From mjames at media-node.com Tue Sep 16 09:50:21 2014
Content-Type: multipart/mixed; boundary="===============8732663506425406087=="
MIME-Version: 1.0
From: Maurice James <mjames at media-node.com>
To: users at ovirt.org
Subject: [ovirt-users] Spice client with engine portal
Date: Tue, 16 Sep 2014 09:50:18 -0400
Message-ID: <1924256176.5023.1410875418158.JavaMail.zimbra@media-node.com>
In-Reply-To: 1840312997.4999.1410875255708.JavaMail.zimbra@media-node.com

--===============8732663506425406087==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

------=3D_Part_5022_39979720.1410875418148
Content-Type: text/plain; charset=3Dutf-8
Content-Transfer-Encoding: 7bit

How do I get the spice client to connect to a VM through the portal instead=
 of attempting to connect directly to the VM? For example. I allow access t=
o the engine portal over our WAN to a NATed IP address. The users on the ot=
her side of the WAN do not have access to the real VM IP addresses. When th=
ey click on the console access button, they are unable to connect to the VM=
. I believe this is because it using attempting a direct connection instead=
 of proxying through the portal. =


------=3D_Part_5022_39979720.1410875418148
Content-Type: text/html; charset=3Dutf-8
Content-Transfer-Encoding: 7bit

<html><body><div style=3D"font-family: times new roman, new york, times, se=
rif; font-size: 12pt; color: #000000"><div>How do I get the spice client to=
 connect to a VM through the portal instead of attempting to connect direct=
ly to the VM? For example. I allow access to the engine portal over our WAN=
 to a NATed IP address. The users on the other side of the WAN do not have =
access to the real VM IP addresses. When they click on the console access b=
utton, they are unable to connect to the VM. I believe this is because it u=
sing attempting a direct connection instead of proxying through the portal.=
<br data-mce-bogus=3D"1"></div></div></body></html>
------=3D_Part_5022_39979720.1410875418148--

--===============8732663506425406087==
Content-Type: multipart/alternative
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.bin"

