<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>7 aug 2012 kl. 16.23 skrev Rami Vaknin:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>On 08/07/2012 05:10 PM, Karli Sjöberg wrote:<br><blockquote type="cite">Hi,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I seems very difficult to get this working. I have a Fedora 17 client, installed spice-xpi and tried to access console from User Portal but console never shows up. engine.log prints:<br></blockquote><blockquote type="cite">2012-08-07 15:56:18,738 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM<br></blockquote><blockquote type="cite">2012-08-07 15:56:18,771 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = acfc94c0-d7e1-11e1-b35e-b38016c320bb, vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94<br></blockquote><blockquote type="cite">2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 3d61fa94<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"> From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo:<br></blockquote><blockquote type="cite">$ console milli<br></blockquote><blockquote type="cite">(window briefly flashes and disappeares again)<br></blockquote><blockquote type="cite">warning: could not fetch host certificate info cause used backend/sdk does not support it.<br></blockquote><blockquote type="cite">warning: host identity will not be validated.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">And have also used "spicec" directly from F17 client:<br></blockquote><blockquote type="cite"># spicec -h <a href="http://cirrus2-1.slu.se">cirrus2-1.slu.se</a> -p 5900 -s 5901 -w v36BkUumraDG (The first ticket had by this time expired, so this is a new one)<br></blockquote><blockquote type="cite">(flashes)<br></blockquote><blockquote type="cite">Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)<br></blockquote><blockquote type="cite">140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:<br></blockquote><blockquote type="cite">Warning: SSL Error:<br></blockquote><blockquote type="cite"># spicec -h <a href="http://cirrus2-1.slu.se">cirrus2-1.slu.se</a> -p 5900 -w v36BkUumraDG<br></blockquote><blockquote type="cite">(flashes)<br></blockquote><blockquote type="cite">Warning: connect error 5 - need secured connection<br></blockquote><br>I wrote a simple script that collects the parameter needed to for spicec <br>in case of secure connection, I was using it on RHEL6, it probably will <br>be easy to convert it to Fedora if it does not already work OTB:<br><br>#!/bin/bash<br><br># Usage: ./spice_to_vm.sh host vm_name<br><br>PASSWORD="root_password_to_the_host"<br>SECONDS="1200"<br><br>ssh-copy-id root@$1 >& /dev/null<br><br>ID=`ssh root@$1 vdsClient -s 0 list table | awk '{print $1":"$3":"}' | <br>grep ":$2:" | sed -e 's/\:.*//g'`<br>ssh root@$1 vdsClient -s 0 setVmTicket $ID $PASSWORD $SECONDS keep >& <br>/dev/null<br><br>PORT=`ssh root@$1 vdsClient -s 0 getVmStats $ID | grep displaySecurePort <br>| awk '{print $3}'`<br>SUBJECT=`ssh root@$1 openssl x509 -noout -text -in <br>/etc/pki/vdsm/certs/vdsmcert.pem | grep Subject: | cut -f 10- -d " " | <br>sed -e 's/\ //g'`<br><br>scp root@$1:/etc/pki/vdsm/certs/cacert.pem /tmp/cacert.pem >& /dev/null<br>COMMAND="sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" --password <br>$PASSWORD --secure-channels all -h $1 --secure-port $PORT --ca-file <br>/tmp/cacert.pem"<br><br>echo $COMMAND<br></div></blockquote><div><br></div>Thank you so much, this helped me realize what the issue was. I had at first added the hosts to my engine with a "black" address on the storage network. But I changed the "display network" to the public network, so that you can connect to a console from anywhere. This made the certificate of the hosts invalid, as the "<span class="Apple-style-span" style="font-size: 12px; ">--host-subject" doesn´t match the address that you connect to:</span></div><div><br></div><div># <span class="Apple-style-span" style="font-size: 12px; ">spicec --host-subject "O=slu,CN=cirrus2-2.sto.slu.se" --password RFesfeuIGHhd -h </span><span class="Apple-style-span" style="font-size: 12px; "><a href="http://cirrus2-2.slu.se">cirrus2-2.slu.se</a></span><span class="Apple-style-span" style="font-size: 12px; "> -s 5903</span></div><div><br></div><div>So this means that changing your display network breaks SPICE consoles. Less than good, I would say.</div><div><br></div><div>I was able to solve this by removing the hosts from engine and adding them again, but with the public address instead, so now the connection address and host subject match. I logged in to the admin portal, clicked for console and voilá, console appears. BUT if I log in to the <b>user</b> portal with the same credentials and click for console on the same guest(or any other), a console screen briefly flashes and then disappears:( Bug.</div><div><br></div><div>/Karli</div><div><br><blockquote type="cite"><div><br><blockquote type="cite"><br></blockquote><blockquote type="cite"># rpm -qa | egrep '(ovirt|vdsm)'<br></blockquote><blockquote type="cite">ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch<br></blockquote><blockquote type="cite">vdsm-cli-4.10.0-5.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-config-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-userportal-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">vdsm-4.10.0-5.fc17.x86_64<br></blockquote><blockquote type="cite">ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-sdk-3.1.0.4-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-restapi-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-backend-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-notification-service-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-dbscripts-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">vdsm-python-4.10.0-5.fc17.x86_64<br></blockquote><blockquote type="cite">ovirt-engine-genericapi-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-tools-common-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-cli-3.1.0.6-1.fc17.noarch<br></blockquote><blockquote type="cite">vdsm-xmlrpc-4.10.0-5.fc17.noarch<br></blockquote><blockquote type="cite">vdsm-bootstrap-4.10.0-5.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch<br></blockquote><blockquote type="cite">ovirt-engine-setup-3.1.0-1.fc17.noarch<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">The engine is installed with SSL as enabled by default, the hosts too. VDSM and libvirt are all active and validate fine towards the engine; have status "UP" and so on, but can't get SPICE console working. VNC works of course, but SPICE would be much cooler:) How do I get console working with SPICE?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Best Regards<br></blockquote><blockquote type="cite">Karli Sjöberg<br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">Users mailing list<br></blockquote><blockquote type="cite"><a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br></blockquote><blockquote type="cite"><a href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a><br></blockquote><br><br>-- <br><br>Thanks,<br><br>Rami Vaknin, QE @ Red Hat, TLV, IL.<br><br></div></blockquote></div><br><div>
<div><br class="Apple-interchange-newline"><br></div><div>Med Vänliga Hälsningar<br>-------------------------------------------------------------------------------<br>Karli Sjöberg<br>Swedish University of Agricultural Sciences<br>Box 7079 (Visiting Address Kronåsvägen 8)<br>S-750 07 Uppsala, Sweden<br>Phone: +46-(0)18-67 15 66</div><div><a href="mailto:karli.sjoberg@adm.slu.se">karli.sjoberg@slu.se</a></div>
</div>
<br></body></html>