Basic Flow
Obtain a URL for the web-based SPICE console
openstack console url show --spice UUID
+-------+----------------------------------------------------------------------------+
| Field | Value                                                                      |
+-------+----------------------------------------------------------------------------+
| type  | spice-html5                                                                |
| url   | http://yyy.xxx.com/spice_auto.html?token=9654cb37-000-000-000-fbf30f17293b |
+-------+----------------------------------------------------------------------------+
Paste the URL above into a browser. It loads the SPICE console, written in JavaScript, which connects back to spicehtml5proxy, which in turn forwards traffic to the corresponding HV.
Obtain access URL and token
Request path:
Client → Nova API → RPC (get_spice_console) → Cell → RPC (get_spice_console) → HV
Response path:
Client ← (URL + token) ← Nova API ← Cell (saves token → connection info into the Console Auth store with a TTL) ← (host, port, URL + token, token) ← HV
In the browser:
The URL allows the app to load.
Round 1.
browser → (URL with token) → vip → spicehtml5proxy (from default.web)
browser ← vip ← (SPICE web-based client) ← spicehtml5proxy
Round 2.
browser ←→ (websocket-based SPICE traffic + token) ←→ vip ←→ spicehtml5proxy (obtains connection info by token from Console Auth) ← (forwards traffic) → HV
* Python >=2.74 is required on the controller
Nova Controller setting
[default]
# Default location from which all web content is loaded.
web = /usr/share/spice-html5

[vnc]
enabled = False

[spice]
# agent_enabled is optional.
agent_enabled = True
enabled = True
# URL the end user can reach from a browser (VIP etc.).
html5proxy_base_url = http://os-vnc-vip-b01.ccg23.paypalc3.com/spice_auto.html
#server_listen (used by HV only)
#server_proxyclient_address (used by HV only)
# Controller IP the proxy listens on; should be reachable from the VIP.
html5proxy_host = <controller IP>
# Port the proxy listens on.
html5proxy_port = <port>

[console]
# To be safe in case the LB modifies Origin or Host.
allowed_origins = http://os-vnc-vip-b01.ccg23.paypalc3.com
# Set the token TTL here.
token_ttl = <token TTL>
Hypervisor setting
The HV returns the connection details the proxy needs to connect back, including host and port.
The token is also generated on the HV, and the cell manager adds it to Console Auth later. The same applies to the full access URL with the token, so html5proxy_base_url is required on every HV as well.
[vnc]
enabled = False

[spice]
# agent_enabled is optional.
agent_enabled = True
enabled = True
# server_listen and server_proxyclient_address need to be identical.
server_listen = <IP reachable from controller>
server_proxyclient_address = <hostname or IP reachable from controller>
# URL the end user can reach from a browser (VIP etc.).
html5proxy_base_url = <URL>
Console-auth & token store backend
By default, Console-auth saves everything in a local dictionary, so each spicehtml5proxy or cell manager (when authorizing a new token) may talk to a different console-auth, each of which maintains its own independent token cache.
Fortunately, the token store is implemented with the oslo_cache library, whose caching back-end is configurable.
In production, memcached should be used so that console-auth can scale.
[cache]
enabled = True
memcache_servers = .....

[consoleauth]
# Set the token TTL here.
token_ttl = <token TTL>
More details regarding oslo cache configuration:
https://docs.openstack.org/oslo.cache/latest/configuration/index.html
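The failure mode described above, as an added Python sketch (not code from Nova, oslo.cache or this page): a token authorized on one console-auth worker is looked up on another, first with a private dictionary per worker and then with one shared backend. TokenStore, ConsoleAuth, run_scenario, their simplified signatures and the host/port values are constructed for illustration.

```python
import time
import uuid


class TokenStore:
    """TTL key/value store standing in for one cache backend instance."""
    def __init__(self, clock=time.monotonic):
        self._data, self._clock = {}, clock

    def set(self, key, value, ttl):
        self._data[key] = (value, self._clock() + ttl)

    def get(self, key):
        value, expires = self._data.get(key, (None, 0.0))
        if value is not None and self._clock() >= expires:
            del self._data[key]  # an expired token must stop resolving
            return None
        return value


class ConsoleAuth:
    """One console-auth worker (hypothetical, simplified interface)."""
    def __init__(self, store, token_ttl):
        self.store, self.token_ttl = store, token_ttl

    def authorize_console(self, token, host, port):
        self.store.set(token, {"host": host, "port": port}, self.token_ttl)

    def check_token(self, token):
        return self.store.get(token)


def run_scenario(shared_backend, token_ttl=600):
    """Authorize on worker A, then validate on worker B as the proxy would."""
    now = [0.0]  # fake clock so expiry is deterministic
    store_a = TokenStore(lambda: now[0])
    store_b = store_a if shared_backend else TokenStore(lambda: now[0])
    worker_a = ConsoleAuth(store_a, token_ttl)
    worker_b = ConsoleAuth(store_b, token_ttl)
    token = str(uuid.uuid4())
    worker_a.authorize_console(token, "hv-01.example", 5900)  # constructed values
    fresh = worker_b.check_token(token)
    now[0] += token_ttl  # move the clock to the end of the TTL
    return fresh, worker_b.check_token(token)


if __name__ == "__main__":
    print("local dict per worker:", run_scenario(shared_backend=False))
    print("shared backend:       ", run_scenario(shared_backend=True))
```

With a private dictionary per worker the lookup misses even for a fresh token, so the console fails intermittently depending on which worker answers; with the shared backend the token resolves until its TTL runs out.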
VIP/LB
Last but not least, the VIP/LB has to support either websocket, if doing L7, or just plain TCP, since SPICE traffic requires upgrading HTTP to websocket.