LS0tLS0tPV9QYXJ0XzUwMjJfMzk5Nzk3MjAuMTQxMDg3NTQxODE0OApDb250ZW50LVR5cGU6IHRl
eHQvcGxhaW47IGNoYXJzZXQ9dXRmLTgKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdAoK
SG93IGRvIEkgZ2V0IHRoZSBzcGljZSBjbGllbnQgdG8gY29ubmVjdCB0byBhIFZNIHRocm91Z2gg
dGhlIHBvcnRhbCBpbnN0ZWFkIG9mIGF0dGVtcHRpbmcgdG8gY29ubmVjdCBkaXJlY3RseSB0byB0
aGUgVk0/IEZvciBleGFtcGxlLiBJIGFsbG93IGFjY2VzcyB0byB0aGUgZW5naW5lIHBvcnRhbCBv
dmVyIG91ciBXQU4gdG8gYSBOQVRlZCBJUCBhZGRyZXNzLiBUaGUgdXNlcnMgb24gdGhlIG90aGVy
IHNpZGUgb2YgdGhlIFdBTiBkbyBub3QgaGF2ZSBhY2Nlc3MgdG8gdGhlIHJlYWwgVk0gSVAgYWRk
cmVzc2VzLiBXaGVuIHRoZXkgY2xpY2sgb24gdGhlIGNvbnNvbGUgYWNjZXNzIGJ1dHRvbiwgdGhl
eSBhcmUgdW5hYmxlIHRvIGNvbm5lY3QgdG8gdGhlIFZNLiBJIGJlbGlldmUgdGhpcyBpcyBiZWNh
dXNlIGl0IHVzaW5nIGF0dGVtcHRpbmcgYSBkaXJlY3QgY29ubmVjdGlvbiBpbnN0ZWFkIG9mIHBy
b3h5aW5nIHRocm91Z2ggdGhlIHBvcnRhbC4gCgotLS0tLS09X1BhcnRfNTAyMl8zOTk3OTcyMC4x
NDEwODc1NDE4MTQ4CkNvbnRlbnQtVHlwZTogdGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04CkNvbnRl
bnQtVHJhbnNmZXItRW5jb2Rpbmc6IDdiaXQKCjxodG1sPjxib2R5PjxkaXYgc3R5bGU9ImZvbnQt
ZmFtaWx5OiB0aW1lcyBuZXcgcm9tYW4sIG5ldyB5b3JrLCB0aW1lcywgc2VyaWY7IGZvbnQtc2l6
ZTogMTJwdDsgY29sb3I6ICMwMDAwMDAiPjxkaXY+SG93IGRvIEkgZ2V0IHRoZSBzcGljZSBjbGll
bnQgdG8gY29ubmVjdCB0byBhIFZNIHRocm91Z2ggdGhlIHBvcnRhbCBpbnN0ZWFkIG9mIGF0dGVt
cHRpbmcgdG8gY29ubmVjdCBkaXJlY3RseSB0byB0aGUgVk0/IEZvciBleGFtcGxlLiBJIGFsbG93
IGFjY2VzcyB0byB0aGUgZW5naW5lIHBvcnRhbCBvdmVyIG91ciBXQU4gdG8gYSBOQVRlZCBJUCBh
ZGRyZXNzLiBUaGUgdXNlcnMgb24gdGhlIG90aGVyIHNpZGUgb2YgdGhlIFdBTiBkbyBub3QgaGF2
ZSBhY2Nlc3MgdG8gdGhlIHJlYWwgVk0gSVAgYWRkcmVzc2VzLiBXaGVuIHRoZXkgY2xpY2sgb24g
dGhlIGNvbnNvbGUgYWNjZXNzIGJ1dHRvbiwgdGhleSBhcmUgdW5hYmxlIHRvIGNvbm5lY3QgdG8g
dGhlIFZNLiBJIGJlbGlldmUgdGhpcyBpcyBiZWNhdXNlIGl0IHVzaW5nIGF0dGVtcHRpbmcgYSBk
aXJlY3QgY29ubmVjdGlvbiBpbnN0ZWFkIG9mIHByb3h5aW5nIHRocm91Z2ggdGhlIHBvcnRhbC48
YnIgZGF0YS1tY2UtYm9ndXM9IjEiPjwvZGl2PjwvZGl2PjwvYm9keT48L2h0bWw+Ci0tLS0tLT1f
UGFydF81MDIyXzM5OTc5NzIwLjE0MTA4NzU0MTgxNDgtLQo=

--===============8732663506425406087==--

From gianluca.cecchi at gmail.com Tue Sep 16 10:02:26 2014
Content-Type: multipart/mixed; boundary="===============3749735185260943543=="
MIME-Version: 1.0
From: Gianluca Cecchi <gianluca.cecchi at gmail.com>
To: users at ovirt.org
Subject: Re: [ovirt-users] Spice client with engine portal
Date: Tue, 16 Sep 2014 16:02:24 +0200
Message-ID: <CAG2kNCw1oPPwJF=ehK6uo710a2xQS6DD_k6gJ5ZOKbMa6QZhTQ@mail.gmail.com>
In-Reply-To: 1924256176.5023.1410875418158.JavaMail.zimbra@media-node.com

--===============3749735185260943543==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 16, 2014 at 3:50 PM, Maurice James <mjames(a)media-node.com>
wrote:

> How do I get the spice client to connect to a VM through the portal
> instead of attempting to connect directly to the VM? For example. I allow
> access to the engine portal over our WAN to a NATed IP address. The users
> on the other side of the WAN do not have access to the real VM IP
> addresses. When they click on the console access button, they are unable =
to
> connect to the VM. I believe this is because it using attempting a direct
> connection instead of proxying through the portal.
>
>
see:
http://www.ovirt.org/Features/Spice_Proxy

more tech details also from rhev docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualiza=
tion/3.4/html/Administration_Guide/chap-Proxies.html#sect-SPICE_Proxy

I don't remember if it is ok and works to set up the squid part on engine
itself.... but I think it would be cleaner design to put it on another
dedicated infrastructure host, perhaps already existing in your infra for
similar reasons.

