I have been seeing selinux denials. I'm not sure if it was for the
allinone plugin.
Should selinux be enabled or disabled?
enabled, but doesn't mean it doesn't have bugs:
- try with disabled
- report the denials
On Fri, Jul 27, 2012 at 1:54 PM, Yaniv Kaul <ykaul(a)redhat.com> wrote:
> Did you look for selinux denials?
>
> ----- Original Message -----
>> I was not able to get this working using beta
>> ovirt-engine-setup-plugin-allinone rpm
>>
>> Used answer file as recommended on the wiki. I didn't document the
>> exact error, but the install failed.
>>
>> I did another install using F16 Installing VDSM from rpm
>>
>> [ovirt-engine-3.0]
>> name=ovirt-engine-3.0
>> baseurl=http://www.ovirt.org/releases/3.0/rpm/Fedora/16
>> enabled=1
>> gpgcheck=0
>>
>>
>> And then doing engine-setup
>>
>> And then installing spice-xpi
>>
>> Can't explain it but it's working from the F16 desktop using FF :)
>>
>>
>>
>> On Thu, Jul 26, 2012 at 5:13 AM, Itamar Heim <iheim(a)redhat.com>
>> wrote:
>>> On 07/26/2012 01:10 PM, David Jaša wrote:
>>>>
>>>> Brent Bolin wrote on Wed, 25. 07. 2012 at 13:46 -0500:
>>>>>
>>>>> I have seen this. Can give it a try.
>>>>>
>>>>> At this point I'm not sure if it's a problem with my configuration.
>>>>> Or making console connections with either vnc or spice. The ports are
>>>>> clearly running -
>>>>>
>>>>> netstat -an|grep 590
>>>>> tcp        0      0 0.0.0.0:5900      0.0.0.0:*      LISTEN
>>>>> tcp        0      0 0.0.0.0:5901      0.0.0.0:*      LISTEN
>>>>>
>>>>>
>>>>> When using plain old kvm, virt-manager I could just simply connect
>>>>> using any vnc or virt-viewer or x11 virtmanager.
>>>>>
>>>>> I'm not sure what ovirt is doing with tls etc...
>>>>>
>>>>
>>>> As Itamar already said, it:
>>>> * sets up TLS and enforces it.
>>>> * sets up temporary ticket
>>>>
>>>> If you want to connect to the console manually, you have to set up the
>>>> ticket - on the server, follow these steps in order to achieve it (from
>>>> top of my head, can contain typos):
>>>> VM_UUID="$(vdsClient -s 0 list table | grep "$VM_NAME" | awk '{print $1}')"
>>>> vdsClient -s 0 setVmTicket $VM_UUID $PASSWORD $TIMEOUT
>>>>
>>>> For TLS, you'll need CA file and host subject in case of host name used
>>>> on CLI not matching host name in server cert CN. Assuming you're
>>>> connecting from some other computer:
>>>> SUBJECT="$(ssh root@$HOST 'grep Subject: /etc/pki/vdsm/libvirt-spice/server-cert.pem' | sed -e 's/, /,/')"
>>>> scp root@$HOST:/etc/pki/rhevm/ca.pem $CA_FILE
>>>> remote-viewer --spice-ca-file=$CA_FILE --spice-host-subject="$SUBJECT" "spice://$HOST/?port=$PORT,tls-port=$SECURE_PORT"
>>>> # it will ask for password in pop-up window
>>>> # OR you can use "good old" spicec:
>>>> spicec --ca-file=$CA_FILE --host-subject="$SUBJECT" -h $HOST -p $PORT -s $SECURE_PORT -w $PASSWORD
>>>>
>>>> David
>>>>
>>>> PS: given all the info, I guess you've run into some instance of this
>>>> downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=839548
>>>
>>>
>>> brent - this only fails user portal. are you failing from webadmin
>>> as well?
>>>
>>>
>>>>
>>>>
>>>>> Not being able to get console access is a definite show stopper. And
>>>>> it shouldn't be rocket science to do it. And it should be accessible
>>>>> from either linux or windows clients. Does vSphere (windows only)
>>>>> ring a bell?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jul 25, 2012 at 1:09 PM, Itamar Heim <iheim(a)redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>> would it be relevant for you to try the 3.1 beta?
