[Users] Notes on setting up spice-proxy console option

David Li david_li at sbcglobal.net
Tue Jan 28 21:37:18 UTC 2014 

Hi Marian, 

Thanks a lot for the clarification! 

Another question: In my spice-xpi console window, I can't get out of it by SHIFT+F12.  Should I use something else? 

David



----- Original Message -----
> From: Marian Krcmarik <mkrcmari at redhat.com>
> To: David Li <david_li at sbcglobal.net>
> Cc: users at ovirt.org
> Sent: Tuesday, January 28, 2014 11:14 AM
> Subject: Re: [Users] Notes on setting spice-proxy console option
> 
> 
> 
> ----- Original Message -----
>>  From: "David Li" <david_li at sbcglobal.net>
>>  To: users at ovirt.org
>>  Cc: "david li" <david_li at sbcglobal.net>
>>  Sent: Tuesday, January 28, 2014 7:41:26 PM
>>  Subject: [Users] Notes on setting spice-proxy console option
>> 
>>  Hi,
>> 
>>  I have struggled quite a bit to get it up and running. Over the time, I 
> have
>>  accumulated some notes on various things I did so to share with everyone 
> who
>>  is interested in doing this. This complements the online doc in a way that
>>  might give me a complete picture in one place. However I need some
>>  clarifications as I might have forgotten to document certain steps or
>>  certain steps I did turn out to be not necessary in the end. It will be
>>  great if experts here can help me get the things straight.
>> 
>> 
>>  My setup is like:
>> 
>>  Browser (firefox 24.2 on RHEL6) ------------ ovirt-engine (3.3.2)
>>  ------------ ovirt-node (3.0.3)
>> 
>>  No direct network connectivity from the browser machine to the node 
> machine.
>> 
>>  These are the major things I installed for spice-proxy to work:
>> 
>>      * On ovirt-engine:
>>         yum install spice-gtk, virt-viewer, spice-xpi
> These components are client components (what you call Browser machine).
>>         yum-install squid
>>        /etc/squid/squid.conf updates:
>>      acl localhost src <browser IP addr>
>>          #http_access deny CONNECT !SSL_ports
> I would rather allow CONNECT to specific Spice ports only 5634-6166:
> acl Spice_ports port 5634-6166
> http_access denny CONNECT !Spice_ports
>>          http_access deny !Safe_ports
>>          http_port 3128
>>      
>>         service squid restart
>>         make sure iptables allow 3128
>> 
>>         engine-config -s SpiceProxyDefault= 
> http://<ovirt-engine-IP>:3128
>>         service ovirt-engine restart
>>     
>>     *  On browser machine running firefox 24.2.0 on RHEL6 for running 
> browser
>>     console plugin client
>>        yum install spice-xpi.
> spice-xpi should bring its dependencies virt-viewer -> spice-gtk -> etc. 
> but If you do not wish to use the plugin launch type, you may install only 
> virt-viewer (without spice-xpi) and use what I guess is called "Native 
> client" launch type.
>>        make sure VM's console option is set to SPICE
>>        
>>  Are the above steps reasonable? any missing or redundant?
> Seems fine, just no need the client packages on the engine.
>> 
>>  Additional questions:
>> 
>>  1. Will spice-proxy work with the Spice HTML5 client in the browser?
> Probably, but you would need to set the websocket proxy which is part of 
> installation steps for engine as well (I believe).
>>  2. Is the spice-proxy architecture diagram like:  browser --------- squid
>>  proxy - spice-proxy ---------------------- VM
> Browser plugin spice-xpi invokes start of Spice client (virt-viewer) which makes 
> CONNECT to Host machine (where the VM is hosted) through the HTTP proxy (in your 
> case squid).
> Client machine ---> Squid ---> Host (where the VM is hosted).
>>  3. I didn't explicitly install any certs for the squid proxy. Is it
>>  automatically taken care of?
> No, no authentication to Squid is supported with Spice now. So If It is publicly 
> visible proxy It's important to set careful proxy rules.
>> 
>> 
>>  References:
>> 
>>  http://www.ovirt.org/Console_Client_Resources
>> 
>>  http://www.ovirt.org/Features/Spice_Proxy
>> 
>> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/pdf/Installation_Guide/Red_Hat_Enterprise_Virtualization-3.3-Installation_Guide-en-US.pdf
>> 
>> 
>>  Thanks.
>> 
>>  David
>> 
>>  _______________________________________________
>>  Users mailing list
>>  Users at ovirt.org
>>  http://lists.ovirt.org/mailman/listinfo/users
>> 
>

More information about the Users mailing list