CP-309847: Make HTTP/80 configurable #6770
liulinC commented Nov 27, 2025
- Introduce https_only argument for Host.create
- Set https_only from configuration for installation
- Keep https_only from joining host during pool join
The configuration file is added in the spec repo.
| } | ||
| ; { | ||
| param_type= Bool | ||
| ; param_name= "https_only" |
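Review bot: the new `https_only` entry in the parameter list needs a description that states its polarity, because `param_type= Bool` with `param_name= "https_only"` alone does not tell a caller whether true closes or opens port 80. The remaining fields of the record are not visible in this excerpt; check that the doc text agrees with the existing set_https_only wording ("true - http port 80 will be blocked") and that a default is declared so that a caller omitting the argument gets a defined firewall state.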
Don't we already have an option like this?
It has been introduced in XAPI 22.27.0
Hmm there is some duplication between create_params and the fields, looks like this was missing from create_params before.
It'd be good if the list of fields in create_params wouldn't have to be repeated when creating the object itself, otherwise we have to declare some fields twice, as here.
Don't they mean two different things? One is a DB field, and one is an API argument?
I presume not all fields need to be exposed during the create API?
The host.create API call does not include all fields indeed. It is not a public call and only used by xapi internally, for pool join.
What is the connection with

```ocaml
let set_https_only =
  call ~name:"set_https_only"
    ~doc:
      "updates the host firewall to open or close port 80 depending on the \
       value"
    ~lifecycle:[]
    ~params:
      [
        (Ref _host, "self", "The Host")
      ; ( Bool
        , "value"
        , "true - http port 80 will be blocked, false - http port 80 will be \
           open"
        )
      ]
    ~allowed_roles:_R_POOL_OP ()
```

This appears to serve the same purpose and this field will have a default. So why is it not enough to change the default? I looked at the ticket and it is not obvious. Also, if this is a policy, should this not be tied to the pool?
That is an API call to change the firewall. This PR is about making the installation default configurable (not obvious from the PR title "Make HTTP/80 configurable"). It also preserves the configuration on pool join.
What is the problem being solved by this PR compared to the existing solution and could it not be extended? Is the difference not rather small and thus risks confusion?
The background here is we want to disable (not expose) http on XS9 while keeping it open for XS8 by default. Another way is we use some first boot service to set the value after xapi startup with
a62221d to 711e79b
This changes 8 files whereas that would re-use an existing mechanism. Anyway, thanks for providing some background.
- Introduce https_only argument for Host.create
- Set https_only from configuration for installation
- Keep https_only from joining host during pool join
Signed-off-by: Lin Liu <[email protected]>
711e79b to c1b1311
changlei-li left a comment
When a host joins a pool, the host will use the pool master's https_only value, am I right?
| create_or_get_sr_on_master __context rpc session_id | ||
| (my_local_cache_sr, my_local_cache_sr_rec) | ||
| in | ||
|
|
Strange blank line.
I added a line of code here and then removed it, which caused this empty line.
make format does not care about this.
Before joining the pool, the check would make sure the https_only field is the same as on the pool master,