Configuring Spice and VNC to use the HTML5 websocket proxy in RHEV 3.3

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Virtualization (RHEV) 3.3
  • rhevm-websocket-proxy
  • Client: browser-based SPICE-HTML5 or noVNC

Issue

  • What is the websocket proxy in RHEV 3.3?
  • What is the procedure to configure the Web Based(HTML5) console for Spice in RHEV 3.3?
  • Attempting to open up any console using noVNC produces the following error:

    Server disconnected (code: 1006)
    
  • For SPICE HTML5, a grey/blank console is observed in the browser.
  • Is it possible to install and configure rhevm-websocket-proxy after doing the 3.2 -> 3.3 upgrade?
  • The installation guide says "Make sure that the ovirt-engine-websocket-proxy package was installed prior to installing the engine, otherwise it won't be correctly configured." Does this mean that it can't be done, or just that it requires more configuration if doing it afterwards?

Resolution

Important: This solution discusses one method of proxying the Spice console which allows users to connect to a SPICE console directly from their browser without additional software. Another method of proxying uses Squid.

Documentation is available in the RHEV 3.3 Installation Guide for configuring the websockets proxy.

Supportability: The SPICE-HTML5 and noVNC console features (provided by the WebSocket Proxy) is in "Tech Preview" status.

Additional requirements are listed in the RHEV-M 3.3 Release Notes:

  • On the engine host:

    • The WebSocket proxy must be set up and running in the environment.
    • The engine must be aware of the WebSocket proxy - use engine-config to set the WebSocketProxy option.
  • On the client:

    • The client must have a browser with WebSocket and postMessage support.
    • If SSL is enabled, the engine's Certificate Authority must be imported in the client browser.

Please note: Installation of the rhevm-websocket-proxy is required *prior* to installing or updating to RHEV 3.3. During installation, engine-setup will ask if it should configure the WebSocket Proxy. If the answer is "Yes" (the default) and the aforementioned package is installed on the engine host, no additional configuration is needed. A note indicating this is being added to the documentation in Red Hat Bug #1062795.

Custom WebSocket proxy configuration

One can deploy the WebSocket proxy on a system other than engine host as well. The default can be restored by:

     engine-config -s WebSocketProxy=Engine:6100
     service ovirt-engine restart
  • A non-default configuration can use a custom host, e.g. WebSocketProxy=engine.example.com:6100
  • Note: In the case of custom host or port, adjust the rhevm-websocket-proxy configuration accordingly and make sure the service runs.

Diagnostic Steps

  • Verify that there are ca.crt certificates installed for the web browsers.
  • Was rhevm-websocket-proxy installed when the RHEV-M was upgraded or installed with RHEV 3.3?

    ls /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
    
    If the file is NOT there, enable WebSocketProxy by running
    engine-setup --otopi-environment="OVESETUP_CONFIG/websocketProxyConfig=bool:True"
    
  • Is the WebSocketProxy value set in rhevm-config? Default installs should look like below.

    engine-config -g WebSocketProxy
    WebSocketProxy: Engine:6100 version: general
    
  • Is the that port open on the RHEV-M firewall?

     -A INPUT -p tcp -m state --state NEW -m tcp --dport 6100 -j ACCEPT
    
  • Is the service running and chkconfig'd on?

     service ovirt-websocket-proxy start
     chkconfig ovirt-websocket-proxy on
    
  • Has the RHEV-M CA certificate been imported into the operating system keychain or the browser certificate store? Here's steps for Firefox, steps for Internet Explorer and (unsupported) steps for Google Chrome.
    If the certificate was NOT imported browser will only show grey screen like this with no further warnings: grey.jpg

  • Verify that websocket proxy certs has correct CN name.

e.g.

# openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/websocket-proxy.cer
notBefore=Jun  4 04:48:48 2014
notAfter=May 10 04:48:48 2019 GMT
subject= /C=US/O=localdomain/CN=rhevm.localdomain
issuer= /C=US/O=localdomain/CN=rhevm.localdomain.64625
  • If the CN name is incorrect then refer Kbase-1289423 to regenerate websocket proxy certificate .

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comments

Relevant article: https://access.redhat.com/solutions/2844021