Hello,
Apparently, VNC with TLS enabled is the default. At the very
least I don't remember ever enabling it.
Attempting to disable it as a quick test, by altering
/etc/libvirt/qemu.conf and setting vnc_tls=0, fixes it. So I guess I'll
need to disable it at the cluster level for a permanent fix. (And then
reinstall the hosts....)
After seeing the previous reply, I figured that the "direct
connection to the VM host" meant the VNC connection would be using TLS.
SPICE "Just Works(TM)" with TLS enabled, but for VNC it requires a TLS
cert to be installed on the ovirt host servers. And of course, the
default is the internal engine CA. With no easy way to override it.
(I.e. The new cert config won't survive a host reinstall / upgrade.)
Which defeats the entire purpose of having a third party CA for end-user
connections. I guess we'll have to disable this method of VM
console access for now, and rely on noVNC until the cert issue gets
fixed.
I'm not sure that the user mailing list is the place for
feature requests, but just in case and to avoid criticizing without
offering a solution, I would love some mechanism in the web interface
to upload a new third party CA cert for the hosts to use with end-user
requests. (VNC, image io proxy, cockpit, etc.) The internal engine CA
could even be used to secure those cert updates. (As the engine itself
could prompt the hosts to install the new cert via VDSM or something.
Even better that method wouldn't require a host reinstall to finish.)
That would simplify management and renewal of the certs. As the
operation could be delegated / restricted to users with a specific
permission, (like with the VM permissions), and prevent us from needing
to manually configure things in a text file. (The engine host could use
this also.)
Thanks for the suggestions everyone.
-Patrick Hibbs
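The question running through this thread is whether the host's VNC port is demanding TLS (the VeNCrypt security type) from remote-viewer. The following script is an added diagnostic example, not code from this thread, oVirt, libvirt or virt-viewer: it performs only the RFB version exchange and reads the security types the server offers, then disconnects without sending any credentials. The function names are my own, and the loopback "fake server" is a constructed stand-in for a host whose qemu.conf has vnc_tls=1, so the script runs with no real host at all.

```python
"""Report which RFB security types a VNC server offers, without authenticating.

Diagnostic helper added for this thread; it is not oVirt, libvirt or
virt-viewer code. It performs only the RFB version exchange and reads the
server's security-type list (RFB 3.7/3.8), then disconnects. The loopback
fake server at the bottom is a constructed stand-in for a host whose
libvirt qemu.conf has vnc_tls=1, so the script runs with no real host.
"""
import socket
import threading

# Security types from the RFB spec (RFC 6143) and the VeNCrypt extension (type 19).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 19: "VeNCrypt (TLS/X.509)"}


def parse_banner(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." or banner[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])


def parse_security_list(data: bytes) -> list:
    """Parse the server's security-type list: u8 count followed by `count` type bytes.

    A count of 0 means the server refused the connection; a u32 length and a
    UTF-8 reason string follow, which we surface as the exception message.
    """
    if not data:
        raise ValueError("empty security-type message")
    count = data[0]
    if count == 0:
        length = int.from_bytes(data[1:5], "big")
        reason = data[5:5 + length].decode("utf-8", "replace")
        raise ConnectionError("server refused connection: %s" % reason)
    if len(data) < 1 + count:
        raise ValueError("short security-type list: expected %d types" % count)
    return list(data[1:1 + count])


def describe(types: list) -> list:
    """Map numeric security types to names; unknown types are shown as numbers."""
    return [SECURITY_TYPES.get(t, "type %d" % t) for t in types]


def requires_tls(types: list) -> bool:
    """True when VeNCrypt is offered and no plaintext/VNC-auth alternative is."""
    return 19 in types and not ({1, 2} & set(types))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; RFB messages are fixed-size at this stage."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe_security_types(host: str, port: int, timeout: float = 5.0) -> list:
    """Connect, answer the version exchange as RFB 3.8, and return the offered types."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        major, minor = parse_banner(_recv_exact(sock, 12))
        if (major, minor) < (3, 7):
            # RFB 3.3 lets the server dictate one type; there is no list to inspect.
            raise ValueError("RFB %d.%d predates security-type negotiation" % (major, minor))
        sock.sendall(b"RFB 003.008\n")
        count_byte = _recv_exact(sock, 1)
        if count_byte[0] == 0:
            length_bytes = _recv_exact(sock, 4)
            reason = _recv_exact(sock, int.from_bytes(length_bytes, "big"))
            return parse_security_list(count_byte + length_bytes + reason)  # raises with reason
        return parse_security_list(count_byte + _recv_exact(sock, count_byte[0]))


def start_fake_server(types: list) -> int:
    """Constructed loopback stand-in for a VNC server; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"RFB 003.008\n")
            _recv_exact(conn, 12)                        # client's version reply
            conn.sendall(bytes([len(types)]) + bytes(types))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                               # real host and port given
        offered = probe_security_types(sys.argv[1], int(sys.argv[2]))
    else:                                                # demo against the fake server
        offered = probe_security_types("127.0.0.1", start_fake_server([19]))
    print("offered security types:", describe(offered))
    print("TLS (VeNCrypt) required:", requires_tls(offered))
```

Run it as `python3 rfb_probe.py <host> <port>` against a console port from the engine's ticket log to see whether the host offers only VeNCrypt; with no arguments it runs against the constructed fake server. A list containing only type 19 matches the symptom in the thread: remote-viewer must complete a TLS handshake against the host's certificate before the one-time password is ever sent, so a CA the client does not trust fails at the "credential request" stage rather than at the password.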
On Wed, 2021-12-15 at 00:05 +0000, Staniforth, Paul wrote:
Hi Patrick,
The ovirt-vmconsole is for emulated serial connections (via an ssh
tunnel).
The VNC ports are the same range as SPICE, 5900 - 6923.
Do you have encryption enabled for VNC?
Regards,
Paul S.
From: Patrick Hibbs <hibbsncc1701(a)gmail.com>
Sent: 14 December 2021 22:53
To: Staniforth, Paul <P.Staniforth(a)leedsbeckett.ac.uk>
Cc: oVirt Users Mailing List <users(a)ovirt.org>
Subject: Re: [ovirt-users] Re: remote-viewer VNC mode issue
Caution External Mail: Do not click any links or open any attachments
unless you trust the sender and know that the content is safe.
Hello,
Well, a quick check of the hosts says that they have ovirt-vmconsole
enabled on their firewall, but there doesn't seem to be any logs for
the vmconsoles on them. Running wireshark on one of the end-user
machines shows that the host does send packets back and forth but
then the end-user machine TCP resets the connection. (I assume due to
the credential failure.) So it doesn't seem to be a firewall issue.
Is there anything I can do to get some more logs from the vmconsoles
on the Host?
Thanks.
-Patrick Hibbs
On Tue, 2021-12-14 at 12:56 +0000, Staniforth, Paul wrote:
> Hello Patrick,
> with noVNC the connection is made via the
> websocket-proxy service (probably on the engine server).
> The remote-viewer connects directly from the client machine to the
> virtual host the VM is running on. Maybe check the network/firewall
> between the client and the host, also the OTP expires after 120
> seconds.
>
>
> Regards,
>
> Paul S.
> From: Strahil Nikolov via Users <users(a)ovirt.org>
> Sent: 14 December 2021 12:12
> To: hibbsncc1701(a)gmail.com <hibbsncc1701(a)gmail.com>; oVirt Users
> Mailing List <users(a)ovirt.org>
> Subject: [ovirt-users] Re: remote-viewer VNC mode issue
>
> The most common problem is the CA of oVirt not trusted in the web
> browser of the client.
>
>
> Best Regards,
> Strahil Nikolov
>
> > On Sun, Dec 12, 2021 at 0:00, Patrick Hibbs
> > <hibbsncc1701(a)gmail.com> wrote:
> > Hello,
> >
> > As oVirt unfortunately now requires VNC for the VM consoles,
> > I've been attempting to get VNC mode working on my end user
> > clients.
> >
> > The noVNC browser client works just fine, but for some reason
> > the default download to remote-viewer fails on the same hosts.
> >
> > All the end-user gets is a quick flash of the remote-viewer window on
> > their screen.
> >
> > Running remote-viewer in debug mode I get this:
> >
> > ---log snip---
> >
> > $ remote-viewer -v --debug Downloads/console.vv
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.906: Opening display to Downloads/console.vv
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.906: Guest (null) has a vnc display
> > Guest (null) has a vnc display
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.952: Spice foreign menu updated
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.952: After open connection callback fd=-1
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.952: Opening connection to display at Downloads/console.vv
> > Opening connection to display at Downloads/console.vv
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.953: fullscreen display 0: 0
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.953: notebook show status 0x560a419d2280
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.032: notebook show status 0x560a419d2280
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.032: Insert display 0 0x560a423fa1e0
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.032: notebook show status 0x560a419d2280
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.052: Allocated 1024x740
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.052: Child allocate 1024x640
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.053: Got VNC credential request for 1 credential(s)
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.067: Not removing main window 0 0x560a4195d910
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.067: Disconnected
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.067: close vnc=0x560a419fc220
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.068: notebook show status 0x560a419d2280
> > (remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.068: Guest (null) display has disconnected, shutting down
> > Guest (null) display has disconnected, shutting down
> >
> > ---log snip---
> >
> > It seems to be failing a credential request, but I'm not sure why. The
> > engine logs only show the VM console ticket being created, but do not
> > show any connection attempts unless noVNC is used.
> >
> > ---log snip---
> >
> > 2021-12-11 16:48:23,402-05 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-16) [68b90cfe] Running command: SetVmTicketCommand internal: false. Entities affected : ID: bb05ab12-91e5-4ab6-92b1-b911ed78f64f Type: VMAction group CONNECT_TO_VM with role type USER
> > 2021-12-11 16:48:23,414-05 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-16) [68b90cfe] START, SetVmTicketVDSCommand(HostName = --REDACTED--, SetVmTicketVDSCommandParameters:{hostId='1fdd841b-477f-4d13-9935-7908924dd5a1', vmId='bb05ab12-91e5-4ab6-92b1-b911ed78f64f', protocol='VNC', ticket='ocziPsEOF4km', validTime='120', userName='--REDACTED--@--REDACTED--', userId='e83ab2b3-c464-49a4-a0ab-4e62e8131304', disconnectAction='LOCK_SCREEN'}), log id: f6dccdd
> > 2021-12-11 16:48:23,435-05 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-16) [68b90cfe] FINISH, SetVmTicketVDSCommand, return: , log id: f6dccdd
> > 2021-12-11 16:48:23,461-05 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-16) [68b90cfe] EVENT_ID: VM_SET_TICKET(164), User --REDACTED--@--REDACTED--@--REDACTED-- initiated console session for VM Test
> > #
> >
> > ---log snip---
> >
> > What else can I do to troubleshoot this?
> >
> > - Patrick Hibbs
> >
> > _______________________________________________
> > Users mailing list -- users(a)ovirt.org
> > To unsubscribe send an email to users-leave(a)ovirt.org
> > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> > List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/Q5ENXJJU5V7...
> To view the terms under which this email is distributed, please go to:-
> https://leedsbeckett.ac.uk/disclaimer/email