Gianluca

--===============3749735185260943543==
Content-Type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"

PGRpdiBkaXI9Imx0ciI+PGRpdiBjbGFzcz0iZ21haWxfZXh0cmEiPjxkaXYgY2xhc3M9ImdtYWls
X3F1b3RlIj5PbiBUdWUsIFNlcCAxNiwgMjAxNCBhdCAzOjUwIFBNLCBNYXVyaWNlIEphbWVzIDxz
cGFuIGRpcj0ibHRyIj4mbHQ7PGEgaHJlZj0ibWFpbHRvOm1qYW1lc0BtZWRpYS1ub2RlLmNvbSIg
dGFyZ2V0PSJfYmxhbmsiPm1qYW1lc0BtZWRpYS1ub2RlLmNvbTwvYT4mZ3Q7PC9zcGFuPiB3cm90
ZTo8YnI+PGJsb2NrcXVvdGUgY2xhc3M9ImdtYWlsX3F1b3RlIiBzdHlsZT0ibWFyZ2luOjBweCAw
cHggMHB4IDAuOGV4O2JvcmRlci1sZWZ0LXdpZHRoOjFweDtib3JkZXItbGVmdC1jb2xvcjpyZ2Io
MjA0LDIwNCwyMDQpO2JvcmRlci1sZWZ0LXN0eWxlOnNvbGlkO3BhZGRpbmctbGVmdDoxZXgiPjxk
aXY+PGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6JiMzOTt0aW1lcyBuZXcgcm9tYW4mIzM5OywmIzM5
O25ldyB5b3JrJiMzOTssdGltZXMsc2VyaWY7Zm9udC1zaXplOjEycHQ7Y29sb3I6cmdiKDAsMCww
KSI+PGRpdj5Ib3cgZG8gSSBnZXQgdGhlIHNwaWNlIGNsaWVudCB0byBjb25uZWN0IHRvIGEgVk0g
dGhyb3VnaCB0aGUgcG9ydGFsIGluc3RlYWQgb2YgYXR0ZW1wdGluZyB0byBjb25uZWN0IGRpcmVj
dGx5IHRvIHRoZSBWTT8gRm9yIGV4YW1wbGUuIEkgYWxsb3cgYWNjZXNzIHRvIHRoZSBlbmdpbmUg
cG9ydGFsIG92ZXIgb3VyIFdBTiB0byBhIE5BVGVkIElQIGFkZHJlc3MuIFRoZSB1c2VycyBvbiB0
aGUgb3RoZXIgc2lkZSBvZiB0aGUgV0FOIGRvIG5vdCBoYXZlIGFjY2VzcyB0byB0aGUgcmVhbCBW
TSBJUCBhZGRyZXNzZXMuIFdoZW4gdGhleSBjbGljayBvbiB0aGUgY29uc29sZSBhY2Nlc3MgYnV0
dG9uLCB0aGV5IGFyZSB1bmFibGUgdG8gY29ubmVjdCB0byB0aGUgVk0uIEkgYmVsaWV2ZSB0aGlz
IGlzIGJlY2F1c2UgaXQgdXNpbmcgYXR0ZW1wdGluZyBhIGRpcmVjdCBjb25uZWN0aW9uIGluc3Rl
YWQgb2YgcHJveHlpbmcgdGhyb3VnaCB0aGUgcG9ydGFsLjxicj48L2Rpdj48L2Rpdj48L2Rpdj48
YnI+PC9ibG9ja3F1b3RlPjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9ImdtYWlsX2V4dHJhIj48YnI+
PC9kaXY+PGRpdiBjbGFzcz0iZ21haWxfZXh0cmEiPnNlZTo8L2Rpdj48ZGl2IGNsYXNzPSJnbWFp
bF9leHRyYSI+PGEgaHJlZj0iaHR0cDovL3d3dy5vdmlydC5vcmcvRmVhdHVyZXMvU3BpY2VfUHJv
