<div dir="ltr"><div>That did the trick for getting the websocket proxy configured ( i backed out all my changes prior to running engine-setup). I do notice that it still seems to leave the ovirt-websocket-proxy.conf in it's default state and makes no dedications to it. Instead it generated /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf<br>
<br>I also noted engine setup generated:<br>/etc/pki/ovirt-engine/certs/websocket-proxy.cer<br>/etc/pki/ovirt-engine/keys/websocket-proxy.p12<br>/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass<br>/etc/pki/ovirt-engine/requests/websocket-proxy.req<br>
<br>None the less still neither spice nor novnc will connect. I tried changing Engine:6100 to EngineIP:6100 so that IP would be used instead. However using either the FQDN or IP still yielded the same results.<br><br></div>
<div>There was nothing interesting in the logs either. I do notice that whilst the websocket-proxy service is running I never see an websockify processes but instead in /var/log/messages I see:<br>Aug 1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br>
<br></div><div>Thus I changed SSL_ONLY=True to SSL_ONLY=False in /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and restarted engine and websocket-proxy<br></div><div>No dice it still generated the same error as above during an attempted connection to /var/log/messages<br>
</div><div><br></div><div>I also not the following error message at VM power off (albeit I am guessing it has nothing to do with this issue): <br>2013-08-01 13:41:03,742 ERROR [org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand] (pool-6-thread-50) [304efb3e] VDS::destroy Failed destroying vm fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error = org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException: VDSGenericException: VDSErrorException: Failed to DestroyVDS, error = Unexpected exception<br>
<br></div><div>- DHC<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 1, 2013 at 1:07 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If you install the proxy on the engine machine you just need:<br>
<br>
# yum install ovirt-engine-websocket-proxy<br>
# engine-setup<br>
<br>
then answer yes when prompt if you like to configure websocket proxy.<br>
<br>
you can execute engine-setup again even if you already installed.<br>
<div><div class="h5"><br>
----- Original Message -----<br>
> From: "Dead Horse" <<a href="mailto:deadhorseconsulting@gmail.com">deadhorseconsulting@gmail.com</a>><br>
> To: "<<a href="mailto:users@ovirt.org">users@ovirt.org</a>>" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
> Sent: Thursday, August 1, 2013 9:01:47 PM<br>
> Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc working<br>
><br>
> After Referencing:<br>
> <a href="http://www.ovirt.org/Features/noVNC_console" target="_blank">http://www.ovirt.org/Features/noVNC_console</a><br>
> <a href="http://www.ovirt.org/Features/SpiceHTML5" target="_blank">http://www.ovirt.org/Features/SpiceHTML5</a><br>
><br>
> and looking at some of the related engine code.<br>
><br>
> I am still attempting to get the spice/novnc browser based consoles to work.<br>
><br>
> I am working from a build from master yesterday I used to upgrade over a<br>
> previous 3.3 master build from about a month back.<br>
><br>
> VDSM version on host is 4.12.0 built minutes ago.<br>
><br>
> I have installed and configured the websocket proxy like so:<br>
><br>
> Set WebSocketProxy to engine ENGINEIP port 6100<br>
> engine-config -s WebSocketProxy=ENGINEIP:6100<br>
><br>
> /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=websocket-proxy<br>
> --password=install --subject="/C=US/O=DHC/CN=ENGINEFQDN"<br>
><br>
> This generates:<br>
> /etc/pki/ovirt-engine/keys/websocket-proxy.p12<br>
> /etc/pki/ovirt-engine/certs/websocket-proxy.cer<br>
> /etc/pki/ovirt-engine/requests/websocket-proxy.req<br>
><br>
> However it does not generate the key that websockify wants so we do:<br>
> openssl pkcs12 -in websocket-proxy.p12 -nocerts -nodes -out<br>
> /etc/pki/ovirt-engine/keys/websocket-proxy.key<br>
><br>
> The configuration of ovirt-websocket-proxy:<br>
> PROXY_HOST=*<br>
> PROXY_PORT=6100<br>
> SOURCE_IS_IPV6=False<br>
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer<br>
> SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key<br>
> FORCE_DATA_VERIFICATION=False<br>
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer<br>
> SSL_ONLY=True<br>
> TRACE_ENABLE=False<br>
> TRACE_FILE=<br>
> ENGINE_USR="/usr/share/ovirt-engine"<br>
><br>
> Install spice-html5<br>
> git clone <a href="http://anongit.freedesktop.org/git/spice/spice-html5.git" target="_blank">http://anongit.freedesktop.org/git/spice/spice-html5.git</a><br>
> mv spice-html5 /usr/share<br>
><br>
> Test spice:<br>
> In Webadmin UI we set create a VM, set display as spice, start it and set<br>
> it's console to spice-html5.<br>
> Result spice-html client opens in a new tab but does not connect.<br>
><br>
> From engine.log:<br>
> 2013-08-01 12:49:52,352 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]<br>
> (ajp--127.0.0.1-8702-9) Running command: SetVmTicketCommand internal: false.<br>
> Entities affected : ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM<br>
> 2013-08-01 12:49:52,371 INFO<br>
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]<br>
> (ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =<br>
> ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,<br>
> vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=TKfzUQJLLrUI,<br>
> validTime=120,m userName=admin@internal,<br>
> userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 5d258049<br>
> 2013-08-01 12:49:52,445 INFO<br>
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]<br>
> (ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: 5d258049<br>
><br>
> Test novnc:<br>
> In Webadmin UI we set create a VM, set display as VNC, start it and set it's<br>
> console to novnc.<br>
> Result novnc client opens in a new tab but does not connect, but does display<br>
> error: "Server disconnected (code: 1006)<br>
><br>
> From engine.log:<br>
> 2013-08-01 12:50:44,800 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]<br>
> (ajp--127.0.0.1-8702-9) Running command: SetVmTicketCommand internal: false.<br>
> Entities affected : ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM<br>
> 2013-08-01 12:50:44,833 INFO<br>
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]<br>
> (ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =<br>
> ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,<br>
> vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=IPWOWh6U9erd,<br>
> validTime=120,m userName=admin@internal,<br>
> userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: bff6161<br>
> 2013-08-01 12:50:44,917 INFO<br>
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]<br>
> (ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: bff6161<br>
><br>
> I verified connection of both the spice/vnc console directly at the host<br>
> level with a quick connect via virt-viewer.<br>
><br>
> A quick scan with nmap of engine and host to verify sockets are open:<br>
><br>
> Nmap scan report for engine<br>
> Host is up (0.0042s latency).<br>
> Not shown: 995 closed ports<br>
> PORT STATE SERVICE<br>
> 22/tcp open ssh<br>
> 80/tcp open http<br>
> 111/tcp open rpcbind<br>
> 443/tcp open https<br>
> 6100/tcp open synchronet-db<br>
><br>
> Nmap scan report for host<br>
> Host is up (0.0045s latency).<br>
> Not shown: 997 closed ports<br>
> PORT STATE SERVICE<br>
> 22/tcp open ssh<br>
> 111/tcp open rpcbind<br>
> 5900/tcp open vnc<br>
><br>
> For grins I stopped the websocket proxy and manually started a websockify<br>
> like so:<br>
> websockify <a href="http://3.57.111.11:6100" target="_blank">3.57.111.11:6100</a> <a href="http://3.57.111.12:5900" target="_blank">3.57.111.12:5900</a><br>
> --cert=/etc/pki/ovirt-engine/certs/websocket-proxy.cer<br>
> --key=/etc/pki/ovirt-engine/keys/websocket-proxy.key<br>
><br>
> WARNING: no 'numpy' module, HyBi protocol is slower or disabled<br>
> WebSocket server settings:<br>
> - Listen on ENGINEIP:6100<br>
> - Flash security policy server<br>
> - SSL/TLS support<br>
> - proxying from ENGINEIP:6100 to HOSTIP:5900<br>
><br>
> Attempting another connection via<br>
> <a href="https://ENGINEFQDN//ovirt-engine-novnc-main.html?host=ENGINEIP&port=6100" target="_blank">https://ENGINEFQDN//ovirt-engine-novnc-main.html?host=ENGINEIP&port=6100</a><br>
> results in:<br>
><br>
> 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL<br>
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br>
><br>
><br>
> I should also note in case it matters that the SSLEnabled=false, and<br>
> EnableSpiceRootCertificateValidation are both set as false are set in my<br>
> engine options.<br>
><br>
> Am I doing something wrong here, I don't see any reason this should not work?<br>
><br>
> - DHC<br>
><br>
</div></div>> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
><br>
</blockquote></div><br></div>