
Hi Gianluca,

Finally it worked for me! Thanks a lot for the help! The doc is a little vague in terms of all the things you need to do. I will try to write something up based on my own experience and share it with everyone here.

David

----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi@gmail.com>
To: "users@ovirt.org" <users@ovirt.org>
Cc: David Li <david_li@sbcglobal.net>
Sent: Tuesday, January 28, 2014 9:21 AM
Subject: Re: [Users] Spice-proxy questions
On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
Do I need to generate and install a x509 key pair for the squid proxy? How can I find out if the key pair has already been done?
No. Spice channels are encrypted end-to-end, so if you configure squid to forward the connections just to the display network range of the hosts, you only allow connections that are encrypted anyway - so TLS would be quite redundant here.
Have you made sure that you have opened port 3128 in iptables? If the box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must be configured to disable firewalld but I presume that engine-setup does that), add the port definition among other opened ports in /etc/sysconfig/iptables.
David
PS: I'm mangling reply-to: header for a reason. Please don't hog my inbox, I can very well read your messages on-list. Thank you.
I made a test setting the proxy on the engine and it seems it is ok. I have no other ports than 80 and 443 allowed, so I have to use an environment with all the servers in the 10.4.4.0 network:
client 10.4.4.61
engine 10.4.4.60
test VM 10.4.4.63
host (where test VM is running on) 10.4.4.59
# engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
# systemctl restart ovirt-engine
I configured squid on the engine on its default port 3128.
I have firewalld configured on engine, so that I have this in /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="mdns"/>
  <service name="ovirt-nfs"/>
  <service name="ovirt-http"/>
  <service name="dhcpv6-client"/>
  <service name="ovirt-websocket-proxy"/>
  <service name="ovirt-https"/>
  <service name="ssh"/>
  <service name="ovirt-postgres"/>
  <port protocol="tcp" port="6100"/>
  <port protocol="tcp" port="3128"/>
</zone>
On client CentOS 6.5 (10.4.4.61):
- I run firefox and connect to the webadmin GUI of the engine (https://10.4.4.60)
- I have enabled the spice proxy for the test VM
- I select console and specify to run /usr/bin/remote-viewer at the popup window, enabling popups in firefox
- I successfully get the console
$ ps -ef|grep remote
g.cecchi 23897 23726  0 15:50 pts/0    00:00:00 /usr/bin/remote-viewer /tmp/console.vv
g.cecchi 23923 23704  0 15:52 pts/0    00:00:00 grep remote
$ sudo lsof -Pp 23897 | grep TCP
remote-vi 23897 g.cecchi  4u  IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED)
remote-vi 23897 g.cecchi 14u  IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 20u  IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 24u  IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 25u  IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 60u  IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
On engine (10.4.4.60):

# netstat -an|grep 3128
tcp6       0      0 :::3128                 :::*                    LISTEN
tcp6       0      0 10.4.4.60:3128          10.4.4.61:36912         ESTABLISHED
tcp6       0      0 10.4.4.60:3128          10.4.4.61:36911         ESTABLISHED
tcp6       0      0 10.4.4.60:3128          10.4.4.61:36910         ESTABLISHED
tcp6       0      0 10.4.4.60:3128          10.4.4.61:36909         ESTABLISHED
On hypervisor (10.4.4.59):

$ netstat -an|grep 5901
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 10.4.4.59:5901          10.4.4.60:38879         ESTABLISHED
tcp        0      0 10.4.4.59:5901          10.4.4.60:38881         ESTABLISHED
tcp        0      0 10.4.4.59:5901          10.4.4.60:38880         ESTABLISHED
tcp        0      0 10.4.4.59:5901          10.4.4.60:38882         ESTABLISHED
So all seems ok. Gianluca
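The restriction David Jaša recommends above (let squid forward CONNECT requests only to the hosts' display network, on the SPICE port window, and nothing else) together with a pre-flight check of the console.vv the engine hands to remote-viewer, as an added example that is not part of this thread and not oVirt's or squid's own code. It assumes a display network of 10.4.4.0/24 and a SPICE port window of 5900-6923 on the hosts (both hypothetical; take the real values from your cluster and from what netstat shows on a host), models only the three squid ACL types the fragment uses, and the console.vv text is constructed to resemble virt-viewer's [virt-viewer] section rather than copied from any engine.

```python
"""Added example, not from the oVirt thread: build a squid CONNECT policy
limited to the hosts' SPICE display network and check a remote-viewer
console.vv against it before handing the proxy to users.

Hypothetical values: display network 10.4.4.0/24, SPICE ports 5900-6923.
"""
import configparser
import ipaddress


def squid_spice_policy(display_net: str, first_port: int, last_port: int) -> str:
    """Render a squid.conf fragment: allow CONNECT only to the display
    network on the SPICE port window, deny everything else. Place it ahead
    of the distribution's own http_access lines so it wins."""
    net = ipaddress.ip_network(display_net, strict=True)  # rejects 10.4.4.1/24
    return "\n".join([
        "# squid's stock config already declares this acl; drop the line if yours does",
        "acl CONNECT method CONNECT",
        f"acl spice_hosts dst {net}",
        f"acl spice_ports port {first_port}-{last_port}",
        "http_access allow CONNECT spice_hosts spice_ports",
        "http_access deny all",
        "",
    ])


def _acl_matches(kind: str, values: list, method: str, host: str, port: int) -> bool:
    """Evaluate one acl definition. Only dst/port/method are modelled, and
    dst assumes an IP literal (squid would resolve a hostname first)."""
    if kind == "dst":
        return any(ipaddress.ip_address(host) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return method in values
    raise ValueError(f"acl type {kind!r} is not modelled here")


def _acl_hit(acls: dict, name: str, method: str, host: str, port: int) -> bool:
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":  # squid builtin that matches everything
        hit = True
    else:  # several definitions of one acl name are OR-ed, as in squid
        hit = any(_acl_matches(k, vals, method, host, port) for k, vals in acls[name])
    return hit != negate


def policy_allows(policy: str, method: str, host: str, port: int) -> bool:
    """First matching http_access line wins; our fragment ends in 'deny all'."""
    acls: dict = {}
    for raw in policy.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            if all(_acl_hit(acls, n, method, host, port) for n in parts[2:]):
                return parts[1] == "allow"
    return False


# Constructed sample of what the engine writes for remote-viewer (values
# hypothetical; the CA PEM is omitted).
CONSOLE_VV = """\
[virt-viewer]
type=spice
host=10.4.4.59
port=5900
tls-port=5901
proxy=http://10.4.4.60:3128
ca=<engine CA PEM omitted in this constructed sample>
host-subject=O=example.com,CN=10.4.4.59
secure-channels=main,inputs,cursor,playback,record,display,usbredir,smartcard
delete-this-file=1
"""


def check_console_vv(vv_text: str, policy: str) -> list:
    """Return a list of problems (empty means the proxy will pass this
    console through and the display channels are TLS-protected)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(vv_text)
    sec = cfg["virt-viewer"]
    problems = []
    if "proxy" not in sec:
        problems.append("no proxy= line: client would connect to the host directly")
    if "tls-port" not in sec:
        problems.append("no tls-port: display traffic would be plaintext")
    host = sec["host"]
    for key in ("port", "tls-port"):
        if key in sec:
            p = int(sec[key])
            if not policy_allows(policy, "CONNECT", host, p):
                problems.append(f"proxy would refuse CONNECT {host}:{p} ({key})")
    return problems


if __name__ == "__main__":
    pol = squid_spice_policy("10.4.4.0/24", 5900, 6923)
    print(pol)
    print("console.vv problems:", check_console_vv(CONSOLE_VV, pol) or "none")
```

The point of modelling the ACL evaluation rather than just printing the fragment is that the same function answers the question the thread raises: with only this fragment in front of squid, a CONNECT to 10.4.4.59:5901 is passed, while a CONNECT to port 22 on the same host, to a host outside 10.4.4.0/24, or any non-CONNECT request hits "deny all", so the proxy cannot be used as a general pivot into the management network.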