
Hi, It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy However I am not sure how to make it work. I have installed all three required packages on the engine (3.3.2). And my engine-config shows: [root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general ClientModeSpiceDefault: Auto version: general The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check. Anyone knows why? Thanks. David

On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all three required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault engine-config.properties:SpiceProxyDefault.description='Default proxy used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Itamar, The web page isn't very clear how to set this. What's the "someProxy" supposed to be? engine-config -s SpiceProxyDefault=someProxy ----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>; "users@ovirt.org" <users@ovirt.org> Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all three required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default proxy used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
Itamar,
The web page isn't very clear how to set this.
What's the "someProxy" supposed to be?
SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/ David
engine-config -s SpiceProxyDefault=someProxy
----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>; "users@ovirt.org" <users@ovirt.org> Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all three required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default proxy used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

David, With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port? Does it matter which port number to use? ----- Original Message -----
From: David Jaša <djasa@redhat.com> To: David Li <david_li@sbcglobal.net> Cc: Itamar Heim <iheim@redhat.com>; "users@ovirt.org" <users@ovirt.org> Sent: Friday, January 24, 2014 1:48 AM Subject: Re: [Users] Spice-proxy questions
On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
Itamar,
The web page isn't very clear how to set this.
What's the "someProxy" supposed to be?
SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
David
engine-config -s SpiceProxyDefault=someProxy
----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>;
Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all
required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1
SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default
"users@ovirt.org" <users@ovirt.org> three proxy
used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
David,
With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
Both FQDN/IP and port do matter. You have to set them so they point to a running http proxy server instance (e.g. squid). Engine won't set up a spice-capable http proxy for you, you have to take care of it yoursef. What engine can do for you is to configure websocket proxy that allows connections by html5 client (the one that runs entirely in browser). David
----- Original Message -----
From: David Jaša <djasa@redhat.com> To: David Li <david_li@sbcglobal.net> Cc: Itamar Heim <iheim@redhat.com>; "users@ovirt.org" <users@ovirt.org> Sent: Friday, January 24, 2014 1:48 AM Subject: Re: [Users] Spice-proxy questions
On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
Itamar,
The web page isn't very clear how to set this.
What's the "someProxy" supposed to be?
SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
David
engine-config -s SpiceProxyDefault=someProxy
----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>;
Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all
required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1
SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default
"users@ovirt.org" <users@ovirt.org> three proxy
used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
David,
With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
Both FQDN/IP and port do matter. You have to set them so they point to a running http proxy server instance (e.g. squid). Engine won't set up a spice-capable http proxy
Just to clarify: you need to tell squid to permit connections to spice port range (5900-6144 IIRC). It only allows connections to http ports by default. David
for you, you have to take care of it yoursef.
What engine can do for you is to configure websocket proxy that allows connections by html5 client (the one that runs entirely in browser).
David
----- Original Message -----
From: David Jaša <djasa@redhat.com> To: David Li <david_li@sbcglobal.net> Cc: Itamar Heim <iheim@redhat.com>; "users@ovirt.org" <users@ovirt.org> Sent: Friday, January 24, 2014 1:48 AM Subject: Re: [Users] Spice-proxy questions
On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
Itamar,
The web page isn't very clear how to set this.
What's the "someProxy" supposed to be?
SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
David
engine-config -s SpiceProxyDefault=someProxy
----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>;
Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all
required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1
SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default
"users@ovirt.org" <users@ovirt.org> three proxy
used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Fri, Jan 24, 2014 at 6:58 PM, David Jaša wrote:
On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
David,
With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
Both FQDN/IP and port do matter. You have to set them so they point to a running http proxy server instance (e.g. squid). Engine won't set up a spice-capable http proxy
Just to clarify: you need to tell squid to permit connections to spice port range (5900-6144 IIRC). It only allows connections to http ports by default.
David
for you, you have to take care of it yoursef.
What engine can do for you is to configure websocket proxy that allows connections by html5 client (the one that runs entirely in browser).
