
Hi Tomas,

To answer your question, yes I am really trying to use aSpice.

I appreciate your suggestion. I'm not sure if it meets my objective. Maybe our goals are different? It seems to me that movirt is built around portable management of the ovirt environment. I am attempting to provide a VDI type experience for running a vm. My goal is to run a lab environment with 30 chromebooks loaded with a spice client. The spice client would of course connect to the 30 vms running Kali and each session would be independent of each other.

I did a little further testing with a different client (spice plugin for chrome). When I attempted to connect using that client I got a slightly different error message. The message still seemed to be of the same nature, i.e.: there is a problem with SSL protocol and communication.

Are you suggesting that movirt can help set up the proper certificates and config the vms to use spice?

Thanks!

________________________________
From: Tomas Jelinek <tjelinek@redhat.com>
Sent: Monday, February 19, 2018 4:19 AM
To: Jeremy Tourville
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Spice Client Connection Issues Using aSpice

On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville@hotmail.com> wrote:

> Hello,
>
> I am having trouble connecting to my guest vm (Kali Linux) which is running spice. My engine is running version: 4.2.1.7-1.el7.centos.
> I am using oVirt Node as my host running version: 4.2.1.1.
>
> I have taken the following steps to try and get everything running properly.
>
> 1. Download the root CA certificate https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
> 2. Edit the vm and define the graphical console entries. Video type is set to QXL, Graphics protocol is spice, USB support is enabled.
> 3. Install the guest agent in Debian per the instructions here - https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/ It is my understanding that installing the guest agent will also install the virt IO device drivers.
> 4. Install the spice-vdagent per the instructions here - https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/
> 5. On the aSpice client I have imported the CA certificate from step 1 above. I defined the connection using the IP of my Node and TLS port 5901.

are you really using aSPICE client (e.g. the android SPICE client?). If yes, maybe you want to try to open it using moVirt (https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en) which delegates the console to aSPICE but configures everything including the certificates on it. Should be much simpler than configuring it by hand.

> To troubleshoot my connection issues I confirmed the port being used to listen.
>
>     virsh # domdisplay Kali
>     spice://172.30.42.12?tls-port=5901
>
> I see the following when attempting to connect.
>
>     tail -f /var/log/libvirt/qemu/Kali.log
>
>     140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
>     ((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1
>
> I came across some documentation that states in the caveat section "Certificate of spice SSL should be separate certificate."
> https://www.ovirt.org/develop/release-management/features/infra/pki/
>
> Is this still the case for version 4? The document references version 3.2 and 3.3. If so, how do I generate a new certificate for use with spice? Please let me know if you require further info to troubleshoot, I am happy to provide it. Many thanks in advance.
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
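The OpenSSL line quoted from Kali.log can be decoded to see which TLS alert was raised and which side sent it. The following is an added example, not part of the original thread: it assumes the OpenSSL 1.0.x error-code packing (library, function and reason in one 32-bit value), and the last sample line is constructed for comparison.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}
ERR_LIB_SSL = 20             # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when an alert is received

# <thread>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$")

def decode_openssl_error(line):
    """Decode one OpenSSL error-queue line; return None for any other log line."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        return None
    code = int(m.group("code"), 16)
    # Assumed OpenSSL 1.0.x packing: 8 bits library, 12 bits function, 12 bits reason.
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason,
           "source": f'{m.group("file")}:{m.group("line")}',
           "alert": None, "alert_name": None, "received_from_peer": False}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        out["alert"] = reason - SSL_AD_REASON_OFFSET
        out["alert_name"] = TLS_ALERTS.get(out["alert"], "unknown")
        # Raised in ssl3_read_bytes means the alert arrived from the peer; in a
        # server-side log such as Kali.log the peer is the connecting client.
        out["received_from_peer"] = m.group("func") == "ssl3_read_bytes"
    return out

def decode_log(lines):
    """Return the decoded entries for every OpenSSL error line in `lines`."""
    return [d for d in map(decode_openssl_error, lines) if d is not None]

# The two log lines quoted in the post.
PAGE_LINES = [
    "140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80",
    "((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1",
]
# Constructed line: the same error with alert 48 (unknown_ca), for comparison.
CONSTRUCTED_LINE = "140400191081600:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48"

if __name__ == "__main__":
    for entry in decode_log(PAGE_LINES + [CONSTRUCTED_LINE]):
        print(entry)
```

For the line from the post, the decoder reports alert 80 (internal_error) received in ssl3_read_bytes, meaning the fatal alert was sent by the client and logged by the SPICE server.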