2:05 p.m.
Hi,
It looks like my only option to get a console is using spice-proxy as
in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all three required packages on
the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice
EnableSpiceRootCertificateValidation: true version: general
SpiceReleaseCursorKeys: shift+f12 version: general
SpiceSecureChannels: smain,sinputs version: 3.0
SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
version: 3.1
SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
version: 3.2
SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
version: 3.3
SpiceToggleFullScreenKeys: shift+f11 version: general
SpiceUsbAutoShare: true version: general
SpiceProxyDefault: version: general
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy"
box that I can check.
Anyone knows why?
Thanks.
David
3:01 p.m.
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in
http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all three required packages
on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice
EnableSpiceRootCertificateValidation: true version: general
SpiceReleaseCursorKeys: shift+f12 version: general
SpiceSecureChannels: smain,sinputs version: 3.0
SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1
SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2
SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3
SpiceToggleFullScreenKeys: shift+f11 version: general
SpiceUsbAutoShare: true version: general
SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not
be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default proxy
used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy"
box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
3:42 p.m.
Itamar,
The web page isn't very clear how to set this.
What's the "someProxy" supposed to be?
engine-config -s SpiceProxyDefault=someProxy
----- Original Message -----
From: Itamar Heim <iheim(a)redhat.com>
To: David Li <david_li(a)sbcglobal.net>; "users(a)ovirt.org"
<users(a)ovirt.org>
Cc:
Sent: Thursday, January 23, 2014 1:01 PM
Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
> Hi,
>
> It looks like my only option to get a console is using spice-proxy as in
http://www.ovirt.org/Features/Spice_Proxy
>
> However I am not sure how to make it work. I have installed all three
required packages on the engine (3.3.2). And my engine-config shows:
>
>
> [root@xyz ~]# engine-config -a | grep Spice
> EnableSpiceRootCertificateValidation: true version: general
> SpiceReleaseCursorKeys: shift+f12 version: general
> SpiceSecureChannels: smain,sinputs version: 3.0
> SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
3.1
> SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
3.2
> SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
3.3
> SpiceToggleFullScreenKeys: shift+f11 version: general
> SpiceUsbAutoShare: true version: general
> SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not
be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default proxy
used by SPICE client to connect to the
> ClientModeSpiceDefault: Auto version: general
>
>
> The problem is that on my web portal, I don't see any "Enable
SPICE Proxy" box that I can check.
>
> Anyone knows why?
>
> Thanks.
>
> David
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
3:48 a.m.
On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
Itamar,
The web page isn't very clear how to set this.
What's the "someProxy" supposed to be?
SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
David
engine-config -s SpiceProxyDefault=someProxy
----- Original Message -----
> From: Itamar Heim <iheim(a)redhat.com>
> To: David Li <david_li(a)sbcglobal.net>; "users(a)ovirt.org"
<users(a)ovirt.org>
> Cc:
> Sent: Thursday, January 23, 2014 1:01 PM
> Subject: Re: [Users] Spice-proxy questions
>
> On 01/23/2014 10:05 PM, David Li wrote:
>> Hi,
>>
>> It looks like my only option to get a console is using spice-proxy as in
> http://www.ovirt.org/Features/Spice_Proxy
>>
>> However I am not sure how to make it work. I have installed all three
> required packages on the engine (3.3.2). And my engine-config shows:
>>
>>
>> [root@xyz ~]# engine-config -a | grep Spice
>> EnableSpiceRootCertificateValidation: true version: general
>> SpiceReleaseCursorKeys: shift+f12 version: general
>> SpiceSecureChannels: smain,sinputs version: 3.0
>> SpiceSecureChannels:
> smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
> 3.1
>> SpiceSecureChannels:
> smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
> 3.2
>> SpiceSecureChannels:
> smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
> 3.3
>> SpiceToggleFullScreenKeys: shift+f11 version: general
>> SpiceUsbAutoShare: true version: general
>> SpiceProxyDefault: version: general
>
> i don't remember the details, but i assume SpiceProxyDefault should not
> be empty, set it with engine-config -s SpiceProxyDefault
>
> engine-config.properties:SpiceProxyDefault.description='Default proxy
> used by SPICE client to connect to the
>
>
>> ClientModeSpiceDefault: Auto version: general
>>
>>
>> The problem is that on my web portal, I don't see any "Enable
> SPICE Proxy" box that I can check.
>>
>> Anyone knows why?
>>
>> Thanks.
>>
>> David
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
11:39 a.m.
David,
With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port?
Does it matter which port number to use?
----- Original Message -----
From: David Jaša <djasa(a)redhat.com>
To: David Li <david_li(a)sbcglobal.net>
Cc: Itamar Heim <iheim(a)redhat.com>; "users(a)ovirt.org"
<users(a)ovirt.org>
Sent: Friday, January 24, 2014 1:48 AM
Subject: Re: [Users] Spice-proxy questions
On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
> Itamar,
>
> The web page isn't very clear how to set this.
>
> What's the "someProxy" supposed to be?
SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
David
>
> engine-config -s SpiceProxyDefault=someProxy
>
>
>
> ----- Original Message -----
> > From: Itamar Heim <iheim(a)redhat.com>
> > To: David Li <david_li(a)sbcglobal.net>;
"users(a)ovirt.org" <users(a)ovirt.org>
> > Cc:
> > Sent: Thursday, January 23, 2014 1:01 PM
> > Subject: Re: [Users] Spice-proxy questions
> >
> > On 01/23/2014 10:05 PM, David Li wrote:
> >> Hi,
> >>
> >> It looks like my only option to get a console is using
spice-proxy as in
> > http://www.ovirt.org/Features/Spice_Proxy
> >>
> >> However I am not sure how to make it work. I have installed all
three
> > required packages on the engine (3.3.2). And my engine-config shows:
> >>
> >>
> >> [root@xyz ~]# engine-config -a | grep Spice
> >> EnableSpiceRootCertificateValidation: true version: general
> >> SpiceReleaseCursorKeys: shift+f12 version: general
> >> SpiceSecureChannels: smain,sinputs version: 3.0
> >> SpiceSecureChannels:
> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
version:
> > 3.1
> >> SpiceSecureChannels:
> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
version:
> > 3.2
> >> SpiceSecureChannels:
> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
version:
> > 3.3
> >> SpiceToggleFullScreenKeys: shift+f11 version: general
> >> SpiceUsbAutoShare: true version: general
> >> SpiceProxyDefault: version: general
> >
> > i don't remember the details, but i assume SpiceProxyDefault
should not
> > be empty, set it with engine-config -s SpiceProxyDefault
> >
> > engine-config.properties:SpiceProxyDefault.description='Default
proxy
> > used by SPICE client to connect to the
> >
> >
> >> ClientModeSpiceDefault: Auto version: general
> >>
> >>
> >> The problem is that on my web portal, I don't see any
"Enable
> > SPICE Proxy" box that I can check.
> >>
> >> Anyone knows why?
> >>
> >> Thanks.
> >>
> >> David
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users(a)ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >>
> >
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
11:45 a.m.
On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
David,
With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port?
Does it matter which port number to use?
Both FQDN/IP and port do matter. You have to set them so they point to a
running http proxy server instance (e.g. squid). Engine won't set up a
spice-capable http proxy for you, you have to take care of it yoursef.
What engine can do for you is to configure websocket proxy that allows
connections by html5 client (the one that runs entirely in browser).
David
----- Original Message -----
> From: David Jaša <djasa(a)redhat.com>
> To: David Li <david_li(a)sbcglobal.net>
> Cc: Itamar Heim <iheim(a)redhat.com>; "users(a)ovirt.org"
<users(a)ovirt.org>
> Sent: Friday, January 24, 2014 1:48 AM
> Subject: Re: [Users] Spice-proxy questions
>
> On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
>> Itamar,
>>
>> The web page isn't very clear how to set this.
>>
>> What's the "someProxy" supposed to be?
>
> SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
>
> David
>
>>
>> engine-config -s SpiceProxyDefault=someProxy
>>
>>
>>
>> ----- Original Message -----
>> > From: Itamar Heim <iheim(a)redhat.com>
>> > To: David Li <david_li(a)sbcglobal.net>;
> "users(a)ovirt.org" <users(a)ovirt.org>
>> > Cc:
>> > Sent: Thursday, January 23, 2014 1:01 PM
>> > Subject: Re: [Users] Spice-proxy questions
>> >
>> > On 01/23/2014 10:05 PM, David Li wrote:
>> >> Hi,
>> >>
>> >> It looks like my only option to get a console is using
> spice-proxy as in
>> > http://www.ovirt.org/Features/Spice_Proxy
>> >>
>> >> However I am not sure how to make it work. I have installed all
> three
>> > required packages on the engine (3.3.2). And my engine-config shows:
>> >>
>> >>
>> >> [root@xyz ~]# engine-config -a | grep Spice
>> >> EnableSpiceRootCertificateValidation: true version: general
>> >> SpiceReleaseCursorKeys: shift+f12 version: general
>> >> SpiceSecureChannels: smain,sinputs version: 3.0
>> >> SpiceSecureChannels:
>> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> version:
>> > 3.1
>> >> SpiceSecureChannels:
>> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> version:
>> > 3.2
>> >> SpiceSecureChannels:
>> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> version:
>> > 3.3
>> >> SpiceToggleFullScreenKeys: shift+f11 version: general
>> >> SpiceUsbAutoShare: true version: general
>> >> SpiceProxyDefault: version: general
>> >
>> > i don't remember the details, but i assume SpiceProxyDefault
> should not
>> > be empty, set it with engine-config -s SpiceProxyDefault
>> >
>> > engine-config.properties:SpiceProxyDefault.description='Default
> proxy
>> > used by SPICE client to connect to the
>> >
>> >
>> >> ClientModeSpiceDefault: Auto version: general
>> >>
>> >>
>> >> The problem is that on my web portal, I don't see any
> "Enable
>> > SPICE Proxy" box that I can check.
>> >>
>> >> Anyone knows why?
>> >>
>> >> Thanks.
>> >>
>> >> David
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users(a)ovirt.org
>> >> http://lists.ovirt.org/mailman/listinfo/users
>> >>
>> >
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
11:58 a.m.
On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
> David,
>
> With SpiceProxy, should I point my admin portal browser to
http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
Both FQDN/IP and port do matter. You have to set them so they point to a
running http proxy server instance (e.g. squid). Engine won't set up a
spice-capable http proxy
Just to clarify: you need to tell squid to permit connections to spice
port range (5900-6144 IIRC). It only allows connections to http ports by
default.
David
for you, you have to take care of it yoursef.
What engine can do for you is to configure websocket proxy that allows
connections by html5 client (the one that runs entirely in browser).
David
>
>
>
>
> ----- Original Message -----
> > From: David Jaša <djasa(a)redhat.com>
> > To: David Li <david_li(a)sbcglobal.net>
> > Cc: Itamar Heim <iheim(a)redhat.com>; "users(a)ovirt.org"
<users(a)ovirt.org>
> > Sent: Friday, January 24, 2014 1:48 AM
> > Subject: Re: [Users] Spice-proxy questions
> >
> > On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
> >> Itamar,
> >>
> >> The web page isn't very clear how to set this.
> >>
> >> What's the "someProxy" supposed to be?
