<div dir="ltr"><div>That's why I recommend squid. Without that you should make port forwarding on your network's gateway (router). But Spice consoles working on the same port and you can't make port forwarding to few different hosts on the same port.<br><br></div>I gave you a complete working solution. If you don't like to use VPN like me, just change all 10.25.x addresses to your public address and make port forwarding on router from public_ip:3128 to squid_server_lan_ip:3128. That's it ;)<br><br><div class="gmail_extra"><br><div class="gmail_quote">2015-04-02 20:57 GMT+02:00 Jason Keltz <span dir="ltr"><<a href="mailto:jas@cse.yorku.ca" target="_blank">jas@cse.yorku.ca</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
You call all of that configuration for accessing consoles, easy? :)
:) Engine should be able to set up the proxy automatically... I
haven't used squid, so I have to look in more detail at the
configuration that you've provided. <br>
<br>
I did find some other functionality which would have been much much
(much!) easier for me to use had it worked. I was able to Edit
each host, go to the "Console" tab, then click "Override display
address", and for display address enter the name of the node. I did
this for each of my 3 nodes. In theory, this should solve the
problem. Now, when accessing the console via remote viewer, the
file that is sent from the engine includes the external IP of the
node, so everything should work, but it does not...<br>
Here's what I see:<br>
<br>
<blockquote type="cite">(remote-viewer:20327): remote-viewer-DEBUG:
Couldn't load configuration: File is empty<br>
<br>
(remote-viewer:20327): GSpice-WARNING **: Connection refused<br>
<br>
(firefox:20235): Gtk-WARNING **: Unable to retrieve the file info
for `<a>file:///tmp/console.vv</a>': Error stating file
'/tmp/console.vv': No such file or directory<br>
<br>
</blockquote>
If I choose to save the file instead of opening it directly via
remote viewer, it does contain the proper hostname. I can't telnet
to port 5900 on the virt host though, which is odd. I thought it
might be because the hypervisor firewall restricted the access, so I
temporarily cleared all the firewall rules on the one host. That
didn't work either.<br>
<br>
If I could make this work, it would solve the problem for me.<span><font color="#888888"><br>
<br>
Jason.</font></span><div><div><br>
<br>
<br>
On 04/02/2015 01:59 PM, shimano wrote:<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>You can use Spice Proxy. The easiest way is to run
proxy on Squid. I recommend connect via VPN.<br>
<br>
</div>
Here is a part of my Squid's configuration to connect Spice
consoles from VPN <a href="http://10.25.0.0/16" target="_blank">10.25.0.0/16</a> and LAN <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>
to oVirt's hosts on <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a>:<br>
<br>
acl manager proto cache_object<br>
acl localhost src <a href="http://127.0.0.1/32" target="_blank">127.0.0.1/32</a> ::1<br>
acl to_localhost dst <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a> <a href="http://0.0.0.0/32" target="_blank">0.0.0.0/32</a>
::1<br>
acl localnet src <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a><br>
acl localnet src <a href="http://10.25.0.0/16" target="_blank">10.25.0.0/16</a><br>
acl Safe_ports port 80 # http<br>
acl CONNECT method CONNECT<br>
http_access allow localnet<br>
http_access allow manager localhost<br>
http_access deny manager<br>
http_access deny !Safe_ports<br>
acl spice_servers dst <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a><br>
http_access allow spice_servers<br>
http_access allow localnet<br>
http_access allow localhost<br>
http_access allow all<br>
http_port 3128<br>
hierarchy_stoplist cgi-bin ?<br>
cache_dir ufs /var/spool/squid 100 16 256<br>
cache_mem 32 MB<br>
coredump_dir /var/spool/squid<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
cache_effective_user squid<br>
cache_effective_group squid<br>
<br>
</div>
You have to configure Spice Proxy on oVirt Engine by
`engine-config -s SpiceProxyDefault=someProxy`. Here is my
solution:<br>
<br>
root@host021:~ engine-config -a |grep SpiceProxyDefault<br>
SpiceProxyDefault: <a href="http://10.25.2.21:3128/" target="_blank">http://10.25.2.21:3128/</a>
version: general<br>
<br>
</div>
You can use Proxy on your public IP if you don't like to use
VPN, but remember to make sure that your machines are secured
enough.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-04-02 18:06 GMT+02:00 Jason Keltz
<span dir="ltr"><<a href="mailto:jas@cse.yorku.ca" target="_blank">jas@cse.yorku.ca</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm trying
to figure out the most reasonable method for me to access
the console on my ovirt installation.<br>
Each node has ovirtmgmt, storage, and external network
connectivity.<br>
The standalone engine host has ovirtmgmt, and external
network.<br>
I connect to engine via the external network, right click on
a VM and try to access the console. If I use the "Remote
Viewer" method, the connection fails. This is because my
client on the external network doesn't have access to
ovirtmgmt.<br>
I can access the spice-html5 client, and that "basically"
works, though it's crashed more than once. I suspect that
Remote Viewer will be more stable.<br>
So my question is - what is the best way for me to connect
to the console from the external network?<br>
Either, I have to start up my client on a machine that has
an IP on ovirtmgmt (eg. remote login to engine, and run
firefox there?)<br>
or I have to route external packets from my host to say, the
engine host, and run IP forwarding there? probably not too
secure...<br>
or I have to figure out a way to make ovirt use the external
network for display traffic... that would probably be best
(?) but I can't seem to figure out whether it's possible.<br>
In particular since the external network is a VM network
(it's actually 2 x 1 G links bound via LACP), and not part
of ovirt infrastructure, it's not clear if I can use it for
display and VM external connectivity as well.<br>
<br>
Any thoughts would be much appreciated.<br>
<br>
Jason.<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div></div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div></div>