Configuring the ssh tunnel for spice
Heres a hacky way to setup the tunnel for spice to be used when clicking the engine spice button on fedora based machines.
Requirements
You'll need the following extra packages:
$ sudo yum install -y tsocks ssh remote-viewer
Tunnel Configuration
Then you must setup the stunnel configuration like this:
$ cat /etc/tsocks.conf
server = 127.0.0.1
server_port = 8181
Getting the Engine Certificate
Download the engine ssl certificate:
$ openssl s_client -connect monitoring.ovirt.org:443 \
2>/dev/null </dev/null \
| openssl x509 > engine.cert
Replace the remote-viewer
Now replace the remote-viewer binary by the following custom script:
$ remote_viewer_path="$(which remote-viewer)"
$ mv "${remote_viewer_path}"{,.orig}
$ cat >>"$remote_viewer_path" <<EOS
#!/bin/bash
tsocks \
"${remote_viewer_path}".orig \
--spice-ca-file=engine.cert \
"\$@"
EOS
Make sure that the certificate points to the certificate you downloaded previously.
Starting the Tunnel
Once done that, you'll have to start the ssh tunnel (you can do it automatically form bashrc or similar):
$ ssh -fND 8181 youruser@foreman.ovirt.org
That will start the SSH tunnel in the background with a SOCKS proxy listening on 127.0.0.1:8181, where the tsocks connections will connect to.
Bussines as Usual
So after all this hacky setup, you'll be able to connect to any vm in the phx engine using the spice link in the UI. Hopefully that will not be needed i the future once we have a better solution (vpn?).