
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, December 13, 2012 1:52:10 PM
Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)

On Thu, Dec 13, 2012 at 1:35 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: users@ovirt.org
Sent: Thursday, December 13, 2012 1:27:09 PM
Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)

On Thu, Dec 13, 2012 at 1:21 PM, David Jaša <djasa@redhat.com> wrote:
Cristian Falcas wrote on Thu 13. 12. 2012 at 12:43 +0200:
On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "David Jaša" <djasa@redhat.com>, "Itamar Heim" <iheim@redhat.com>
Sent: Thursday, December 13, 2012 2:01:22 AM
Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)

On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Itamar Heim" <iheim@redhat.com>
Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Alon Bar-Lev" <alonbl@redhat.com>, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "David Jaša" <djasa@redhat.com>
Sent: Wednesday, December 12, 2012 11:21:32 PM
Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)

On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <iheim@redhat.com> wrote:
On 12/12/2012 10:39 PM, Cristian Falcas wrote:
Hi,
I don't know if I should start a new thread for the spice problems. Here are some improvements:
I created the certificates as per https://gist.github.com/1655511 . I copied the public one to my home:
cp /etc/pki/vdsm/libvirt-spice/ca-cert.pem ~cristi/.spice/spice_truststore.pem
I had the same problem as in https://bugzilla.redhat.com/show_bug.cgi?id=880182 . For this I needed to downgrade libcacard twice (until I had the same version as in the bug).
Now spice works with virt-manager.
Can someone tell me where I need to copy the certificate on ovirt in order to make spice work over there also?
With which version of bootstrap on the engine did you add this host?
vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
And otopi packages installed:
otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
Any reason to perform certificate enrollment manually?
Alon
It's still not working with the handmade certificates.
I tried to create them because of those errors:
libvirt log:
((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem

[root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/server-cert.pem
ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No such file or directory
[root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/ca-cert.pem
ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such file or directory
Spice log:
1355334879 INFO [8950:8950] Application::main: starting 0.12.0
1355334879 INFO [8950:8950] Application::main: command line: spicec --controller
1355334879 INFO [8950:8950] init_key_map: using evdev mapping
1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen: platform_win: 77594625
1355334879 INFO [8950:8950] GUI::GUI:
1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-8950.uds
1355334879 INFO [8950:8950] Controller::Controller: Creating a controller connection /tmp/spicec-9GS5mA/spice-xpi
1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to cristifalcas.no-ip.org 5902
1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1355334882 WARN [8950:8952] RedChannel::run: SSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
1355334882 INFO [8950:8950] main: Spice client terminated (exitcode = 7)
I've done this without an improvement:
[root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure
Configuring libvirt for vdsm...
[root@localhost Ovirt]# systemctl restart libvirtd.service vdsmd.service
Why don't you deploy the host again? It should create the certificate correctly.
But before you can do this, you must remove whatever certificates you put, including symlinks, at /etc/pki /etc/libvirt, as libvirt will not start if there are invalid certificates.
Alon.
I already did this. Also, I removed all configuration files from host and ovirt, reinstalled ovirt-engine, removed vdsm, libvirt, qemu on host.
I still got this when I start the machine:
((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
And this when I try to connect:
((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1
Didn't you disable encryption on engine or in vdsm.conf? Unfortunately, it is still interdependent with spice encryption setup.
(and a side question: if so, why did you disable it? oVirt takes care of it without any extra work so I see no benefit in it)
David
PS: please send mails in plain text
Best regards,
Cristian Falcas
--
David Jaša, RHCE
SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
I didn't touch anything this time.
[cristi@localhost ~]$ cat /etc/vdsm/vdsm.conf
[vars]
ssl = true

[addresses]
management_port = 54321

qemu:
## beginning of configuration section by vdsm-4.9.11
dynamic_ownership=0
spice_tls=1
save_image_format="lzop"
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
lock_manager="sanlock"
auto_dump_path="/var/log/core"
## end of configuration section by vdsm-4.9.11

libvirtd:
## beginning of configuration section by vdsm-4.9.11
listen_addr="0.0.0.0"
unix_sock_group="kvm"
unix_sock_rw_perms="0770"
auth_unix_rw="sasl"
host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"
log_outputs="1:file:/var/log/libvirtd.log"
log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
## end of configuration section by vdsm-4.9.11
BTW: it will be easier if you use plain text mail messages to list :)
Can you please try to create the following sym links manually and see if it works?
/etc/pki/vdsm/libvirt-spice/ca-cert.pem -> /etc/pki/vdsm/certs/cacert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem -> /etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-key.pem -> /etc/pki/vdsm/keys/vdsmkey.pem
It worked. Thank you.
Regarding the html email: I'm using gmail as the email client and I don't know how to set it to send text emails only. I removed all formatting from this reply, maybe it's better now?
gmail: new interface: right left arrow(menu) -> plain text mode.
gmail: old interface: above message -> plain text

I will fix this for next nightly.
Alon.
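
Added example, not part of the thread and not vdsm or oVirt code: a shell check for the failure diagnosed above, where qemu.conf sets spice_tls=1 but the directory named by spice_tls_x509_cert_dir lacks ca-cert.pem, server-cert.pem or server-key.pem, or holds a symlink whose target does not exist. The function names and the optional ROOT prefix argument are hypothetical; only the config keys and file names come from the thread.

```shell
#!/bin/sh
# Added example: diagnose the SPICE TLS directory that qemu.conf points at.
# Assumptions: qemu.conf uses the keys shown in the thread (spice_tls,
# spice_tls_x509_cert_dir); ROOT is a hypothetical path prefix so the check
# can also be run against a copied tree instead of the live host.

# conf_value FILE KEY: print the value of KEY (last assignment wins,
# surrounding double quotes removed, commented-out lines ignored).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# check_spice_tls QEMU_CONF [ROOT]
# Returns 0 if SPICE TLS is off or all three files are usable, 1 otherwise.
check_spice_tls() {
    conf=$1
    root=${2:-}
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    if [ "$(conf_value "$conf" spice_tls)" != "1" ]; then
        echo "spice_tls is not enabled; nothing to check"
        return 0
    fi
    dir=$(conf_value "$conf" spice_tls_x509_cert_dir)
    [ -n "$dir" ] || { echo "spice_tls_x509_cert_dir is not set"; return 1; }
    rc=0
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        p="$root$dir/$f"
        if [ -L "$p" ] && [ ! -e "$p" ]; then
            # Symlink exists but its target does not.
            echo "DANGLING $p -> $(readlink "$p")"; rc=1
        elif [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1
        elif [ ! -s "$p" ]; then
            echo "EMPTY    $p"; rc=1
        else
            echo "OK       $p"
        fi
    done
    return $rc
}
```

On a host this would be called as `check_spice_tls /etc/libvirt/qemu.conf`, assuming that is where the qemu section quoted in the thread lives.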