> >
> > SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
> >
> > David
> >
> >>
> >> engine-config -s SpiceProxyDefault=someProxy
> >>
> >>
> >>
> >> ----- Original Message -----
> >> > From: Itamar Heim <iheim(a)redhat.com>
> >> > To: David Li <david_li(a)sbcglobal.net>;
> > "users(a)ovirt.org" <users(a)ovirt.org>
> >> > Cc:
> >> > Sent: Thursday, January 23, 2014 1:01 PM
> >> > Subject: Re: [Users] Spice-proxy questions
> >> >
> >> > On 01/23/2014 10:05 PM, David Li wrote:
> >> >> Hi,
> >> >>
> >> >> It looks like my only option to get a console is using
> > spice-proxy as in
> >> > http://www.ovirt.org/Features/Spice_Proxy
> >> >>
> >> >> However I am not sure how to make it work. I have installed all
> > three
> >> > required packages on the engine (3.3.2). And my engine-config shows:
> >> >>
> >> >>
> >> >> [root@xyz ~]# engine-config -a | grep Spice
> >> >> EnableSpiceRootCertificateValidation: true version: general
> >> >> SpiceReleaseCursorKeys: shift+f12 version: general
> >> >> SpiceSecureChannels: smain,sinputs version: 3.0
> >> >> SpiceSecureChannels:
> >> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > version:
> >> > 3.1
> >> >> SpiceSecureChannels:
> >> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > version:
> >> > 3.2
> >> >> SpiceSecureChannels:
> >> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > version:
> >> > 3.3
> >> >> SpiceToggleFullScreenKeys: shift+f11 version: general
> >> >> SpiceUsbAutoShare: true version: general
> >> >> SpiceProxyDefault: version: general
> >> >
> >> > i don't remember the details, but i assume SpiceProxyDefault
> > should not
> >> > be empty, set it with engine-config -s SpiceProxyDefault
> >> >
> >> > engine-config.properties:SpiceProxyDefault.description='Default
> > proxy
> >> > used by SPICE client to connect to the
> >> >
> >> >
> >> >> ClientModeSpiceDefault: Auto version: general
> >> >>
> >> >>
> >> >> The problem is that on my web portal, I don't see any
> > "Enable
> >> > SPICE Proxy" box that I can check.
> >> >>
> >> >> Anyone knows why?
> >> >>
> >> >> Thanks.
> >> >>
> >> >> David
> >> >>
> >> >> _______________________________________________
> >> >> Users mailing list
> >> >> Users(a)ovirt.org
> >> >> http://lists.ovirt.org/mailman/listinfo/users
> >> >>
> >> >
> >> _______________________________________________
> >> Users mailing list
> >> Users(a)ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
12:06 p.m.
On Fri, Jan 24, 2014 at 6:58 PM, David Jaša wrote:
On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
> On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
> > David,
> >
> > With SpiceProxy, should I point my admin portal browser to
http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
>
> Both FQDN/IP and port do matter. You have to set them so they point to a
> running http proxy server instance (e.g. squid). Engine won't set up a
> spice-capable http proxy
Just to clarify: you need to tell squid to permit connections to spice
port range (5900-6144 IIRC). It only allows connections to http ports by
default.
David
> for you, you have to take care of it yoursef.
>
> What engine can do for you is to configure websocket proxy that allows
> connections by html5 client (the one that runs entirely in browser).
>
> David
On my CentOS 5.10 server (10.4.4.63) that is the squid proxy for
engine I have this configuration that works
[root@c510 squid]# diff squid.conf squid.conf.orig
578,582d577
<
< acl localnet src 10.4.3.0/24 # RFC1918 possible internal network
< acl localnet src 10.4.23.0/24 # RFC1918 possible internal network
< acl localnet src 10.4.4.0/24 # RFC1918 possible internal network
<
625c620
< #http_access deny CONNECT !SSL_ports
---
http_access deny CONNECT !SSL_ports
639d633
< http_access allow localnet
927,928c921
< #http_port 3128
< http_port 80
---
http_port 3128
My clients where I run the browser that connects to engine (10.4.4.58)
are on 10.4.3.0, 10.4.4.0 or 10.4.23.0 networks.
No iptables on proxy server
oVirt hosts are on 10.4.4.0 netowrk too.
HIH,
Gianluca
1:47 p.m.
Hi Gianluca,
Thanks for the pointer. They are really helpful. I didn't know about squid. But this
is still not working for me after the squid setup as you can see in my email to David
Jasa.
I am really scratching my head now:). I hope I am getting close but...
----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
To: "users(a)ovirt.org" <users(a)ovirt.org>
Cc: David Li <david_li(a)sbcglobal.net>
Sent: Friday, January 24, 2014 10:06 AM
Subject: Re: [Users] Spice-proxy questions
On Fri, Jan 24, 2014 at 6:58 PM, David Jaša wrote:
> On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
>> On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
>> > David,
>> >
>> > With SpiceProxy, should I point my admin portal browser to
http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
>>
>> Both FQDN/IP and port do matter. You have to set them so they point to
a
>> running http proxy server instance (e.g. squid). Engine won't set
up a
>> spice-capable http proxy
>
> Just to clarify: you need to tell squid to permit connections to spice
> port range (5900-6144 IIRC). It only allows connections to http ports by
> default.
>
> David
>
>> for you, you have to take care of it yoursef.
>>
>> What engine can do for you is to configure websocket proxy that allows
>> connections by html5 client (the one that runs entirely in browser).
