Re: [Users] Notes on setting up spice-proxy console option

From: "David Li" <david_li(a)sbcglobal.net&gt; To: "Marian Krcmarik" <mkrcmari(a)redhat.com&gt; Cc: users(a)ovirt.org Sent: Tuesday, January 28, 2014 10:37:18 PM Subject: Re: [Users] Notes on setting up spice-proxy console option Hi Marian, Thanks a lot for the clarification! Another question: In my spice-xpi console window, I can't get out of it by SHIFT+F12.  Should I use something else?

David ----- Original Message ----- > From: Marian Krcmarik <mkrcmari(a)redhat.com&gt; > To: David Li <david_li(a)sbcglobal.net&gt; > Cc: users(a)ovirt.org > Sent: Tuesday, January 28, 2014 11:14 AM > Subject: Re: [Users] Notes on setting spice-proxy console option > > > > ----- Original Message ----- >> From: "David Li" <david_li(a)sbcglobal.net&gt; >> To: users(a)ovirt.org >> Cc: "david li" <david_li(a)sbcglobal.net&gt; >> Sent: Tuesday, January 28, 2014 7:41:26 PM >> Subject: [Users] Notes on setting spice-proxy console option >> >> Hi, >> >> I have struggled quite a bit to get it up and running. Over the time, I > have >> accumulated some notes on various things I did so to share with everyone > who >> is interested in doing this. This complements the online doc in a way >> that >> might give me a complete picture in one place. However I need some >> clarifications as I might have forgotten to document certain steps or >> certain steps I did turn out to be not necessary in the end. It will be >> great if experts here can help me get the things straight. >> >> >> My setup is like: >> >> Browser (firefox 24.2 on RHEL6) ------------ ovirt-engine (3.3.2) >> ------------ ovirt-node (3.0.3) >> >> No direct network connectivity from the browser machine to the node > machine. >> >> These are the major things I installed for spice-proxy to work: >> >>     * On ovirt-engine: >>        yum install spice-gtk, virt-viewer, spice-xpi > These components are client components (what you call Browser machine). >>        yum-install squid >>       /etc/squid/squid.conf updates: >>     acl localhost src <browser IP addr> >>         #http_access deny CONNECT !SSL_ports > I would rather allow CONNECT to specific Spice ports only 5634-6166: > acl Spice_ports port 5634-6166 > http_access denny CONNECT !Spice_ports >>         http_access deny !Safe_ports >>         http_port 3128 >>      >>        service squid restart >>        make sure iptables allow 3128 >> >>        engine-config -s SpiceProxyDefault= > http://<ovirt-engine-IP>:3128 >>        service ovirt-engine restart >>     >>    *  On browser machine running firefox 24.2.0 on RHEL6 for running > browser >>    console plugin client >>       yum install spice-xpi. > spice-xpi should bring its dependencies virt-viewer -> spice-gtk -> etc. > but If you do not wish to use the plugin launch type, you may install only > virt-viewer (without spice-xpi) and use what I guess is called "Native > client" launch type. >>       make sure VM's console option is set to SPICE >>        >> Are the above steps reasonable? any missing or redundant? > Seems fine, just no need the client packages on the engine. >> >> Additional questions: >> >> 1. Will spice-proxy work with the Spice HTML5 client in the browser? > Probably, but you would need to set the websocket proxy which is part of > installation steps for engine as well (I believe). >> 2. Is the spice-proxy architecture diagram like:  browser --------- squid >> proxy - spice-proxy ---------------------- VM > Browser plugin spice-xpi invokes start of Spice client (virt-viewer) which > makes > CONNECT to Host machine (where the VM is hosted) through the HTTP proxy (in > your > case squid). > Client machine ---> Squid ---> Host (where the VM is hosted). >> 3. I didn't explicitly install any certs for the squid proxy. Is it >> automatically taken care of? > No, no authentication to Squid is supported with Spice now. So If It is > publicly > visible proxy It's important to set careful proxy rules. >> >> >> References: >> >> http://www.ovirt.org/Console_Client_Resources >> >> http://www.ovirt.org/Features/Spice_Proxy >> >> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Vir... >> >> >> Thanks. >> >> David >> >> _______________________________________________ >> Users mailing list >> Users(a)ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> >