
On Thu, Dec 13, 2012 at 1:21 PM, David Jaša <djasa@redhat.com> wrote:
> Cristian Falcas wrote on Thu, 13. 12. 2012 at 12:43 +0200:
> > On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > > ----- Original Message -----
> > > > From: "Cristian Falcas" <cristi.falcas@gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > > > Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "David Jaša" <djasa@redhat.com>, "Itamar Heim" <iheim@redhat.com>
> > > > Sent: Thursday, December 13, 2012 2:01:22 AM
> > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
> > > >
> > > > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > > > > ----- Original Message -----
> > > > > > From: "Cristian Falcas" <cristi.falcas@gmail.com>
> > > > > > To: "Itamar Heim" <iheim@redhat.com>
> > > > > > Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Alon Bar-Lev" <alonbl@redhat.com>, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "David Jaša" <djasa@redhat.com>
> > > > > > Sent: Wednesday, December 12, 2012 11:21:32 PM
> > > > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
> > > > > >
> > > > > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <iheim@redhat.com> wrote:
> > > > > > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I don't know if I should start a new thread for the spice problems. Here goes some improvements:
> > > > > > > >
> > > > > > > > I created the certificates like per https://gist.github.com/1655511 . I copied the public one to my home:
> > > > > > > > cp /etc/pki/vdsm/libvirt-spice/ca-cert.pem ~cristi/.spice/spice_truststore.pem
> > > > > > > >
> > > > > > > > I had the same problem as in https://bugzilla.redhat.com/show_bug.cgi?id=880182 . For this I needed to downgrade libcacard twice (until I had the same version as in the bug)
> > > > > > > >
> > > > > > > > Now spice works with virt-manager.
> > > > > > > >
> > > > > > > > Can someone tell me where do I need to copy the certificate on ovirt in order to make spice working over there also?
> > > > > > >
> > > > > > > with which version of bootstrap on the engine did you add this host.
> > > > > >
> > > > > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
> > > > > >
> > > > > > And otopi packages installed:
> > > > > >
> > > > > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> > > > > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> > > > >
> > > > > Any reason to perform certificate enrollment manually?
> > > > >
> > > > > Alon
> > > >
> > > > It's still not working with the handmade certificates.
> > > >
> > > > I tried to create them because of those errors:
> > > >
> > > > libvirt log:
> > > >
> > > > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
> > > > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> > > > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > > >
> > > > [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/server-cert.pem
> > > > ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No such file or directory
> > > > [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > > > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such file or directory
> > > >
> > > > Spice log:
> > > >
> > > > 1355334879 INFO [8950:8950] Application::main: starting 0.12.0
> > > > 1355334879 INFO [8950:8950] Application::main: command line: spicec --controller
> > > > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
> > > > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen: platform_win: 77594625
> > > > 1355334879 INFO [8950:8950] GUI::GUI:
> > > > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-8950.uds
> > > > 1355334879 INFO [8950:8950] Controller::Controller: Creating a controller connection /tmp/spicec-9GS5mA/spice-xpi
> > > > 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to cristifalcas.no-ip.org 5902
> > > > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> > > > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > > > 1355334882 INFO [8950:8950] main: Spice client terminated (exitcode = 7)
> > > >
> > > > I've done this without an improvement:
> > > >
> > > > [root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure
> > > > Configuring libvirt for vdsm...
> > > > [root@localhost Ovirt]# systemctl restart libvirtd.service vdsmd.service
> > > >
> > > Why don't you deploy the host again? It should create the certificate correctly.
> > > But before you can do this, you must remove whatever certificates you put including symlinks at /etc/pki /etc/libvirt as libvirt will not start if there are invalid certificates.
> > >
> > > Alon.
> >
> > I already did this. Also, I removed all configuration files from host and ovirt, reinstalled ovirt-engine, removed vdsm,libvirt,qemu on host.
> >
> > I still got this when I start the machine:
> >
> > ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
> > ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> > ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> >
> > And this when I try to connect:
> >
> > ((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1
>
> Didn't you disable encryption on engine or in vdsm.conf? Unfortunately, it is still interdependent with spice encryption setup.
>
> (and a side question: if so, why did you disable it? oVirt takes care of it without any extra work so I see no benefit in it)
>
> David
>
> PS: please send mails in plain text
>
> > Best regards,
> > Cristian Falcas
>
> --
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

I didn't touch anything this time.

[cristi@localhost ~]$ cat /etc/vdsm/vdsm.conf
[vars]
ssl = true

[addresses]
management_port = 54321

qemu:
## beginning of configuration section by vdsm-4.9.11
dynamic_ownership=0
spice_tls=1
save_image_format="lzop"
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
lock_manager="sanlock"
auto_dump_path="/var/log/core"
## end of configuration section by vdsm-4.9.11

libvirtd:
## beginning of configuration section by vdsm-4.9.11
listen_addr="0.0.0.0"
unix_sock_group="kvm"
unix_sock_rw_perms="0770"
auth_unix_rw="sasl"
host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"
log_outputs="1:file:/var/log/libvirtd.log"
log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
## end of configuration section by vdsm-4.9.11
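
Added example (not part of the original thread, and not oVirt, vdsm or libvirt code): the qemu section above sets spice_tls=1 with spice_tls_x509_cert_dir pointing at the directory where the ls output quoted earlier in the thread found no server-cert.pem or ca-cert.pem. The sketch below reads those two keys from a qemu.conf-style file and checks the ca-cert.pem, server-cert.pem and server-key.pem files QEMU looks for in that directory; the function names and return codes are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity-check the SPICE TLS files referenced by a qemu.conf-style file.
# conf_value and check_spice_tls are hypothetical helper names, not vdsm/libvirt tools.

# Print the value of KEY ($2) from FILE ($1); the last uncommented assignment wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Return 0 = consistent (or TLS off), 1 = file missing/unreadable,
#        2 = server cert not signed by ca-cert.pem, 3 = key does not match cert.
check_spice_tls() {
    conf=$1
    if [ "$(conf_value "$conf" spice_tls)" != "1" ]; then
        echo "spice_tls is not enabled in $conf"
        return 0
    fi
    dir=$(conf_value "$conf" spice_tls_x509_cert_dir)
    # File names QEMU looks for in the x509 directory.
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f"
            return 1
        fi
    done
    if ! openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1; then
        echo "server-cert.pem does not verify against ca-cert.pem"
        return 2
    fi
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$dir/server-key.pem" -pubout -passin pass: 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "server-key.pem does not match server-cert.pem (or is passphrase-protected)"
        return 3
    fi
    echo "SPICE TLS files in $dir look consistent"
}

# Run as the user the qemu process runs as, e.g.: sh check.sh /etc/libvirt/qemu.conf
if [ -n "${1:-}" ]; then
    check_spice_tls "$1"
fi
```

A return code of 1 corresponds to the "Could not load certificates" warnings in the thread; the readability test only reflects the account the script runs under.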