SELinux status: disabled
[root@ovirt2 test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice|grep -v 2016|tail
total 84
-rw-r--r-- 1 root kvm 1379 Feb 19 17:09 ca-cert.pem
-rw-r--r-- 1 root kvm 1570 Mar 7 09:44 server-cert.pem
-r--r----- 1 vdsm kvm 1675 Mar 7 09:44 server-key.pem
Now I modify the permissions to get SPICE to work; note that server-key.pem is now world-readable:
[root@ovirt2 dmz.test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice
total 12
-rw-r--r-- 1 root kvm 1379 Mar 22 13:09 ca-cert.pem
-rw-r--r-- 1 root kvm 1570 Mar 22 13:09 server-cert.pem
-r--r--r-- 1 vdsm kvm 1675 Mar 22 13:09 server-key.pem
The only change I make beyond the basic install is adding 'user = "root"'
to /etc/libvirt/qemu.conf and then rebooting the box.
This is needed for import-to-ovirt.pl to work.
I have tried host redeploy and remove/install. The only thing I found that
worked, other than changing the file permissions, was to re-kickstart the server.
I'm not sure what user other than vdsm or root would be accessing the file.
On 4/1/16 1:48 AM, Michal Skrivanek wrote:
> On 26 Mar 2016, at 01:19, Bill James <bill.james(a)j2.com>
wrote:
>
> I'm very interested in this too, as I have the same problem with spice private keys.
Can you please paste the permissions, the SELinux status, and the security context of the
qemu and libvirt processes and of the inaccessible key file (ps -Z, ls -lZ)?
I wonder if a host redeploy would help. Did you try to reinstall the host? It should go
through the certificate enrollment again and shouldn’t mess with anything else.
Thanks,
michal
>
>
> On 3/24/16 2:02 AM, Fabrice Bacchella wrote:
>> I'm running an up-to-date oVirt 3.6.3.4 on a brand-new CentOS 7.2.
>>
>> The host is new too and dedicated to ovirt.
>>
>> When I try to launch a vm, I get :
>>
>> Thread-9407::ERROR::2016-03-24
09:16:18,301::vm::759::virt.vm::(_startUnderlyingVm)
vmId=`a32e1043-a5a5-4e4c-8436-f7b7a4ff644c`::The vm start process failed
>> Traceback (most recent call last):
>> File "/usr/share/vdsm/virt/vm.py", line 703, in _startUnderlyingVm
>> self._run()
>> File "/usr/share/vdsm/virt/vm.py", line 1941, in _run
>> self._connection.createXML(domxml, flags),
>> File "/usr/lib/python2.7/site-packages/vdsm/libvirtconnection.py",
line 124, in wrapper
>> ret = f(*args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/vdsm/utils.py", line 1313, in
wrapper
>> return func(inst, *args, **kwargs)
>> File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3611, in
createXML
>> if ret is None:raise libvirtError('virDomainCreateXML() failed',
conn=self)
>> libvirtError: internal error: process exited while connecting to monitor:
((null):23672): Spice-Warning **: reds.c:3311:reds_init_ssl: Could not use private key
file
>> 2016-03-24T08:16:18.005359Z qemu-kvm: failed to initialize spice server
>>
>>
>> /var/log/libvirt/qemu/test.log says
>>
>> 2016-03-24 08:55:48.214+0000: starting up libvirt version: 1.2.17, package:
13.el7_2.3 (CentOS BuildSystem <
http://bugs.centos.org>, 2016-02-16-17:06:00,
worker1.bsys.centos.org), qemu version: 2.3.0 (qemu-kvm-ev-2.3.0-31.el7_2.7.1)
>> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -name test -S -machine
pc-i440fx-rhel7.2.0,accel=kvm,usb=off -cpu Haswell-noTSX -m
size=2097152k,slots=16,maxmem=4294967296k -realtime mlock=off -smp
2,maxcpus=16,sockets=16,cores=1,threads=1 -numa node,nodeid=0,cpus=0-1,mem=2048 -uuid
a32e1043-a5a5-4e4c-8436-f7b7a4ff644c -smbios type=1,manufacturer=oVirt,product=oVirt
Node,version=7-2.1511.el7.centos.2.10,serial=30373237-3132-5A43-3235-343233333937,uuid=a32e1043-a5a5-4e4c-8436-f7b7a4ff644c
-no-user-config -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-test/monitor.sock,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc
base=2016-03-24T08:55:46,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet
-no-shutdown -boot menu=on,strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2
-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x4 -device virtio-serial-pci,
> id
>> =virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive
if=none,id=drive-ide0-1-0,readonly=on,format=raw,serial= -device
ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -drive
file=/rhev/data-center/00000001-0001-0001-0001-00000000022a/85d19e93-ee08-41bb-94c9-56adf17287b4/images/da6f49dd-8662-418b-a859-3523b4360c0e/930bbe74-7470-4b22-b096-fdb03276262d,if=none,id=drive-scsi0-0-0-0,format=raw,serial=da6f49dd-8662-418b-a859-3523b4360c0e,cache=none,werror=stop,rerror=stop,aio=native,iops=300
-device
scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1
-netdev tap,fd=27,id=hostnet0,vhost=on,vhostfd=28 -device
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:16:01:51,bus=pci.0,addr=0x3,bootindex=2
-chardev
socket,id=charserial0,path=/var/run/ovirt-vmconsole-console/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.sock,server,nowait
-device isa-serial,chardev=charserial0,id=serial0 -chardev
socket,id=charchannel0,path=/var/lib/libvirt/q
> emu
>>
/channels/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.com.redhat.rhevm.vdsm,server,nowait -device
virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm
-chardev
socket,id=charchannel1,path=/var/lib/libvirt/qemu/channels/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.org.qemu.guest_agent.0,server,nowait
-device
virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0
-chardev spicevmc,id=charchannel2,name=vdagent -device
virtserialport,bus=virtio-serial0.0,nr=3,chardev=charchannel2,id=channel2,name=com.redhat.spice.0
-spice
port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/vdsm/libvirt-spice,seamless-migration=on
-device
qxl-vga,id=video0,ram_size=67108864,vram_size=8388608,vgamem_mb=16,bus=pci.0,addr=0x2
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
>> ((null):29166): Spice-Warning **: reds.c:3311:reds_init_ssl: Could not use
private key file
>> 2016-03-24T08:55:48.329252Z qemu-kvm: failed to initialize spice server
>> 2016-03-24 08:55:48.479+0000: shutting down
>>
>> And indeed, when I strace libvirt:
>> open("/etc/pki/vdsm/libvirt-spice/server-key.pem", O_RDONLY) = -1
EACCES (Permission denied)
>>
>> chmod a+r /etc/pki/vdsm/libvirt-spice/server-key.pem solved the problem, but
>> it's obviously not a solution, since it leaves the private key world-readable.
>>
>>
>>
>>
>
>
>