Hi Marian, Thanks a lot for the clarification! Another question: In my spice-xpi console window, I can't get out of it by SHIFT+F12. Should I use something else? David ----- Original Message -----
From: Marian Krcmarik <mkrcmari@redhat.com> To: David Li <david_li@sbcglobal.net> Cc: users@ovirt.org Sent: Tuesday, January 28, 2014 11:14 AM Subject: Re: [Users] Notes on setting spice-proxy console option
----- Original Message -----
From: "David Li" <david_li@sbcglobal.net> To: users@ovirt.org Cc: "david li" <david_li@sbcglobal.net> Sent: Tuesday, January 28, 2014 7:41:26 PM Subject: [Users] Notes on setting spice-proxy console option
Hi,
I have struggled quite a bit to get it up and running. Over the time, I have accumulated some notes on various things I did so to share with everyone who is interested in doing this. This complements the online doc in a way that might give me a complete picture in one place. However I need some clarifications as I might have forgotten to document certain steps or certain steps I did turn out to be not necessary in the end. It will be great if experts here can help me get the things straight.
My setup is like:
Browser (firefox 24.2 on RHEL6) ------------ ovirt-engine (3.3.2) ------------ ovirt-node (3.0.3)
No direct network connectivity from the browser machine to the node machine.
These are the major things I installed for spice-proxy to work:
* On ovirt-engine: yum install spice-gtk, virt-viewer, spice-xpi These components are client components (what you call Browser machine). yum-install squid /etc/squid/squid.conf updates: acl localhost src <browser IP addr> #http_access deny CONNECT !SSL_ports I would rather allow CONNECT to specific Spice ports only 5634-6166: acl Spice_ports port 5634-6166 http_access denny CONNECT !Spice_ports http_access deny !Safe_ports http_port 3128 service squid restart make sure iptables allow 3128
engine-config -s SpiceProxyDefault= http://<ovirt-engine-IP>:3128 service ovirt-engine restart * On browser machine running firefox 24.2.0 on RHEL6 for running browser console plugin client yum install spice-xpi. spice-xpi should bring its dependencies virt-viewer -> spice-gtk -> etc. but If you do not wish to use the plugin launch type, you may install only virt-viewer (without spice-xpi) and use what I guess is called "Native client" launch type. make sure VM's console option is set to SPICE Are the above steps reasonable? any missing or redundant? Seems fine, just no need the client packages on the engine.
Additional questions:
1. Will spice-proxy work with the Spice HTML5 client in the browser? Probably, but you would need to set the websocket proxy which is part of installation steps for engine as well (I believe). 2. Is the spice-proxy architecture diagram like: browser --------- squid proxy - spice-proxy ---------------------- VM Browser plugin spice-xpi invokes start of Spice client (virt-viewer) which makes CONNECT to Host machine (where the VM is hosted) through the HTTP proxy (in your case squid). Client machine ---> Squid ---> Host (where the VM is hosted). 3. I didn't explicitly install any certs for the squid proxy. Is it automatically taken care of? No, no authentication to Squid is supported with Spice now. So If It is publicly visible proxy It's important to set careful proxy rules.
References:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtua...
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users