On Thu, Dec 13, 2012 at 1:21 PM, David Jaša <djasa@redhat.com> wrote:
Cristian Falcas wrote on Thu, 13. 12. 2012 at 12:43 +0200:
>
> On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>
>
>         ----- Original Message -----
>         > From: "Cristian Falcas" <cristi.falcas@gmail.com>
>         > To: "Alon Bar-Lev" <alonbl@redhat.com>
>         > Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>,
>         > "David Jaša" <djasa@redhat.com>, "Itamar Heim" <iheim@redhat.com>
>         > Sent: Thursday, December 13, 2012 2:01:22 AM
>         > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
>         >
>         > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev < alonbl@redhat.com >
>         > wrote:
>         >
>         > ----- Original Message -----
>         > > From: "Cristian Falcas" < cristi.falcas@gmail.com >
>         > > To: "Itamar Heim" < iheim@redhat.com >
>         > > Cc: "Roy Golan" < rgolan@redhat.com >, users@ovirt.org , "Alon
>         > > Bar-Lev" < alonbl@redhat.com >, "Juan Antonio Hernandez
>         > > Fernandez" < jhernand@redhat.com >, "David Jaša" < djasa@redhat.com >
>         > > Sent: Wednesday, December 12, 2012 11:21:32 PM
>         > > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot
>         > > find suitable CPU model for given data)
>         > >
>         > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim < iheim@redhat.com >
>         > > wrote:
>         > >
>         > >
>         > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
>         > >
>         > >
>         > > Hi,
>         > >
>         > > I don't know if I should start a new thread for the spice problems.
>         > > Here are some improvements:
>         > >
>         > > I created the certificates as per https://gist.github.com/1655511 . I
>         > > copied the public one to my home:
>         > > cp /etc/pki/vdsm/libvirt-spice/ca-cert.pem ~cristi/.spice/spice_truststore.pem
>         > >
>         > > I had the same problem as in
>         > > https://bugzilla.redhat.com/show_bug.cgi?id=880182 . For this I
>         > > needed to downgrade libcacard twice (until I had the same version as in
>         > > the bug)
>         > >
>         > > Now spice works with virt-manager.
>         > >
>         > > Can someone tell me where I need to copy the certificate on
>         > > ovirt in order to make spice work over there also?
>         > >
>         > > With which version of bootstrap on the engine did you add this host?
>         > >
>         > >
>         > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
>         > >
>         > > And otopi packages installed:
>         > >
>         > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>         > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>         > >
>         > >
>         >
>         > Any reason to perform certificate enrollment manually?
>         >
>         > Alon
>         >
>         >
>         > It's still not working with the handmade certificates.
>         >
>         > I tried to create them because of those errors:
>         >
>         > libvirt log:
>         >
>         > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
>         > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
>         > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>         >
>         > [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/server-cert.pem
>         > ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No such file or directory
>         > [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>         > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such file or directory
>         >
>         >
>         > Spice log:
>         >
>         > 1355334879 INFO [8950:8950] Application::main: starting 0.12.0
>         > 1355334879 INFO [8950:8950] Application::main: command line: spicec --controller
>         > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
>         > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen: platform_win: 77594625
>         > 1355334879 INFO [8950:8950] GUI::GUI:
>         > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-8950.uds
>         > 1355334879 INFO [8950:8950] Controller::Controller: Creating a controller connection /tmp/spicec-9GS5mA/spice-xpi
>         > 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to cristifalcas.no-ip.org 5902
>         > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
>         > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>         > 1355334882 INFO [8950:8950] main: Spice client terminated (exitcode = 7)
>         >
>         >
>         > I've done this without an improvement:
>         >
>         > [root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure
>         > Configuring libvirt for vdsm...
>         > [root@localhost Ovirt]# systemctl restart libvirtd.service vdsmd.service
>         >
>
>
>         Why don't you deploy the host again? It should create the certificate correctly.
>
>         But before you can do this, you must remove whatever certificates you put, including symlinks, at /etc/pki /etc/libvirt, as libvirt will not start if there are invalid certificates.
>
>         Alon.
>
> I already did this. Also, I removed all configuration files from host and ovirt, reinstalled ovirt-engine, removed vdsm, libvirt, qemu on host.
>
> I still got this when I start the machine:
> ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
> ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>
> And this when I try to connect:
>
> ((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1

Didn't you disable encryption on engine or in vdsm.conf? Unfortunately, it is still interdependent with spice encryption setup.

(and a side question: if so, why did you disable it? oVirt takes care of it without any extra work so I see no benefit in it)

David

PS: please send mails in plain text

>
> Best regards,
> Cristian falcas
>

--

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24




I didn't touch anything this time.

[cristi@localhost ~]$ cat /etc/vdsm/vdsm.conf
[vars]
ssl = true

[addresses]
management_port = 54321


qemu:
## beginning of configuration section by vdsm-4.9.11
dynamic_ownership=0
spice_tls=1
save_image_format="lzop"
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
lock_manager="sanlock"
auto_dump_path="/var/log/core"
## end of configuration section by vdsm-4.9.11

libvirtd:
## beginning of configuration section by vdsm-4.9.11
listen_addr="0.0.0.0"
unix_sock_group="kvm"
unix_sock_rw_perms="0770"
auth_unix_rw="sasl"
host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"
log_outputs="1:file:/var/log/libvirtd.log"
log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
## end of configuration section by vdsm-4.9.11
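
Added example, not part of the thread: the qemu configuration above sets spice_tls=1 and points spice_tls_x509_cert_dir at /etc/pki/vdsm/libvirt-spice, while the earlier ls output shows the certificate files missing there. This shell check reports that mismatch; the function names and the ROOT argument are assumptions of the example, and server-key.pem is the private key file name QEMU looks for in that directory.

```shell
#!/bin/sh
# Added example: explain why SPICE TLS setup would fail for a given qemu.conf.
# QEMU expects ca-cert.pem, server-cert.pem and server-key.pem inside
# spice_tls_x509_cert_dir.

# Print the value of KEY ($1) from a qemu.conf-style file ($2): KEY=value,
# optional double quotes, commented-out lines ignored, last assignment wins.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Usage: check_spice_tls QEMU_CONF [ROOT]
# ROOT (hypothetical helper argument) is prefixed to the certificate
# directory so a copied tree can be inspected; default is the live filesystem.
# Returns 0 if usable, 1 if files are missing or broken, 2 if TLS is off.
check_spice_tls() {
    conf=$1 root=${2:-} rc=0
    if [ "$(conf_value spice_tls "$conf")" != "1" ]; then
        echo "DISABLED spice_tls is not set to 1 in $conf"
        return 2
    fi
    dir=$(conf_value spice_tls_x509_cert_dir "$conf")
    if [ -z "$dir" ]; then
        echo "UNSET spice_tls_x509_cert_dir"
        return 1
    fi
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        p="$root$dir/$f"
        if [ ! -e "$p" ]; then
            echo "MISSING $dir/$f"; rc=1
        elif [ ! -s "$p" ] || [ ! -r "$p" ]; then
            echo "UNUSABLE $dir/$f (empty or unreadable)"; rc=1
        fi
    done
    # Only when all three files are usable: is the server cert signed by the CA?
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        openssl verify -CAfile "$root$dir/ca-cert.pem" \
            "$root$dir/server-cert.pem" >/dev/null 2>&1 ||
            { echo "UNTRUSTED server-cert.pem does not verify against ca-cert.pem"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}
```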