David
On my CentOS 5.10 server (10.4.4.63) that is the squid proxy for engine I have this configuration that works [root@c510 squid]# diff squid.conf squid.conf.orig 578,582d577 < < acl localnet src 10.4.3.0/24 # RFC1918 possible internal network < acl localnet src 10.4.23.0/24 # RFC1918 possible internal network < acl localnet src 10.4.4.0/24 # RFC1918 possible internal network < 625c620 < #http_access deny CONNECT !SSL_ports ---
http_access deny CONNECT !SSL_ports 639d633 < http_access allow localnet 927,928c921 < #http_port 3128 < http_port 80
http_port 3128
My clients where I run the browser that connects to engine (10.4.4.58) are on 10.4.3.0, 10.4.4.0 or 10.4.23.0 networks. No iptables on proxy server oVirt hosts are on 10.4.4.0 netowrk too. HIH, Gianluca

Hi Gianluca, Thanks for the pointer. They are really helpful. I didn't know about squid. But this is still not working for me after the squid setup as you can see in my email to David Jasa. I am really scratching my head now:). I hope I am getting close but... ----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi@gmail.com> To: "users@ovirt.org" <users@ovirt.org> Cc: David Li <david_li@sbcglobal.net> Sent: Friday, January 24, 2014 10:06 AM Subject: Re: [Users] Spice-proxy questions
On Fri, Jan 24, 2014 at 6:58 PM, David Jaša wrote:
On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
David,
With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
Both FQDN/IP and port do matter. You have to set them so they point to a running http proxy server instance (e.g. squid). Engine won't set up a spice-capable http proxy
Just to clarify: you need to tell squid to permit connections to spice port range (5900-6144 IIRC). It only allows connections to http ports by default.
David
for you, you have to take care of it yoursef.
What engine can do for you is to configure websocket proxy that allows connections by html5 client (the one that runs entirely in browser).
David
On my CentOS 5.10 server (10.4.4.63) that is the squid proxy for engine I have this configuration that works
[root@c510 squid]# diff squid.conf squid.conf.orig 578,582d577 < < acl localnet src 10.4.3.0/24 # RFC1918 possible internal network < acl localnet src 10.4.23.0/24 # RFC1918 possible internal network < acl localnet src 10.4.4.0/24 # RFC1918 possible internal network < 625c620 < #http_access deny CONNECT !SSL_ports ---
http_access deny CONNECT !SSL_ports 639d633 < http_access allow localnet 927,928c921 < #http_port 3128 < http_port 80
http_port 3128
My clients where I run the browser that connects to engine (10.4.4.58) are on 10.4.3.0, 10.4.4.0 or 10.4.23.0 networks. No iptables on proxy server oVirt hosts are on 10.4.4.0 netowrk too.
HIH, Gianluca

David I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf: ------------------- acl localhost src 10.10.2.143/32 # for the machine running the browser #safe ports acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports <---------- will this allow connections to spice port range (5900-6144 IIRC).??? acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http # Squid normally listens to port 3128 http_port 3128 # Deny requests to certain unsafe ports http_access deny !Safe_ports ------------------------- and set my SpiceProxyDefault=http://10.10.2.143:3128 So far, this is still not working. The Spice popup window still fails to connect to the graphics server and html5 browser window remains blank. Are there any log files that can be used to debug this? Thanks. ----- Original Message -----
From: David Jaša <djasa@redhat.com> To: David Li <david_li@sbcglobal.net> Cc: "users@ovirt.org" <users@ovirt.org> Sent: Friday, January 24, 2014 9:58 AM Subject: Re: [Users] Spice-proxy questions
On Pá, 2014-01-24 at 18:45 +0100, David Jaša wrote:
On Pá, 2014-01-24 at 09:39 -0800, David Li wrote:
David,
With SpiceProxy, should I point my admin portal browser to http://proxy_ip_or_fqdn:port? Does it matter which port number to use?
Both FQDN/IP and port do matter. You have to set them so they point to a running http proxy server instance (e.g. squid). Engine won't set up a spice-capable http proxy
Just to clarify: you need to tell squid to permit connections to spice port range (5900-6144 IIRC). It only allows connections to http ports by default.
