD_CONFIG" in param.keys() and param["OVERRIDE_HTTPD_CONFIG"] == "yes": return True else: return False 
@@ -623,37 +592,6 @@ logging.warning("%s is not writeable" % path) return False -def validateIpaAndHttpdStatus(conf): - """" - This function serve as a pre-condition to the ports group. This function will always return True, - Therefore the ports group will always be handled, but this function may changes the flow dynamically - according to http & ipa rpm status. - So, there are two purposes for this function: - 1. check whether the relevant httpd configuration files were changed, - As it's an indication for the setup that the httpd application is being actively used, - Therefore we may need to ask (dynamic change) the user whether to override this configuration. - 2. Check if IPA is installed and drop port 80/443 support. - """ - controller = Controller() - - # Check if IPA installed - if utils.installed(basedefs.IPA_RPM) or utils.installed(basedefs.FREEIPA_RPM): - # Change default ports - logging.debug("IPA rpms detected, disabling http proxy") - print output_messages.WARN_IPA_INSTALLED - utils.setHttpPortsToNonProxyDefault(controller) - - # Don't use http proxy - paramToChange = controller.getParamByName("OVERRIDE_HTTPD_CONFIG") - paramToChange.setKey("DEFAULT_VALUE", "no") - else: - if wereHttpdConfFilesChanged(): - # If conf files were changed, the user should be asked if he really wants to use ports 80/443 - paramToChange = controller.getParamByName("OVERRIDE_HTTPD_CONFIG") - paramToChange.setKey("USE_DEFAULT", False) - - # This validator must return true, so ports will always be handled - return True def wereHttpdConfFilesChanged(): logging.debug("checking whether HTTPD config files were changed") diff --git a/packaging/fedora/setup/output_messages.py b/packaging/fedora/setup/output_messages.py index 30c496f..1d5c8dc 100644 --- a/packaging/fedora/setup/output_messages.py +++ b/packaging/fedora/setup/output_messages.py 
@@ -115,13 +115,6 @@ Which firewall manager do you wish to use?" -INFO_CONF_PARAMS_OVERRIDE_HTTPD_CONF_USAGE="Should the installer configure the ports, overriding the current httpd configuration" -INFO_CONF_PARAMS_OVERRIDE_HTTPD_CONF_PROMPT="%s uses httpd to proxy requests to the application server.\n\ -It looks like the httpd installed locally is being actively used.\n\ -The installer can override current configuration .\n\ -Alternatively you can use JBoss directly (on ports higher than 1024)\n\ -Do you wish to override current httpd configuration and restart the service?" % basedefs.APP_NAME - INFO_CONF_PARAMS_OVERRIDE_HTTPD_ROOT_USAGE = "Configure the apache root redirection" INFO_CONF_PARAMS_OVERRIDE_HTTPD_ROOT_PROMPT = 'Setup can configure server default page to \ launch %s. Do you wish to do so?' % basedefs.APP_NAME -- To view, visit http://gerrit.ovirt.org/15038 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iedce53634b3d20867fbb6b07efd82ea8bebed5e7 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Sandro Bonazzola <sbona...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches