Michael DeHaan wrote:
Justin Sherrill wrote:
> ---
> koan/app.py | 13 ++++++++++---
> 1 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/koan/app.py b/koan/app.py
> index f5f982f..e2b8e12 100755
> --- a/koan/app.py
> +++ b/koan/app.py
> @@ -297,9 +297,16 @@ class Koan:
> if uses_avahi:
> print "- connecting to: %s" % server
> try:
> - # first try port 80
> - self.xmlrpc_server = ServerProxy(url)
> - self.xmlrpc_server.get_profiles()
> + try:
> + #first try port 443
> + url = "https://%s:443/cobbler_api" % (server)
> + self.xmlrpc_server = ServerProxy(url)
> + self.xmlrpc_server.get_profiles()
> + except:
> + #then try port 80
> + url = "http://%s:80/cobbler_api" % (server)
> + self.xmlrpc_server = ServerProxy(url)
> + self.xmlrpc_server.get_profiles()
> except:
> # now try specified port in case Apache proxying
> # is not configured
>
>
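Review bot: the bare `except:` around the new port-443 attempt (and the outer one the patch keeps) catches every exception, so a TLS certificate or handshake failure against https://server:443/cobbler_api is indistinguishable from a closed port, and the client drops to plaintext http://server:80 without recording why. Catch only the connection and XML-RPC failures, e.g. `except (socket.error, xmlrpclib.ProtocolError), e:` (Python 2 syntax, matching the `print` statement in context), and print the URL that failed before moving on. Two smaller points: the removed `self.xmlrpc_server = ServerProxy(url)` used a `url` built earlier, which the new code overwrites for both attempts, so whatever port that earlier URL carried is never tried on this path; and `#first try port 443` / `#then try port 80` want a space after the `#` like the surrounding comments.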
Hi Justin,
Thanks for submitting this. Ideally we want the following. It's a
bit more involved but should cover all of the possible options of the
koan XMLRPC being proxied through Apache or not, in case folks mess up
their Apache configurations or want more flexibility.
* If COBBLER_PORT is in the environment, put that port and only that
port in the try_list, unless --port is defined, in which case, just use
that instead
* By default, always try ports 443 and then 80, in that order (call
this the port_try_list or something)
* If --port is specified, try only that port (put only that port in the
port try list, and not 443 or 80)
Then use the following logic to determine the try_url_list:
* If --server is supplied, try
http://server:port/cobbler_api and then
http://server:port for any ports we need to try
For completeness:
https://server:port/cobbler_api
http://server:port/cobbler_api
https://server:port
http://server:port
Probably in that order.
I'd also be curious as to whether enabling an additional SSL port for
Cobbler XMLRPC can be done /functionally/ with just using the Apache
self-signed certs, that is, what validation is enforced by the Python
XMLRPC client. I know for instance some language libraries are quite bad
about this and require decent certificates and importing things client
side, and are quite a hassle to get anonymous SSL going.
(Previous comments about this benefit having marginal value still
apply... we ultimately would want to see the kickstart transferred over
a secure channel and Anaconda to do SSL for packages for this to
actually be "secure").
* If --server=DISCOVER, use Avahi to find the server address and then
try ports we need to try for that server.
* If --server is not set, see if we can load COBBLER_SERVER from the
environment, and then try as above.
I think the above patch you sent will never treat the "--port" value as
a possible https:// port, so if someone were to move their https://
install to port 303 (for instance), they would not be able to use --port
to talk to it unless it were http://.
FYI -- Newer cobbler installs will automatically set up the
COBBLER_SERVER environment variable in profiles.d, but I would recommend
Spacewalk still being explicit and not relying on this, as it's easy for
someone to remove this from their kickstart template either by design or
unintentionally, so it is best that it would still pass --server and
possibly --port to koan and not rely on that variable being present.
Sound good?
--Michael
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
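Michael's port and URL try-list rules, worked through as an added example; this is not koan's own code and is Python 3 rather than the Python 2 the patch targets. The Avahi lookup for DISCOVER is replaced by a caller-supplied `discover` callable, `probe` is a hypothetical test seam, and any server names or ports used with it are constructed.

```python
import os
import xmlrpc.client

DEFAULT_PORTS = (443, 80)

def port_try_list(cli_port=None, environ=None):
    """--port wins; else COBBLER_PORT from the environment; else 443 then 80."""
    environ = os.environ if environ is None else environ
    if cli_port is not None:
        return [int(cli_port)]
    if "COBBLER_PORT" in environ:
        return [int(environ["COBBLER_PORT"])]
    return list(DEFAULT_PORTS)

def resolve_server(cli_server=None, environ=None, discover=None):
    """--server, else COBBLER_SERVER; DISCOVER defers to the caller's
    Avahi resolver callable (assumed here, not implemented)."""
    environ = os.environ if environ is None else environ
    server = cli_server or environ.get("COBBLER_SERVER")
    if server is None:
        raise ValueError("no --server and COBBLER_SERVER is not set")
    if server == "DISCOVER":
        if discover is None:
            raise ValueError("DISCOVER needs an Avahi resolver")
        server = discover()
    return server

def try_url_list(server, ports):
    """Per port: proxied https, proxied http, then bare https, bare http."""
    urls = []
    for port in ports:
        for path in ("/cobbler_api", ""):
            for scheme in ("https", "http"):
                urls.append("%s://%s:%d%s" % (scheme, server, port, path))
    return urls

def connect(urls, probe=None):
    """(url, proxy) for the first URL whose get_profiles() answers. Only
    network and XML-RPC errors advance to the next URL, and each failure
    is kept, unlike the patch's bare 'except:'. 'probe' is a test seam."""
    if probe is None:
        probe = lambda url, proxy: proxy.get_profiles()
    failures = {}
    for url in urls:
        proxy = xmlrpc.client.ServerProxy(url)
        try:
            probe(url, proxy)
            return url, proxy
        except (OSError, xmlrpc.client.Error) as exc:
            failures[url] = exc
    raise ConnectionError("no cobbler_api reachable: %r" % failures)
```

`connect(try_url_list(resolve_server(args.server), port_try_list(args.port)))` is the whole flow; the kept `failures` map is what tells an operator that the https attempt failed on a certificate rather than a closed port.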