[spice] Spice-proxy is not working

[kvaps]

Description After adding native remote-viewer support https://github.com/OpenNebula/one/issues/1262, I trying to connect using remote-viewer.

My virt-viewer file looks like:

[virt-viewer]
type=spice
title=ov299
host=m1c6
port=6526
proxy=https://opennebula-dev.example.org:29876?token=v90plm3qpp2qfssgf667
password=1abc421c9dd1e594759d52f1c2e8023a0caef6391b48f74a411f0e7d4b6e6e04
fullscreen=0
toggle-fullscreen=shift+f11
release-cursor=shift+f12
secure-attention=ctrl+alt+end

client debug log:

# remote-viewer --debug /home/kvaps/Downloads/ov299.vv
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.484: Opening display to /home/kvaps/Downloads/ov299.vv
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.484: Guest (null) has a spice display
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.504: ignoring [ovirt] section content as URL, VM GUID are missing from the .vv file
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.504: After open connection callback fd=-1
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.504: Opening connection to display at /home/kvaps/Downloads/ov299(6).vv

(remote-viewer:120738): GSpice-WARNING **: 16:20:25.504: Invalid uri port: 29876?token=iumb8aa2paa3jk316zv1
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.505: fullscreen display 0: 0
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.505: app is not in full screen
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.506: New spice channel 0x5562621748f0 SpiceMainChannel 0
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:25.506: notebook show status 0x55626205a350
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:35.602: main channel: failed to connect Could not connect to proxy server 10.0.15.50: Socket I/O timed out
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:35.602: Destroy SPICE channel SpiceMainChannel 0
(remote-viewer:120738): virt-viewer-DEBUG: 16:20:35.602: zap main channel

novnc server log:

127.0.0.1 - - [11/May/2021 15:56:38] code 501, message Unsupported method ('CONNECT')

To Reproduce

• Run sunstone and novnc behind the NAT
• Try to connect any VM via spice using remote-viewer client

Expected behavior Connection successfully established

Details

• Affected Component: Sunstone / novnc
• Hypervisor: KVM
• Version: 5.12

Additional context Obliviously remote-viewer expecting squid proxy https://www.spice-space.org/spice-proxy.html I don't see any changes for novnc server which would allow it to act as a spice-proxy server 🤷

Progress Status

• [ ] Branch created
• [ ] Code committed to development branch
• [ ] Testing - QA
• [ ] Documentation
• [ ] Release notes - resolved issues, compatibility, known issues
• [ ] Code committed to upstream release/hotfix branches
• [ ] Documentation committed to upstream release/hotfix branches

[kvaps]

Also please consider adding delete-this-file=1 for .vv files, as they should contain one-time access token, usually there is no sense to preserve them for longer time. Thank you!

[FrederickBor]

@tinova PR to be approved (adding delete-this-file):

• Code
• Docs

@kvaps noVNC acts as the virt-viewer proxy. You need to ensure that you can reach port 29876 and that this port is correctly redirected to the noVNC proxy. No need to give access to the individual hypervisors. Closing until additional details are provided to reproduce the problem.

[kvaps]

@kvaps noVNC acts as the virt-viewer proxy

@FrederickBor are you really sure about that fact? I'm trying to connect using remove-viewer and seeing the same picture:

Client is sending CONNECT method to the server, but websockify respond 501 Unsupported method ('CONNECT')

I checked novnc/websockify project and have not found any information about ability to work with remote-viewer as a proxy server.

The remote-viewer documentation says:

 At the time of writing this documentation, the only supported proxy method with Spice is HTTP CONNECT. 

[FrederickBor]

@kvaps Thanks for the feedback, we will take a look

[FrederickBor]

Hi @kvaps,

We just checked all the configurations and saw that you are right. Spice connections with .vv files are not compatible with the actual implementation.

However, I was able to establish a connection with spice with the HTML5 console with sunstone, so we offer you this option as a workaround.

See the novnc.log attached, where you can find the connections established and the picture of the HTML5 client working.

We will keep this ticket open to implement this feature for future releases. We've updated the documentation to state the limitation meanwhile

@tinova PRs to be approved:

1. Branches: one-6.0, one-6.0-maintenance, and master:
   • Docs
2. Branches: one-5.12, and one-5.12-maintenance:
   • Docs