David
for you, you have to take care of it yoursef.
What engine can do for you is to configure websocket proxy that allows connections by html5 client (the one that runs entirely in browser).
David
----- Original Message -----
From: David Jaša <djasa@redhat.com> To: David Li <david_li@sbcglobal.net> Cc: Itamar Heim <iheim@redhat.com>;
"users@ovirt.org" <users@ovirt.org>
Sent: Friday, January 24, 2014 1:48 AM Subject: Re: [Users] Spice-proxy questions
On Čt, 2014-01-23 at 13:42 -0800, David Li wrote:
Itamar,
The web page isn't very clear how to set this.
What's the "someProxy" supposed to be?
SpiceProxyDefaut=http://proxy_ip_or_fqdn:port/
David
engine-config -s SpiceProxyDefault=someProxy
----- Original Message ----- > From: Itamar Heim <iheim@redhat.com> > To: David Li <david_li@sbcglobal.net>;
> Cc: > Sent: Thursday, January 23, 2014 1:01 PM > Subject: Re: [Users] Spice-proxy questions > > On 01/23/2014 10:05 PM, David Li wrote: >> Hi, >> >> It looks like my only option to get a console is using spice-proxy as in > http://www.ovirt.org/Features/Spice_Proxy >> >> However I am not sure how to make it work. I have installed all
> required packages on the engine (3.3.2). And my engine-config shows: >> >> >> [root@xyz ~]# engine-config -a | grep Spice >> EnableSpiceRootCertificateValidation: true version: general >> SpiceReleaseCursorKeys: shift+f12 version: general >> SpiceSecureChannels: smain,sinputs version: 3.0 >> SpiceSecureChannels: > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: > 3.1 >> SpiceSecureChannels: > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: > 3.2 >> SpiceSecureChannels: > smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: > 3.3 >> SpiceToggleFullScreenKeys: shift+f11 version: general >> SpiceUsbAutoShare: true version: general >> SpiceProxyDefault: version: general > > i don't remember the details, but i assume SpiceProxyDefault should not > be empty, set it with engine-config -s SpiceProxyDefault > > engine-config.properties:SpiceProxyDefault.description='Default
"users@ovirt.org" <users@ovirt.org> three proxy
> used by SPICE client to connect to the > > >> ClientModeSpiceDefault: Auto version: general >> >> >> The problem is that on my web portal, I don't see any "Enable > SPICE Proxy" box that I can check. >> >> Anyone knows why? >> >> Thanks. >> >> David >> >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> > _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
David
I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
------------------- acl localhost src 10.10.2.143/32 # for the machine running the browser
#safe ports acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports <---------- will this allow connections to spice port range (5900-6144 IIRC).??? acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http
# Squid normally listens to port 3128 http_port 3128
# Deny requests to certain unsafe ports http_access deny !Safe_ports
-------------------------
and set my SpiceProxyDefault=http://10.10.2.143:3128
So far, this is still not working. The Spice popup window still fails to connect to the graphics server and html5 browser window remains blank. Are there any log files that can be used to debug this?
Thanks.
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143 - From which ip do you run your browser? - Can this ip connect to engine on port 3128? Perhaps your engine setup already configured iptables (or firewalld) and it is blocking you? You can easily verify at runtime by putting this line on engine: iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT where xxx.yyy.www.zzz is the ip of the client from where you run the browser so that you put this accept rule on top of INPUT chain and retry to connect to VM console - Which ip have the hosts where VMs are running? - Is engine (so your proxy in your configuration) capable to reach ip of your hosts on spice ports (5900-..)? ALso see my previous thread here: http://lists.ovirt.org/pipermail/users/2013-December/018554.html and the useful answers. I cannot test your config, because I have no control on my network and network admins only allow 80 and 443 so that they are already taken by engine itself and I can't test putting the proxy on engine itself... HIH anyway, Gianluca

Hi Gianluca, Here is my testbed setup: Browser (firefox 24.2.0) ovirt-engine (3.3.2) host (ovirt-node) 10.10.2.143 ------------------- eth0: 10.10.36.103 eth1: 169.254.11.13 ------------------- 169.254.103.2 (I stopped iptables in testing) Which log files are needed to examine what's wrong? ----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi@gmail.com> To: David Li <david_li@sbcglobal.net> Cc: "users@ovirt.org" <users@ovirt.org>; "djasa@redhat.com" <djasa@redhat.com> Sent: Friday, January 24, 2014 2:25 PM Subject: Re: [Users] Spice-proxy questions
David
I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
------------------- acl localhost src 10.10.2.143/32 # for the machine running the browser
#safe ports acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports <---------- will
On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote: this allow connections to spice port range (5900-6144 IIRC).???
acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http
# Squid normally listens to port 3128 http_port 3128
# Deny requests to certain unsafe ports http_access deny !Safe_ports
-------------------------
and set my SpiceProxyDefault=http://10.10.2.143:3128
So far, this is still not working. The Spice popup window still fails to connect to the graphics server and html5 browser window remains blank. Are there any log files that can be used to debug this?
Thanks.
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine setup already configured iptables (or firewalld) and it is blocking you? You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT where xxx.yyy.www.zzz is the ip of the client from where you run the browser so that you put this accept rule on top of INPUT chain and retry to connect to VM console
- Which ip have the hosts where VMs are running? - Is engine (so your proxy in your configuration) capable to reach ip of your hosts on spice ports (5900-..)?
ALso see my previous thread here: http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control on my network and network admins only allow 80 and 443 so that they are already taken by engine itself and I can't test putting the proxy on engine itself...
HIH anyway, Gianluca

Do I need to generate and install a x509 key pair for the squid proxy? How can I find out if the key pair has already been done? ----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi@gmail.com> To: David Li <david_li@sbcglobal.net> Cc: "users@ovirt.org" <users@ovirt.org>; "djasa@redhat.com" <djasa@redhat.com> Sent: Friday, January 24, 2014 2:25 PM Subject: Re: [Users] Spice-proxy questions
David
I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
------------------- acl localhost src 10.10.2.143/32 # for the machine running the browser
#safe ports acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports <---------- will
On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote: this allow connections to spice port range (5900-6144 IIRC).???
acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http
# Squid normally listens to port 3128 http_port 3128
# Deny requests to certain unsafe ports http_access deny !Safe_ports
-------------------------
and set my SpiceProxyDefault=http://10.10.2.143:3128
So far, this is still not working. The Spice popup window still fails to connect to the graphics server and html5 browser window remains blank. Are there any log files that can be used to debug this?
Thanks.
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine setup already configured iptables (or firewalld) and it is blocking you? You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT where xxx.yyy.www.zzz is the ip of the client from where you run the browser so that you put this accept rule on top of INPUT chain and retry to connect to VM console
- Which ip have the hosts where VMs are running? - Is engine (so your proxy in your configuration) capable to reach ip of your hosts on spice ports (5900-..)?
ALso see my previous thread here: http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control on my network and network admins only allow 80 and 443 so that they are already taken by engine itself and I can't test putting the proxy on engine itself...
HIH anyway, Gianluca

On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
Do I need to generate and install a x509 key pair for the squid proxy? How can I find out if the key pair has already been done?
No. Spice channels are encrypted end-to-end so if you configure squid to forward the connections just to the display network range of the hosts, you anly allow connections that are encrypted anyway - so the TLS would be here quite redundant. Have you made sure that you have opened port 3128 in iptables? If the box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must be configured to disable firewalld but I presume that engine-setup does that), add the port definition among other opened ports in /etc/sysconfig/iptables. David PS: I'm mangling reply-to: header for a reason. Please don't hog my inbox, I can very well read your messages on-list. Thank you.