eHkiPmh0dHA6Ly93d3cub3ZpcnQub3JnL0ZlYXR1cmVzL1NwaWNlX1Byb3h5PC9hPjxicj48L2Rp
dj48ZGl2IGNsYXNzPSJnbWFpbF9leHRyYSI+PGJyPjwvZGl2PjxkaXYgY2xhc3M9ImdtYWlsX2V4
dHJhIj5tb3JlIHRlY2ggZGV0YWlscyBhbHNvIGZyb20gcmhldiBkb2NzOjwvZGl2PjxkaXYgY2xh
c3M9ImdtYWlsX2V4dHJhIj48YSBocmVmPSJodHRwczovL2FjY2Vzcy5yZWRoYXQuY29tL2RvY3Vt
ZW50YXRpb24vZW4tVVMvUmVkX0hhdF9FbnRlcnByaXNlX1ZpcnR1YWxpemF0aW9uLzMuNC9odG1s
L0FkbWluaXN0cmF0aW9uX0d1aWRlL2NoYXAtUHJveGllcy5odG1sI3NlY3QtU1BJQ0VfUHJveHki
Pmh0dHBzOi8vYWNjZXNzLnJlZGhhdC5jb20vZG9jdW1lbnRhdGlvbi9lbi1VUy9SZWRfSGF0X0Vu
dGVycHJpc2VfVmlydHVhbGl6YXRpb24vMy40L2h0bWwvQWRtaW5pc3RyYXRpb25fR3VpZGUvY2hh
cC1Qcm94aWVzLmh0bWwjc2VjdC1TUElDRV9Qcm94eTwvYT48YnI+PC9kaXY+PGRpdiBjbGFzcz0i
Z21haWxfZXh0cmEiPjxicj48L2Rpdj48ZGl2IGNsYXNzPSJnbWFpbF9leHRyYSI+SSBkb24mIzM5
O3QgcmVtZW1iZXIgaWYgaXQgaXMgb2sgYW5kIHdvcmtzIHRvIHNldCB1cCB0aGUgc3F1aWQgcGFy
dCBvbiBlbmdpbmUgaXRzZWxmLi4uLiBidXQgSSB0aGluayBpdCB3b3VsZCBiZSBjbGVhbmVyIGRl
c2lnbiB0byBwdXQgaXQgb24gYW5vdGhlciBkZWRpY2F0ZWQgaW5mcmFzdHJ1Y3R1cmUgaG9zdCwg
cGVyaGFwcyBhbHJlYWR5IGV4aXN0aW5nIGluIHlvdXIgaW5mcmEgZm9yIHNpbWlsYXIgcmVhc29u
cy48L2Rpdj48ZGl2IGNsYXNzPSJnbWFpbF9leHRyYSI+PGJyPjwvZGl2PjxkaXYgY2xhc3M9Imdt
YWlsX2V4dHJhIj5HaWFubHVjYTwvZGl2PjwvZGl2Pgo=

--===============3749735185260943543==--

From djasa at redhat.com Tue Sep 16 10:48:31 2014
Content-Type: multipart/mixed; boundary="===============5385172725410517911=="
MIME-Version: 1.0
From: =?utf-8?q?David_Ja=C5=A1a_=3Cdjasa_at_redhat=2Ecom=3E?=
To: users at ovirt.org
Subject: Re: [ovirt-users] Spice client with engine portal
Date: Tue, 16 Sep 2014 16:48:27 +0200
Message-ID: <1410878907.14375.8.camel@cihla.spice.brq.redhat.com>
In-Reply-To: CAG2kNCw1oPPwJF=ehK6uo710a2xQS6DD_k6gJ5ZOKbMa6QZhTQ@mail.gmail.com

