<br><br><br>On Thu, Dec 13, 2012 at 1:35 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>><br>><br>><br>> ----- Original Message -----<br>> > From: "Cristian Falcas" <<a href="mailto:cristi.falcas@gmail.com">cristi.falcas@gmail.com</a>><br>
> > To: <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>> > Sent: Thursday, December 13, 2012 1:27:09 PM<br>> > Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)<br>
> ><br>> ><br>> ><br>> ><br>> ><br>> ><br>> ><br>> > On Thu, Dec 13, 2012 at 1:21 PM, David Jaša < <a href="mailto:djasa@redhat.com">djasa@redhat.com</a> ><br>> > wrote:<br>
> ><br>> ><br>> > Cristian Falcas píše v Čt 13. 12. 2012 v 12:43 +0200:<br>> ><br>> ><br>> > ><br>> > ><br>> > ><br>> > > On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev < <a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a> ><br>
> > > wrote:<br>> > ><br>> > ><br>> > > ----- Original Message -----<br>> > > > From: "Cristian Falcas" < <a href="mailto:cristi.falcas@gmail.com">cristi.falcas@gmail.com</a> ><br>
> > ><br>> > > > To: "Alon Bar-Lev" < <a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a> ><br>> > > > Cc: "Roy Golan" < <a href="mailto:rgolan@redhat.com">rgolan@redhat.com</a> >, <a href="mailto:users@ovirt.org">users@ovirt.org</a> , "Juan<br>
> > > > Antonio Hernandez Fernandez" < <a href="mailto:jhernand@redhat.com">jhernand@redhat.com</a> >,<br>> > > > "David Jaša" < <a href="mailto:djasa@redhat.com">djasa@redhat.com</a> >, "Itamar Heim" <<br>
> > > > <a href="mailto:iheim@redhat.com">iheim@redhat.com</a> ><br>> > > > Sent: Thursday, December 13, 2012 2:01:22 AM<br>> > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]<br>
> > > > Cannot find suitable CPU model for given data)<br>> > > ><br>> > > ><br>> > > ><br>> > > ><br>> > > ><br>> > > ><br>> > ><br>
> > > > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <<br>> > > > <a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a> ><br>> > > > wrote:<br>> > > ><br>> > > ><br>
> > > ><br>> > > ><br>> > > ><br>> > > > ----- Original Message -----<br>> > > > > From: "Cristian Falcas" < <a href="mailto:cristi.falcas@gmail.com">cristi.falcas@gmail.com</a> ><br>
> > > > > To: "Itamar Heim" < <a href="mailto:iheim@redhat.com">iheim@redhat.com</a> ><br>> > ><br>> > > > > Cc: "Roy Golan" < <a href="mailto:rgolan@redhat.com">rgolan@redhat.com</a> >, <a href="mailto:users@ovirt.org">users@ovirt.org</a> , "Alon<br>
> > > > > Bar-Lev" < <a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a> >, "Juan Antonio Hernandez<br>> > > > > Fernandez" < <a href="mailto:jhernand@redhat.com">jhernand@redhat.com</a> >, "David Jaša" <<br>
> > > > > <a href="mailto:djasa@redhat.com">djasa@redhat.com</a><br>> > > > > ><br>> > > > > Sent: Wednesday, December 12, 2012 11:21:32 PM<br>> > > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]<br>
> > > > > Cannot<br>> > > > > find suitable CPU model for given data)<br>> > > > ><br>> > > > ><br>> > > > ><br>> > > > ><br>> > > > ><br>
> > > > ><br>> > > > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <<br>> > > > > <a href="mailto:iheim@redhat.com">iheim@redhat.com</a> ><br>> > > > > wrote:<br>
> > > > ><br>> > > > ><br>> > > > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:<br>> > > > ><br>> > > > ><br>> > > > > Hi,<br>> > > > ><br>
> > > > > i don't know if I should start a new thread for the spice<br>> > > > > problems.<br>> > > > > Here<br>> > > > > goes some improvements:<br>> > > > ><br>
> > > > > I created the certificates like per <a href="https://gist.github.com/">https://gist.github.com/</a><br>> > > > > 1655511<br>> > > > > . i<br>> > > > > copied the public one to my home:<br>
> > > > > cp /etc/pki/vdsm/libvirt-spice/ ca-cert.pem<br>> > > > > ~cristi/.spice/spice_ truststore.pem<br>> > > > ><br>> > > > > I had the same problem as in<br>
