Spice Console Access to Instances
Documentation is a bit sparse on what configuration parameters to enable for SPICE console access. This article provides our notes for enabling SPICE on CentOS 7.1 with OpenStack Kilo.
Essentially, the Control node acts a proxy to the Compute node which has the SPICE server. Control node is client of the compute node.
On both Control & Compute:
yum install spice-html5
yum install openstack-nova-spicehtml5proxy
The file to modify is
in compute and control nodes.
In both config files, ensure vnc_enabled=False is explicitly set. If novnc is enabled, ensure that is disabled too.
Control IP = 192.168.1.100 Compute IP = 172.16.1.100 [Internal IP - ports may need to be opened if not already there]
On Control Node
[DEFAULT] web=/usr/share/spice-html5 . . . [spice] html5proxy_host=0.0.0.0 html5proxy_port=6082 html5proxy_base_url=https://192.168.1.100:6082/spice_auto.html # Enable spice related features (boolean value) enabled=True # Enable spice guest agent support (boolean value) agent_enabled=true # Keymap for spice (string value) keymap=en-us
Iptables rule on control node
Since we are allowing access to console via port 6082 on the control node, open this port in iptables.
iptables -I INPUT -p tcp -m multiport --dports 6082 -m comment --comment "Allow SPICE connections for console access " -j ACCEPT
You can make permanent by adding the above rule to /etc/sysconfig/iptables (before the reject rules) saving and restarting iptables.
Config Changes on Compute Node
[DEFAULT] web=/usr/share/spice-html5 . . . [spice] html5proxy_base_url=https://192.168.1.100:6082/spice_auto.html server_listen=0.0.0.0 server_proxyclient_address=172.16.10.100 # Enable spice related features (boolean value) enabled=True # Enable spice guest agent support (boolean value) agent_enabled=true # Keymap for spice (string value) keymap=en-us
# service openstack-nova-compute restart
# service httpd restart # service openstack-nova-spicehtml5proxy start # service openstack-nova-spicehtml5proxy status # systemctl enable openstack-nova-spicehtml5proxy
Here the control node is an HTML proxy that connects to the SPICE server+port that is running when a VM is instantiated.
Here are some notes on some of the unclear options:
This line indicates the HTML5 proxy should run on localhost without IP binding (0.0.0.0) – control node in this case.
This indicates the base URL to use when you click ‘console’ on the Horizon dashboard. Its noted that this URL must be accessible in the same network as the Horizon dashboard. In our case, this URL is the control node.
Server listen specifies where the VM instances should listen for SPICE connections. This is the local IP address (compute node)
Server_proxyclient_address is the address which clients such as HTML5 proxy will use to connect to the VMs running on the Compute Node. This is an internal address most likely not accessible to the outside world but accessible to the control node. This address is the internal IP address of the compute node.
Be sure about what config change goes in which node. Iptables is another to look out for, if you plan to use consoles regularly, make the iptables rules permanent.
“console is currently unavailable. Please try again later.”
Under the hood,
“ERROR: Invalid console type spice-html5 (HTTP 400)”
when you do
nova get-spice-console spice-html5
This generally means, the VM did not start with SPICE enabled. The causes for that could be one of the services did not restart after config change.
Double check the config file – make sure ‘enabled=true’ is set.
http://blog.felipe-alfaro.com/2014/05/13/html5-spice-console-in-openstack/ http://docs.openstack.org/admin-guide-cloud/content/spice-console.html http://docs.openstack.org/admin-guide-cloud/content/getting-started-with-vnc-proxy.html http://docs.openstack.org/developer/nova/runnova/vncconsole.html http://www.slideshare.net/YukihiroKawada/rdo-spice