>>
>> David
On my CentOS 5.10 server (10.4.4.63) that is the squid proxy for
engine I have this configuration that works
[root@c510 squid]# diff squid.conf squid.conf.orig
578,582d577
<
< acl localnet src 10.4.3.0/24 # RFC1918 possible internal network
< acl localnet src 10.4.23.0/24 # RFC1918 possible internal network
< acl localnet src 10.4.4.0/24 # RFC1918 possible internal network
<
625c620
< #http_access deny CONNECT !SSL_ports
---
> http_access deny CONNECT !SSL_ports
639d633
< http_access allow localnet
927,928c921
< #http_port 3128
< http_port 80
---
> http_port 3128
My clients where I run the browser that connects to engine (10.4.4.58)
are on 10.4.3.0, 10.4.4.0 or 10.4.23.0 networks.
No iptables on proxy server
oVirt hosts are on 10.4.4.0 netowrk too.
HIH,
Gianluca
1:45 p.m.
David
I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
-------------------
acl localhost src 10.10.2.143/32 # for the machine running the browser
#safe ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports <---------- will this
allow connections to spice port range (5900-6144 IIRC).???
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Squid normally listens to port 3128
http_port 3128
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
-------------------------
and set my SpiceProxyDefault=http://10.10.2.143:3128
So far, this is still not working. The Spice popup window still fails to connect to the
graphics server and html5 browser window remains blank.
Are there any log files that can be used to debug this?
Thanks.
----- Original Message -----
From: David Jaša <djasa(a)redhat.com>
To: David Li <david_li(a)sbcglobal.net>
Cc: "users(a)ovirt.org" <users(a)ovirt.org>
Sent: Friday, January 24, 2014 9:58 AM
Subject: Re: [Users] Spice-proxy questions
On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
> On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
> > David,
> >
> > With SpiceProxy, should I point my admin portal browser to
http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
>
> Both FQDN/IP and port do matter. You have to set them so they point to a
> running http proxy server instance (e.g. squid). Engine won't set up a
> spice-capable http proxy
Just to clarify: you need to tell squid to permit connections to spice
port range (5900-6144 IIRC). It only allows connections to http ports by
default.
David
> for you, you have to take care of it yoursef.
>
> What engine can do for you is to configure websocket proxy that allows
> connections by html5 client (the one that runs entirely in browser).
>
> David
>
> >
> >
> >
> >
> > ----- Original Message -----
> > > From: David Jaša <djasa(a)redhat.com>
> > > To: David Li <david_li(a)sbcglobal.net>
> > > Cc: Itamar Heim <iheim(a)redhat.com>;
"users(a)ovirt.org" <users(a)ovirt.org>
> > > Sent: Friday, January 24, 2014 1:48 AM
> > > Subject: Re: [Users] Spice-proxy questions
> > >
> > > On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
> > >> Itamar,
> > >>
> > >> The web page isn't very clear how to set this.
> > >>
> > >> What's the "someProxy" supposed to be?
> > >
> > > SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
> > >
> > > David
> > >
> > >>
> > >> engine-config -s SpiceProxyDefault=someProxy
> > >>
> > >>
> > >>
> > >> ----- Original Message -----
> > >> > From: Itamar Heim <iheim(a)redhat.com>
> > >> > To: David Li <david_li(a)sbcglobal.net>;
> > > "users(a)ovirt.org" <users(a)ovirt.org>
> > >> > Cc:
> > >> > Sent: Thursday, January 23, 2014 1:01 PM
> > >> > Subject: Re: [Users] Spice-proxy questions
> > >> >
> > >> > On 01/23/2014 10:05 PM, David Li wrote:
> > >> >> Hi,
> > >> >>
> > >> >> It looks like my only option to get a console is
using
> > > spice-proxy as in
> > >> > http://www.ovirt.org/Features/Spice_Proxy
> > >> >>
> > >> >> However I am not sure how to make it work. I have
installed all
> > > three
> > >> > required packages on the engine (3.3.2). And my
engine-config shows:
> > >> >>
> > >> >>
> > >> >> [root@xyz ~]# engine-config -a | grep Spice
> > >> >> EnableSpiceRootCertificateValidation: true
version: general
> > >> >> SpiceReleaseCursorKeys: shift+f12 version: general
> > >> >> SpiceSecureChannels: smain,sinputs version: 3.0
> > >> >> SpiceSecureChannels:
> > >> >
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > > version:
> > >> > 3.1
> > >> >> SpiceSecureChannels:
> > >> >
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > > version:
> > >> > 3.2
> > >> >> SpiceSecureChannels:
> > >> >
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > > version:
> > >> > 3.3
> > >> >> SpiceToggleFullScreenKeys: shift+f11 version:
general
> > >> >> SpiceUsbAutoShare: true version: general
> > >> >> SpiceProxyDefault: version: general
> > >> >
> > >> > i don't remember the details, but i assume
SpiceProxyDefault
> > > should not
> > >> > be empty, set it with engine-config -s
SpiceProxyDefault
> > >> >
> > >> >
engine-config.properties:SpiceProxyDefault.description='Default
> > > proxy
> > >> > used by SPICE client to connect to the
> > >> >
> > >> >
> > >> >> ClientModeSpiceDefault: Auto version: general
> > >> >>
> > >> >>
> > >> >> The problem is that on my web portal, I don't
see any
> > > "Enable
> > >> > SPICE Proxy" box that I can check.
> > >> >>
> > >> >> Anyone knows why?
> > >> >>
> > >> >> Thanks.
> > >> >>
> > >> >> David
> > >> >>
> > >> >> _______________________________________________
> > >> >> Users mailing list
> > >> >> Users(a)ovirt.org
> > >> >> http://lists.ovirt.org/mailman/listinfo/users
> > >> >>
> > >> >
> > >> _______________________________________________
> > >> Users mailing list
> > >> Users(a)ovirt.org
> > >> http://lists.ovirt.org/mailman/listinfo/users
> > >
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
4:25 p.m.