--===============5385172725410517911==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On =C3=9At, 2014-09-16 at 16:02 +0200, Gianluca Cecchi wrote:
> On Tue, Sep 16, 2014 at 3:50 PM, Maurice James <mjames(a)media-node.com>
> wrote:
>         How do I get the spice client to connect to a VM through the
>         portal instead of attempting to connect directly to the VM?
>         For example. I allow access to the engine portal over our WAN
>         to a NATed IP address. The users on the other side of the WAN
>         do not have access to the real VM IP addresses. =


Please note that the client is actually connecting to _host_ IP, not to
VM IP address. The VM may be configured with no NIC (so w/o any network
connectivity) and you'll still be able to connect to it using Spice (or
VNC). Only RDP needs connectivity to the VM.

>         When they click on the console access button, they are unable
>         to connect to the VM. I believe this is because it using
>         attempting a direct connection instead of proxying through the
>         portal.
>         =

>         =

> =

> =

> see:
> http://www.ovirt.org/Features/Spice_Proxy
> =

> =

> =

> more tech details also from rhev docs:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali=
zation/3.4/html/Administration_Guide/chap-Proxies.html#sect-SPICE_Proxy
> =

> =

> =

> I don't remember if it is ok and works to set up the squid part on
> engine itself.... =


In principle, there's no reason why it shouldn't work. ovirt-engine &
friends don't care about squid and squid doesn't care about the rest of
the system as long as the machine has enough power/bandwidth to run
both.

> but I think it would be cleaner design to put it on another dedicated
> infrastructure host, perhaps already existing in your infra for
> similar reasons.

Agreed.

David

> =

> =

> Gianluca
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users



--===============5385172725410517911==--

From mjames at media-node.com Tue Sep 16 11:13:15 2014
Content-Type: multipart/mixed; boundary="===============4841762832689370055=="
MIME-Version: 1.0
From: Maurice James <mjames at media-node.com>
To: users at ovirt.org
Subject: Re: [ovirt-users] Spice client with engine portal
Date: Tue, 16 Sep 2014 11:13:12 -0400
Message-ID: <711812126.5245.1410880392493.JavaMail.zimbra@media-node.com>
In-Reply-To: 1410878907.14375.8.camel@cihla.spice.brq.redhat.com

--===============4841762832689370055==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

So I only need to make sure that the users on the other side of the WAN can=
 connect on the spice ports?

----- Original Message -----
From: "David Ja=C5=A1a" <djasa(a)redhat.com>
To: "Maurice James" <mjames(a)media-node.com>
Cc: "users" <users(a)ovirt.org>
Sent: Tuesday, September 16, 2014 10:48:27 AM
Subject: Re: [ovirt-users] Spice client with engine portal

On =C3=9At, 2014-09-16 at 16:02 +0200, Gianluca Cecchi wrote:
> On Tue, Sep 16, 2014 at 3:50 PM, Maurice James <mjames(a)media-node.com>
> wrote:
>         How do I get the spice client to connect to a VM through the
>         portal instead of attempting to connect directly to the VM?
>         For example. I allow access to the engine portal over our WAN
>         to a NATed IP address. The users on the other side of the WAN
>         do not have access to the real VM IP addresses. =


Please note that the client is actually connecting to _host_ IP, not to
VM IP address. The VM may be configured with no NIC (so w/o any network
connectivity) and you'll still be able to connect to it using Spice (or
VNC). Only RDP needs connectivity to the VM.

