Dear Greg,

Here's my config; this is based on the original guide and some other stuff that 
I found to help make it work.
Squid Cache: Version 3.5.20

https_port 443 accel key=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.key cert=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.crt defaultsite=<ovirt engine node>
cache_peer <ovirt engine node> parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ca.pem sslflags=DONT_VERIFY_PEER name=engine
cache_peer_access engine allow all
ssl_bump allow all
http_port 3128
acl ovirt_nodes dst <ovirt engine hosts subnet>
acl ovirt_engine dstdomain .<ovirt engine node>
acl all_ips src 1.1.1.1/1
http_access allow ovirt_nodes ovirt_engine
http_access allow all_ips
http_access allow all


# Following are from:
# https://access.redhat.com/solutions/425693

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# RHEV and Spice may leave connections idle for long periods
pconn_timeout   12 hours
request_timeout 12 hours
read_timeout    12 hours

# We need approx 20 open filehandles per spice client
max_filedesc 16384

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk
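
An added example, not part of the original message and not oVirt or Squid project code: a small Python check over a constructed copy of the directives posted above. It flags the settings a reviewer would question before exposing this proxy: upstream certificate verification switched off by `sslflags=DONT_VERIFY_PEER`, a source ACL as wide as `1.1.1.1/1`, and `http_access allow` rules with no narrowing condition. The `audit` function, its finding codes and the `min_prefix` threshold are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: the access-related directives from the squid.conf posted
# in this thread (key/cert paths shortened).
SAMPLE_CONF = """\
https_port 443 accel key=/etc/squid/proxy.key cert=/etc/squid/proxy.crt defaultsite=ovirtengine.cluster
cache_peer ovirtengine.cluster parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ca.pem sslflags=DONT_VERIFY_PEER name=engine
cache_peer_access engine allow all
http_port 3128
acl ovirt_nodes dst 192.168.64.0/24
acl ovirt_engine dstdomain .ovirtengine.cluster
acl all_ips src 1.1.1.1/1
http_access allow ovirt_nodes ovirt_engine
http_access allow all_ips
http_access allow all
"""

def audit(conf, min_prefix=8):
    """Return (line, code, detail) findings; min_prefix is a hypothetical review threshold."""
    findings, wide = [], set()
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "cache_peer":
            opts = dict(t.split("=", 1) for t in tok[1:] if "=" in t)
            if "DONT_VERIFY_PEER" in re.split(r"[,:]", opts.get("sslflags", "")):
                # The upstream certificate is accepted even if it fails verification,
                # so sslcafile= no longer protects the proxy-to-engine hop.
                findings.append((n, "peer-cert-unverified", tok[1]))
        elif tok[0] == "acl" and len(tok) > 3 and tok[2] == "src":
            for spec in tok[3:]:
                try:
                    net = ipaddress.ip_network(spec, strict=False)
                except ValueError:
                    continue  # address ranges, file includes etc. are not checked here
                if net.prefixlen < min_prefix:
                    wide.add(tok[1])
                    findings.append((n, "wide-src-acl", f"{tok[1]}={net}"))
        elif tok[:2] == ["http_access", "allow"] and len(tok) == 3:
            # A rule naming a single ACL is not narrowed by any other condition.
            if tok[2] == "all":
                findings.append((n, "allow-all", tok[2]))
            elif tok[2] in wide:
                findings.append((n, "allow-wide-src", tok[2]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding)
```

The `wide-src-acl` finding shows that `1.1.1.1/1` normalises to `0.0.0.0/1`, half of the IPv4 address space, and the two `http_access` findings apply to the forward-proxy listener on port 3128 as well as to the accelerator port.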

On 3 Oct 2018, at 00:39, Greg Sheremeta <gsher...@redhat.com> wrote:

Hi Callum,

I took a look at this, but got in the weeds pretty quickly with squid 
configuration. I can help more offline, but it might be a while.

It'll probably be easier if you can provide me exact steps for how I could 
reproduce. Looks like I need to generate some keys. Can you create and share a 
simple reproducer?

Greg


On Thu, Sep 20, 2018 at 11:37 AM Callum Smith <cal...@well.ox.ac.uk> wrote:
Dear Greg,

Did you manage to get any further with this? Reverse proxy is rather critical 
to this project.

Regards,
Callum


On 6 Aug 2018, at 12:13, Greg Sheremeta <gsher...@redhat.com> wrote:

I'll look into it and get back to you.

On Mon, Aug 6, 2018 at 7:02 AM Callum Smith <cal...@well.ox.ac.uk> wrote:
Dear Greg,

So what's the go-to here? It seems so close, but something in the API AJAX is 
failing.

Regards,
Callum


On 27 Jul 2018, at 12:21, Greg Sheremeta <gsher...@redhat.com> wrote:

On Fri, Jul 27, 2018 at 4:39 AM Callum Smith <cal...@well.ox.ac.uk> wrote:
Dear Greg,

Indeed, always the latest and greatest for us while trying to get this running.

https://www.ovirt.org/documentation/security/squid-reverse-proxy/

Arrggghh, that is referring to the old GWT UserPortal and not the new 
react-based VM Portal. (I'll delete it / mark it obsolete. I apologize for the 
out-of-date state of our documentation. I am working on improving it.)

Unfortunately we have never tested VM Portal with squid.

@Lukas Svaty <lsv...@redhat.com> any chance you or someone on the team 
can assist?


And the squid.conf file looks like this:

https_port 443 accel key=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.key cert=/etc/squid/rescomp-vmgw.well.ox.ac.uk.proxy.crt defaultsite=ovirtengine.cluster
cache_peer ovirtengine.cluster parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ca.pem sslflags=DONT_VERIFY_PEER name=engine
cache_peer_access engine allow all
ssl_bump allow all
http_port 3128
acl ovirt_nodes dst 192.168.64.0/24
acl ovirt_engine dstdomain .ovirtengine.cluster
acl all_ips src 1.1.1.1/1
http_access allow ovirt_nodes ovirt_engine
http_access allow all_ips
http_access allow all


# Following are from:
# https://access.redhat.com/solutions/425693

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# RHEV and Spice may leave connections idle for long periods
pconn_timeout   12 hours
request_timeout 12 hours
read_timeout    12 hours

# We need approx 20 open filehandles per spice client
max_filedesc 16384

Regards,
Callum


On 27 Jul 2018, at 01:15, Greg Sheremeta <gsher...@redhat.com> wrote:

From your other thread, I'm guessing 4.2.4.

Can you send the link to the squid guide you used?

On Wed, Jul 25, 2018 at 7:55 PM Greg Sheremeta <gsher...@redhat.com> wrote:
Hi Callum,

What version of ovirt-web-ui is this?

Greg

On Wed, Jul 18, 2018 at 7:12 AM Callum Smith <cal...@well.ox.ac.uk> wrote:
Dear All,

Those error logs are relevant only to another issue, please ignore.

There appears to be a problem to do with authentication through the squid proxy 
though, which presents differently in Safari and Firefox:

[X][X]

Sorry for the screenshots, but it's the only way I can extract this data due to 
the page-refresh.

Regards,
Callum


On 18 Jul 2018, at 10:54, Callum Smith <cal...@well.ox.ac.uk> wrote:

Dear All,

Some relevant error logs:

2018-07-18 10:51:33,554+01 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-9) [557ca876] Running command: CreateUserSessionCommand internal: false.
2018-07-18 10:51:33,575+01 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-9) [557ca876] EVENT_ID: USER_VDC_LOGIN(30), User callum@Biomedical Research Computing connecting from '192.168.1.241' using session 'wiWA25wdaRP1zayiyTSGBJKpvi89LdzgKqeX12BcZhNVhpV2BIA+zkAnT50xOSDglxnhfAi3S2ZiODls8JYFUA==' logged in.
2018-07-18 10:51:34,135+01 ERROR [org.ovirt.engine.core.bll.GetSystemStatisticsQuery] (default task-5) [8d830cdb-fc11-4e68-94e6-7330965c4488] Query execution failed due to insufficient permissions.
2018-07-18 10:51:34,205+01 ERROR [org.ovirt.engine.core.bll.GetPermissionsForObjectQuery] (default task-26) [ba1825f1-60fb-44cd-8b57-ea701cf698c0] Query execution failed due to insufficient permissions.
2018-07-18 10:51:34,242+01 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-26) [] Operation Failed: query execution failed due to insufficient permissions.
2018-07-18 10:51:34,389+01 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-17) [02965366-44b0-4370-ab83-4781065e46c2] Query execution failed due to insufficient permissions.
2018-07-18 10:51:34,393+01 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-17) [02965366-44b0-4370-ab83-4781065e46c2] Query execution failed due to insufficient permissions.
2018-07-18 10:51:34,394+01 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-17) [02965366-44b0-4370-ab83-4781065e46c2] Query execution failed due to insufficient permissions.
2018-07-18 10:51:34,396+01 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-17) [02965366-44b0-4370-ab83-4781065e46c2] Query execution failed due to insufficient permissions.
2018-07-18 10:51:59,195+01 WARN  [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18) [7881a832] User '9386d6f5-f172-4cdb-abca-62492a357888' is trying to take the console of virtual machine 'ddb23e0a-01d5-403c-89ab-37c400d2c938', but the console is already taken by user 'd021fc10-4f7c-11e8-88cb-00163e6a7aff'.
2018-07-18 10:51:59,197+01 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18) [7881a832] No permission found for user '9386d6f5-f172-4cdb-abca-62492a357888' or one of the groups he is member of, when running action 'SetVmTicket', Required permissions are: Action type: 'USER' Action group: 'RECONNECT_TO_VM' Object type: 'VM'  Object ID: 'ddb23e0a-01d5-403c-89ab-37c400d2c938'.
2018-07-18 10:51:59,197+01 WARN  [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18) [7881a832] Validation of action 'SetVmTicket' failed for user callum@Biomedical Research Computing. Reasons: VAR__ACTION__SET,VAR__TYPE__VM_TICKET,USER_CANNOT_FORCE_RECONNECT_TO_VM
2018-07-18 10:51:59,198+01 ERROR [org.ovirt.engine.api.restapi.resource.BackendVmGraphicsConsoleResource] (default task-18) [] Operation Failed: USER_CANNOT_FORCE_RECONNECT_TO_VM

Seems like there's a permission missing in there - this is a newly attached 
LDAP group.

Regards,
Callum


On 17 Jul 2018, at 10:02, Callum Smith <cal...@well.ox.ac.uk> wrote:

Dear All,

Does anyone know how to set such options in the web-ui?

Regards,
Callum


On 12 Jul 2018, at 11:09, Callum Smith <cal...@well.ox.ac.uk> wrote:

Dear oVirt Gurus,

Using the oVirt user VM portal seems to not work through the squid proxy setup 
(configured as per the guide). The page loads and login works fine through the 
proxy, but the asynchronous requests just hang. I've attached a screenshot, but 
you can see the "api" endpoint just hanging in a web inspector:
"https://proxyfqdn/ovirt-engine/api/"

<Screen Shot 2018-07-12 at 11.06.50.png>

This works fine when not going through the proxy.

Is there a way to force noVNC HTML as the console mode through the web-ui, or 
at least have it as an option if not default?

The console seems not to work when logged in with a base 'user role'.

Regards,
Callum


_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VZIGGZZ2IIHBZ65QCX5PLB65DEMRQD4X/



--
GREG SHEREMETA

SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX

Red Hat NA

<https://www.redhat.com/>

gsher...@redhat.com    IRC: gshereme

