Description of problem:
RHEV user reports that proxying SPICE using Squid fails as a result of a bug whereby Squid automatically pulls the connection every 15 minutes:
http://bugs.squid-cache.org/show_bug.cgi?id=3659

This is problematic as Squid is the proxying solution recommended in the RHEV documentation:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Installation_Guide/SPICE_Proxy_Machine_Setup.html

Please confirm whether or not the linked fix is in Squid for RHEL 6.5, and if not please determine whether it would be appropriate for inclusion in a future RHEL 6 update.

Additional info:
<pere> Someone might be interested in knowing that SPICE via Squid is close to useless thanks to <URL: http://bugs.squid-cache.org/show_bug.cgi?id=3659 >, causing all SPICE connections to disconnect automatically after 15 minutes.
Created attachment 876828
Modified patch from upstream 3.1 branch to apply on 3.1.10 tarball
I am not able to verify the bug with the original reproducer this bug was reported with. If I open a Spice SSL session through a squid proxy which tunnels spice traffic to the hosts, with the configuration item "read_timeout 30 seconds", then the connection is terminated after the 30 seconds - on both the currently shipped and the new brew squid builds.
I am adding a Spice-related reproducer (not sure how much it is related to the proposed patch, but here is the reproducer described in the description):

1. Install the qemu-kvm and virt-viewer packages on your physical box (I use F20). If you do not have squid, install the squid package as well.

2. Start the qemu-kvm process with this command line:

   qemu-kvm -smp 1 -m 512 -vga qxl -spice tls-port=5901,disable-ticketing,tls-channel=main,tls-channel=display,tls-channel=cursor,tls-channel=inputs,tls-channel=record,tls-channel=playback,x509-dir=/home/mkrcmari/certs

   where "/home/mkrcmari/certs" is a directory with the certs from the attachment.

3. In a new shell, export the SPICE_PROXY variable pointing to the squid proxy ("export SPICE_PROXY=http://$IP:3128"). The proxy must allow the CONNECT method to port 5901 of the machine where qemu-kvm runs. Also set the read timeout to speed the process up (the default is 15 mins): in your squid.conf, add this line - "read_timeout 30 seconds".

4. In the same shell where the SPICE_PROXY variable is exported, start the spice client to establish a Spice connection over SSL. remote-viewer command line:

   remote-viewer spice://$IP_OF_QEMU?tls-port=5901 --spice-ca-file=/home/mkrcmari/certs/ca-cert.pem --spice-host-subject="C=CZ,L=SPICEQA,O=RedHat,CN=myServer"

   where "/home/mkrcmari/certs/ca-cert.pem" is the path to the ca-cert from the attachment, "C=CZ,L=SPICEQA,O=RedHat,CN=myServer" is the subject of the server cert, and $IP_OF_QEMU is the IP address of the machine (could be localhost) where the qemu process runs.

5. Once the connection is established, wait for 30 seconds -> the connection is terminated.
The reproducer with the Spice ssl connection is not valid. It actually works as expected: if the spice connection is idle, there is no data transfer and squid closes the connection after the default 15 minutes timeout, so the solution for Spice is to increase the "read_timeout" in the squid config to a higher value.
(In reply to Marian Krcmarik from comment #20)
> The reproducer with Spice ssl connection is not valid, It actually works as
> expected If the spice connection is idle there is no data transfer and squid
> closes the connection in default 15 minutes timeout, so the solution for
> Spice is to increase the "read_timeout" in squid config to higher value.

Thanks for the information! What exactly does it mean for this bug? Should it be closed?
I'm sorry about changing bug state, I wanted to switch another bug,... returning
Correct me if I am wrong, but I don't think that this one can be closed. The patch was removed from the errata (comment #13) => this is still an issue in the current rhel-6 version.
(In reply to Marian Krcmarik from comment #20)
> The reproducer with Spice ssl connection is not valid, It actually works as
> expected If the spice connection is idle there is no data transfer and squid
> closes the connection in default 15 minutes timeout, so the solution for
> Spice is to increase the "read_timeout" in squid config to higher value.

Just to be sure, you actually confirmed that the proposed patch was correct and it fixes connection dropping after 15 minutes. Am I right?
(In reply to Michal Luscon from comment #24)
> (In reply to Marian Krcmarik from comment #20)
> > The reproducer with Spice ssl connection is not valid, It actually works as
> > expected If the spice connection is idle there is no data transfer and squid
> > closes the connection in default 15 minutes timeout, so the solution for
> > Spice is to increase the "read_timeout" in squid config to higher value.
>
> Just to be sure, you actually confirmed that the proposed patch was
> correct and it fixes connection dropping after 15 minutes. Am I right?

Not really, just saying that the Spice problem is not related to the original bug reported in http://bugs.squid-cache.org/show_bug.cgi?id=3659, so the "reproducer" with the Spice ssl connection over Squid cannot be used. I believe it should drop the connection when there is no data transfer for 15 minutes, which squid does, and a spice connection can idle; there is no data transfer to keep it alive. Over vpnc it dies after 2 hours, which is the vpnc default. The original upstream bug is about the connection dying even though there is some data transfer, afaik, but I do not know how to reproduce that.
(In reply to Marian Krcmarik from comment #25)
> The original upstream bug is about connection dying even though there is
> some data transfer afaik but I do not know how to reproduce that.

So what to do now that we don't have any reproducer?
Closing for now, please reopen if there is a proper reproducer.
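
Added example, not part of the original bug thread and not Squid or SPICE project code: a small check that opens an HTTP CONNECT tunnel through a proxy, sends nothing, and reports how long the tunnel stays open. Measured against a Squid configured as in the thread, the result should track the configured "read_timeout" (30 seconds in the reproducer, 15 minutes by default), which is the idle behaviour the comments describe. The function names are assumptions made for this example.

```python
import socket
import time


def open_tunnel(proxy_host, proxy_port, target, timeout=10.0):
    """Send an HTTP CONNECT for target ("host:port") and return the socket."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    # Read the proxy's reply headers up to the terminating blank line.
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed before answering CONNECT")
        reply += chunk
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != "200":
        sock.close()
        raise ConnectionError(f"CONNECT refused: {status_line}")
    return sock


def measure_idle_close(proxy_host, proxy_port, target, max_wait):
    """Hold an idle tunnel; return seconds until the peer closes it, or None."""
    sock = open_tunnel(proxy_host, proxy_port, target)
    start = time.monotonic()
    try:
        while True:
            remaining = max_wait - (time.monotonic() - start)
            if remaining <= 0:
                return None  # tunnel still open after max_wait seconds
            sock.settimeout(remaining)
            try:
                data = sock.recv(4096)
            except socket.timeout:
                return None
            except ConnectionResetError:
                return time.monotonic() - start
            if not data:  # orderly close from the proxy side
                return time.monotonic() - start
            # Bytes from the target mean the tunnel is not idle; the
            # measurement then no longer reflects a pure idle timeout.
    finally:
        sock.close()
```

A result close to the configured read_timeout points at the idle timeout rather than at a tunnel dying while data is flowing, which is the case the upstream bug is said to cover.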