> > > > > <a href="https://bugzilla.redhat.com/">https://bugzilla.redhat.com/</a> show_bug.cgi?id=880182 . For this<br>> > > > > I<br>> > > ><br>> > > > > needed<br>
> > > > > to downgrade libcacard twice (until I had the same version as<br>> > > > > in<br>> > > > > the<br>> > > > > bug)<br>> > > > ><br>> > > > > Now spice works with virt-manager.<br>
> > > > ><br>> > > > > Can someone tell me where do I need to copy the certificate on<br>> > > > > ovirt<br>> > > > > in<br>> > > > > order to make spice working over there also?<br>
> > > > ><br>> > > > > with which version of boostrap on the engine did you add this<br>> > > > > host.<br>> > > > ><br>> > > > ><br>> > > > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch<br>
> > > > ><br>> > > > > And otopi packages installed:<br>> > > > ><br>> > > > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch<br>> > > > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch<br>
> > > > ><br>> > > > ><br>> > > ><br>> > > > Any reason to perform certificate enrollment manually?<br>> > > ><br>> > > > Alon<br>> > > ><br>
> > > ><br>> > > > It's still not working with the handmade certificates.<br>> > > ><br>> > > > I tried to create them because of those errors:<br>> > > ><br>
> > > > libvirt log:<br>> > > ><br>> > > > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could<br>> > > > not<br>> > > > load certificates from /etc/pki/vdsm/libvirt-spice/<br>
> > > > server-cert.pem<br>> > > > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could<br>> > > > not<br>> > > > use private key file<br>> > > > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could<br>
> > > > not<br>> > > > use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem<br>> > > ><br>> > > > [root@localhost Ovirt]# ls -la<br>> > > > /etc/pki/vdsm/libvirt-spice/server-cert.pem<br>
> > > > ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No<br>> > > > such file or directory<br>> > > > [root@localhost Ovirt]# ls -la<br>> > > > /etc/pki/vdsm/libvirt-spice/ca-cert.pem<br>
> > > > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No<br>> > > > such<br>> > > > file or directory<br>> > > ><br>> > > ><br>> > > > Spice log:<br>
> > > ><br>> > > > 1355334879 INFO [8950:8950] Application::main: starting 0.12.0<br>> > > > 1355334879 INFO [8950:8950] Application::main: command line:<br>> > > > spicec<br>
> > > > --controller<br>> > > > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping<br>> > > > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen:<br>> > > > platform_win: 77594625<br>
> > > > 1355334879 INFO [8950:8950] GUI::GUI:<br>> > > > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a<br>> > > > foreign menu connection /tmp/SpiceForeignMenu-8950.uds<br>
> > > > 1355334879 INFO [8950:8950] Controller::Controller: Creating a<br>> > > > controller connection /tmp/spicec-9GS5mA/spice-xpi<br>> > > > 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to<br>
> > > > <a href="http://cristifalcas.no-ip.org">cristifalcas.no-ip.org</a> 5902<br>> > > > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to<br>> > > > connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)<br>
> > > > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error:<br>> > > > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake<br>> > > > failure<br>> > > > 1355334882 INFO [8950:8950] main: Spice client terminated<br>
> > > > (exitcode =<br>> > > > 7)<br>> > > ><br>> > > ><br>> > > ><br>> > > ><br>> > > > I've done this without an improvment:<br>> > > ><br>
> > > > [root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure<br>> > > > Configuring libvirt for vdsm...<br>> > > > [root@localhost Ovirt]# systemctl restart libvirtd.service<br>
> > > > vdsmd.service<br>> > > ><br>> > ><br>> > ><br>> > > Why don't you deply the host again? It should create the<br>> > > certificate correctly.<br>> > ><br>
