[ovirt-users] Re: Using the web-ui VM portal through a proxy failing

Hey, https://github.com/oVirt/ovirt-web-ui/issues/938 You can follow progress there. Thank you for reporting. Best wishes, Greg On Wed, Oct 24, 2018 at 11:41 AM Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: > Dear Greg, > > Here's my config, this is based on the original guide and some other > stuff that i found to help make it work. > Squid Cache: Version 3.5.20 > > https_port 443 accel key=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.key > cert=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.crt defaultsite=<ovirt > engine node> > cache_peer <ovirt engine node> parent 443 0 no-query originserver ssl > sslcafile=/etc/squid/ca.pem sslflags=DONT_VERIFY_PEER name=engine > cache_peer_access engine allow all > ssl_bump allow all > http_port 3128 > acl ovirt_nodes dst <ovirt engine hosts subnet> > acl ovirt_engine dstdomain .<ovirt engine node> > acl all_ips src 1.1.1.1/1 > http_access allow ovirt_nodes ovirt_engine > http_access allow all_ips > http_access allow all > > > # Following are from: > # https://access.redhat.com/solutions/425693 > > # Leave coredumps in the first cache dir > coredump_dir /var/spool/squid > > # RHEV and Spice may leave connections idle for long periods > pconn_timeout 12 hours > request_timeout 12 hours > read_timeout 12 hours > > # We need approx 20 open filehandles per spice client > max_filedesc 16384 > > Regards, > Callum > > -- > > Callum Smith > Research Computing Core > Wellcome Trust Centre for Human Genetics > University of Oxford > e. callum(a)well.ox.ac.uk > > On 3 Oct 2018, at 00:39, Greg Sheremeta <gshereme(a)redhat.com&gt; wrote: > > Hi Callum, > > I took a look at this, but got in the weeds pretty quickly with squid > configuration. I can help more offline, but it might be a while. > > It'll probably be easier if you can provide me exact steps for how I > could reproduce. Looks like I need to generate some keys. Can you create > and share a simple reproducer? > > Greg > > > On Thu, Sep 20, 2018 at 11:37 AM Callum Smith <callum(a)well.ox.ac.uk&gt; > wrote: > >> Dear Greg, >> >> Did you manage to get any further with this, reverse proxy is rather >> critical to this project. >> >> Regards, >> Callum >> >> -- >> >> Callum Smith >> Research Computing Core >> Wellcome Trust Centre for Human Genetics >> University of Oxford >> e. callum(a)well.ox.ac.uk >> >> On 6 Aug 2018, at 12:13, Greg Sheremeta <gshereme(a)redhat.com&gt; wrote: >> >> I'll look into it and get back to you. >> >> On Mon, Aug 6, 2018 at 7:02 AM Callum Smith <callum(a)well.ox.ac.uk&gt; >> wrote: >> >>> Dear Greg, >>> >>> So what's the go-to here, it seems so close but something in the API >>> ajax is failing. >>> >>> Regards, >>> Callum >>> >>> -- >>> >>> Callum Smith >>> Research Computing Core >>> Wellcome Trust Centre for Human Genetics >>> University of Oxford >>> e. callum(a)well.ox.ac.uk >>> >>> On 27 Jul 2018, at 12:21, Greg Sheremeta <gshereme(a)redhat.com&gt; wrote: >>> >>> On Fri, Jul 27, 2018 at 4:39 AM Callum Smith <callum(a)well.ox.ac.uk&gt; >>> wrote: >>> >>>> Dear Greg, >>>> >>>> Indeed, always the latest and greatest for us while trying to get this >>>> running. >>>> >>>> https://www.ovirt.org/documentation/security/squid-reverse-proxy/ >>>> >>> >>> Arrggghh, that is referring to the old GWT UserPortal and not the new >>> react-based VM Portal. (I'll delete it / mark it obsolete. I apologize for >>> the out-of-date state of our documentation. I am working on