On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
David
I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
-------------------
acl localhost src 10.10.2.143/32 # for the machine running the browser
#safe ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports <---------- will this allow
connections to spice port range (5900-6144 IIRC).???
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Squid normally listens to port 3128
http_port 3128
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
-------------------------
and set my SpiceProxyDefault=http://10.10.2.143:3128
So far, this is still not working. The Spice popup window still fails to connect to the
graphics server and html5 browser window remains blank.
Are there any log files that can be used to debug this?
Thanks.
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine
setup already configured iptables (or firewalld) and it is blocking
you?
You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
where xxx.yyy.www.zzz is the ip of the client from where you run the browser
so that you put this accept rule on top of INPUT chain and retry to
connect to VM console
- Which ip have the hosts where VMs are running?
- Is engine (so your proxy in your configuration) capable to reach ip
of your hosts on spice ports (5900-..)?
ALso see my previous thread here:
http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control on my network and
network admins only allow 80 and 443 so that they are already taken by
engine itself and I can't test putting the proxy on engine itself...
HIH anyway,
Gianluca
5:12 p.m.
Hi Gianluca,
Here is my testbed setup:
Browser (firefox 24.2.0) ovirt-engine (3.3.2)
host (ovirt-node)
10.10.2.143 ------------------- eth0: 10.10.36.103 eth1: 169.254.11.13
------------------- 169.254.103.2
(I stopped iptables in testing)
Which log files are needed to examine what's wrong?
----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
To: David Li <david_li(a)sbcglobal.net>
Cc: "users(a)ovirt.org" <users(a)ovirt.org>; "djasa(a)redhat.com"
<djasa(a)redhat.com>
Sent: Friday, January 24, 2014 2:25 PM
Subject: Re: [Users] Spice-proxy questions
On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
> David
>
> I set up the squid proxy on the same machine as ovirt-engine. I have this
in squid.conf:
>
>
>
> -------------------
> acl localhost src 10.10.2.143/32 # for the machine running the browser
>
>
> #safe ports
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports <---------- will
this allow connections to spice port range (5900-6144 IIRC).???
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
>
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> -------------------------
>
> and set my SpiceProxyDefault=http://10.10.2.143:3128
>
>
>
> So far, this is still not working. The Spice popup window still fails to
connect to the graphics server and html5 browser window remains blank.
> Are there any log files that can be used to debug this?
>
> Thanks.
>
>
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine
setup already configured iptables (or firewalld) and it is blocking
you?
You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
where xxx.yyy.www.zzz is the ip of the client from where you run the browser
so that you put this accept rule on top of INPUT chain and retry to
connect to VM console
- Which ip have the hosts where VMs are running?
- Is engine (so your proxy in your configuration) capable to reach ip
of your hosts on spice ports (5900-..)?
ALso see my previous thread here:
http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control on my network and
network admins only allow 80 and 443 so that they are already taken by
engine itself and I can't test putting the proxy on engine itself...
HIH anyway,
Gianluca
1:21 p.m.
Do I need to generate and install a x509 key pair for the squid proxy? How can I find out
if the key pair has already been done?
----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
To: David Li <david_li(a)sbcglobal.net>
Cc: "users(a)ovirt.org" <users(a)ovirt.org>; "djasa(a)redhat.com"
<djasa(a)redhat.com>
Sent: Friday, January 24, 2014 2:25 PM
Subject: Re: [Users] Spice-proxy questions
On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
> David
>
> I set up the squid proxy on the same machine as ovirt-engine. I have this
in squid.conf:
>
>
>
> -------------------
> acl localhost src 10.10.2.143/32 # for the machine running the browser
>
>
> #safe ports
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports <---------- will
this allow connections to spice port range (5900-6144 IIRC).???
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
>
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> -------------------------
>
> and set my SpiceProxyDefault=http://10.10.2.143:3128
>
>
>
> So far, this is still not working. The Spice popup window still fails to
connect to the graphics server and html5 browser window remains blank.
> Are there any log files that can be used to debug this?
>
> Thanks.
>
>
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine
setup already configured iptables (or firewalld) and it is blocking
you?
You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
where xxx.yyy.www.zzz is the ip of the client from where you run the browser
so that you put this accept rule on top of INPUT chain and retry to
connect to VM console
- Which ip have the hosts where VMs are running?
- Is engine (so your proxy in your configuration) capable to reach ip
of your hosts on spice ports (5900-..)?
ALso see my previous thread here:
http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control on my network and
network admins only allow 80 and 443 so that they are already taken by
engine itself and I can't test putting the proxy on engine itself...
HIH anyway,
Gianluca
2:49 a.m.
On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
Do I need to generate and install a x509 key pair for the squid
proxy? How can I find out if the key pair has already been done?
No. Spice channels are encrypted end-to-end so if you configure squid to
forward the connections just to the display network range of the hosts,
you anly allow connections that are encrypted anyway - so the TLS would
be here quite redundant.
Have you made sure that you have opened port 3128 in iptables? If the
box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must
be configured to disable firewalld but I presume that engine-setup does
that), add the port definition among other opened ports
in /etc/sysconfig/iptables.
David
PS: I'm mangling reply-to: header for a reason. Please don't hog my
inbox, I can very well read your messages on-list. Thank you.
----- Original Message -----
> From: Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
> To: David Li <david_li(a)sbcglobal.net>
> Cc: "users(a)ovirt.org" <users(a)ovirt.org>;
"djasa(a)redhat.com" <djasa(a)redhat.com>
> Sent: Friday, January 24, 2014 2:25 PM
> Subject: Re: [Users] Spice-proxy questions
>
> On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
>> David
>>
>> I set up the squid proxy on the same machine as ovirt-engine. I have this
> in squid.conf:
>>
>>
>>
>> -------------------
>> acl localhost src 10.10.2.143/32 # for the machine running the browser
>>
>>
>> #safe ports
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports <---------- will
> this allow connections to spice port range (5900-6144 IIRC).???