> > > But before you can do this, you must remove whatever certificates<br>> > > you put including symlinks at /etc/pki /etc/libvirt as libvirt<br>> > > will not start if there are invalid certificates.<br>
> > ><br>> > > Alon.<br>> > ><br>> > > I already did this. Also, i removed all configuration files from<br>> > > host and ovirt, reinstalled ovirt-engine, removed<br>> > > vdsm,libvirt,qemu on host.<br>
> > ><br>> > > I still got this when I start the machine:<br>> > > ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could<br>> > > not load certificates from<br>> > > /etc/pki/vdsm/libvirt-spice/server-cert.pem<br>
> > > ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could<br>> > > not use private key file<br>> > > ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could<br>> > > not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem<br>
> > ><br>> > > And this when I try to connect:<br>> > ><br>> > > ((null):5004): Spice-Warning **:<br>> > > reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1<br>> ><br>
> > Didn't you disable encryption on engine or in vdsm.conf?<br>> > Unfortunately, it is still interdependent with spice encryption<br>> > setup.<br>> ><br>> > (and a side question: if so, why did you disable it? oVirt takes care<br>
> > of it without any extra work so I see no benefit in it)<br>> ><br>> > David<br>> ><br>> > PS: please send mails in plain text<br>> ><br>> > ><br>> > > Best regards,<br>
> > > Cristian falcas<br>> > ><br>> > > _______________________________________________<br>> > > Users mailing list<br>> > > <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> > > <a href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a><br>> ><br>> > --<br>> ><br>> > David Jaša, RHCE<br>> ><br>> > SPICE QE based in Brno<br>
> > GPG Key: 22C33E24<br>> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>> ><br>> ><br>> ><br>> ><br>> > I didn't touched anything this time.<br>> ><br>
> > [cristi@localhost ~]$ cat /etc/vdsm/vdsm.conf<br>> > [vars]<br>> > ssl = true<br>> ><br>> > [addresses]<br>> > management_port = 54321<br>> ><br>> ><br>> > qemu:<br>
> > ## beginning of configuration section by vdsm-4.9.11<br>> > dynamic_ownership=0<br>> > spice_tls=1<br>> > save_image_format="lzop"<br>> > spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"<br>
> > lock_manager="sanlock"<br>> > auto_dump_path="/var/log/core"<br>> > ## end of configuration section by vdsm-4.9.11<br>> ><br>> > libvirtd:<br>> > ## beginning of configuration section by vdsm-4.9.11<br>
> > listen_addr="0.0.0.0"<br>> > unix_sock_group="kvm"<br>> > unix_sock_rw_perms="0770"<br>> > auth_unix_rw="sasl"<br>> > host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"<br>
> > log_outputs="1:file:/var/log/libvirtd.log"<br>> > log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"<br>> > ca_file="/etc/pki/vdsm/certs/cacert.pem"<br>> > cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"<br>
> > key_file="/etc/pki/vdsm/keys/vdsmkey.pem"<br>> > ## end of configuration section by vdsm-4.9.11<br>><br>> BTW: it will be easier if you use plain text mail messages to list :)<br>><br>> Can you please try to create the following sym links manually and see if it works?<br>
><br>> /etc/pki/vdsm/libvirt-spice/ca-cert.pem -> /etc/pki/vdsm/certs/cacert.pem<br>> /etc/pki/vdsm/libvirt-spice/server-cert.pem -> /etc/pki/vdsm/certs/vdsmcert.pem<br>> /etc/pki/vdsm/libvirt-spice/server-key.pem -> /etc/pki/vdsm/keys/vdsmkey.pem<br>
<br><br>It worked. Thank you.<br><br>Regarding the html email: I'm using gmail as the email client and I don't know how to set it to send text emails only. I removed all formatting from this replay, maybe it's better now?<br>
<br>Best regards,<br>Cristian Falcas<br>