improving it.) >>> >>> Unfortunately we have never tested VM Portal with squid. >>> >>> @Lukas Svaty <lsvaty(a)redhat.com&gt; any chance you or someone on the team >>> can assist? >>> >>> >>>> >>>> And the squid.conf file looks like this: >>>> >>>> https_port 443 accel >>>> key=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.key >>>> cert=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.crt >>>> defaultsite=ovirtengine.cluster >>>> cache_peer ovirtengine.cluster parent 443 0 no-query originserver ssl >>>> sslcafile=/etc/squid/ca.pem sslflags=DONT_VERIFY_PEER name=engine >>>> cache_peer_access engine allow all >>>> ssl_bump allow all >>>> http_port 3128 >>>> acl ovirt_nodes dst 192.168.64.0/24 >>>> acl ovirt_engine dstdomain .ovirtengine.cluster >>>> acl all_ips src 1.1.1.1/1 >>>> http_access allow ovirt_nodes ovirt_engine >>>> http_access allow all_ips >>>> http_access allow all >>>> >>>> >>>> # Following are from: >>>> # https://access.redhat.com/solutions/425693 >>>> >>>> # Leave coredumps in the first cache dir >>>> coredump_dir /var/spool/squid >>>> >>>> # RHEV and Spice may leave connections idle for long periods >>>> pconn_timeout 12 hours >>>> request_timeout 12 hours >>>> read_timeout 12 hours >>>> >>>> # We need approx 20 open filehandles per spice client >>>> max_filedesc 16384 >>>> >>>> Regards, >>>> Callum >>>> >>>> -- >>>> >>>> Callum Smith >>>> Research Computing Core >>>> Wellcome Trust Centre for Human Genetics >>>> University of Oxford >>>> e. callum(a)well.ox.ac.uk >>>> >>>> On 27 Jul 2018, at 01:15, Greg Sheremeta <gshereme(a)redhat.com&gt; wrote: >>>> >>>> From your other thread, I'm guessing 4.2.4. >>>> >>>> Can you send the link to the squid guide you used? >>>> >>>> On Wed, Jul 25, 2018 at 7:55 PM Greg Sheremeta <gshereme(a)redhat.com&gt; >>>> wrote: >>>> >>>>> Hi Callum, >>>>> >>>>> What version of ovirt-web-ui is this? >>>>> >>>>> Greg >>>>> >>>>> On Wed, Jul 18, 2018 at 7:12 AM Callum Smith <callum(a)well.ox.ac.uk&gt; >>>>> wrote: >>>>> >>>>>> Dear All, >>>>>> >>>>>> Those error logs are relevant only to another issue, please ignore. >>>>>> >>>>>> There appears to be a problem to do with authentication through the >>>>>> squid proxy though, which presents differently in Safari and Firefox: >>>>>> >>>>>> >>>>>> Sorry for the screenshots but its the only way i can extract this >>>>>> data due to the page-refresh. >>>>>> >>>>>> Regards, >>>>>> Callum >>>>>> >>>>>> -- >>>>>> >>>>>> Callum Smith >>>>>> Research Computing Core >>>>>> Wellcome Trust Centre for Human Genetics >>>>>> University of Oxford >>>>>> e. callum(a)well.ox.ac.uk >>>>>> >>>>>> On 18 Jul 2018, at 10:54, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >>>>>> >>>>>> Dear All, >>>>>> >>>>>> Some relevant error logs: >>>>>> >>>>>> 2018-07-18 10:51:33,554+01 INFO >>>>>> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-9) >>>>>> [557ca876] Running command >>>>>> : CreateUserSessionCommand internal: false. >>>>>> 2018-07-18 10:51:33,575+01 INFO >>>>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>>>>> (default task-9) [557ca876] E >>>>>> VENT_ID: USER_VDC_LOGIN(30), User callum@Biomedical Research >>>>>> Computing connecting from '192.168.1.241' using session 'wiWA25wdaRP1zay >>>>>> iyTSGBJKpvi89LdzgKqeX12BcZhNVhpV2BIA+zkAnT50xOSDglxnhfAi3S2ZiODls8JYFUA==' >>>>>> logged in. >>>>>> 2018-07-18 10:51:34,135+01 ERROR >>>>>> [org.ovirt.engine.core.bll.GetSystemStatisticsQuery] (default task-5) >>>>>> [8d830cdb-fc11-4e68-94e6-73309 >>>>>> 65c4488] Query execution failed