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>>
>>
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>>
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> -------------------------
>>
>> and set my SpiceProxyDefault=http://10.10.2.143:3128
>>
>>
>>
>> So far, this is still not working. The Spice popup window still fails to
> connect to the graphics server and html5 browser window remains blank.
>> Are there any log files that can be used to debug this?
>>
>> Thanks.
>>
>>
>
> There is something I don't understand or that you are doing incorrectly.
>
> From what you write it seems that:
>
> - your engine has ip 10.10.2.143
>
> - From which ip do you run your browser?
>
> - Can this ip connect to engine on port 3128? Perhaps your engine
> setup already configured iptables (or firewalld) and it is blocking
> you?
> You can easily verify at runtime by putting this line on engine:
>
> iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
> where xxx.yyy.www.zzz is the ip of the client from where you run the browser
> so that you put this accept rule on top of INPUT chain and retry to
> connect to VM console
>
> - Which ip have the hosts where VMs are running?
> - Is engine (so your proxy in your configuration) capable to reach ip
> of your hosts on spice ports (5900-..)?
>
> ALso see my previous thread here:
> http://lists.ovirt.org/pipermail/users/2013-December/018554.html
>
> and the useful answers.
>
> I cannot test your config, because I have no control on my network and
> network admins only allow 80 and 443 so that they are already taken by
> engine itself and I can't test putting the proxy on engine itself...
>
> HIH anyway,
> Gianluca
>
11:21 a.m.
On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
> Do I need to generate and install a x509 key pair for the squid proxy? How can I
find out if the key pair has already been done?
No. Spice channels are encrypted end-to-end so if you configure squid to
forward the connections just to the display network range of the hosts,
you anly allow connections that are encrypted anyway - so the TLS would
be here quite redundant.
Have you made sure that you have opened port 3128 in iptables? If the
box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must
be configured to disable firewalld but I presume that engine-setup does
that), add the port definition among other opened ports
in /etc/sysconfig/iptables.
David
PS: I'm mangling reply-to: header for a reason. Please don't hog my
inbox, I can very well read your messages on-list. Thank you.
I made a test setting proxy on engine and it seems it is ok.
I have no other ports than 80 and 443 allowed so I have to use
environment with all the servers in 10.4.4.0 network
client 10.4.4.61
engine 10.4.4.60
test VM 10.4.4.63
host (where test VM is running on) 10.4.4.59
# engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
# systemctl restart ovirt-engine
configured squid on engine on its default port 3128
I have firewalld configured on engine, so that I have this in
/etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other
computers on networks to not harm your computer. Only selected
incoming connections are accepted.</description>
<service name="mdns"/>
<service name="ovirt-nfs"/>
<service name="ovirt-http"/>
<service name="dhcpv6-client"/>
<service name="ovirt-websocket-proxy"/>
<service name="ovirt-https"/>
<service name="ssh"/>
<service name="ovirt-postgres"/>
<port protocol="tcp" port="6100"/>
<port protocol="tcp" port="3128"/>
</zone>
On client CentOS 6.5 (10.4.4.61):
I run firefox and connect to webadmin gui of engine (https://10.4.4.60)
I have enabled spice proxy for the test VM
I select console and specify to run /usr/bin/remote-viewer at popup
window, enabling popups in firefox
I successfully get the console
$ ps -ef|grep remote
g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer
/tmp/console.vv
g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote
$ sudo lsof -Pp 23897 | grep TCP
remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP
localhost:45817->localhost:6010 (ESTABLISHED)
remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP
10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP
10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP
10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP
10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP
10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
On engine (10.4.4.60)
# netstat -an|grep 3128
tcp6 0 0 :::3128 :::* LISTEN
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED
On hypervisor (10.4.4.59)
$ netstat -an|grep 5901
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED
So all seems ok.
Gianluca
11:51 a.m.
Hi Gianluca,
Finally it worked for me! Thanks a lot for help!
The doc is little vague in terms of all the things you need to do. I will try to write
something up based on my own experience and share with everyone here.
David
----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
To: "users(a)ovirt.org" <users(a)ovirt.org>
Cc: David Li <david_li(a)sbcglobal.net>
Sent: Tuesday, January 28, 2014 9:21 AM
Subject: Re: [Users] Spice-proxy questions
On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
> On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
>> Do I need to generate and install a x509 key pair for the squid proxy?
How can I find out if the key pair has already been done?
>
> No. Spice channels are encrypted end-to-end so if you configure squid to
> forward the connections just to the display network range of the hosts,
> you anly allow connections that are encrypted anyway - so the TLS would
> be here quite redundant.
>
> Have you made sure that you have opened port 3128 in iptables? If the
> box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora
must
> be configured to disable firewalld but I presume that engine-setup does
> that), add the port definition among other opened ports
> in /etc/sysconfig/iptables.
>
> David
>
> PS: I'm mangling reply-to: header for a reason. Please don't hog my
> inbox, I can very well read your messages on-list. Thank you.
I made a test setting proxy on engine and it seems it is ok.
