[ovirt-users] VDI experience to share?

Wed Jun 15 15:15:05 UTC 2016

2016-06-15 12:56 GMT+02:00 Ondra Machacek <omachace at redhat.com>:
> On 06/15/2016 12:26 PM, Michal Skrivanek wrote:
>>
>>
>>> On 15 Jun 2016, at 12:18, Giorgio Bersano <giorgio.bersano at gmail.com>
>>> wrote:
>>>
>>> Hi everyone,
>>> I've been asked to deploy a VDI solution based on our oVirt
>>> infrastructure.
>>> What we have in production is a 3.6 manager (standalone, not HE) with
>>> a 3.5 cluster (CentOS 6) and a 3.6 cluster (CentOS 7), iSCSI storage,
>>> fully redundant networking.
>>>
>>> What is not clear to me is the client side, especially because we have
>>> been asked to implement a thin client solution but I've been almost
>>> unable to find suitable devices.
>>
>>
>> if that client can still be a PC, albeit diskless, it’s still easier and
>> probably cheaper than any other special hw.
>>
>>>
>>> Is there anyone in this list willing to share his/her experience on
>>> this topic? Probably my search skill is low but I've only seen
>>> references to IGEL. Other brands?
>>
>>
>> not that i know of, and even that one had (or still have?) some issues
>> with SPICE performance as it’s not kept up to date
>>
>>> There is another strong requirement: our network infrastructure makes
>>> use of 802.1x to authenticate client devices and it would be highly
>>> advisable to respect that constraint.
>>
>>
>> for the VDI connections? I don’t think SPICE supports that, but please
>> bring it up on spice list to make sure.
>> if it would be for oVirt user portal then, I guess with pluggable aaa we
>> can support anything. Ondro?
>>
>
> It depends on use case, if apache module which uses radius is ok, then yes
> it should work.
> The problem is that we currently support only ldap as authorization backend.

Hi, here I'm speaking of wired network authentication (and nothing more).
What we have in place now: network ports are confined in a VLAN only
useful to authenticate the PC (windows). When the PC boots it
interacts with the radius server (freeradius) using PEAP-MsChapv2. If
the PC is registered in the Active Directory and authenticates against
it (at machine level, not user level) the switch port  is given a VLAN
based on attributes stored in the AD and it is enabled to communicate
without restrictions.

With Thin Client we would like to have something similar but it would
be fine even to directly instruct freeradius to enable the port and
set the VLAN on the basis of the thin client MAC address.

I've just discovered that Wyse ThinOS thin clients (Dell) support
802.1x, I wonder if is compatible with oVirt...
Time to search on the spice lists, as Michal suggested.

Thanks,
Giorgio.