due to insufficient permissions. >>>>>> 2018-07-18 10:51:34,205+01 ERROR >>>>>> [org.ovirt.engine.core.bll.GetPermissionsForObjectQuery] (default task-26) >>>>>> [ba1825f1-60fb-44cd-8b57- >>>>>> ea701cf698c0] Query execution failed due to insufficient permissions. >>>>>> 2018-07-18 10:51:34,242+01 ERROR >>>>>> [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default >>>>>> task-26) [] Operation Faile >>>>>> d: query execution failed due to insufficient permissions. >>>>>> 2018-07-18 10:51:34,389+01 ERROR >>>>>> [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] >>>>>> (default task-17) [02965366 >>>>>> -44b0-4370-ab83-4781065e46c2] Query execution failed due to >>>>>> insufficient permissions. >>>>>> 2018-07-18 10:51:34,393+01 ERROR >>>>>> [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] >>>>>> (default task-17) [02965366 >>>>>> -44b0-4370-ab83-4781065e46c2] Query execution failed due to >>>>>> insufficient permissions. >>>>>> 2018-07-18 10:51:34,394+01 ERROR >>>>>> [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] >>>>>> (default task-17) [02965366 >>>>>> -44b0-4370-ab83-4781065e46c2] Query execution failed due to >>>>>> insufficient permissions. >>>>>> 2018-07-18 10:51:34,396+01 ERROR >>>>>> [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] >>>>>> (default task-17) [02965366 >>>>>> -44b0-4370-ab83-4781065e46c2] Query execution failed due to >>>>>> insufficient permissions. >>>>>> 2018-07-18 10:51:59,195+01 WARN >>>>>> [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18) >>>>>> [7881a832] User '9386d6f5-f172-4cdb >>>>>> -abca-62492a357888' is trying to take the console of virtual machine >>>>>> 'ddb23e0a-01d5-403c-89ab-37c400d2c938', but the console is alrea >>>>>> dy taken by user 'd021fc10-4f7c-11e8-88cb-00163e6a7aff'. >>>>>> 2018-07-18 10:51:59,197+01 INFO >>>>>> [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18) >>>>>> [7881a832] No permission found for >>>>>> user '9386d6f5-f172-4cdb-abca-62492a357888' or one of the groups he >>>>>> is member of, when running action 'SetVmTicket', Required permiss >>>>>> ions are: Action type: 'USER' Action group: 'RECONNECT_TO_VM' Object >>>>>> type: 'VM' Object ID: 'ddb23e0a-01d5-403c-89ab-37c400d2c938'. >>>>>> 2018-07-18 10:51:59,197+01 WARN >>>>>> [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18) >>>>>> [7881a832] Validation of action 'Se >>>>>> tVmTicket' failed for user callum@Biomedical Research Computing. >>>>>> Reasons: VAR__ACTION__SET,VAR__TYPE__VM_TICKET,USER_CANNOT_FORCE_REC >>>>>> ONNECT_TO_VM >>>>>> 2018-07-18 10:51:59,198+01 ERROR >>>>>> [org.ovirt.engine.api.restapi.resource.BackendVmGraphicsConsoleResource] >>>>>> (default task-18) [] Operat >>>>>> ion Failed: USER_CANNOT_FORCE_RECONNECT_TO_VM >>>>>> >>>>>> Seems like there's a permission missing in there - this is a newly >>>>>> attached LDAP group. >>>>>> >>>>>> Regards, >>>>>> Callum >>>>>> >>>>>> -- >>>>>> >>>>>> Callum Smith >>>>>> Research Computing Core >>>>>> Wellcome Trust Centre for Human Genetics >>>>>> University of Oxford >>>>>> e. callum(a)well.ox.ac.uk >>>>>> >>>>>> On 17 Jul 2018, at 10:02, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >>>>>> >>>>>> Dear All, >>>>>> >>>>>> Does anyone know how to set such options in the web-ui? >>>>>> >>>>>> Regards, >>>>>> Callum >>>>>> >>>>>> -- >>>>>> >>>>>> Callum Smith >>>>>> Research Computing Core >>>>>> Wellcome Trust Centre for Human Genetics >>>>>> University of Oxford >>>>>> e. callum(a)well.ox.ac.uk >>>>>> >>>>>> On 12 Jul 2018, at 