[Ovirt-devel] Some architecture diagrams

Simo Sorce ssorce at redhat.com
Fri Feb 15 17:43:56 UTC 2008


On Fri, 2008-02-15 at 16:41 +0000, Daniel P. Berrange wrote:
> On Fri, Feb 15, 2008 at 11:34:16AM -0500, Simo Sorce wrote:
> > 
> > On Fri, 2008-02-15 at 15:40 +0000, Daniel P. Berrange wrote:
> > > On Fri, Feb 15, 2008 at 03:34:39PM +0000, Richard W.M. Jones wrote:
> > >  
> > > > Question (1) => we could make package ovirt depend on the parts of 
> > > > FreeIPA necessary (ipa-server & ipa-client I think).  _If_ we can 
> > > > persuade FreeIPA to be a good citizen and not require its own server.
> > > 
> > > Yes, it'd be good to have a vhost config file you can drop into the
> > > /etc/httpd/config.d  that would play nicely with the world - eg have
> > > everything under /freeipa  instead of taking over the entire apache
> > > server namespace.
> > 
> > Patches welcome :-)
> > 
> > Btw while I am reading this list, we are planning on using something
> > like rmanager to handle the FreeIPA components so that if one piece goes
> > down it is either restarted or all the (interdependent) pieces go down.
> 
> To be honest, that sounds like something that is more OS / integration
> policy rather than something which should be a fundamental part of
> the FreeIPA app.

The problem is that if FDS dies but the KDC is up bad things happen.
In a multimaster environment with multiple FreeIPA servers for
redundancy you really want to take a server down completely if one of
the pieces misbehaves.

That's why I think this should be part of IPA, it's for reliability, as
it is a core network service that can break all the clients if it
misbehaves badly.

For example if FDS is down but the KDC is up, any client using that KDC
would get the bad surprise of getting all ticket requests denied.

> > However to answer Richard's question, FreeIPA itself does not have to
> > be the only thing running on the server (modulo the mentioned apache
> > configuration problem that can be probably solved).
> > But given its nature it is better, for security reasons, if it is. After
> > all it contains all the Keys to the REALM :-)
> 
> Yep, we're mainly wanting to do the shared apache server for purposes of
> development to reduce the number of machines required for developers.
> Obviously a production deployment would take FreeIPA security much
> more seriously and use a separate machine.

Yeah the only concern is making sure that the service then works
correctly even if it is on another machine. It's easy to take shortcuts,
or not notice network related effects when all is on the same machine,
but I see the value in that, so if you have specific requests to
accommodate the apache conf let us know.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
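The fail-together policy Simo describes (restart a broken piece if you can, otherwise take the whole interdependent group down so clients fail over to a healthy server instead of getting ticket requests denied by a KDC whose directory is gone) can be written as a small supervision loop. The following is an added illustration, not code from this thread, from FreeIPA or from rmanager; the component names "directory" and "kdc", the `probe`/`restart`/`stop` callbacks and the `FakeHost` stand-in are constructed for the example.

```python
# Added example: one sweep of a fail-together supervisor over a group of
# interdependent services. Names and callbacks are constructed stand-ins,
# not FreeIPA's or rmanager's real interfaces.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Group:
    members: List[str]          # components that only make sense together
    max_restarts: int = 1       # restart attempts per component per sweep
    stopped: bool = False


@dataclass
class Outcome:
    action: str                 # "healthy", "restarted" or "stopped_all"
    details: Dict[str, str] = field(default_factory=dict)


def supervise(group: Group,
              probe: Callable[[str], bool],
              restart: Callable[[str], bool],
              stop: Callable[[str], None]) -> Outcome:
    """probe(name) -> True if healthy; restart(name) -> True if healthy
    after a restart; stop(name) stops a component for fail-together."""
    down = [m for m in group.members if not probe(m)]
    if not down:
        return Outcome("healthy")
    details: Dict[str, str] = {}
    for m in down:
        recovered = any(restart(m) for _ in range(group.max_restarts))
        details[m] = "restarted" if recovered else "restart_failed"
        if not recovered:
            # One piece cannot come back: stop everything rather than leave
            # e.g. a KDC answering while the directory behind it is dead.
            for other in group.members:
                stop(other)
                if other != m:
                    details[other] = "stopped"
            group.stopped = True
            return Outcome("stopped_all", details)
    return Outcome("restarted", details)


class FakeHost:
    """Constructed stand-in for a server running a directory and a KDC."""

    def __init__(self, up: Dict[str, bool], restartable):
        self.up = dict(up)                  # name -> currently answering
        self.restartable = set(restartable)  # names a restart will fix
        self.log: List[str] = []

    def probe(self, name: str) -> bool:
        return self.up[name]

    def restart(self, name: str) -> bool:
        self.log.append(f"restart {name}")
        self.up[name] = name in self.restartable
        return self.up[name]

    def stop(self, name: str) -> None:
        self.log.append(f"stop {name}")
        self.up[name] = False


def scenario(up: Dict[str, bool], restartable):
    """Run one sweep against a constructed host; returns (Outcome, host)."""
    host = FakeHost(up, restartable)
    group = Group(members=list(up))
    return supervise(group, host.probe, host.restart, host.stop), host


if __name__ == "__main__":
    # Directory down, KDC up, restart does not help -> whole group stopped.
    out, host = scenario({"directory": False, "kdc": True}, restartable=set())
    print(out.action, out.details, host.log)
```

The key design choice is that a component that will not come back triggers `stop` on every member, including those that are still answering; a half-alive server that keeps accepting connections is worse for clients than one that is cleanly gone, because only the latter lets them move on to another master.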