Perry Myers
2008-Sep-26 03:26 UTC
[Ovirt-devel] [PATCH release] RFC: Helper script to allow access to ovirt WUI over SSH tunnel
The current way to access the oVirt WUI running on the appliance is to start Firefox on the host machine (i.e. the machine running the appliance) and then browse to http://192.168.50.2/ovirt. You then authenticate using ovirtadmin/ovirt.

If you want to access the WUI from an outside machine not on the 192.168.50 network there are two problems to overcome. First, the .50 network is not routed to the upstream network so you need a tunnel. This can be done using a simple ssh tunnel. This works for general web-server access, but the mod-krb-auth plugin will not properly authenticate you. This is due to the fact that your http headers have a url that does not map to the service principal set up on the appliance for httpd.

For example:
HostA runs the Appliance
HostB is the external host running Firefox

What you want to do is create a tunnel from B to A like this:
  ssh -L 8080:192.168.50.2:80 HostA
And use urls on Host B like this:
  http://localhost:8080/ovirt

This won't work since when the request gets to the appliance the url doesn't resolve to match the service principal that was set up for httpd on the appliance. (192.168.50.2)

Solution is to fudge the http header by creating mapping in /etc/hosts for 127.0.0.1 to management.priv.ovirt.org on HostB.

Then on host B, the following url will work:
  http://management.priv.ovirt.org:8080/ovirt

But because the address is no longer localhost, the -g option in the ssh tunnel is needed.

This script edits /etc/hosts and then sets up the ssh tunnel so that the above url works on HostB connecting to HostA.

Arguments to the script are the hostname for HostA and the port that you want to bind locally (i.e. 8080)

--- misc-scripts/ovirt-tunnel | 20 ++++++++++++++++++++ 1 files changed, 20 insertions(+), 0 deletions(-) create mode 100755 misc-scripts/ovirt-tunnel diff --git a/misc-scripts/ovirt-tunnel b/misc-scripts/ovirt-tunnel new file mode 100755 index 0000000..94d721b --- /dev/null +++ b/misc-scripts/ovirt-tunnel 
@@ -0,0 +1,20 @@ +#!/bin/bash + +APPHOST=management.priv.ovirt.org +APPIP=192.168.50.2 + +if [[ $# < 2 ]]; then + echo "usage: $0 host port" + exit 1 +fi + +HOST=$1 +PORT=$2 +SSH="ssh -N -f -g -L $PORT:$APPIP:80 $HOST" + +if ! grep $APPHOST /etc/hosts > /dev/null 2>&1 ; then + sudo sed -i "s/^127.0.0.1\(.*\)/127.0.0.1 \1 $APPHOST/" /etc/hosts +fi + +pkill -f "$SSH" +$SSH -- 1.5.5.1
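Review bot: the `-g` in `SSH="ssh -N -f -g -L $PORT:$APPIP:80 $HOST"` makes the forwarded port accept connections from any host that can reach HostB, so the appliance WUI is exposed beyond the developer's own machine. Since the sed line maps $APPHOST to 127.0.0.1, the browser's connection arrives on loopback and a forward bound only to localhost should be enough; please check whether the tunnel works without `-g` and drop it if so. Smaller points in the same hunk: `[[ $# < 2 ]]` is a string comparison inside `[[ ]]` and should be `[[ $# -lt 2 ]]`; the grep and sed patterns leave the dots in $APPHOST and `127.0.0.1` unescaped, and the sed appends $APPHOST to every line beginning with `127.0.0.1`, not just the first; `pkill -f "$SSH"` treats the whole command string as a regular expression, so an unusual host argument can match more or less than intended; and $PORT is never checked to be numeric before it is placed into the `-L` specification.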
Perry N. Myers
2008-Sep-26 03:36 UTC
[Ovirt-devel] Re: [PATCH release] RFC: Helper script to allow access to ovirt WUI over SSH tunnel
Perry Myers wrote:
> This script edits /etc/hosts and then sets up the ssh tunnel so that
> the above url works on HostB connecting to HostA.
>
> Arguments to the script are the hostname for HostA and the port
> that you want to bind locally (i.e. 8080)

Btw, this is an ugly hack that I don't condone being used for anything other than developer convenience.

Perry