Hi Tomas,
To answer your question, yes I am really trying to use aSpice.
I appreciate your suggestion. I'm not sure if it meets my objective. Maybe our goals are different? It seems to me that movirt is built around portable management of the ovirt environment. I am attempting to provide a VDI type experience for running a vm. My goal is to run a lab environment with 30 chromebooks loaded with a spice client. The spice client would of course connect to the 30 vms running Kali and each session would be independent of each other.
I did a little further testing with a different client. (spice plugin for chrome). When I attempted to connect using that client I got a slightly different error message. The message still seemed to be of the same nature - i.e.: there is a problem with SSL protocol and communication.
Are you suggesting that movirt can help set up the proper certificates and config the vms to use spice? Thanks!
________________________________
From: Tomas Jelinek <tjelinek(a)redhat.com>
Sent: Monday, February 19, 2018 4:19 AM
To: Jeremy Tourville
Cc: users(a)ovirt.org
Subject: Re: [ovirt-users] Spice Client Connection Issues Using aSpice
On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville@hotmail.com> wrote:
Hello,
I am having trouble connecting to my guest vm (Kali Linux) which is running spice. My engine is running version: 4.2.1.7-1.el7.centos.
I am using oVirt Node as my host running version: 4.2.1.1.
I have taken the following steps to try and get everything running properly.
1. Download the root CA certificate https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
2. Edit the vm and define the graphical console entries. Video type is set to QXL, Graphics protocol is spice, USB support is enabled.
3. Install the guest agent in Debian per the instructions here - https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/ It is my understanding that installing the guest agent will also install the virt IO device drivers.
4. Install the spice-vdagent per the instructions here - https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/
5. On the aSpice client I have imported the CA certificate from step 1 above. I defined the connection using the IP of my Node and TLS port 5901.
Are you really using aSPICE client (e.g. the android SPICE client?). If yes, maybe you want to try to open it using moVirt (https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en) which delegates the console to aSPICE but configures everything including the certificates on it. Should be much simpler than configuring it by hand.
To troubleshoot my connection issues I confirmed the port being used to listen.
virsh # domdisplay Kali
spice://172.30.42.12?tls-port=5901
I see the following when attempting to connect.
tail -f /var/log/libvirt/qemu/Kali.log
140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1
I came across some documentation that states in the caveat section "Certificate of spice SSL should be separate certificate."
https://www.ovirt.org/develop/release-management/features/infra/pki/
Is this still the case for version 4? The document references version 3.2 and 3.3. If so, how do I generate a new certificate for use with spice? Please let me know if you require further info to troubleshoot, I am happy to provide it. Many thanks in advance.
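An added example, not part of the thread: decoding the OpenSSL error line quoted from Kali.log to see which side raised the TLS alert. It assumes the OpenSSL 1.0.x error-code packing (the log references s3_pkt.c); the function names `decode_openssl_error` and `triage` are hypothetical, and the sample input is the two log lines from the message.

```python
import re

# Constructed sample: the two libvirt/qemu log lines quoted in the message above.
SAMPLE_LOG = (
    "140400191081600:error:14094438:SSL routines:ssl3_read_bytes:"
    "tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80\n"
    "((null):27595): Spice-Warning **: reds_stream.c:379:"
    "reds_stream_ssl_accept: SSL_accept failed, error=1\n"
)

ERR_LIB_SSL = 20             # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reason = 1000 + alert number for a received alert

# Alert descriptions from RFC 5246 section 7.2 (handshake-relevant subset).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}

# Text form of an OpenSSL error-queue entry: tid:error:code:lib:func:reason:file:line:data
ERR_LINE = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

def decode_openssl_error(line):
    """Unpack one error-queue line; return None for lines in any other format."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        return None
    code = int(m["code"], 16)
    # Assumed OpenSSL 1.0.x packing: 8-bit library, 12-bit function, 12-bit reason.
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET
    from_peer = lib == ERR_LIB_SSL and 0 <= alert <= 255
    return {
        "lib": lib, "func": func, "func_name": m["func"], "reason": reason,
        "alert": alert if from_peer else None,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if from_peer else None,
        "alert_from_peer": from_peer,  # True: the other endpoint sent the alert
    }

def triage(log_text):
    """Return the decoded OpenSSL errors found in a qemu/SPICE log excerpt."""
    return [d for d in map(decode_openssl_error, log_text.splitlines()) if d]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Because this log is written on the SPICE server side, `alert_from_peer` being true means the fatal alert was sent by the connecting client, so the client's own log is the next place to look.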