[Users] Spice-proxy questions
David Li
david_li at sbcglobal.net
Tue Jan 28 17:51:48 UTC 2014
Hi Gianluca,
Finally it worked for me! Thanks a lot for the help!
The doc is a little vague in terms of all the things you need to do. I will try to write something up based on my own experience and share it with everyone here.
David
----- Original Message -----
> From: Gianluca Cecchi <gianluca.cecchi at gmail.com>
> To: "users at ovirt.org" <users at ovirt.org>
> Cc: David Li <david_li at sbcglobal.net>
> Sent: Tuesday, January 28, 2014 9:21 AM
> Subject: Re: [Users] Spice-proxy questions
>
> On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
>> On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
>>> Do I need to generate and install an x509 key pair for the squid proxy?
>>> How can I find out if the key pair has already been done?
>>
>> No. Spice channels are encrypted end-to-end so if you configure squid to
>> forward the connections just to the display network range of the hosts,
>> you only allow connections that are encrypted anyway - so the TLS would
>> be here quite redundant.
>>
>> Have you made sure that you have opened port 3128 in iptables? If the
>> box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must
>> be configured to disable firewalld but I presume that engine-setup does
>> that), add the port definition among other opened ports
>> in /etc/sysconfig/iptables.
>>
>> David
>>
>> PS: I'm mangling reply-to: header for a reason. Please don't hog my
>> inbox, I can very well read your messages on-list. Thank you.
>
>
> I made a test setting proxy on engine and it seems it is ok.
> I have no other ports than 80 and 443 allowed so I have to use
> environment with all the servers in 10.4.4.0 network
>
> client 10.4.4.61
> engine 10.4.4.60
> test VM 10.4.4.63
> host (where test VM is running on) 10.4.4.59
>
>
> # engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
> # systemctl restart ovirt-engine
>
> configured squid on engine on its default port 3128
>
> I have firewalld configured on engine, so that I have this in
> /etc/firewalld/zones/public.xml
>
> <?xml version="1.0" encoding="utf-8"?>
> <zone>
> <short>Public</short>
> <description>For use in public areas. You do not trust the other
> computers on networks to not harm your computer. Only selected
> incoming connections are accepted.</description>
> <service name="mdns"/>
> <service name="ovirt-nfs"/>
> <service name="ovirt-http"/>
> <service name="dhcpv6-client"/>
> <service name="ovirt-websocket-proxy"/>
> <service name="ovirt-https"/>
> <service name="ssh"/>
> <service name="ovirt-postgres"/>
> <port protocol="tcp" port="6100"/>
> <port protocol="tcp" port="3128"/>
> </zone>
>
>
> On client CentOS 6.5 (10.4.4.61):
> I run firefox and connect to webadmin gui of engine (https://10.4.4.60)
> I have enabled spice proxy for the test VM
> I select console and specify to run /usr/bin/remote-viewer at popup
> window, enabling popups in firefox
> I successfully get the console
>
> $ ps -ef|grep remote
> g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer /tmp/console.vv
> g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote
>
> $ sudo lsof -Pp 23897 | grep TCP
> remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED)
> remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
>
>
> On engine (10.4.4.60)
> # netstat -an|grep 3128
> tcp6 0 0 :::3128 :::* LISTEN
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED
>
>
> On hypervisor (10.4.4.59)
> $ netstat -an|grep 5901
> tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED
>
> So all seems ok.
> Gianluca
>
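Added example, not part of the original thread: a Python check that automates the by-eye verification in the message above by reading `netstat -an` output from the hypervisor and listing established display-port connections whose peer is not the proxy. The sample input is constructed in the format shown above; the display port range and the function name are assumptions.

```python
import ipaddress

# Constructed sample: `netstat -an` lines in the format shown for the hypervisor,
# plus one added line (peer 10.4.4.61) representing a console that bypasses the proxy.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:5901      0.0.0.0:*          LISTEN
tcp        0      0 10.4.4.59:5901    10.4.4.60:38879    ESTABLISHED
tcp        0      0 10.4.4.59:5901    10.4.4.60:38881    ESTABLISHED
tcp        0      0 10.4.4.59:5901    10.4.4.61:40112    ESTABLISHED
tcp        0      0 10.4.4.59:22      10.4.4.61:51514    ESTABLISHED
"""

# Assumption: display ports fall in this range; adjust to what your hosts use.
DISPLAY_PORTS = range(5900, 6167)


def direct_display_peers(netstat_text, proxy_ip, display_ports=DISPLAY_PORTS):
    """Return (peer_ip, local_port) for established display connections not from the proxy."""
    proxy = ipaddress.ip_address(proxy_ip)
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "ESTABLISHED":
            continue
        # rpartition on the last ':' also handles netstat's IPv6 form (e.g. ':::3128').
        local_port = fields[3].rpartition(":")[2]
        peer_addr = fields[4].rpartition(":")[0]
        if not local_port.isdigit() or int(local_port) not in display_ports:
            continue
        try:
            peer = ipaddress.ip_address(peer_addr)
        except ValueError:
            continue
        # A tcp6 socket may report an IPv4 peer as ::ffff:a.b.c.d; compare as IPv4.
        peer = getattr(peer, "ipv4_mapped", None) or peer
        if peer != proxy:
            findings.append((str(peer), int(local_port)))
    return findings


if __name__ == "__main__":
    for peer, port in direct_display_peers(SAMPLE_NETSTAT, "10.4.4.60"):
        print(f"display port {port}: direct connection from {peer} (not via proxy)")
```

An empty result means every open console session on that host arrived through the proxy address.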