<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 13, 2012 at 1:21 PM, David Jaša <span dir="ltr"><<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Cristian Falcas píše v Čt 13. 12. 2012 v 12:43 +0200:<br>
<div><div class="h5">><br>
><br>
><br>
> On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
><br>
><br>
> ----- Original Message -----<br>
> > From: "Cristian Falcas" <<a href="mailto:cristi.falcas@gmail.com">cristi.falcas@gmail.com</a>><br>
><br>
> > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > Cc: "Roy Golan" <<a href="mailto:rgolan@redhat.com">rgolan@redhat.com</a>>, <a href="mailto:users@ovirt.org">users@ovirt.org</a>, "Juan Antonio Hernandez Fernandez" <<a href="mailto:jhernand@redhat.com">jhernand@redhat.com</a>>,<br>
> > "David Jaša" <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>><br>
> > Sent: Thursday, December 13, 2012 2:01:22 AM<br>
> > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
> > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev < <a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a> ><br>
> > wrote:<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Cristian Falcas" < <a href="mailto:cristi.falcas@gmail.com">cristi.falcas@gmail.com</a> ><br>
> > > To: "Itamar Heim" < <a href="mailto:iheim@redhat.com">iheim@redhat.com</a> ><br>
><br>
> > > Cc: "Roy Golan" < <a href="mailto:rgolan@redhat.com">rgolan@redhat.com</a> >, <a href="mailto:users@ovirt.org">users@ovirt.org</a> , "Alon<br>
> > > Bar-Lev" < <a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a> >, "Juan Antonio Hernandez<br>
> > > Fernandez" < <a href="mailto:jhernand@redhat.com">jhernand@redhat.com</a> >, "David Jaša" < <a href="mailto:djasa@redhat.com">djasa@redhat.com</a><br>
> > > ><br>
> > > Sent: Wednesday, December 12, 2012 11:21:32 PM<br>
> > > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot<br>
> > > find suitable CPU model for given data)<br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim < <a href="mailto:iheim@redhat.com">iheim@redhat.com</a> ><br>
> > > wrote:<br>
> > ><br>
> > ><br>
> > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:<br>
> > ><br>
> > ><br>
> > > Hi,<br>
> > ><br>
> > > i don't know if I should start a new thread for the spice problems.<br>
> > > Here<br>
> > > goes some improvements:<br>
> > ><br>
> > > I created the certificates like per <a href="https://gist.github.com/" target="_blank">https://gist.github.com/</a><br>
> > > 1655511<br>
> > > . i<br>
> > > copied the public one to my home:<br>
> > > cp /etc/pki/vdsm/libvirt-spice/ ca-cert.pem<br>
> > > ~cristi/.spice/spice_ truststore.pem<br>
> > ><br>
> > > I had the same problem as in<br>
> > > <a href="https://bugzilla.redhat.com/" target="_blank">https://bugzilla.redhat.com/</a> show_bug.cgi?id=880182 . For this I<br>
> ><br>
> > > needed<br>
> > > to downgrade libcacard twice (until I had the same version as in<br>
> > > the<br>
> > > bug)<br>
> > ><br>
> > > Now spice works with virt-manager.<br>
> > ><br>
> > > Can someone tell me where do I need to copy the certificate on<br>
> > > ovirt<br>
> > > in<br>
> > > order to make spice working over there also?<br>
> > ><br>
> > > with which version of boostrap on the engine did you add this host.<br>
> > ><br>
> > ><br>
> > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch<br>
> > ><br>
> > > And otopi packages installed:<br>
> > ><br>
> > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch<br>
> > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch<br>
> > ><br>
> > ><br>
> ><br>
> > Any reason to perform certificate enrollment manually?<br>
> ><br>
> > Alon<br>
> ><br>
> ><br>
> > It's still not working with the handmade certificates.<br>
> ><br>
> > I tried to create them because of those errors:<br>
> ><br>
> > libvirt log:<br>
> ><br>
> > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not<br>
> > load certificates from /etc/pki/vdsm/libvirt-spice/<br>
> > server-cert.pem<br>
> > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not<br>
> > use private key file<br>
> > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not<br>
> > use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem<br>
> ><br>
> > [root@localhost Ovirt]# ls -la<br>
> > /etc/pki/vdsm/libvirt-spice/server-cert.pem<br>
> > ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No<br>
> > such file or directory<br>
> > [root@localhost Ovirt]# ls -la<br>
> > /etc/pki/vdsm/libvirt-spice/ca-cert.pem<br>
> > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such<br>
> > file or directory<br>
> ><br>
> ><br>
> > Spice log:<br>
> ><br>
> > 1355334879 INFO [8950:8950] Application::main: starting 0.12.0<br>
> > 1355334879 INFO [8950:8950] Application::main: command line: spicec<br>
> > --controller<br>
> > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping<br>
> > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen:<br>
> > platform_win: 77594625<br>
> > 1355334879 INFO [8950:8950] GUI::GUI:<br>
> > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a<br>
> > foreign menu connection /tmp/SpiceForeignMenu-8950.uds<br>
> > 1355334879 INFO [8950:8950] Controller::Controller: Creating a<br>
> > controller connection /tmp/spicec-9GS5mA/spice-xpi<br>
> > 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to<br>
> > <a href="http://cristifalcas.no-ip.org" target="_blank">cristifalcas.no-ip.org</a> 5902<br>
> > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to<br>
> > connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)<br>
> > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error:<br>
> > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake<br>
> > failure<br>
> > 1355334882 INFO [8950:8950] main: Spice client terminated (exitcode =<br>
> > 7)<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > I've done this without an improvment:<br>
> ><br>
> > [root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure<br>
> > Configuring libvirt for vdsm...<br>
> > [root@localhost Ovirt]# systemctl restart libvirtd.service<br>
> > vdsmd.service<br>
> ><br>
><br>
><br>
> Why don't you deply the host again? It should create the certificate correctly.<br>
><br>
> But before you can do this, you must remove whatever certificates you put including symlinks at /etc/pki /etc/libvirt as libvirt will not start if there are invalid certificates.<br>
><br>
> Alon.<br>
><br>
> I already did this. Also, i removed all configuration files from host and ovirt, reinstalled ovirt-engine, removed vdsm,libvirt,qemu on host.<br>
><br>
> I still got this when I start the machine:<br>
> ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem<br>
> ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file<br>
> ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem<br>
><br>
> And this when I try to connect:<br>
><br>
> ((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1<br>
<br>
</div></div>Didn't you disable encryption on engine or in vdsm.conf? Unfortunately, it is still interdependent with spice encryption setup.<br>
<br>
(and a side question: if so, why did you disable it? oVirt takes care of it without any extra work so I see no benefit in it)<br>
<br>
David<br>
<br>
PS: please send mails in plain text<br>
<br>
><br>
> Best regards,<br>
> Cristian falcas<br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<span class=""><font color="#888888"><br>
--<br>
<br>
David Jaša, RHCE<br>
<br>
SPICE QE based in Brno<br>
GPG Key: 22C33E24<br>
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>
<br>
<br>
<br>
</font></span></blockquote></div><br>I didn't touched anything this time.<br><br>[cristi@localhost ~]$ cat /etc/vdsm/vdsm.conf<br>[vars]<br>ssl = true<br><br>[addresses]<br>management_port = 54321<br><br><br>qemu:<br>
## beginning of configuration section by vdsm-4.9.11<br>dynamic_ownership=0<br>spice_tls=1<br>save_image_format="lzop"<br>spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"<br>lock_manager="sanlock"<br>
auto_dump_path="/var/log/core"<br>## end of configuration section by vdsm-4.9.11<br><br>libvirtd:<br>## beginning of configuration section by vdsm-4.9.11<br>listen_addr="0.0.0.0"<br>unix_sock_group="kvm"<br>
unix_sock_rw_perms="0770"<br>auth_unix_rw="sasl"<br>host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"<br>log_outputs="1:file:/var/log/libvirtd.log"<br>log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"<br>
ca_file="/etc/pki/vdsm/certs/cacert.pem"<br>cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"<br>key_file="/etc/pki/vdsm/keys/vdsmkey.pem"<br>## end of configuration section by vdsm-4.9.11<br><br>
</div>