From: "Cristian Falcas" <cristi.falcas(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Thursday, December 13, 2012 1:52:10 PM
Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU
model for given data)
On Thu, Dec 13, 2012 at 1:35 PM, Alon Bar-Lev < alonbl(a)redhat.com >
wrote:
>
>
>
> ----- Original Message -----
> > From: "Cristian Falcas" < cristi.falcas(a)gmail.com >
> > To: users(a)ovirt.org
> > Sent: Thursday, December 13, 2012 1:27:09 PM
> > Subject: Re: [Users] Spice issues with latest vdsm (was Re:
> > Cannot find suitable CPU model for given data)
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Dec 13, 2012 at 1:21 PM, David Jaša < djasa(a)redhat.com >
> > wrote:
> >
> >
> > Cristian Falcas píše v Čt 13. 12. 2012 v 12:43 +0200:
> >
> >
> > >
> > >
> > >
> > > On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <
> > > alonbl(a)redhat.com >
> > > wrote:
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Cristian Falcas" < cristi.falcas(a)gmail.com >
> > >
> > > > To: "Alon Bar-Lev" < alonbl(a)redhat.com >
> > > > Cc: "Roy Golan" < rgolan(a)redhat.com >,
users(a)ovirt.org ,
> > > > "Juan
> > > > Antonio Hernandez Fernandez" < jhernand(a)redhat.com >,
> > > > "David Jaša" < djasa(a)redhat.com >, "Itamar
Heim" <
> > > > iheim(a)redhat.com >
> > > > Sent: Thursday, December 13, 2012 2:01:22 AM
> > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]
> > > > Cannot find suitable CPU model for given data)
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <
> > > > alonbl(a)redhat.com >
> > > > wrote:
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Cristian Falcas" < cristi.falcas(a)gmail.com
>
> > > > > To: "Itamar Heim" < iheim(a)redhat.com >
> > >
> > > > > Cc: "Roy Golan" < rgolan(a)redhat.com >,
users(a)ovirt.org ,
> > > > > "Alon
> > > > > Bar-Lev" < alonbl(a)redhat.com >, "Juan Antonio
Hernandez
> > > > > Fernandez" < jhernand(a)redhat.com >, "David
Jaša" <
> > > > > djasa(a)redhat.com
> > > > > >
> > > > > Sent: Wednesday, December 12, 2012 11:21:32 PM
> > > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]
> > > > > Cannot
> > > > > find suitable CPU model for given data)
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <
> > > > > iheim(a)redhat.com >
> > > > > wrote:
> > > > >
> > > > >
> > > > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > i don't know if I should start a new thread for the spice
> > > > > problems.
> > > > > Here
> > > > > goes some improvements:
> > > > >
> > > > > I created the certificates like per
> > > > >
https://gist.github.com/
> > > > > 1655511
> > > > > . i
> > > > > copied the public one to my home:
> > > > > cp /etc/pki/vdsm/libvirt-spice/ ca-cert.pem
> > > > > ~cristi/.spice/spice_ truststore.pem
> > > > >
> > > > > I had the same problem as in
> > > > >
https://bugzilla.redhat.com/ show_bug.cgi?id=880182 . For
> > > > > this
> > > > > I
> > > >
> > > > > needed
> > > > > to downgrade libcacard twice (until I had the same version
> > > > > as
> > > > > in
> > > > > the
> > > > > bug)
> > > > >
> > > > > Now spice works with virt-manager.
> > > > >
> > > > > Can someone tell me where do I need to copy the certificate
> > > > > on
> > > > > ovirt
> > > > > in
> > > > > order to make spice working over there also?
> > > > >
> > > > > with which version of boostrap on the engine did you add
> > > > > this
> > > > > host.
> > > > >
> > > > >
> > > > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
> > > > >
> > > > > And otopi packages installed:
> > > > >
> > > > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> > > > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> > > > >
> > > > >
> > > >
> > > > Any reason to perform certificate enrollment manually?
> > > >
> > > > Alon
> > > >
> > > >
> > > > It's still not working with the handmade certificates.
