Hi Marian, Thanks a lot for the clarification!
Another question: In my spice-xpi console window, I can't get out of it by SHIFT+F12. Should I use something else? David ----- Original Message ----- > From: Marian Krcmarik <mkrcm...@redhat.com> > To: David Li <david...@sbcglobal.net> > Cc: users@ovirt.org > Sent: Tuesday, January 28, 2014 11:14 AM > Subject: Re: [Users] Notes on setting spice-proxy console option > > > > ----- Original Message ----- >> From: "David Li" <david...@sbcglobal.net> >> To: users@ovirt.org >> Cc: "david li" <david...@sbcglobal.net> >> Sent: Tuesday, January 28, 2014 7:41:26 PM >> Subject: [Users] Notes on setting spice-proxy console option >> >> Hi, >> >> I have struggled quite a bit to get it up and running. Over the time, I > have >> accumulated some notes on various things I did so to share with everyone > who >> is interested in doing this. This complements the online doc in a way that >> might give me a complete picture in one place. However I need some >> clarifications as I might have forgotten to document certain steps or >> certain steps I did turn out to be not necessary in the end. It will be >> great if experts here can help me get the things straight. >> >> >> My setup is like: >> >> Browser (firefox 24.2 on RHEL6) ------------ ovirt-engine (3.3.2) >> ------------ ovirt-node (3.0.3) >> >> No direct network connectivity from the browser machine to the node > machine. >> >> These are the major things I installed for spice-proxy to work: >> >> * On ovirt-engine: >> yum install spice-gtk, virt-viewer, spice-xpi > These components are client components (what you call Browser machine). >> yum-install squid >> /etc/squid/squid.conf updates: >> acl localhost src <browser IP addr> >> #http_access deny CONNECT !SSL_ports > I would rather allow CONNECT to specific Spice ports only 5634-6166: > acl Spice_ports port 5634-6166 > http_access denny CONNECT !Spice_ports >> http_access deny !Safe_ports >> http_port 3128 >> >> service squid restart >> make sure iptables allow 3128 >> >> engine-config -s SpiceProxyDefault= > http://<ovirt-engine-IP>:3128 >> service ovirt-engine restart >> >> * On browser machine running firefox 24.2.0 on RHEL6 for running > browser >> console plugin client >> yum install spice-xpi. > spice-xpi should bring its dependencies virt-viewer -> spice-gtk -> etc. > but If you do not wish to use the plugin launch type, you may install only > virt-viewer (without spice-xpi) and use what I guess is called "Native > client" launch type. >> make sure VM's console option is set to SPICE >> >> Are the above steps reasonable? any missing or redundant? > Seems fine, just no need the client packages on the engine. >> >> Additional questions: >> >> 1. Will spice-proxy work with the Spice HTML5 client in the browser? > Probably, but you would need to set the websocket proxy which is part of > installation steps for engine as well (I believe). >> 2. Is the spice-proxy architecture diagram like: browser --------- squid >> proxy - spice-proxy ---------------------- VM > Browser plugin spice-xpi invokes start of Spice client (virt-viewer) which > makes > CONNECT to Host machine (where the VM is hosted) through the HTTP proxy (in > your > case squid). > Client machine ---> Squid ---> Host (where the VM is hosted). >> 3. I didn't explicitly install any certs for the squid proxy. Is it >> automatically taken care of? > No, no authentication to Squid is supported with Spice now. So If It is > publicly > visible proxy It's important to set careful proxy rules. >> >> >> References: >> >> http://www.ovirt.org/Console_Client_Resources >> >> http://www.ovirt.org/Features/Spice_Proxy >> >> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/pdf/Installation_Guide/Red_Hat_Enterprise_Virtualization-3.3-Installation_Guide-en-US.pdf >> >> >> Thanks. >> >> David >> >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> > _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users