Hello,

Apparently, VNC with TLS enabled is the default. At the very least I don't remember ever enabling it.

Attempting to disable it as a quick test, by altering /etc/libvirt/qemu.conf and setting vnc_tls=0, fixes it. So I guess I'll need to disable it at the cluster level for a permanent fix. (And then reinstall the hosts....)

After seeing the previous reply, I figured that the "direct connection to the VM host" meant the VNC connection would be using TLS. SPICE "Just Works(TM)" with TLS enabled, but for VNC it requires a TLS cert to be installed on the ovirt host servers. And of course, the default is the internal engine CA. With no easy way to override it. (I.e. The new cert config won't survive a host reinstall / upgrade.) Which defeats the entire purpose of having a third party CA for end-user connections. I guess we'll have to disable this method of VM console access for now, and rely on noVNC until the cert issue gets fixed.

I'm not sure that the user mailing list is the place for feature requests, but just in case, and to avoid criticizing without offering a solution, I would love some mechanism in the web interface to upload a new third party CA cert for the hosts to use with end-user requests. (VNC, image io proxy, cockpit, etc.) The internal engine CA could even be used to secure those cert updates. (As the engine itself could prompt the hosts to install the new cert via VDSM or something. Even better, that method wouldn't require a host reinstall to finish.) That would simplify management and renewal of the certs, as the operation could be delegated / restricted to users with a specific permission (like with the VM permissions), and prevent us from needing to manually configure things in a text file. (The engine host could use this also.)

Thanks for the suggestions everyone.

-Patrick Hibbs
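
A client-side way to confirm what the message above describes, that a host's VNC port demands TLS (VeNCrypt with an X509 subtype) before any password exchange, is to run the RFB 3.8 handshake only as far as the VeNCrypt subtype list and stop there. This is an added diagnostic, not code from oVirt, libvirt or remote-viewer; the host name and port are assumptions, and the byte stream in the test is constructed.

```python
import socket
import struct

VENCRYPT = 19  # RFB security type number for VeNCrypt
SEC_NAMES = {1: "None", 2: "VNC password", 19: "VeNCrypt"}
SUBTYPE_NAMES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
                 260: "X509None", 261: "X509Vnc", 262: "X509Plain",
                 263: "TLSSASL", 264: "X509SASL"}

def _read(f, n):
    buf = f.read(n)
    if len(buf) != n:
        raise ConnectionError("short read from VNC server")
    return buf

def probe_vnc_tls(rfile, wfile):
    """Negotiate RFB 3.8 up to the VeNCrypt subtype list and report it.
    Nothing is sent past the subtype list, so no TLS or password exchange
    happens; the result shows whether the host forces TLS and needs a CA."""
    banner = _read(rfile, 12)
    if not banner.startswith(b"RFB "):
        raise ValueError("not an RFB server: %r" % banner)
    wfile.write(b"RFB 003.008\n"); wfile.flush()
    count = _read(rfile, 1)[0]
    if count == 0:  # server refused; a reason string follows
        reason_len = struct.unpack(">I", _read(rfile, 4))[0]
        raise ConnectionError(_read(rfile, reason_len).decode(errors="replace"))
    types = list(_read(rfile, count))
    result = {"security_types": [SEC_NAMES.get(t, str(t)) for t in types],
              "subtypes": [], "tls_required": False, "x509": False}
    if VENCRYPT not in types:
        return result
    wfile.write(bytes([VENCRYPT])); wfile.flush()
    major, minor = _read(rfile, 2)           # server's VeNCrypt version
    wfile.write(bytes([major, minor])); wfile.flush()
    if _read(rfile, 1)[0] != 0:
        raise ConnectionError("server rejected VeNCrypt %d.%d" % (major, minor))
    n = _read(rfile, 1)[0]
    subs = [struct.unpack(">I", _read(rfile, 4))[0] for _ in range(n)]
    result["subtypes"] = [SUBTYPE_NAMES.get(s, str(s)) for s in subs]
    # TLS is unavoidable when VeNCrypt is the only type and every subtype is
    # a TLS*/X509* one; X509* means the client must trust the host cert's CA.
    result["tls_required"] = types == [VENCRYPT] and all(s >= 257 for s in subs)
    result["x509"] = any(260 <= s <= 262 or s == 264 for s in subs)
    return result

def probe_host(host, port=5900, timeout=5.0):
    """Probe a live host (hypothetical host/port; default VNC port 5900)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_vnc_tls(sock.makefile("rb"), sock.makefile("wb"))
```

Run `probe_host("ovirt-host.example", 5900)` from an end-user machine while a console ticket is open; an `X509Vnc` subtype with `tls_required` set means remote-viewer must validate the host certificate against the engine CA before the password is ever sent.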

On Wed, 2021-12-15 at 00:05 +0000, Staniforth, Paul wrote:
Hi Patrick,

The ovirt-vmconsole is for emulated serial connections (via a ssh tunnel).

The VNC ports are the same range as spice, 5900 - 6923.

Do you have encryption enabled for VNC?


Regards,
Paul S.

From: Patrick Hibbs <hibbsncc1701@gmail.com>
Sent: 14 December 2021 22:53
To: Staniforth, Paul <P.Staniforth@leedsbeckett.ac.uk>
Cc: oVirt Users Mailing List <users@ovirt.org>
Subject: Re: [ovirt-users] Re: remote-viewer VNC mode issue
 


Hello,

Well a quick check of the hosts say that they have ovirt-vmconsole enabled on their firewall, but there doesn't seem to be any logs for the vmconsoles on them. Running wireshark on one of the end-user machines shows that the host does send packets back and forth but then the end-user machine TCP resets the connection. (I assume due to the credential failure.) So it doesn't seem to be a firewall issue.

Is there anything I can do to get some more logs from the vmconsoles on the Host?

Thanks.

-Patrick Hibbs

On Tue, 2021-12-14 at 12:56 +0000, Staniforth, Paul wrote:
Hello Patrick,
With noVNC the connection is made via the websocket-proxy service (probably on the engine server).
The remote-viewer connects directly from the client machine to the virtual host the VM is running on. Maybe check the network/firewall between the client and the host, also the OTP expires after 120 seconds.


Regards,

Paul S.

From: Strahil Nikolov via Users <users@ovirt.org>
Sent: 14 December 2021 12:12
To: hibbsncc1701@gmail.com <hibbsncc1701@gmail.com>; oVirt Users Mailing List <users@ovirt.org>
Subject: [ovirt-users] Re: remote-viewer VNC mode issue
 


The most common problem is the CA of oVirt not trusted in the web browser of the client.


Best Regards,
Strahil Nikolov

On Sun, Dec 12, 2021 at 0:00, Patrick Hibbs
<hibbsncc1701@gmail.com> wrote:
Hello,

As oVirt unfortunately now requires VNC for the VM consoles,
I've been attempting to get VNC mode working on my end user clients.

The noVNC browser client works just fine, but for some reason
the default download to remote-viewer fails on the same hosts.

All the end-user gets is a quick flash of the remote-viewer window on
their screen.

Running remote-viewer in debug mode I get this:

---log snip---

$ remote-viewer -v --debug Downloads/console.vv
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.906: Opening display
to Downloads/console.vv
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.906: Guest (null) has
a vnc display
Guest (null) has a vnc display
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.952: Spice foreign
menu updated
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.952: After open
connection callback fd=-1
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.952: Opening
connection to display at Downloads/console.vv
Opening connection to display at Downloads/console.vv
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.953: fullscreen
display 0: 0
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:35.953: notebook show
status 0x560a419d2280
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.032: notebook show
status 0x560a419d2280
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.032: Insert display 0
0x560a423fa1e0
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.032: notebook show
status 0x560a419d2280
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.052: Allocated
1024x740
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.052: Child allocate
1024x640
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.053: Got VNC
credential request for 1 credential(s)
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.067: Not removing
main window 0 0x560a4195d910
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.067: Disconnected
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.067: close
vnc=0x560a419fc220
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.068: notebook show
status 0x560a419d2280
(remote-viewer:4056): virt-viewer-DEBUG: 16:35:36.068: Guest (null)
display has disconnected, shutting down
Guest (null) display has disconnected, shutting down

---log snip---

It seems to be failing a credential request, but I'm not sure why. The
engine logs only show the VM console ticket being created, but does not
show any connection attempts unless noVNC is used.

---log snip---

2021-12-11 16:48:23,402-05 INFO
[org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-16)
[68b90cfe] Running command: SetVmTicketCommand internal: false.
Entities affected :  ID: bb05ab12-91e5-4ab6-92b1-b911ed78f64f Type:
VMAction group CONNECT_TO_VM with role type USER
2021-12-11 16:48:23,414-05 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(default task-16) [68b90cfe] START, SetVmTicketVDSCommand(HostName = --
REDACTED--, SetVmTicketVDSCommandParameters:{hostId='1fdd841b-477f-
4d13-9935-7908924dd5a1', vmId='bb05ab12-91e5-4ab6-92b1-b911ed78f64f',
protocol='VNC', ticket='ocziPsEOF4km', validTime='120', userName='--
REDACTED--@--REDACTED--', userId='e83ab2b3-c464-49a4-a0ab-
4e62e8131304', disconnectAction='LOCK_SCREEN'}), log id: f6dccdd
2021-12-11 16:48:23,435-05 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(default task-16) [68b90cfe] FINISH, SetVmTicketVDSCommand, return: ,
log id: f6dccdd
2021-12-11 16:48:23,461-05 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-16) [68b90cfe] EVENT_ID: VM_SET_TICKET(164), User --
REDACTED--@--REDACTED--@--REDACTED-- initiated console session for VM
Test
#

---log snip---

What else can I do to troubleshoot this?

- Patrick Hibbs

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
To view the terms under which this email is distributed, please go to:-
https://leedsbeckett.ac.uk/disclaimer/email