Bug 1364189 - Docs: add release note on Apache configuration changes and upcoming fixes.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Documentation
Version: 4.0.1.1
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ovirt-4.0.3
: 4.0.3
Assignee: Sandro Bonazzola
QA Contact: Aleksei Slaikovskii
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-04 16:26 UTC by Fabrice Bacchella
Modified: 2016-08-29 14:51 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Users upgrading from 3.6 should be aware of the following 4.0 changes around authentication and certificate handling:

1. Single Sign-On using the OAUTH2 protocol has been implemented in the engine to allow SSO between webadmin, userportal and RESTAPI. More information can be found at https://bugzilla.redhat.com/1092744

2. Due to SSO, it's required to access the engine only using the same FQDN which was specified during engine-setup invocation. If your engine FQDN is not accessible from all engine clients, you will not be able to log in. Please use the ovirt-engine-rename tool to fix your FQDN; more information can be found at https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/ . If you try to access the engine using an IP or DNS alias, an error will be thrown. Please consult the following bugs targeted to oVirt 4.0.4, which should fix this limitation:
   https://bugzilla.redhat.com/1325746
   https://bugzilla.redhat.com/1362196

3. If you have used Kerberos SSO to access the engine, please consult https://bugzilla.redhat.com/1342192 on how to update your Apache configuration after upgrading to 4.0.

4. If you are using an HTTPS certificate signed by a custom certificate authority, please take a look at https://bugzilla.redhat.com/1336838 for steps which need to be done after migration to 4.0. Also please consult https://bugzilla.redhat.com/1313379 on how to set up this custom CA for use with virt-viewer clients.
Clone Of:
Environment:
Last Closed: 2016-08-29 14:51:34 UTC
oVirt Team: Integration
ylavi: ovirt-4.0.z?
rule-engine: planning_ack?
sbonazzo: devel_ack+
lsvaty: testing_ack+



Description Fabrice Bacchella 2016-08-04 16:26:36 UTC
When switching from ovirt 3.6.6 to 4.0, I read the release notes.

It says:
If you're upgrading from a previous release on Enterprise Linux 7 you just need to execute:

  # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
  # yum update "ovirt-engine-setup*"
  # engine-setup

This is quite an understatement.

I needed to create a new database, the authentication model is totally changed, and in an incompatible way. The new SSO is not an optional feature that can be added later. So anyone who tweaked their Apache configuration ends up with a broken oVirt.

A critical note saying that would have been welcome.

Comment 1 Fabrice Bacchella 2016-08-04 16:35:13 UTC
In the previous version, I could configure Apache with a vhost that was not known to oVirt: http://ovirt.mydomain running on myserver.mydomain worked fine.

It's not the case any more and I needed to follow the procedure given in https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/ even if I didn't rename my hosts.
Another incompatible change that I would have liked to be warned of.

Comment 2 Yaniv Lavi 2016-08-11 08:28:09 UTC
Fabrice, why did you need to create a new database?

Martin, what should the release notes write regarding the upgrade?

Comment 3 Fabrice Bacchella 2016-08-11 08:36:44 UTC
for dwh of course:

2016-08-03 11:46:16 DEBUG otopi.context context.dumpEnvironment:770 ENV OVESETUP_DWH_DB/database=str:'ovirt_engine_history'

Comment 4 Fabrice Bacchella 2016-08-12 09:15:09 UTC
The problem is the new OAUTH authentication that was added in version 4.

It broke all my Apache setup.

- it broke my virtual host configuration, as it needs to know the exact URL to talk to.
- it broke our internal PKI, because it uses its own.
- it broke our internal SSO, because it embeds its own.

Comment 5 Martin Perina 2016-08-15 08:53:47 UTC
(In reply to Yaniv Dary from comment #2)
> Martin, what should the release notes write regarding the upgrade?

Well SSO introduction (tracked by BZ1092744) was one of the infra pillar features for 4.0 and it's part of 4.0 release notes:
https://www.ovirt.org/release/4.0.0/

BZ1336838 was fixed in 4.0.1 and it's also part of 4.0.1 release notes:
https://www.ovirt.org/release/4.0.1/

BZ1325746 and BZ1362196 are targeted to 4.0.4 so I expect them to be part of 4.0.4 release notes.

Comment 6 Fabrice Bacchella 2016-08-15 09:05:22 UTC
In the release notes, I see:

BZ 1092744 [RFE][AAA] Introduce uniform login services
A single sign on module has been added that authenticates the user once and allows access to webadmin and userportal. Signing off from one portal closes the session on SSO and the user is logged out of all portals.

It doesn't say it's mandatory. Is someone expected to read each bug description to understand what this one is about?

It says nothing about breaking on-site SSO, PKI, and even simple virtual hosts, which it does.

There is not a word about it on 4.0.1, so someone upgrading from 3.6 to 4.0.1 (what I did) will not know about that.

It should be at least listed on Known Issues and repeated on each release notes.

Comment 7 Yaniv Lavi 2016-08-21 11:06:19 UTC
Would the fixes for BZ1325746 and BZ1362196, which are targeted to 4.0.4, fix your issues?

Comment 8 Fabrice Bacchella 2016-08-21 11:15:51 UTC
It would perhaps only have solved my virtual host problem.

I explained all my problems in https://bugzilla.redhat.com/show_bug.cgi?id=1342192

Comment 9 Yaniv Lavi 2016-08-21 12:07:14 UTC
(In reply to Fabrice Bacchella from comment #8)
> It would perhaps only have solved my virtual host problem.
> 
> I explained all my problems in
> https://bugzilla.redhat.com/show_bug.cgi?id=1342192

I see that Martin replied that all of the issues are fixed in 4.0.4. I'm closing this as next release and I hope users will not hit the same issues. Thanks for your testing and helping us make the upgrade smoother.

Comment 10 Fabrice Bacchella 2016-08-21 12:17:09 UTC
It's a bug problem but a documentation one.

The issue will only be solved when a warning note is added in the release notes that explains that authentication is rewritten and everyone who tweaks the Apache configuration should be very careful.

Comment 11 Sandro Bonazzola 2016-08-22 07:10:11 UTC
Martin, can you please fill Doc-Text with the text to be published in 4.0.3 release notes?

Comment 12 Sandro Bonazzola 2016-08-24 12:32:08 UTC
Thanks Martin, moving this to modified to be picked up on 4.0.3 release notes.

Comment 13 Aleksei Slaikovskii 2016-08-29 12:53:48 UTC
http://www.ovirt.org/release/4.0.3/ now contains an "Install / Upgrade from previous versions" section with these changes.

