
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, December 13, 2012 3:00:56 PM
Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)
On Thu, Dec 13, 2012 at 1:57 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, December 13, 2012 1:52:10 PM
Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)
On Thu, Dec 13, 2012 at 1:35 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: users@ovirt.org
Sent: Thursday, December 13, 2012 1:27:09 PM
Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)
On Thu, Dec 13, 2012 at 1:21 PM, David Jaša <djasa@redhat.com> wrote:
Cristian Falcas wrote on Thu, 13 Dec 2012 at 12:43 +0200:
On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev < alonbl@redhat.com > wrote:
----- Original Message -----
> From: "Cristian Falcas" <cristi.falcas@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "David Jaša" <djasa@redhat.com>, "Itamar Heim" <iheim@redhat.com>
> Sent: Thursday, December 13, 2012 2:01:22 AM
> Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
>
> On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>
> > ----- Original Message -----
> > From: "Cristian Falcas" <cristi.falcas@gmail.com>
> > To: "Itamar Heim" <iheim@redhat.com>
> > Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Alon Bar-Lev" <alonbl@redhat.com>, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "David Jaša" <djasa@redhat.com>
> > Sent: Wednesday, December 12, 2012 11:21:32 PM
> > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
> >
> > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <iheim@redhat.com> wrote:
> >
> > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
> >
> > Hi,
> >
> > I don't know if I should start a new thread for the spice problems. Here goes some improvements:
> >
> > I created the certificates like per https://gist.github.com/1655511. I copied the public one to my home:
> > cp /etc/pki/vdsm/libvirt-spice/ca-cert.pem ~cristi/.spice/spice_truststore.pem
> >
> > I had the same problem as in https://bugzilla.redhat.com/show_bug.cgi?id=880182. For this I needed to downgrade libcacard twice (until I had the same version as in the bug)
> >
> > Now spice works with virt-manager.
> >
> > Can someone tell me where do I need to copy the certificate on ovirt in order to make spice working over there also?
> >
> > with which version of bootstrap on the engine did you add this host.
> >
> > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
> >
> > And otopi packages installed:
> >
> > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> >
> > Any reason to perform certificate enrollment manually?
> > Alon
>
> It's still not working with the handmade certificates.
>
> I tried to create them because of those errors:
>
> libvirt log:
>
> ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
> ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>
> [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/server-cert.pem
> ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No such file or directory
> [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such file or directory
>
> Spice log:
>
> 1355334879 INFO [8950:8950] Application::main: starting 0.12.0
> 1355334879 INFO [8950:8950] Application::main: command line: spicec --controller
> 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
> 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen: platform_win: 77594625
> 1355334879 INFO [8950:8950] GUI::GUI:
> 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-8950.uds
> 1355334879 INFO [8950:8950] Controller::Controller: Creating a controller connection /tmp/spicec-9GS5mA/spice-xpi
> 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to cristifalcas.no-ip.org 5902
> 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> 1355334882 WARN [8950:8952] RedChannel::run: SSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> 1355334882 INFO [8950:8950] main: Spice client terminated (exitcode = 7)
>
> I've done this without an improvement:
>
> [root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure
> Configuring libvirt for vdsm...
> [root@localhost Ovirt]# systemctl restart libvirtd.service vdsmd.service
>
Why don't you deploy the host again? It should create the certificate correctly.
But before you can do this, you must remove whatever certificates you put including symlinks at /etc/pki /etc/libvirt as libvirt will not start if there are invalid certificates.
Alon.
I already did this. Also, I removed all configuration files from host and ovirt, reinstalled ovirt-engine, removed vdsm, libvirt, qemu on host.
I still got this when I start the machine:
((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
And this when I try to connect:
((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1
Didn't you disable encryption on engine or in vdsm.conf? Unfortunately, it is still interdependent with spice encryption setup.
(and a side question: if so, why did you disable it? oVirt takes care of it without any extra work so I see no benefit in it)
David
PS: please send mails in plain text
Best regards, Cristian Falcas
--
David Jaša, RHCE
SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
I didn't touch anything this time.
[cristi@localhost ~]$ cat /etc/vdsm/vdsm.conf
[vars]
ssl = true

[addresses]
management_port = 54321

qemu:
## beginning of configuration section by vdsm-4.9.11
dynamic_ownership=0
spice_tls=1
save_image_format="lzop"
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
lock_manager="sanlock"
auto_dump_path="/var/log/core"
## end of configuration section by vdsm-4.9.11

libvirtd:
## beginning of configuration section by vdsm-4.9.11
listen_addr="0.0.0.0"
unix_sock_group="kvm"
unix_sock_rw_perms="0770"
auth_unix_rw="sasl"
host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"
log_outputs="1:file:/var/log/libvirtd.log"
log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
## end of configuration section by vdsm-4.9.11
BTW: it will be easier if you use plain text mail messages to list :)
Can you please try to create the following sym links manually and see if it works?
/etc/pki/vdsm/libvirt-spice/ca-cert.pem -> /etc/pki/vdsm/certs/cacert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem -> /etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-key.pem -> /etc/pki/vdsm/keys/vdsmkey.pem
It worked. Thank you.
Regarding the html email: I'm using gmail as the email client and I don't know how to set it to send text emails only. I removed all formatting from this reply, maybe it's better now?
gmail: new interface: right left arrow(menu) -> plain text mode.
gmail: old interface: above message -> plain text
I will fix this for next nightly.
Alon.
thank you for the explanation
Should be fixed now in master, nightly should provide this. Thank you for the report, Alon
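
The failure in this thread was that the directory named by spice_tls_x509_cert_dir did not contain the three files the SPICE server loads. As an added example (not part of the original messages and not vdsm's own code), the script below audits such a directory for missing, dangling or empty entries and, going one step beyond the thread, for a private key readable by "other". The function names and the scratch tree with placeholder file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from vdsm): audit the directory that
# spice_tls_x509_cert_dir points at. The scratch tree below is constructed.

# Print one line per problem; return 0 if the directory is usable, else 1.
check_spice_pki() {
    dir=$1
    bad=0
    for name in ca-cert.pem server-cert.pem server-key.pem; do
        path="$dir/$name"
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            echo "DANGLING $name -> $(readlink "$path")"; bad=1
        elif [ ! -f "$path" ]; then
            echo "MISSING $name"; bad=1
        elif [ ! -s "$path" ]; then
            echo "EMPTY $name"; bad=1
        fi
    done
    # A key readable by "other" is a finding even when TLS starts.
    key="$dir/server-key.pem"
    if [ -f "$key" ] && [ -n "$(find -L "$key" -prune -perm -004)" ]; then
        echo "WORLD-READABLE server-key.pem"; bad=1
    fi
    return "$bad"
}

# Constructed scratch tree shaped like /etc/pki/vdsm; contents are placeholders.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/certs" "$root/keys" "$root/libvirt-spice"
    echo "placeholder CA cert" > "$root/certs/cacert.pem"
    echo "placeholder host cert" > "$root/certs/vdsmcert.pem"
    echo "placeholder host key" > "$root/keys/vdsmkey.pem"
    chmod 600 "$root/keys/vdsmkey.pem"
    echo "$root"
}

# The three links from the thread, created under the scratch root $1.
link_spice_pki() {
    ln -sf "$1/certs/cacert.pem"   "$1/libvirt-spice/ca-cert.pem"
    ln -sf "$1/certs/vdsmcert.pem" "$1/libvirt-spice/server-cert.pem"
    ln -sf "$1/keys/vdsmkey.pem"   "$1/libvirt-spice/server-key.pem"
}

root=$(demo_tree)
check_spice_pki "$root/libvirt-spice" || echo "before linking: not usable"
link_spice_pki "$root"
check_spice_pki "$root/libvirt-spice" && echo "after linking: usable"
rm -rf "$root"
```

On a real host the function would be pointed at /etc/pki/vdsm/libvirt-spice; it only reads the directory and changes nothing.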