I have no other ports than 80 and 443 allowed so I have to use
environment with all the servers in 10.4.4.0 network
client 10.4.4.61
engine 10.4.4.60
test VM 10.4.4.63
host (where test VM is running on) 10.4.4.59
# engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
# systemctl restart ovirt-engine
configured squid on engine on its default port 3128
I have firewalld configured on engine, so that I have this in
/etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other
computers on networks to not harm your computer. Only selected
incoming connections are accepted.</description>
<service name="mdns"/>
<service name="ovirt-nfs"/>
<service name="ovirt-http"/>
<service name="dhcpv6-client"/>
<service name="ovirt-websocket-proxy"/>
<service name="ovirt-https"/>
<service name="ssh"/>
<service name="ovirt-postgres"/>
<port protocol="tcp" port="6100"/>
<port protocol="tcp" port="3128"/>
</zone>
On client CentOS 6.5 (10.4.4.61):
I run firefox and connect to webadmin gui of engine (https://10.4.4.60)
I have enabled spice proxy for the test VM
I select console and specify to run /usr/bin/remote-viewer at popup
window, enabling popups in firefox
I successfully get the console
$ ps -ef|grep remote
g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer
/tmp/console.vv
g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote
$ sudo lsof -Pp 23897 | grep TCP
remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP
localhost:45817->localhost:6010 (ESTABLISHED)
remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP
10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP
10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP
10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP
10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP
10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
On engine (10.4.4.60)
# netstat -an|grep 3128
tcp6 0 0 :::3128 :::* LISTEN
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED
On hypervisor (10.4.4.59)
$ netstat -an|grep 5901
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED
So all seems ok.
Gianluca
5:37 p.m.
Still not working.
I believe spice-proxy has setup on the engine:
SpiceUsbAutoShare: true version: general
SpiceProxyDefault: myProxy version: general
ClientModeSpiceDefault: Auto version: general
In the web portal, I also see "Enable SPICE Proxy" checked under "SPICE
options".
But no matter what method I use under "Console Invocation", nothing works.
It's either fail to connect to the graphics server or show a blank browser window.
David
----- Original Message -----
From: Itamar Heim <iheim(a)redhat.com>
To: David Li <david_li(a)sbcglobal.net>; "users(a)ovirt.org"
<users(a)ovirt.org>
Cc:
Sent: Thursday, January 23, 2014 1:01 PM
Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
> Hi,
>
> It looks like my only option to get a console is using spice-proxy as in
http://www.ovirt.org/Features/Spice_Proxy
>
> However I am not sure how to make it work. I have installed all three
required packages on the engine (3.3.2). And my engine-config shows:
>
>
> [root@xyz ~]# engine-config -a | grep Spice
> EnableSpiceRootCertificateValidation: true version: general
> SpiceReleaseCursorKeys: shift+f12 version: general
> SpiceSecureChannels: smain,sinputs version: 3.0
> SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
3.1
> SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
3.2
> SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version:
3.3
> SpiceToggleFullScreenKeys: shift+f11 version: general
> SpiceUsbAutoShare: true version: general
> SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not
be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default proxy
used by SPICE client to connect to the
> ClientModeSpiceDefault: Auto version: general
>
>
> The problem is that on my web portal, I don't see any "Enable
SPICE Proxy" box that I can check.
>
> Anyone knows why?
>
> Thanks.
>
> David
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
2:22 a.m.
Hi David,
if you use the "Native client" option in the console options dialog and download
the .vv file,
it should contain something like:
proxy=someProxy
Does it? If it does, maybe it is some problem with the proxy configuration...
What's the "someProxy" supposed to be?
The proxy has to follow the following form: [protocol://]<host>[:port]
The proxy string may be specified with a protocol:// prefix to specify alternative proxy
protocols. If no protocol is specified in the proxy string or if the string doesn't
match a supported one, the proxy will be treated as a HTTP proxy.
Tomas
----- Original Message -----
From: "David Li" <david_li(a)sbcglobal.net>
To: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
Sent: Friday, January 24, 2014 12:37:48 AM
Subject: Re: [Users] Spice-proxy questions
Still not working.
I believe spice-proxy has setup on the engine:
SpiceUsbAutoShare: true version: general
SpiceProxyDefault: myProxy version: general
ClientModeSpiceDefault: Auto version: general
In the web portal, I also see "Enable SPICE Proxy" checked under "SPICE
options".
But no matter what method I use under "Console Invocation", nothing works.
It's either fail to connect to the graphics server or show a blank browser
window.
David
----- Original Message -----
> From: Itamar Heim <iheim(a)redhat.com>
> To: David Li <david_li(a)sbcglobal.net>; "users(a)ovirt.org"
<users(a)ovirt.org>
> Cc:
> Sent: Thursday, January 23, 2014 1:01 PM
> Subject: Re: [Users] Spice-proxy questions
>
> On 01/23/2014 10:05 PM, David Li wrote:
>> Hi,
>>
>> It looks like my only option to get a console is using spice-proxy as in
> http://www.ovirt.org/Features/Spice_Proxy
>>
>> However I am not sure how to make it work. I have installed all three
> required packages on the engine (3.3.2). And my engine-config shows:
>>
>>
>> [root@xyz ~]# engine-config -a | grep Spice
>> EnableSpiceRootCertificateValidation: true version: general
>> SpiceReleaseCursorKeys: shift+f12 version: general
>> SpiceSecureChannels: smain,sinputs version: 3.0
>> SpiceSecureChannels:
> smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> version:
> 3.1
>> SpiceSecureChannels:
> smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> version:
> 3.2
>> SpiceSecureChannels:
> smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> version:
> 3.3
>> SpiceToggleFullScreenKeys: shift+f11 version: general
>> SpiceUsbAutoShare: true version: general
>> SpiceProxyDefault: version: general
>
> i don't remember the details, but i assume SpiceProxyDefault should not
> be empty, set it with engine-config -s SpiceProxyDefault
>
> engine-config.properties:SpiceProxyDefault.description='Default proxy
> used by SPICE client to connect to the
>
>
>> ClientModeSpiceDefault: Auto version: general
>>
>>
>> The problem is that on my web portal, I don't see any "Enable
> SPICE Proxy" box that I can check.