----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi@gmail.com> To: David Li <david_li@sbcglobal.net> Cc: "users@ovirt.org" <users@ovirt.org>; "djasa@redhat.com" <djasa@redhat.com> Sent: Friday, January 24, 2014 2:25 PM Subject: Re: [Users] Spice-proxy questions
David
I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
------------------- acl localhost src 10.10.2.143/32 # for the machine running the browser
#safe ports acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports <---------- will
On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote: this allow connections to spice port range (5900-6144 IIRC).???
acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http
# Squid normally listens to port 3128 http_port 3128
# Deny requests to certain unsafe ports http_access deny !Safe_ports
-------------------------
and set my SpiceProxyDefault=http://10.10.2.143:3128
So far, this is still not working. The Spice popup window still fails to connect to the graphics server and html5 browser window remains blank. Are there any log files that can be used to debug this?
Thanks.
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine setup already configured iptables (or firewalld) and it is blocking you? You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT where xxx.yyy.www.zzz is the ip of the client from where you run the browser so that you put this accept rule on top of INPUT chain and retry to connect to VM console
- Which ip have the hosts where VMs are running? - Is engine (so your proxy in your configuration) capable to reach ip of your hosts on spice ports (5900-..)?
ALso see my previous thread here: http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control on my network and network admins only allow 80 and 443 so that they are already taken by engine itself and I can't test putting the proxy on engine itself...
HIH anyway, Gianluca

On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
Do I need to generate and install a x509 key pair for the squid proxy? How can I find out if the key pair has already been done?
No. Spice channels are encrypted end-to-end so if you configure squid to forward the connections just to the display network range of the hosts, you anly allow connections that are encrypted anyway - so the TLS would be here quite redundant.
Have you made sure that you have opened port 3128 in iptables? If the box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must be configured to disable firewalld but I presume that engine-setup does that), add the port definition among other opened ports in /etc/sysconfig/iptables.
David
PS: I'm mangling reply-to: header for a reason. Please don't hog my inbox, I can very well read your messages on-list. Thank you.
I made a test setting proxy on engine and it seems it is ok. I have no other ports than 80 and 443 allowed so I have to use environment with all the servers in 10.4.4.0 network client 10.4.4.61 engine 10.4.4.60 test VM 10.4.4.63 host (where test VM is running on) 10.4.4.59 # engine-config -s SpiceProxyDefault="http://10.4.4.60:3128" # systemctl restart ovirt-engine configured squid on engine on its default port 3128 I have firewalld configured on engine, so that I have this in /etc/firewalld/zones/public.xml <?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="mdns"/> <service name="ovirt-nfs"/> <service name="ovirt-http"/> <service name="dhcpv6-client"/> <service name="ovirt-websocket-proxy"/> <service name="ovirt-https"/> <service name="ssh"/> <service name="ovirt-postgres"/> <port protocol="tcp" port="6100"/> <port protocol="tcp" port="3128"/> </zone> On client CentOS 6.5 (10.4.4.61): I run firefox and connect to webadmin gui of engine (https://10.4.4.60) I have enabled spice proxy for the test VM I select console and specify to run /usr/bin/remote-viewer at popup window, enabling popups in firefox I successfully get the console $ ps -ef|grep remote g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer /tmp/console.vv g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote $ sudo lsof -Pp 23897 | grep TCP remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED) remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED) On engine (10.4.4.60) # netstat -an|grep 3128 tcp6 0 0 :::3128 :::* LISTEN tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED On hypervisor (10.4.4.59) $ netstat -an|grep 5901 tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED So all seems ok. Gianluca

Hi Gianluca, Finally it worked for me! Thanks a lot for help! The doc is little vague in terms of all the things you need to do. I will try to write something up based on my own experience and share with everyone here. David ----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi@gmail.com> To: "users@ovirt.org" <users@ovirt.org> Cc: David Li <david_li@sbcglobal.net> Sent: Tuesday, January 28, 2014 9:21 AM Subject: Re: [Users] Spice-proxy questions
On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
Do I need to generate and install a x509 key pair for the squid proxy? How can I find out if the key pair has already been done?
No. Spice channels are encrypted end-to-end so if you configure squid to forward the connections just to the display network range of the hosts, you anly allow connections that are encrypted anyway - so the TLS would be here quite redundant.
Have you made sure that you have opened port 3128 in iptables? If the box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must be configured to disable firewalld but I presume that engine-setup does that), add the port definition among other opened ports in /etc/sysconfig/iptables.