11:09, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >>>>>> >>>>>> Dear oVirt Gurus, >>>>>> >>>>>> Using the oVirt user VM portal seems to not work through the squid >>>>>> proxy setup (configured as per the guide). The page loads and login works >>>>>> fine through the proxy, but the asynchronous requests just hang. I've >>>>>> attached a screenshot, but you can see the "api" endpoint just hanging in a >>>>>> web inspector: >>>>>> "https://proxyfqdn/ovirt-engine/api/" >>>>>> >>>>>> <Screen Shot 2018-07-12 at 11.06.50.png> >>>>>> >>>>>> This works fine when not going through the proxy. >>>>>> >>>>>> Is there a way to force noVNC HTML as the console mode through the >>>>>> web-ui, or at least have it as an option if not default? >>>>>> >>>>>> The console seems not to work when logged in with a base 'user role'. >>>>>> >>>>>> Regards, >>>>>> Callum >>>>>> >>>>>> -- >>>>>> >>>>>> Callum Smith >>>>>> Research Computing Core >>>>>> Wellcome Trust Centre for Human Genetics >>>>>> University of Oxford >>>>>> e. callum(a)well.ox.ac.uk >>>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list -- users(a)ovirt.org >>>>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>> oVirt Code of Conduct: >>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>> List Archives: >>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/VZIGGZZ2IIH... >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list -- users(a)ovirt.org >>>>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>> oVirt Code of Conduct: >>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>> List Archives: >>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/7NBOGYVL4EA... >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list -- users(a)ovirt.org >>>>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>> oVirt Code of Conduct: >>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>> List Archives: >>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/XSH4JVJPKMW... >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list -- users(a)ovirt.org >>>>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>>> oVirt Code of Conduct: >>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>> List Archives: >>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/RYFQ2ZGCERC... >>>>>> >>>>> >>>>> >>>>> -- >>>>> GREG SHEREMETA >>>>> >>>>> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX >>>>> Red Hat NA >>>>> >>>>> <https://www.redhat.com/> >>>>> >>>>> gshereme(a)redhat.com IRC: gshereme >>>>> <https://red.ht/sig> >>>>> >>>> >>>> >>>> -- >>>> GREG SHEREMETA >>>> >>>> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX >>>> Red Hat NA >>>> >>>> <https://www.redhat.com/> >>>> >>>> gshereme(a)redhat.com IRC: gshereme >>>> <https://red.ht/sig> >>>> >>>> >>>> >>> >>> -- >>> GREG SHEREMETA >>> >>> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX >>> Red Hat NA >>> >>> <https://www.redhat.com/> >>> >>> gshereme(a)redhat.com IRC: gshereme >>> <https://red.ht/sig> >>> >>> >>> >> >> -- >> GREG SHEREMETA >> >> SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX >> Red Hat NA >> >> <https://www.redhat.com/> >> >> gshereme(a)redhat.com IRC: gshereme >> <https://red.ht/sig> >> >> >> > > -- > GREG SHEREMETA > > SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX > Red Hat NA > > <https://www.redhat.com/> > > gshereme(a)redhat.com IRC: gshereme > <https://red.ht/sig> > > > -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA <https://www.redhat.com/> gshereme(a)redhat.com IRC: gshereme <https://red.ht/sig>