>>
>> Anyone knows why?
>>
>> Thanks.
>>
>> David
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
11:31 a.m.
Hi Tomas, David:
I set my SpiceProxyDefault to "http://<ovirt-engine-IP>:80
and my .vv file indeed reflects that.
However this is still not working. The popup window still fails to connect to the graphic
server.
Any further suggestion how to debug?
Thanks.
David
----- Original Message -----
From: Tomas Jelinek <tjelinek(a)redhat.com>
To: David Li <david_li(a)sbcglobal.net>
Cc: Itamar Heim <iheim(a)redhat.com>; users(a)ovirt.org
Sent: Friday, January 24, 2014 12:22 AM
Subject: Re: [Users] Spice-proxy questions
Hi David,
if you use the "Native client" option in the console options dialog
and download the .vv file,
it should contain something like:
proxy=someProxy
Does it? If it does, maybe it is some problem with the proxy configuration...
> What's the "someProxy" supposed to be?
The proxy has to follow the following form: [protocol://]<host>[:port]
The proxy string may be specified with a protocol:// prefix to specify
alternative proxy protocols. If no protocol is specified in the proxy string or
if the string doesn't match a supported one, the proxy will be treated as a
HTTP proxy.
Tomas
----- Original Message -----
> From: "David Li" <david_li(a)sbcglobal.net>
> To: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
> Sent: Friday, January 24, 2014 12:37:48 AM
> Subject: Re: [Users] Spice-proxy questions
>
> Still not working.
>
> I believe spice-proxy has setup on the engine:
>
> SpiceUsbAutoShare: true version: general
> SpiceProxyDefault: myProxy version: general
> ClientModeSpiceDefault: Auto version: general
>
> In the web portal, I also see "Enable SPICE Proxy" checked under
"SPICE
> options".
>
> But no matter what method I use under "Console Invocation",
nothing works.
> It's either fail to connect to the graphics server or show a blank
browser
> window.
>
> David
>
>
> ----- Original Message -----
> > From: Itamar Heim <iheim(a)redhat.com>
> > To: David Li <david_li(a)sbcglobal.net>;
"users(a)ovirt.org" <users(a)ovirt.org>
> > Cc:
> > Sent: Thursday, January 23, 2014 1:01 PM
> > Subject: Re: [Users] Spice-proxy questions
> >
> > On 01/23/2014 10:05 PM, David Li wrote:
> >> Hi,
> >>
> >> It looks like my only option to get a console is using
spice-proxy as in
> > http://www.ovirt.org/Features/Spice_Proxy
> >>
> >> However I am not sure how to make it work. I have installed all
three
> > required packages on the engine (3.3.2). And my engine-config shows:
> >>
> >>
> >> [root@xyz ~]# engine-config -a | grep Spice
> >> EnableSpiceRootCertificateValidation: true version: general
> >> SpiceReleaseCursorKeys: shift+f12 version: general
> >> SpiceSecureChannels: smain,sinputs version: 3.0
> >> SpiceSecureChannels:
> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > version:
> > 3.1
> >> SpiceSecureChannels:
> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > version:
> > 3.2
> >> SpiceSecureChannels:
> > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard
> > version:
> > 3.3
> >> SpiceToggleFullScreenKeys: shift+f11 version: general
> >> SpiceUsbAutoShare: true version: general
> >> SpiceProxyDefault: version: general
> >
> > i don't remember the details, but i assume SpiceProxyDefault
should not
> > be empty, set it with engine-config -s SpiceProxyDefault
> >
> > engine-config.properties:SpiceProxyDefault.description='Default
proxy
> > used by SPICE client to connect to the
> >
> >
> >> ClientModeSpiceDefault: Auto version: general
> >>
> >>
> >> The problem is that on my web portal, I don't see any
"Enable
> > SPICE Proxy" box that I can check.
> >>
> >> Anyone knows why?
> >>
> >> Thanks.
> >>
> >> David
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users(a)ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >>
> >
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
11:59 a.m.
On Fri, Jan 24, 2014 at 6:31 PM, David Li wrote:
Hi Tomas, David:
I set my SpiceProxyDefault to "http://<ovirt-engine-IP>:80
and my .vv file indeed reflects that.
However this is still not working. The popup window still fails to connect to the graphic
server.
Any further suggestion how to debug?
Thanks.
David
You have to configure a web Proxy server such as Squid.
Port 80 on your engine is already occupied by engine web component itself
On engine tipically
# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 8191 root 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 8195 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 8196 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 8197 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 8762 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 8763 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 8764 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 8770 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 9346 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 10338 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
httpd 10340 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN)
BTW I had problems to configure my engine to work both with SpiceProxy
and WebSocketProxy, so I ended up to configure another server
(10.4.4.63) with squid configured on port 80 so that now my engine (ip
10.4.4.58) has:
# engine-config -g SpiceProxyDefault
SpiceProxyDefault: http://10.4.4.63:80 version: general
and I have both SpiceProxy and WebSocketProxy (where needed) working.
In your case you should install squid on your engine and set it up
with a port different than 80.
Official and free documentation on just released (?) final RHEV 3.3 is
better to read to configure Proxy:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Vir...
(good advertising... ;-)
it seems 3.3 has been released but no official announcement?
https://www.redhat.com/about/news/press-archive/2014/1/rhev-3-3-enables-o...
or did I loose anything?
Gianluca
3963
days inactive
3968
days old
19 comments
5 participants
participants (5)
-
David Jaša -
David Li -
Gianluca Cecchi -
Itamar Heim -
Tomas Jelinek