David
PS: I'm mangling reply-to: header for a reason. Please don't hog my inbox, I can very well read your messages on-list. Thank you.
I made a test setting proxy on engine and it seems it is ok. I have no other ports than 80 and 443 allowed so I have to use environment with all the servers in 10.4.4.0 network
client 10.4.4.61 engine 10.4.4.60 test VM 10.4.4.63 host (where test VM is running on) 10.4.4.59
# engine-config -s SpiceProxyDefault="http://10.4.4.60:3128" # systemctl restart ovirt-engine
configured squid on engine on its default port 3128
I have firewalld configured on engine, so that I have this in /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="mdns"/> <service name="ovirt-nfs"/> <service name="ovirt-http"/> <service name="dhcpv6-client"/> <service name="ovirt-websocket-proxy"/> <service name="ovirt-https"/> <service name="ssh"/> <service name="ovirt-postgres"/> <port protocol="tcp" port="6100"/> <port protocol="tcp" port="3128"/> </zone>
On client CentOS 6.5 (10.4.4.61): I run firefox and connect to webadmin gui of engine (https://10.4.4.60) I have enabled spice proxy for the test VM I select console and specify to run /usr/bin/remote-viewer at popup window, enabling popups in firefox I successfully get the console
$ ps -ef|grep remote g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer /tmp/console.vv g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote
$ sudo lsof -Pp 23897 | grep TCP remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED) remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED) remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
On engine (10.4.4.60) # netstat -an|grep 3128 tcp6 0 0 :::3128 :::* LISTEN tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED
On hypervisor (10.4.4.59) $ netstat -an|grep 5901 tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED
So all seems ok. Gianluca

Still not working. I believe spice-proxy has setup on the engine: SpiceUsbAutoShare: true version: general SpiceProxyDefault: myProxy version: general ClientModeSpiceDefault: Auto version: general In the web portal, I also see "Enable SPICE Proxy" checked under "SPICE options". But no matter what method I use under "Console Invocation", nothing works. It's either fail to connect to the graphics server or show a blank browser window. David ----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>; "users@ovirt.org" <users@ovirt.org> Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all three required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default proxy used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Hi David, if you use the "Native client" option in the console options dialog and download the .vv file, it should contain something like: proxy=someProxy Does it? If it does, maybe it is some problem with the proxy configuration...
What's the "someProxy" supposed to be?
The proxy has to follow the following form: [protocol://]<host>[:port] The proxy string may be specified with a protocol:// prefix to specify alternative proxy protocols. If no protocol is specified in the proxy string or if the string doesn't match a supported one, the proxy will be treated as a HTTP proxy. Tomas ----- Original Message -----
From: "David Li" <david_li@sbcglobal.net> To: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Friday, January 24, 2014 12:37:48 AM Subject: Re: [Users] Spice-proxy questions
Still not working.
I believe spice-proxy has setup on the engine:
SpiceUsbAutoShare: true version: general SpiceProxyDefault: myProxy version: general ClientModeSpiceDefault: Auto version: general
In the web portal, I also see "Enable SPICE Proxy" checked under "SPICE options".
But no matter what method I use under "Console Invocation", nothing works. It's either fail to connect to the graphics server or show a blank browser window.
David
----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>; "users@ovirt.org" <users@ovirt.org> Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all three required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default proxy used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Hi Tomas, David: I set my SpiceProxyDefault to "http://<ovirt-engine-IP>:80 and my .vv file indeed reflects that. However this is still not working. The popup window still fails to connect to the graphic server. Any further suggestion how to debug? Thanks. David ----- Original Message -----
From: Tomas Jelinek <tjelinek@redhat.com> To: David Li <david_li@sbcglobal.net> Cc: Itamar Heim <iheim@redhat.com>; users@ovirt.org Sent: Friday, January 24, 2014 12:22 AM Subject: Re: [Users] Spice-proxy questions
Hi David,
if you use the "Native client" option in the console options dialog and download the .vv file, it should contain something like: proxy=someProxy
Does it? If it does, maybe it is some problem with the proxy configuration...
