On Apr 3, 2015, at 08:35, shimano <shimano(a)go2.pl> wrote:
That's why I recommend squid. Without that you should set up port
forwarding on your network's gateway (router). But Spice consoles work on the same
port, and you can't forward the same port to a few different hosts.
I gave you a complete working solution. If you don't want to use a VPN like me, just
change all 10.25.x addresses to your public address and set up port forwarding on the router
from public_ip:3128 to squid_server_lan_ip:3128. That's it ;)
2015-04-02 20:57 GMT+02:00 Jason Keltz <jas(a)cse.yorku.ca>:
You call all of that configuration for accessing consoles, easy? :) :) Engine should be
able to set up the proxy automatically... I haven't used squid, so I have to look in
more detail at the configuration that you've provided.
I did find some other functionality which would have been much much (much!) easier for
me to use had it worked. I was able to Edit each host, go to the "Console" tab,
then click "Override display address", and for display address enter the name of
the node. I did this for each of my 3 nodes. In theory, this should solve the problem.
Now, when accessing the console via remote viewer, the file that is sent from the engine
includes the external IP of the node, so everything should work, but it does not...
Here's what I see:
> (remote-viewer:20327): remote-viewer-DEBUG: Couldn't load configuration: File is empty
>
> (remote-viewer:20327): GSpice-WARNING **: Connection refused
>
> (firefox:20235): Gtk-WARNING **: Unable to retrieve the file info for `file:///tmp/console.vv': Error stating file '/tmp/console.vv': No such file or directory
>
If I choose to save the file instead of opening it directly via remote viewer, it does
contain the proper hostname. I can't telnet to port 5900 on the virt host though,
which is odd. I thought it might be because the hypervisor firewall restricted the
access, so I temporarily cleared all the firewall rules on the one host. That didn't
work either.
If I could make this work, it would solve the problem for me.
Jason.
On 04/02/2015 01:59 PM, shimano wrote:
> You can use Spice Proxy. The easiest way is to run the proxy on Squid. I recommend
> connecting via VPN.
>
> Here is a part of my Squid configuration to connect Spice consoles from VPN
> 10.25.0.0/16 and LAN 192.168.0.0/16 to oVirt's hosts on 192.168.2.0/24:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 192.168.0.0/16
> acl localnet src 10.25.0.0/16
> acl Safe_ports port 80 # http
> acl CONNECT method CONNECT
> http_access allow localnet
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> acl spice_servers dst 192.168.2.0/24
> http_access allow spice_servers
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> cache_dir ufs /var/spool/squid 100 16 256
> cache_mem 32 MB
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> cache_effective_user squid
> cache_effective_group squid
>
> You have to configure Spice Proxy on oVirt Engine by
> `engine-config -s SpiceProxyDefault=someProxy`. Here is my solution:
>
> root@host021:~ engine-config -a |grep SpiceProxyDefault
> SpiceProxyDefault: http://10.25.2.21:3128/ version: general
>
> You can use Proxy on your public IP if you don't like to use VPN, but remember to
> make sure that your machines are secured enough.
>
> 2015-04-02 18:06 GMT+02:00 Jason Keltz <jas(a)cse.yorku.ca>:
> I'm trying to figure out the most reasonable method for me to access the console
> on my ovirt installation.
> Each node has ovirtmgmt, storage, and external network connectivity.
> The standalone engine host has ovirtmgmt, and external network.
> I connect to engine via the external network, right click on a VM and try to access
> the console. If I use the "Remote Viewer" method, the connection fails. This
> is because my client on the external network doesn't have access to ovirtmgmt.
> I can access the spice-html5 client, and that "basically" works, though
> it's crashed more than once. I suspect that Remote Viewer will be more stable.
If you don't mind switching to VNC, then novnc would be much more stable and working…
If spice-html5 works fine for you, you already have the websocket proxy set up correctly, so
it will work out of the box...
> So my question is - what is the best way for me to connect to the
> console from the external network?
> Either, I have to start up my client on a machine that has an IP on ovirtmgmt (eg.
> remote login to engine, and run firefox there?)
> or I have to route external packets from my host to say, the engine host, and run IP
> forwarding there? probably not too secure...
> or I have to figure out a way to make ovirt use the external network for display
> traffic... that would probably be best (?) but I can't seem to figure out whether
> it's possible.
> In particular since the external network is a VM network (it's actually 2 x 1 G
> links bound via LACP), and not part of ovirt infrastructure, it's not clear if I can
> use it for display and VM external connectivity as well.
>
> Any thoughts would be much appreciated.
>
> Jason.
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
>
http://lists.ovirt.org/mailman/listinfo/users