----- Original Message -----
From: "Justin Sherrill" <jsherril(a)redhat.com>
To: "cobbler mailing list" <cobbler(a)lists.fedorahosted.org>
Sent: Monday, December 1, 2008 11:01:23 AM GMT -05:00 US/Canada Eastern
Subject: Re: [PATCH] add support to try to connect to 443 if available
Michael DeHaan wrote:
> Justin Sherrill wrote:
>
>
>> ---
>> koan/app.py | 13 ++++++++++---
>> 1 files changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/koan/app.py b/koan/app.py
>> index f5f982f..e2b8e12 100755
>> --- a/koan/app.py
>> +++ b/koan/app.py
>> @@ -297,9 +297,16 @@ class Koan:
>> if uses_avahi:
>> print "- connecting to: %s" % server
>> try:
>> - # first try port 80
>> - self.xmlrpc_server = ServerProxy(url)
>> - self.xmlrpc_server.get_profiles()
>> + try:
>> + #first try port 443
>> + url = "https://%s:443/cobbler_api" %
(server)
>> + self.xmlrpc_server = ServerProxy(url)
>> + self.xmlrpc_server.get_profiles()
>> + except:
>> + #then try port 80
>> + url = "http://%s:80/cobbler_api" %
(server)
>> + self.xmlrpc_server = ServerProxy(url)
>> + self.xmlrpc_server.get_profiles()
>> except:
>> # now try specified port in case Apache proxying
>> # is not configured
>>
>>
>>
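Review bot: the two bare `except:` clauses in the new nested try (after each `self.xmlrpc_server.get_profiles()`) catch everything, including KeyboardInterrupt and plain programming errors, and throw away the reason the 443 attempt failed, so a refused, blocked or TLS-failing connection silently drops to plaintext `http://%s:80/cobbler_api` with nothing printed. Catch the connection-level errors explicitly (`socket.error`, `xmlrpclib.ProtocolError`) and print which URL failed and why before falling back. Note also that the inner `url = "https://%s:443/cobbler_api" % (server)` and `url = "http://%s:80/cobbler_api" % (server)` assignments overwrite the `url` the caller built, so the user's port is never tried over https in this block; the later comment "now try specified port" only covers the http case.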
> Hi Justin,
>
> Thanks for submitting this. Ideally we want the following. It's a
> bit more involved but should cover all of the possible options of the
> koan XMLRPC being proxied through Apache or not, in case folks mess up
> their Apache configurations or want more flexibility.
>
> * If COBBLER_PORT is in the environment, put that port and only that
> port in the try_list, unless --port is defined, in which case, just use
> that instead
> * By default, always try ports 443 and then 80, in that order (call
> this the port_try_list or something)
> * If --port is specified, try only that port (put only that port in the
> port try list, and not 443 or 80)
>
> Then use the following logic to determine the try_url_list:
>
> * If --server is supplied, try http://server:port/cobbler_api and then
> http://server:port for any ports we need to try
>
>
For completeness:
https://server:port/cobbler_api
http://server:port/cobbler_api
https://server:port
http://server:port
Probably in that order.
I'd also be curious as to whether enabling an additional SSL port for
Cobbler XMLRPC can be done /functionally/ with just using the Apache
self-signed certs, that is, what validation is enforced by the Python
XMLRPC client. I know for instance some language libraries are quite bad
about this and require decent certificates and importing things client
side, and are quite a hassle to get anonymous SSL going.
Doesn't appear that much validation is done. You do not have to specify
anything such as the CA cert or anything as you do with some xmlrpc clients.
(Previous comments about this benefit having marginal value still
apply... we ultimately would want to see the kickstart transferred over
a secure channel and Anaconda to do SSL for packages for this to
actually be "secure").
> * If --server=DISCOVER, use Avahi to find the server address and then
> try ports we need to try for that server.
> * If --server is not set, see if we can load COBBLER_SERVER from the
> environment, and then try as above.
>
> I think the above patch you sent will never treat the "--port" value as
> a possible https:// port, so if someone were to move their https://
> install to port 303 (for instance), they would not be able to use --port
> to talk to it unless it were http://.
>
That is correct. The reason I had done this was simply because if the
client tries to connect to the raw cobbler port (25151) it just
hangs.... Not sure why it's doing that, but it is. I'm starting to
think a '--ssl' option would be a better solution (whereby SSL is only
used if that is specified).
> FYI -- Newer cobbler installs will automatically set up the
> COBBLER_SERVER environment variable in profiles.d, but I would recommend
> Spacewalk still being explicit and not relying on this, as it's easy for
> someone to remove this from their kickstart template either by design or
> unintentionally, so it is best that it would still pass --server and
> possibly --port to koan and not rely on that variable being present
>
Ok.
I'll take the above patch and possibly make some modifications early this week.
We can probably refine the order in which things are tried without adding the --ssl
option. Keeping koan's arguments down to a minimum is one of my priorities, as
keeping /significantly/ fewer arguments than something like virt-install is the point
of managing things centrally, so I am inclined against adding a --ssl.
--Michael
> Sound good?
>
> --Michael
>
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
>
> https://fedorahosted.org/mailman/listinfo/cobbler
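The try-list rules Michael lays out above (COBBLER_PORT / --port / the 443-then-80 default, the four URL shapes per port, --server / DISCOVER / COBBLER_SERVER) and the connect loop Justin's patch sketches, as an added example that is not koan's code and not from this thread. It is written for Python 3's xmlrpc.client rather than the Python 2 xmlrpclib koan used in 2008, which matters for the certificate question: the Python 3 client verifies server certificates by default, whereas the thread observes that the Python 2 client did not. All function names, `DEFAULT_PORTS`, the `probe` callback, the `cafile` parameter and the placeholder host names are this example's own assumptions; the Avahi lookup is injected, not implemented.

```python
"""Added example, not koan's code: the port/URL try-list rules from the
thread as pure functions, plus a connect loop that names the errors it
tolerates instead of using a bare except.  Python 3 / xmlrpc.client.
Names below (build_port_try_list, probe, DEFAULT_PORTS, ...) are assumed."""
import os
import socket
import ssl
import xmlrpc.client
from xml.parsers.expat import ExpatError
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_PORTS = [443, 80]  # the thread's default order: 443 first, then 80


def build_port_try_list(port_arg: Optional[int], env: Dict[str, str]) -> List[int]:
    """--port wins outright, then COBBLER_PORT from the environment, then the
    443/80 default; whichever applies is the only thing tried."""
    if port_arg is not None:
        return [int(port_arg)]
    if env.get("COBBLER_PORT"):
        return [int(env["COBBLER_PORT"])]
    return list(DEFAULT_PORTS)


def resolve_server(server_arg: Optional[str], env: Dict[str, str],
                   discover: Optional[Callable[[], str]] = None) -> str:
    """--server, or DISCOVER via a caller-supplied Avahi lookup, or COBBLER_SERVER.
    The lookup is injected; this example does not talk to Avahi."""
    if server_arg == "DISCOVER":
        if discover is None:
            raise ValueError("--server=DISCOVER needs an Avahi lookup callback")
        return discover()
    if server_arg:
        return server_arg
    if env.get("COBBLER_SERVER"):
        return env["COBBLER_SERVER"]
    raise ValueError("no server: pass --server or set COBBLER_SERVER")


def build_url_try_list(server: str, ports: List[int]) -> List[str]:
    """Per port, the four candidates in the thread's order: https then http
    through the Apache /cobbler_api proxy, then https then http against a
    bare host:port listener.  The port is always written out, so a --port
    value is tried over https too (the gap pointed out in the patch review).
    Putting ports in the outer loop is this example's choice; the thread
    does not say which loop is outer."""
    urls = []
    for port in ports:
        for path in ("/cobbler_api", ""):
            for scheme in ("https", "http"):
                urls.append("%s://%s:%d%s" % (scheme, server, port, path))
    return urls


# Errors meaning "this candidate is not a cobbler XMLRPC endpoint": refused or
# timed-out sockets and TLS handshake failures (ssl.SSLError is an OSError),
# HTTP errors such as Apache's 404, and a non-XML body such as an index page.
SKIPPABLE = (OSError, xmlrpc.client.ProtocolError,
             xmlrpc.client.ResponseError, ExpatError)


def connect(urls: List[str], probe: Callable[[str], object]) -> Tuple[str, object]:
    """Try candidates in order; return (url, proxy) for the first that answers.
    Only SKIPPABLE errors move on to the next URL, anything else propagates,
    so a real bug is not swallowed.  Every failure is recorded and reported,
    which makes an https->http fall-through visible instead of silent."""
    failures = []
    for url in urls:
        try:
            return url, probe(url)
        except SKIPPABLE as exc:
            failures.append("%s: %s" % (url, exc))
    raise ConnectionError("no cobbler_api endpoint answered:\n  " + "\n  ".join(failures))


def xmlrpc_probe(cafile: Optional[str] = None, timeout: float = 5.0) -> Callable[[str], object]:
    """Real probe: a ServerProxy that calls get_profiles().  Python 3 verifies
    the server certificate by default; a self-signed Apache cert is trusted by
    passing it as cafile, not by switching verification off.  The socket
    timeout is what keeps a probe from hanging forever on a listener that
    never speaks HTTP, as the thread reports for the raw port."""
    context = ssl.create_default_context(cafile=cafile)

    def probe(url: str) -> object:
        socket.setdefaulttimeout(timeout)
        proxy = xmlrpc.client.ServerProxy(url, context=context)
        proxy.get_profiles()
        return proxy
    return probe


if __name__ == "__main__":
    # Hypothetical invocation; the host name is a placeholder, not a real server.
    server = resolve_server("cobbler.example.com", dict(os.environ))
    for candidate in build_url_try_list(server, build_port_try_list(None, dict(os.environ))):
        print("would try:", candidate)
```

Two things worth noticing when running this against a real host. First, the order itself is a downgrade path: anyone who can make the 443 attempt fail (drop the packets, reset the handshake) steers the client onto plaintext port 80, so the fall-through should at least be loud, which is why `connect` keeps the failure list instead of discarding it the way a bare `except:` does. Second, as the thread already says, this buys little until the kickstart and the package fetches are also over a verified channel; a verified XMLRPC hop in front of an unverified install is not "secure".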