> > > >
> > > > I tried to create them because of those errors:
> > > >
> > > > libvirt log:
> > > >
> > > > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl:
> > > > Could
> > > > not
> > > > load certificates from /etc/pki/vdsm/libvirt-spice/
> > > > server-cert.pem
> > > > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl:
> > > > Could
> > > > not
> > > > use private key file
> > > > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl:
> > > > Could
> > > > not
> > > > use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > > >
> > > > [root@localhost Ovirt]# ls -la
> > > > /etc/pki/vdsm/libvirt-spice/server-cert.pem
> > > > ls: cannot access
> > > > /etc/pki/vdsm/libvirt-spice/server-cert.pem: No
> > > > such file or directory
> > > > [root@localhost Ovirt]# ls -la
> > > > /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > > > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No
> > > > such
> > > > file or directory
> > > >
> > > >
> > > > Spice log:
> > > >
> > > > 1355334879 INFO [8950:8950] Application::main: starting
> > > > 0.12.0
> > > > 1355334879 INFO [8950:8950] Application::main: command line:
> > > > spicec
> > > > --controller
> > > > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
> > > > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen:
> > > > platform_win: 77594625
> > > > 1355334879 INFO [8950:8950] GUI::GUI:
> > > > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu:
> > > > Creating a
> > > > foreign menu connection /tmp/SpiceForeignMenu-8950.uds
> > > > 1355334879 INFO [8950:8950] Controller::Controller: Creating
> > > > a
> > > > controller connection /tmp/spicec-9GS5mA/spice-xpi
> > > > 1355334882 INFO [8950:8952] RedPeer::connect_secure:
> > > > Connected to
> > > >
cristifalcas.no-ip.org 5902
> > > > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed
> > > > to
> > > > connect w/SSL, ssl_error
> > > > error:00000001:lib(0):func(0):reason(1)
> > > > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error:
> > > > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> > > > handshake
> > > > failure
> > > > 1355334882 INFO [8950:8950] main: Spice client terminated
> > > > (exitcode =
> > > > 7)
> > > >
> > > >
> > > >
> > > >
> > > > I've done this without an improvment:
> > > >
> > > > [root@localhost Ovirt]# /lib/systemd/systemd-vdsmd
> > > > reconfigure
> > > > Configuring libvirt for vdsm...
> > > > [root@localhost Ovirt]# systemctl restart libvirtd.service
> > > > vdsmd.service
> > > >
> > >
> > >
> > > Why don't you deply the host again? It should create the
> > > certificate correctly.
> > >
> > > But before you can do this, you must remove whatever
> > > certificates
> > > you put including symlinks at /etc/pki /etc/libvirt as libvirt
> > > will not start if there are invalid certificates.
> > >
> > > Alon.
> > >
> > > I already did this. Also, i removed all configuration files
> > > from
> > > host and ovirt, reinstalled ovirt-engine, removed
> > > vdsm,libvirt,qemu on host.
> > >
> > > I still got this when I start the machine:
> > > ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl:
> > > Could
> > > not load certificates from
> > > /etc/pki/vdsm/libvirt-spice/server-cert.pem
> > > ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl:
> > > Could
> > > not use private key file
> > > ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl:
> > > Could
> > > not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > >
> > > And this when I try to connect:
> > >
> > > ((null):5004): Spice-Warning **:
> > > reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1
> >
> > Didn't you disable encryption on engine or in vdsm.conf?
> > Unfortunately, it is still interdependent with spice encryption
> > setup.
> >
> > (and a side question: if so, why did you disable it? oVirt takes
> > care
> > of it without any extra work so I see no benefit in it)
> >
> > David
> >
> > PS: please send mails in plain text
> >
> > >
> > > Best regards,
> > > Cristian falcas
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users(a)ovirt.org
> > >
http://lists.ovirt.org/mailman/listinfo/users
> >
> > --
> >
> > David Jaša, RHCE
> >
> > SPICE QE based in Brno
> > GPG Key: 22C33E24
> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> >
> >
> >
> >
> > I didn't touched anything this time.
> >
> > [cristi@localhost ~]$ cat /etc/vdsm/vdsm.conf
> > [vars]
> > ssl = true
> >
> > [addresses]
> > management_port = 54321
> >
> >
> > qemu:
> > ## beginning of configuration section by vdsm-4.9.11
> > dynamic_ownership=0
> > spice_tls=1
> > save_image_format="lzop"
> > spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
> > lock_manager="sanlock"
> > auto_dump_path="/var/log/core"
> > ## end of configuration section by vdsm-4.9.11
> >
> > libvirtd:
> > ## beginning of configuration section by vdsm-4.9.11
> > listen_addr="0.0.0.0"
> > unix_sock_group="kvm"
> > unix_sock_rw_perms="0770"
> > auth_unix_rw="sasl"
> > host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"
> > log_outputs="1:file:/var/log/libvirtd.log"
> > log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"
> > ca_file="/etc/pki/vdsm/certs/cacert.pem"
> > cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
> > key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
> > ## end of configuration section by vdsm-4.9.11
>
> BTW: it will be easier if you use plain text mail messages to list
> :)
>
> Can you please try to create the following sym links manually and
> see if it works?
>
> /etc/pki/vdsm/libvirt-spice/ca-cert.pem ->
> /etc/pki/vdsm/certs/cacert.pem
> /etc/pki/vdsm/libvirt-spice/server-cert.pem ->
> /etc/pki/vdsm/certs/vdsmcert.pem
> /etc/pki/vdsm/libvirt-spice/server-key.pem ->
> /etc/pki/vdsm/keys/vdsmkey.pem
It worked. Thank you.
Regarding the html email: I'm using gmail as the email client and I
don't know how to set it to send text emails only. I removed all
formatting from this replay, maybe it's better now?
gmail: new interface: right left arrow(menu) -> plain text mode.
gmail: old interface: above message -> plain text
I will fix this for next nightly.
Alon.