Configuring Spice to use a Squid proxy in RHEV


Environment

  • Red Hat Enterprise Virtualization 3.2
  • Red Hat Enterprise Linux 6.5

Issue

  • Spice needs to be configured to use a proxy between the host and the client. How is this accomplished?

Resolution

Important: This is one method of proxying the Spice console to the client. Another method is available in RHEV 3.3 (rhevm-websockets-proxy) that will display the Spice or VNC console using HTML5.

  1. The following reference squid.conf provides a minimal Squid configuration to support a RHEV-M Spice proxy. Red Hat does not provide official recommendations for Squid proxy timeout or ACL settings, and these settings may vary with the client environment and business requirements. Test this thoroughly before deploying it in a production environment.

    # Minimal Squid configuration to support RHEV-M and Spice Proxy
    #
    # Only services requests to RHEV sub-nets
    # The line below defines management and display sub-nets
    # Uncomment the next line to include guest sub-nets for RDP use
    
    acl CONNECT method CONNECT
    
    # Allows every client to use this proxy. Instead of allowing all, create an
    # access control list containing only the IP addresses of the Spice clients
    # that will use this proxy, and allow that list here.
    http_access allow all
    
    # deny all other use of this proxy
    #http_access deny all
    
    # Squid normally listens to port 3128
    http_port 3128
    
    # Disable all disk caching
    cache deny all
    
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    
    # RHEV and Spice may leave connections idle for long periods
    pconn_timeout   12 hours
    request_timeout 12 hours
    read_timeout    12 hours
    
    # We need approx 20 open filehandles per spice client
    max_filedesc 16384
    
  2. On the RHEV-M system, set the proxy with the engine-config tool. The proxy_address has the form protocol://[host]:[port]:

    engine-config -s SpiceProxyDefault=<proxy_address>
    

    For example:

    engine-config -s SpiceProxyDefault=https://proxy.example.com:3128
    
  3. Restart the RHEV-M service:

    service ovirt-engine restart
    
  4. Once this has been set and ovirt-engine has been restarted, the virtual machine's "Console Options" menu will have a checkbox to enable the proxy. By default, it is enabled on all VMs, but this can be turned off on a per-VM basis (preferences stored in a browser cookie). This information has also been added to the official RHEV documentation.

Compatibility Note: This proxy functionality is not supported in the Linux version of Remote Viewer before RHEL 6.5. It is also not supported in the spicec client that is shipped in RHEL 5. Fedora requires at least the virt-viewer-0.5.4-3 and spice-xpi-2.8-1 packages. A note indicating this has been added to the RHEV Installation Guide, as requested in Red Hat Bug #988172.
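
The effect of the `http_access allow all` line in step 1, compared with a rule set restricted to Spice clients, as an added example (not part of the Red Hat solution). It models only Squid's first-match `http_access` evaluation for the `src`, `dst`, `port` and `method` ACL types; the ACL names, the documentation subnets and the 5900-6923 port range are assumptions to replace with your own values.

```python
import ipaddress

# Constructed configs. PAGE mirrors the article's rule; RESTRICTED is a variant.
# Subnets and the port range are placeholder assumptions, not article values.
PAGE = "acl CONNECT method CONNECT\nhttp_access allow all\n"
RESTRICTED = """
acl CONNECT method CONNECT
acl spice_clients src 192.0.2.0/24
acl rhev_hosts dst 198.51.100.0/24
acl spice_ports port 5900-6923
http_access allow CONNECT spice_clients rhev_hosts spice_ports
http_access deny all
"""
# Constructed requests: a console session, and a tunnel unrelated to RHEV.
SPICE = {"src": "192.0.2.10", "dst": "198.51.100.5", "port": 5901, "method": "CONNECT"}
OTHER = {"src": "203.0.113.7", "dst": "203.0.113.99", "port": 25, "method": "CONNECT"}

def parse(conf):
    """Collect acl definitions and ordered http_access rules from config text."""
    acls, rules = {"all": ("all", [])}, []   # 'all' is built in
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, req):
    """An ACL matches when any one of its values matches the request."""
    kind, values = acl
    if kind == "all":
        return True
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":   # a value is either "N" or "LOW-HIGH"
        spans = [(v.split("-") * 2)[:2] for v in values]
        return any(int(lo) <= req["port"] <= int(hi) for lo, hi in spans)
    if kind == "method":
        return req["method"] in values
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, req):
    """First http_access line whose ACLs all match decides; '!' negates one."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    # Nothing matched: the opposite of the last line applies (deny if no lines).
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

With the page's rule, `decide(PAGE, OTHER)` is allowed just like the console session; with the restricted rules only the Spice client to hypervisor display-port request passes.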
