[Users] SpiceHTML5, noVNC console and Spice Proxy mixable?

Hello,

I already have a thread regarding SpiceHTML5 open and where I'm going to give further feedback as requested. In the mean time I would like to ask if the three features in the subject are completely mixable or not, as in the next days I'm going to test them all and I would like to start from consistent setup and not to give wrong answers based on wrong initial setup.

If I understood correctly, both SpiceHTML5 and noVNC console are based on websocket proxy through the config parameter called WebSocketProxy and I can consolidate this proxy on the engine. So that I can in the same environment use both. Correct?

Coming then to Spice Proxy, managed by config parameter "SpiceProxyDefault", my questions are:
- is it mixable with the two above or are they mutually exclusive?
- can I configure the engine itself to be the proxy, installing squid on it?
- If yes, what would be correct parameter for SpiceProxyDefault: localhost:3128 or engine_hostname.domainname:3128? If both are ok, I think it is more convenient to use localhost, correct?

Thanks in advance,
Gianluca

Hi,

the answer to the 1st question is 'yes'. You can use both SPICE-HTML5 and noVNC with a single proxy setup.

Coming to next questions:
- is it mixable with the two above or are they mutually exclusive?
  IMHO it should work. The data flow would look like this:
  client <--> websocket proxy <--> spice proxy <--> VM
  I'm not sure if this is what you want.
- can I configure the engine itself to be the proxy, installing squid on it?
  I cannot tell for sure, but IMHO it shouldn't be a problem.
- If yes, what would be correct parameter for SpiceProxyDefault (localhost vs. fqdn):
  I believe 'localhost' is wrong since this value is sent to the client. And this client can misinterpret this value and try to connect to itself. In short, the spice proxy value should be correctly resolvable from client machines.

(Adding Tomas to verify the last answer.)

Cheers,
Frank.

----- Original Message -----
From: "Frantisek Kobzik" <fkobzik@redhat.com> To: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> Cc: "users" <users@ovirt.org> Sent: Friday, December 13, 2013 12:08:58 PM Subject: Re: [Users] SpiceHTML5, noVNC console and Spice Proxy mixable?
Hi,
the answer to the 1st question is 'yes'. You can use both SPICE-HTML5 and noVNC with a single proxy setup.
Coming to next questions:
- is it mixable with the two above or are they mutually exclusive?
- IMHO it should work. The data flow would look like this:
  client <--> websocket proxy <--> spice proxy <--> VM
  I'm not sure if this is what you want.
I am unsure spice-html5 supports spice proxy[1], and it is not required as websocket protocol is http already.

Gianluca, the engine-setup of 3.3.1 will setup the spice proxy per default on the engine, it should be sufficient to what you need.

[1] http://cgit.freedesktop.org/spice/spice-html5/tree/spiceconn.js

Hi,

short question regarding this behaviour:
What would be the recommended way to revert the spice proxy setup from the engine host? And how do you tell engine/ovirt later to use another machine as the proxy? (is this different for the webproxy?)

On 13.12.2013 11:24, Alon Bar-Lev wrote:
Gianluca, the engine-setup of 3.3.1 will setup the spice proxy per default on the engine, it should be sufficient to what you need.

--
Regards
Sven Kieske
System administrator, Mittwald CM Service GmbH & Co. KG

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: users@ovirt.org Sent: Friday, December 13, 2013 12:42:48 PM Subject: Re: [Users] SpiceHTML5, noVNC console and Spice Proxy mixable?
Hi,
short question regarding this behaviour: What would be the recommended way to revert the spice proxy setup from the engine host? And how do you tell engine/ovirt later to use another machine as the proxy? (is this different for the webproxy?)
yes, websocket proxy and http proxy are two different transports.

SpiceProxyDefault - I guess it contains host:port or empty for no proxy.
WebSocketProxy - Off, Engine:port, Host:port or specific ip/hostname:port of websockets proxy

Use engine-config utility to set these.
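An added example, not part of any message in this thread and not oVirt code: a shell lint for a candidate SpiceProxyDefault value, following the point made above that the value is handed to clients and so must not be a loopback name. It assumes the host:port form mentioned in the thread; the function name `classify_spice_proxy` and its return codes are invented for the example.

```shell
#!/bin/sh
# Added example, not oVirt code. Return codes are defined for this example only:
#   0 reachable-looking value    1 empty (no proxy)    2 malformed
#   3 loopback/unspecified host  4 unqualified host name
classify_spice_proxy() {
    value=${1#*://}   # tolerate a scheme prefix; the thread shows plain host:port
    [ -n "$value" ] || { echo "empty: no proxy"; return 1; }

    case $value in
        \[*\]:*) host=${value%%\]*}; host=${host#\[}; port=${value##*\]:} ;;
        *:*:*)   echo "malformed: write IPv6 literals as [addr]:port"; return 2 ;;
        *:*)     host=${value%:*}; port=${value##*:} ;;
        *)       echo "malformed: expected host:port"; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "malformed: port '$port' is not a number"; return 2 ;;
    esac
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] 2>/dev/null ||
        { echo "malformed: port out of range"; return 2; }
    [ -n "$host" ] || { echo "malformed: empty host"; return 2; }

    # The value is evaluated on the client, so loopback points at the client itself.
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    case $host in
        localhost|localhost.localdomain|::1|::|0.0.0.0)
            echo "loopback: clients would connect to themselves"; return 3 ;;
        *[!0-9.]*) ;;   # a name or IPv6 literal, checked below
        127.*)  echo "loopback: clients would connect to themselves"; return 3 ;;
    esac
    case $host in
        *.*|*:*) echo "ok: $host port $port"; return 0 ;;
        *)       echo "unqualified: '$host' may not resolve on client machines"; return 4 ;;
    esac
}

# Constructed sample values; the first two are the candidates asked about in the thread.
for v in "localhost:3128" "engine_hostname.domainname:3128" "127.0.0.1:3128" ""; do
    printf '%-34s -> ' "'$v'"
    classify_spice_proxy "$v" || true
done
```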

On Fri, Dec 13, 2013 at 11:24 AM, Alon Bar-Lev wrote:
I am unsure spice-html5 supports spice proxy[1], and it is not required as websocket protocol is http already.
Gianluca, the engine-setup of 3.3.1 will setup the spice proxy per default on the engine, it should be sufficient to what you need.
[1] http://cgit.freedesktop.org/spice/spice-html5/tree/spiceconn.js
At the moment I'm only using websocket and no spice proxy for this initial test.
I'm doing also some tests off list with Frank, but the problem seems now that I have a problem with the certificate, as if I run websocket proxy from a terminal after creating some contents after the directory /tmp/test and changing web=None to web='/tmp/test' inside the websocket-proxy python script I get this

3: handler exception: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
4: handler exception: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

But I don't know how to solve the situation.
I'm also available to re-create my engine certificate and reimport it in my client step-by-step... only need to know how ;-)

Thanks anyway for your patience....
Next item I need to certificate myself will be ..... certificates ;-)

Gianluca

How have you installed your setup? Can you please start from scratch? It should just work out of the box with no additional configuration.

On Fri, Dec 13, 2013 at 3:43 PM, Alon Bar-Lev wrote:
How have you installed your setup? Can you please start from scratch? It should just work out of the box with no additional configuration.
setup was 3.3.0 then updated to 3.3.1 and then 3.3.2 beta
websocket proxy was configured only after latest update

from scratch in the sense that I lose all my environment?

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Frantisek Kobzik" <fkobzik@redhat.com>, "users" <users@ovirt.org> Sent: Friday, December 13, 2013 4:45:46 PM Subject: Re: [Users] SpiceHTML5, noVNC console and Spice Proxy mixable?
On Fri, Dec 13, 2013 at 3:43 PM, Alon Bar-Lev wrote:
How have you installed your setup? Can you please start from scratch? It should just work out of the box with no additional configuration.
setup was 3.3.0 then updated to 3.3.1 and then 3.3.2 beta websocket proxy was configured only after latest update
from scratch in the sense that I lose all my environment?
I thought this is a test environment...

Do the following:
1. rm /etc/pki/ovirt-engine/keys/websocket-proxy.p12
2. run setup using:
# engine-setup --otopi-environment="OVESETUP_CONFIG/websocketProxyConfig=bool:True"

Now you should have the websocket configured correctly, if not, please send me:
1. setup log file.
2. /etc/pki/ovirt-engine/certs/websocket-proxy.cer
3. /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
4. engine-config -g WebSocketProxy

Thanks,
Alon
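An added example, not part of any message in this thread and not oVirt code: a shell pre-flight check of the websocket proxy key and certificate that the setup run above is expected to create. The `SSL_CTX_use_PrivateKey_file:PEM lib` error quoted earlier is what OpenSSL reports when it cannot parse a private key from the file it was given, so the check confirms that a PEM key exists, is owner-only, and matches the certificate. The function name and return codes are invented for the example; the default paths are the ones that appear in the thread's directory listings.

```shell
#!/bin/sh
# Added example, not oVirt code. Default paths are taken from the thread's listings.
KEY_DEFAULT=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
CERT_DEFAULT=/etc/pki/ovirt-engine/certs/websocket-proxy.cer

# check_ws_tls [KEY [CERT]]   return codes (defined for this example only):
#   0 ok                        1 key missing or unreadable
#   2 no PEM private key        3 key accessible by group/other
#   4 cert missing/unreadable   5 cert does not match key
#   6 openssl not installed, pair not verified
check_ws_tls() {
    key=${1:-$KEY_DEFAULT}
    cert=${2:-$CERT_DEFAULT}

    [ -f "$key" ] && [ -r "$key" ] ||
        { echo "key missing or unreadable: $key" >&2; return 1; }

    # OpenSSL answers "PEM lib" when the file holds no parsable private key block.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no PEM private key in $key" >&2; return 2; }

    # A .nopass key is stored unencrypted, so only its owner may have access.
    perms=$(ls -ld -- "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "key accessible by group/other: $key" >&2; return 3; }

    [ -f "$cert" ] && [ -r "$cert" ] ||
        { echo "certificate missing or unreadable: $cert" >&2; return 4; }

    command -v openssl >/dev/null 2>&1 ||
        { echo "openssl not found, key/cert pair not verified" >&2; return 6; }

    # Identical public keys mean the certificate was issued for this private key.
    # -passin pass: prevents a passphrase prompt if the key is encrypted after all.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "openssl cannot parse $key" >&2; return 2; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "openssl cannot parse $cert" >&2; return 5; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "certificate does not match key" >&2; return 5; }

    echo "ok: $key matches $cert"
}

# Run as "script --run [KEY [CERT]]"; without paths the defaults above are checked.
if [ "${1:-}" = "--run" ]; then shift; check_ws_tls "$@"; fi
```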

On Fri, Dec 13, 2013 at 3:52 PM, Alon Bar-Lev wrote:
Do the following:
1. rm /etc/pki/ovirt-engine/keys/websocket-proxy.p12
2. run setup using:
# engine-setup --otopi-environment="OVESETUP_CONFIG/websocketProxyConfig=bool:True"
Now you should have the websocket configured correctly, if not, please send me:
1. setup log file.
2. /etc/pki/ovirt-engine/certs/websocket-proxy.cer
3. /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
4. engine-config -g WebSocketProxy
Thanks, Alon
Under /etc/pki/ovirt-engine/keys I only have these files:

[root@tekkaman keys]# ll
total 16
-rw-r-----. 1 apache apache 1828 Feb 10 2013 apache.key.nopass
-rw-r-----. 1 apache apache 2677 Feb 10 2013 apache.p12
-rw-------. 1 root root 1828 Feb 10 2013 engine_id_rsa
-rw-r-----. 1 ovirt ovirt 2677 Feb 10 2013 engine.p12

and for certs:

[root@tekkaman old_logs]# ll /etc/pki/ovirt-engine/certs/
total 60
-rw-r--r--. 1 root root 4810 Feb 10 2013 01.pem
-rw-r--r--. 1 root root 4957 Feb 10 2013 02.pem
-rw-r--r--. 1 root root 4957 Feb 10 2013 03.pem
-rw-r--r--. 1 ovirt ovirt 4931 Feb 10 2013 04.pem
-rw-r-----. 1 apache apache 4957 Feb 10 2013 apache.cer
-rw-r--r--. 1 root root 1480 Feb 10 2013 ca.der
-rw-r--r--. 1 root root 4957 Feb 10 2013 engine.cer
-rw-r--r--. 1 ovirt ovirt 4931 Feb 10 2013 tekkaman.localdomain.localcert.pem

Can I directly proceed with step 2 or is it a problem that I have no /etc/pki/ovirt-engine/keys/websocket-proxy.p12 in place at the moment?

Gianluca

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Frantisek Kobzik" <fkobzik@redhat.com>, "users" <users@ovirt.org> Sent: Friday, December 13, 2013 6:40:12 PM Subject: Re: [Users] SpiceHTML5, noVNC console and Spice Proxy mixable?
Can I directly proceed with step 2 or is it a problem that I have no /etc/pki/ovirt-engine/keys/websocket-proxy.p12 in place at the moment?
Yes, after running setup you should notice these.

On Fri, Dec 13, 2013 at 5:57 PM, Alon Bar-Lev wrote:
Can I directly proceed with step 2 or is it a problem that I have no /etc/pki/ovirt-engine/keys/websocket-proxy.p12 in place at the moment?
Yes, after running setup you should notice these.
Wow, finally! I got it at the end. Thanks!
I verified both SpiceHTML5 and noVNC work now

[root@tekkaman ~]# ll /etc/pki/ovirt-engine/keys
total 24
-rw-r-----. 1 apache apache 1828 Feb 10 2013 apache.key.nopass
-rw-r-----. 1 apache apache 2677 Feb 10 2013 apache.p12
-rw-------. 1 root root 1828 Feb 10 2013 engine_id_rsa
-rw-r-----. 1 ovirt ovirt 2677 Feb 10 2013 engine.p12
-rw-------. 1 ovirt ovirt 1828 Dec 13 22:30 websocket-proxy.key.nopass
-rw-------. 1 root root 2669 Dec 13 22:30 websocket-proxy.p12

[root@tekkaman ~]# ll /etc/pki/ovirt-engine/certs/
total 76
-rw-r--r--. 1 root root 4810 Feb 10 2013 01.pem
-rw-r--r--. 1 root root 4957 Feb 10 2013 02.pem
-rw-r--r--. 1 root root 4957 Feb 10 2013 03.pem
-rw-r--r--. 1 ovirt ovirt 4931 Feb 10 2013 04.pem
-rw-r--r--. 1 root root 4952 Dec 13 22:30 05.pem
-rw-r-----. 1 apache apache 4957 Feb 10 2013 apache.cer
-rw-r--r--. 1 root root 1480 Feb 10 2013 ca.der
-rw-r--r--. 1 root root 4957 Feb 10 2013 engine.cer
-rw-r--r--. 1 ovirt ovirt 4931 Feb 10 2013 tekkaman.localdomain.localcert.pem
-rw-r--r--. 1 root root 4952 Dec 13 22:30 websocket-proxy.cer

But this means that what documented here, that was what I followed some weeks ago, is incomplete:
http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_the_Eng...
?

Or simply that my initial ovirt engine version didn't have this feature at all so that websocket certificate part wasn't created on February 2013?

BTW: initial test of my windows XP guest not usable... see this screencast where first half is with firefox 26 and second part with chrome 31.0.1650.63, both run from a fedora 19 client
https://drive.google.com/file/d/0BwoPbcrMv8mvLUMyOWNPVUFOSkE/edit?usp=sharin...

But I'm going to do more tests with more kind of guests and eventually post in separate thread.

Thanks again Alon and Frank

Gianluca

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Frantisek Kobzik" <fkobzik@redhat.com>, "users" <users@ovirt.org> Sent: Saturday, December 14, 2013 12:08:39 AM Subject: Re: [Users] SpiceHTML5, noVNC console and Spice Proxy mixable?
On Fri, Dec 13, 2013 at 5:57 PM, Alon Bar-Lev wrote:
<snip>
But this means that what documented here, that was what I followed some weeks ago, is incomplete: http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_the_Eng...
?
Hmmm... because of that I hate non formal wiki documentation... hard to chase all variant. I fixed it. Thanks! Alon

websocket-proxy python script I get this
In the sense that I get this inside the terminal if I try to connect to https://tekkaman.localdomain.local:6100 and in browser I get web page not available in chrome and connection was reset in firefox.

Instead going with http://tekkaman.localdomain.local:6100 I correctly get the directory listing as created under /tmp/test on engine

Gianluca