[ovirt-users] accessing SPICE console when host not on management network

shimano shimano at go2.pl
Thu Apr 2 17:59:12 UTC 2015


You can use Spice Proxy. The easiest way is to run the proxy on Squid. I
recommend connecting via VPN.

Here is part of my Squid configuration for connecting Spice consoles from
VPN 10.25.0.0/16 and LAN 192.168.0.0/16 to oVirt's hosts on 192.168.2.0/24:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.0.0/16
acl localnet src 10.25.0.0/16
acl Safe_ports port 80         # http
acl CONNECT method CONNECT
http_access allow localnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
acl spice_servers dst 192.168.2.0/24
http_access allow spice_servers
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 32 MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_effective_user squid
cache_effective_group squid

You have to configure Spice Proxy on oVirt Engine with `engine-config -s
SpiceProxyDefault=someProxy`. Here is my solution:

root@host021:~ engine-config -a |grep SpiceProxyDefault
SpiceProxyDefault: http://10.25.2.21:3128/ version: general

You can run the proxy on your public IP if you don't want to use a VPN, but
remember to make sure that your machines are secured well enough.

2015-04-02 18:06 GMT+02:00 Jason Keltz <jas at cse.yorku.ca>:

> I'm trying to figure out the most reasonable method for me to access the
> console on my ovirt installation.
> Each node has ovirtmgmt, storage, and external network connectivity.
> The standalone engine host has ovirtmgmt, and external network.
> I connect to engine via the external network, right click on a VM and try
> to access the console.  If I use the "Remote Viewer" method, the connection
> fails.  This is because my client on the external network doesn't have
> access to ovirtmgmt.
> I can access the spice-html5 client, and that "basically" works, though
> it's crashed more than once.  I suspect that Remote Viewer will be more
> stable.
> So my question is - what is the best way for me to connect to the console
> from the external network?
> Either, I have to start up my client on a machine that has an IP on
> ovirtmgmt (eg. remote login to engine, and run firefox there?)
> or I have to route external packets from my host to say, the engine host,
> and run IP forwarding there? probably not too secure...
> or I have to figure out a way to make ovirt use the external network for
> display traffic... that would probably be best (?) but I can't seem to
> figure out whether it's possible.
> In particular since the external network is a VM network (it's actually 2
> x 1 G links bound via LACP), and not part of ovirt infrastructure, it's not
> clear if I can use it for display and VM external connectivity as well.
>
> Any thoughts would be much appreciated.
>
> Jason.
>
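
Squid stops at the first http_access line that matches, so the order of the posted rules decides who can use the proxy. The sketch below is an added example, not part of the original post: it replays that first-match logic over the posted rules and over a constructed tighter rule set. TIGHT, the function names and the 5900-6923 console port range are assumptions.

```python
import ipaddress

# http_access logic from the post (manager/cache_object lines left out), in posted order.
POSTED = """
acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.0.0/16
acl localnet src 10.25.0.0/16
acl Safe_ports port 80
acl spice_servers dst 192.168.2.0/24
http_access allow localnet
http_access deny !Safe_ports
http_access allow spice_servers
http_access allow localnet
http_access allow localhost
http_access allow all
"""
# Constructed tighter variant; port range 5900-6923 is an assumed oVirt console range.
TIGHT = """
acl clients src 10.25.0.0/16 192.168.0.0/16
acl spice_servers dst 192.168.2.0/24
acl spice_ports port 5900-6923
acl CONNECT method CONNECT
http_access allow CONNECT clients spice_servers spice_ports
http_access deny all
"""

def load(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0", "::/0"])}, []
    for words in (line.split() for line in conf.splitlines()):
        if words[:1] == ["acl"]:
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def hit(kind, values, req):
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    return req[kind] in values  # "method" ACLs

def decide(conf, req):
    """First matching http_access line wins; ACLs on one line are ANDed."""
    acls, rules = load(conf)
    for action, names in rules:
        if all(hit(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "deny"  # simplification: both rule sets end in a catch-all line
```

Under the posted order a source outside both client networks is still allowed to port 80 on any destination, and clients in localnet can CONNECT anywhere. The tighter set only passes CONNECT from the two client networks to console ports on 192.168.2.0/24.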