>         When they click on the console access button, they are unable
>         to connect to the VM. I believe this is because it using
>         attempting a direct connection instead of proxying through the
>         portal.
>         =

>         =

> =

> =

> see:
> http://www.ovirt.org/Features/Spice_Proxy
> =

> =

> =

> more tech details also from rhev docs:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali=
zation/3.4/html/Administration_Guide/chap-Proxies.html#sect-SPICE_Proxy
> =

> =

> =

> I don't remember if it is ok and works to set up the squid part on
> engine itself.... =


In principle, there's no reason why it shouldn't work. ovirt-engine &
friends don't care about squid and squid doesn't care about the rest of
the system as long as the machine has enough power/bandwidth to run
both.

> but I think it would be cleaner design to put it on another dedicated
> infrastructure host, perhaps already existing in your infra for
> similar reasons.

Agreed.

David

> =

> =

> Gianluca
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users



--===============4841762832689370055==--

From djasa at redhat.com Wed Sep 17 04:13:54 2014
Content-Type: multipart/mixed; boundary="===============4754233383190564225=="
MIME-Version: 1.0
From: =?utf-8?q?David_Ja=C5=A1a_=3Cdjasa_at_redhat=2Ecom=3E?=
To: users at ovirt.org
Subject: Re: [ovirt-users] Spice client with engine portal
Date: Wed, 17 Sep 2014 10:13:49 +0200
Message-ID: <1410941629.14375.9.camel@cihla.spice.brq.redhat.com>
In-Reply-To: 711812126.5245.1410880392493.JavaMail.zimbra@media-node.com

--===============4754233383190564225==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On =C3=9At, 2014-09-16 at 11:13 -0400, Maurice James wrote:
> So I only need to make sure that the users on the other side of the WAN c=
an connect on the spice ports?

Yes, that's all you need.

David

> =

> ----- Original Message -----
> From: "David Ja=C5=A1a" <djasa(a)redhat.com>
> To: "Maurice James" <mjames(a)media-node.com>
> Cc: "users" <users(a)ovirt.org>
> Sent: Tuesday, September 16, 2014 10:48:27 AM
> Subject: Re: [ovirt-users] Spice client with engine portal
> =

> On =C3=9At, 2014-09-16 at 16:02 +0200, Gianluca Cecchi wrote:
> > On Tue, Sep 16, 2014 at 3:50 PM, Maurice James <mjames(a)media-node.com>
> > wrote:
> >         How do I get the spice client to connect to a VM through the
> >         portal instead of attempting to connect directly to the VM?
> >         For example. I allow access to the engine portal over our WAN
> >         to a NATed IP address. The users on the other side of the WAN
> >         do not have access to the real VM IP addresses. =

> =

> Please note that the client is actually connecting to _host_ IP, not to
> VM IP address. The VM may be configured with no NIC (so w/o any network
> connectivity) and you'll still be able to connect to it using Spice (or
> VNC). Only RDP needs connectivity to the VM.
> =

> >         When they click on the console access button, they are unable
> >         to connect to the VM. I believe this is because it using
> >         attempting a direct connection instead of proxying through the
> >         portal.
> >         =

> >         =

> > =

> > =

> > see:
> > http://www.ovirt.org/Features/Spice_Proxy
> > =

> > =

> > =

> > more tech details also from rhev docs:
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtua=
lization/3.4/html/Administration_Guide/chap-Proxies.html#sect-SPICE_Proxy
> > =

> > =

> > =

> > I don't remember if it is ok and works to set up the squid part on
> > engine itself.... =

> =

> In principle, there's no reason why it shouldn't work. ovirt-engine &
> friends don't care about squid and squid doesn't care about the rest of
> the system as long as the machine has enough power/bandwidth to run
> both.
> =

> > but I think it would be cleaner design to put it on another dedicated
> > infrastructure host, perhaps already existing in your infra for
> > similar reasons.
> =

> Agreed.
> =

> David
> =

> > =

> > =

> > Gianluca
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> =

> =

> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users



--===============4754233383190564225==--