Hi Marian,
Thanks a lot for the clarification!
Another question: In my spice-xpi console window, I can't get out of it by SHIFT+F12.
Should I use something else?
David
----- Original Message -----
From: Marian Krcmarik <mkrcmari(a)redhat.com>
To: David Li <david_li(a)sbcglobal.net>
Cc: users(a)ovirt.org
Sent: Tuesday, January 28, 2014 11:14 AM
Subject: Re: [Users] Notes on setting spice-proxy console option
----- Original Message -----
> From: "David Li" <david_li(a)sbcglobal.net>
> To: users(a)ovirt.org
> Cc: "david li" <david_li(a)sbcglobal.net>
> Sent: Tuesday, January 28, 2014 7:41:26 PM
> Subject: [Users] Notes on setting spice-proxy console option
>
> Hi,
>
> I have struggled quite a bit to get it up and running. Over the time, I have
> accumulated some notes on various things I did so to share with everyone who
> is interested in doing this. This complements the online doc in a way that
> might give me a complete picture in one place. However I need some
> clarifications as I might have forgotten to document certain steps or
> certain steps I did turn out to be not necessary in the end. It will be
> great if experts here can help me get the things straight.
>
>
> My setup is like:
>
> Browser (firefox 24.2 on RHEL6) ------------ ovirt-engine (3.3.2)
> ------------ ovirt-node (3.0.3)
>
> No direct network connectivity from the browser machine to the node machine.
>
> These are the major things I installed for spice-proxy to work:
>
> * On ovirt-engine:
> yum install spice-gtk virt-viewer spice-xpi
These components are client components (what you call Browser machine).
> yum install squid
> /etc/squid/squid.conf updates:
> acl localhost src <browser IP addr>
> #http_access deny CONNECT !SSL_ports
I would rather allow CONNECT to specific Spice ports only 5634-6166:
acl Spice_ports port 5634-6166
http_access deny CONNECT !Spice_ports
> http_access deny !Safe_ports
> http_port 3128
>
> service squid restart
> make sure iptables allow 3128
>
> engine-config -s SpiceProxyDefault=http://<ovirt-engine-IP>:3128
> service ovirt-engine restart
>
> * On browser machine running firefox 24.2.0 on RHEL6 for running browser
> console plugin client
> yum install spice-xpi.
spice-xpi should bring its dependencies virt-viewer -> spice-gtk -> etc.
but if you do not wish to use the plugin launch type, you may install only
virt-viewer (without spice-xpi) and use what I guess is called "Native
client" launch type.
> make sure VM's console option is set to SPICE
>
> Are the above steps reasonable? any missing or redundant?
Seems fine, just no need for the client packages on the engine.
>
> Additional questions:
>
> 1. Will spice-proxy work with the Spice HTML5 client in the browser?
Probably, but you would need to set the websocket proxy which is part of
installation steps for engine as well (I believe).
> 2. Is the spice-proxy architecture diagram like: browser --------- squid
> proxy - spice-proxy ---------------------- VM
Browser plugin spice-xpi invokes start of Spice client (virt-viewer) which makes
CONNECT to Host machine (where the VM is hosted) through the HTTP proxy (in your
case squid).
Client machine ---> Squid ---> Host (where the VM is hosted).
> 3. I didn't explicitly install any certs for the squid proxy. Is it
> automatically taken care of?
No, no authentication to Squid is supported with Spice now. So if it is a publicly
visible proxy, it's important to set careful proxy rules.
>
>
> References:
>
> http://www.ovirt.org/Console_Client_Resources
>
> http://www.ovirt.org/Features/Spice_Proxy
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Vir...
>
>
> Thanks.
>
> David
>
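
The effect of the two `http_access` variants discussed in this thread can be checked with a small model of Squid's rule evaluation. This is an added example, not part of the original messages and not Squid or oVirt code; the client address `192.0.2.10`, the ACL name `browser`, the shortened `Safe_ports` list and the trailing `allow`/`deny all` rules are assumptions made for the illustration.

```python
# Simplified model of Squid http_access evaluation: rules are checked in order,
# the first rule whose ACLs all match decides, and "!" negates an ACL.
BASE = """
acl browser src 192.0.2.10        # constructed client address (assumption)
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT
"""
TAIL = """
http_access deny !Safe_ports
http_access allow browser         # assumed allow rule for the client
http_access deny all
"""
# As posted: the CONNECT restriction is commented out.
AS_POSTED = BASE + "#http_access deny CONNECT !SSL_ports\n" + TAIL
# With the suggested rule limiting CONNECT to the Spice port range.
RESTRICTED = (BASE + "acl Spice_ports port 5634-6166\n"
              "http_access deny CONNECT !Spice_ports\n" + TAIL)

def parse(conf):
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], []).append((tok[2], tok[3:]))
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_match(acls, name, req):
    if name == "all":
        return True
    for kind, values in acls.get(name, []):
        for v in values:
            if kind == "port":
                lo, _, hi = v.partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
            elif v == req.get(kind):   # "src" and "method" compare literally
                return True
    return False

def decide(conf, port, src="192.0.2.10", method="CONNECT"):
    acls, rules = parse(conf)
    req = {"port": port, "src": src, "method": method}
    for action, names in rules:
        if all(acl_match(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny"   # model default when no rule matches

if __name__ == "__main__":
    for p in (5900, 3306, 22):
        print(p, decide(AS_POSTED, p), decide(RESTRICTED, p))
```

With the CONNECT rule commented out, the allowed client can tunnel to any port in `Safe_ports`; with the `Spice_ports` rule, only 5634-6166 pass.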