Bug 1364189 - Docs: add release note on Apache configuration changes and upcoming fixes.
Summary: Docs: add release note on Apache configuration changes and upcoming fixes.
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Documentation
Hardware: Unspecified
OS: Unspecified
high vote
Target Milestone: ovirt-4.0.3
: 4.0.3
Assignee: Sandro Bonazzola
QA Contact: Aleksei Slaikovskii
Depends On:
Reported: 2016-08-04 16:26 UTC by Fabrice Bacchella
Modified: 2016-08-29 14:51 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Users upgrading from 3.6 should be aware of following 4.0 changes around authentication and certificates handling:
1. Single Sign-On using OAUTH2 protocol has been implemented in engine to allow SSO between webadmin, userportal and RESTAPI. More information can be found at
2. Due to SSO it's required to access engine only using the same FQDN which was specified during engine-setup invocation. If your engine FQDN is not accessible from all engine clients, you will not be able to login. Please use ovirt-engine-rename tool to fix your FQDN, more information can be found at . If you try to access engine using IP or DNS alias, an error will be thrown. Please consult following bugs targeted to oVirt 4.0.4 which should fix this limitation:
3. If you have used Kerberos SSO to access engine, please consult how to update your Apache configuration after upgrade to 4.0
4. If you are using HTTPS certificate signed by custom certificate authority, please take a look at for steps which need to be done after migration to 4.0. Also please consult how to setup this custom CA for use with virt-viewer clients.
Clone Of:
Last Closed: 2016-08-29 14:51:34 UTC
oVirt Team: Integration
ylavi: ovirt-4.0.z?
rule-engine: planning_ack?
sbonazzo: devel_ack+
lsvaty: testing_ack+


Description Fabrice Bacchella 2016-08-04 16:26:36 UTC
When switching from ovirt 3.6.6 to 4.0, I read the release notes.

It says :
If you're upgrading from a previous release on Enterprise Linux 7 you just need to execute:

  # yum install
  # yum update "ovirt-engine-setup*"
  # engine-setup

This is quite an understatement.

I needed to create a new database, the authentication model is totally changed, and in an incompatible way. The new SSO is not an optional feature that can be added later. So anyone who tweaked their Apache configuration ends up with a broken ovirt.

A critical note saying that would have been welcome.

Comment 1 Fabrice Bacchella 2016-08-04 16:35:13 UTC
In previous version, I could configure Apache with a vhost that was not known to ovirt: http://ovirt.mydomain running on myserver.mydomain worked fine.

It's not the case any more and I needed to follow the procedure given in even if I didn't rename my hosts.
Another incompatible change that I would have liked to be warned of.

Comment 2 Yaniv Lavi 2016-08-11 08:28:09 UTC
Fabrice, why did you need to create a new database?

Martin, what should the release notes write regarding the upgrade?

Comment 3 Fabrice Bacchella 2016-08-11 08:36:44 UTC
for dwh of course:

2016-08-03 11:46:16 DEBUG otopi.context context.dumpEnvironment:770 ENV OVESETUP_DWH_DB/database=str:'ovirt_engine_history'

Comment 4 Fabrice Bacchella 2016-08-12 09:15:09 UTC
The problem is the new OAUTH authentication that was added in version 4.

It broke all my Apache setup.

- it broke my virtual host configuration, as it needs to know the exact URL to talk to.
- it broke our internal PKI, because it uses its own.
- it broke our internal SSO, because it embeds its own.

Comment 5 Martin Perina 2016-08-15 08:53:47 UTC
(In reply to Yaniv Dary from comment #2)
> Martin, what should the release notes write regarding the upgrade?

Well SSO introduction (tracked by BZ1092744) was one of the infra pillar features for 4.0 and it's part of 4.0 release notes:

BZ1336838 was fixed in 4.0.1 and it's also part of 4.0.1 release notes:

BZ1325746 and BZ1362196 are targeted to 4.0.4 so I expect them to be part of 4.0.4 release notes.

Comment 6 Fabrice Bacchella 2016-08-15 09:05:22 UTC
In the release notes, I see:

BZ 1092744 [RFE][AAA] Introduce uniform login services
A single sign on module has been added that authenticates the user once and allows access to webadmin and userportal. Signing off from one portal closes the session on SSO and the user is logged out of all portals.

It doesn't say it's mandatory. Is someone expected to read each bug description to understand what this one is about?

It says nothing about breaking on-site SSO, PKI, and even simple virtual hosts, which it does.

There is not a word about it on 4.0.1, so someone upgrading from 3.6 to 4.0.1 (what I did) will not know about that.

It should be at least listed on Known Issues and repeated on each release notes.

Comment 7 Yaniv Lavi 2016-08-21 11:06:19 UTC
Would the fixes for BZ1325746 and BZ1362196, which are targeted to 4.0.4, fix your issues?

Comment 8 Fabrice Bacchella 2016-08-21 11:15:51 UTC
It would perhaps only have solved my virtual host problem.

I explained all my problems in

Comment 9 Yaniv Lavi 2016-08-21 12:07:14 UTC
(In reply to Fabrice Bacchella from comment #8)
> It would perhaps only have solved my virtual host problem.
> I explained all my problems in

I see that Martin replied that all of the issues are fixed in 4.0.4. I'm closing this as next release and I hope users will not hit the same issues. Thanks for your testing and helping us make the upgrade smoother.

Comment 10 Fabrice Bacchella 2016-08-21 12:17:09 UTC
It's a bug problem but a documentation one.

The issue will only be solved when a warning note is added in the release notes that explains that authentication is rewritten and that everyone who tweaks the Apache configuration should be very careful.

Comment 11 Sandro Bonazzola 2016-08-22 07:10:11 UTC
Martin, can you please fill Doc-Text with the text to be published in 4.0.3 release notes?

Comment 12 Sandro Bonazzola 2016-08-24 12:32:08 UTC
Thanks Martin, moving this to modified to be picked up on 4.0.3 release notes.

Comment 13 Aleksei Slaikovskii 2016-08-29 12:53:48 UTC
now contains "Install / Upgrade from previous versions" section with these changes.