What's the "someProxy" supposed to be?
The proxy has to follow the following form: [protocol://]<host>[:port]
The proxy string may be specified with a protocol:// prefix to specify alternative proxy protocols. If no protocol is specified in the proxy string or if the string doesn't match a supported one, the proxy will be treated as a HTTP proxy.
Tomas
From: "David Li" <david_li@sbcglobal.net> To: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Friday, January 24, 2014 12:37:48 AM Subject: Re: [Users] Spice-proxy questions
Still not working.
I believe spice-proxy has setup on the engine:
SpiceUsbAutoShare: true version: general SpiceProxyDefault: myProxy version: general ClientModeSpiceDefault: Auto version: general
In the web portal, I also see "Enable SPICE Proxy" checked under "SPICE options".
But no matter what method I use under "Console Invocation", nothing works. It's either fail to connect to the graphics server or show a blank browser window.
David
----- Original Message -----
From: Itamar Heim <iheim@redhat.com> To: David Li <david_li@sbcglobal.net>; "users@ovirt.org" <users@ovirt.org> Cc: Sent: Thursday, January 23, 2014 1:01 PM Subject: Re: [Users] Spice-proxy questions
On 01/23/2014 10:05 PM, David Li wrote:
Hi,
It looks like my only option to get a console is using spice-proxy as in http://www.ovirt.org/Features/Spice_Proxy
However I am not sure how to make it work. I have installed all
required packages on the engine (3.3.2). And my engine-config shows:
[root@xyz ~]# engine-config -a | grep Spice EnableSpiceRootCertificateValidation: true version: general SpiceReleaseCursorKeys: shift+f12 version: general SpiceSecureChannels: smain,sinputs version: 3.0 SpiceSecureChannels:
smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.1
SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.2 SpiceSecureChannels: smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard version: 3.3 SpiceToggleFullScreenKeys: shift+f11 version: general SpiceUsbAutoShare: true version: general SpiceProxyDefault: version: general
i don't remember the details, but i assume SpiceProxyDefault should not be empty, set it with engine-config -s SpiceProxyDefault
engine-config.properties:SpiceProxyDefault.description='Default
----- Original Message ----- three proxy
used by SPICE client to connect to the
ClientModeSpiceDefault: Auto version: general
The problem is that on my web portal, I don't see any "Enable SPICE Proxy" box that I can check.
Anyone knows why?
Thanks.
David
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Fri, Jan 24, 2014 at 6:31 PM, David Li wrote:
Hi Tomas, David:
I set my SpiceProxyDefault to "http://<ovirt-engine-IP>:80 and my .vv file indeed reflects that.
However this is still not working. The popup window still fails to connect to the graphic server. Any further suggestion how to debug?
Thanks.
David
You have to configure a web Proxy server such as Squid. Port 80 on your engine is already occupied by engine web component itself On engine tipically # lsof -i :80 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 8191 root 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 8195 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 8196 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 8197 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 8762 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 8763 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 8764 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 8770 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 9346 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 10338 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) httpd 10340 apache 4u IPv6 49597 0t0 TCP *:http (LISTEN) BTW I had problems to configure my engine to work both with SpiceProxy and WebSocketProxy, so I ended up to configure another server (10.4.4.63) with squid configured on port 80 so that now my engine (ip 10.4.4.58) has: # engine-config -g SpiceProxyDefault SpiceProxyDefault: http://10.4.4.63:80 version: general and I have both SpiceProxy and WebSocketProxy (where needed) working. In your case you should install squid on your engine and set it up with a port different than 80. Official and free documentation on just released (?) final RHEV 3.3 is better to read to configure Proxy: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtua... (good advertising... ;-) it seems 3.3 has been released but no official announcement? https://www.redhat.com/about/news/press-archive/2014/1/rhev-3-3-enables-open... or did I loose anything? Gianluca
participantes (5)
-
David Jaša
-
David Li
-
Gianluca Cecchi
-
Itamar Heim
-
Tomas Jelinek