>>>>>> it has this which should cover your 'all in one' needs:
>>>>>> http://www.ovirt.org/wiki/Feature/AllInOne
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 07/25/2012 06:52 PM, Brent Bolin wrote:
>>>>>>>
>>>>>>>
>>>>>>> Thanks David for your reply -
>>>>>>>
>>>>>>> I have completely flushed all iptables rules 'iptables --flush' -
>>>>>>>
>>>>>>> iptables -L -v -n
>>>>>>> Chain INPUT (policy ACCEPT 1775K packets, 627M bytes)
>>>>>>>  pkts bytes target prot opt in out source destination
>>>>>>>
>>>>>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>>>>>  pkts bytes target prot opt in out source destination
>>>>>>>
>>>>>>> Chain OUTPUT (policy ACCEPT 1754K packets, 589M bytes)
>>>>>>>  pkts bytes target prot opt in out source destination
>>>>>>>
>>>>>>> The base host is Fedora 16 running with desktop
>>>>>>>
>>>>>>> First installed vdsm and then ovirt-engine
>>>>>>>
>>>>>>> Single network bridge installed, but there is another 1GB nic that
>>>>>>> isn't being used -
>>>>>>>
>>>>>>> eth0      Link encap:Ethernet  HWaddr 00:1B:21:7D:ED:4A
>>>>>>>           inet6 addr: fe80::21b:21ff:fe7d:ed4a/64 Scope:Link
>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>           RX packets:99656 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>           TX packets:51508 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>           collisions:0 txqueuelen:1000
>>>>>>>           RX bytes:63007897 (60.0 MiB)  TX bytes:18148736 (17.3 MiB)
>>>>>>>
>>>>>>> lo        Link encap:Local Loopback
>>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>>           inet6 addr: ::1/128 Scope:Host
>>>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>>>           RX packets:1814674 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>           TX packets:1814674 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>           collisions:0 txqueuelen:0
>>>>>>>           RX bytes:646274067 (616.3 MiB)  TX bytes:646274067 (616.3 MiB)
>>>>>>>
>>>>>>> ovirtmgmt Link encap:Ethernet  HWaddr 00:1B:21:7D:ED:4A
>>>>>>>           inet addr:192.168.0.118  Bcast:192.168.0.255  Mask:255.255.255.0
>>>>>>>           inet6 addr: fe80::21b:21ff:fe7d:ed4a/64 Scope:Link
>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>           RX packets:70706 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>           TX packets:48717 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>           collisions:0 txqueuelen:0
>>>>>>>           RX bytes:52195637 (49.7 MiB)  TX bytes:14942359 (14.2 MiB)
>>>>>>>
>>>>>>> vnet0     Link encap:Ethernet  HWaddr FE:1A:4A:A8:00:00
>>>>>>>           inet6 addr: fe80::fc1a:4aff:fea8:0/64 Scope:Link
>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>           RX packets:3 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>           TX packets:14 errors:0 dropped:0 overruns:1 carrier:0
>>>>>>>           collisions:0 txqueuelen:500
>>>>>>>           RX bytes:1299 (1.2 KiB)  TX bytes:2760 (2.6 KiB)
>>>>>>>
>>>>>>> After ovirt engine is installed logged into the interface and
>>>>>>> configured the host using 127.0.0.1. Host reboots. Host shows up in
>>>>>>> the admin interface only complaining about power management that
>>>>>>> isn't configured.
>>>>>>>
>>>>>>>
>>>>>>> Here
>>>>>>> <https://picasaweb.google.com/lh/photo/3vclaT_6d3uy2QODU6xp_zyLvDWH8k_pPWn...>
>>>>>>> is a screen shot of the web interface
>>>>>>>
>>>>>>> The only configuration settings I've changed are in the qemu.conf to
>>>>>>> either tls=0 or tls=1
>>>>>>>
>>>>>>> spice-gtk-0.11-4.fc16.x86_64
>>>>>>> spice-client-0.10.1-1.fc16.x86_64
>>>>>>> spice-glib-0.11-4.fc16.x86_64
>>>>>>> spice-gtk3-0.11-4.fc16.x86_64
>>>>>>> spice-xpi-2.7-3.fc16.x86_64
>>>>>>> spice-gtk-tools-0.11-4.fc16.x86_64
>>>>>>> spice-server-0.10.1-1.fc16.x86_64
>>>>>>>
>>>>>>> The link in the admin interface shows available (using FF). When I
>>>>>>> click it opens a spicec:0 dialog and just closes
>>>>>>>
>>>>>>> If I try to open from a shell I get things like this -
>>>>>>>
>>>>>>> Brief window open and then error -
>>>>>>>
>>>>>>> spicec -h 127.0.0.1 -p 5900
>>>>>>> Warning: connect error 5 - need secured connection
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jul 25, 2012 at 10:04 AM, David Jaša <djasa(a)redhat.com> wrote:
>>>>>>> > Hi Brent,
>>>>>>> >
>>>>>>> > first guess: have a look if your iptables setup allows connection to
>>>>>>> > the qemu processes. RHEV 3.0 documentation (publicly accessible) says
>>>>>>> > that a host needs these ports open:
>>>>>>> >     port 22 for SSH,
>>>>>>> >     ports 5634 to 6166 for guest console connections,
>>>>>>> >     port 16514 for libvirt virtual machine migration traffic,
>>>>>>> >     ports 49152 to 49216 for VDSM virtual machine migration traffic,
>>>>>>> >     and
>>>>>>> >     port 54321 for the Red Hat Enterprise Virtualization Manager.
>>>>>>> >
>>>>>>> > If you have ovirt-engine running on the same machine as vdsm, most of
>>>>>>> > the ports don't need to be accessible from outside but "guest console"
>>>>>>> > ports do.
>>>>>>> >
>>>>>>> > If it isn't iptables, please share at least:
>>>>>>> > * what your actual topology is (engine on the physical host?)
>>>>>>> > * if you use some custom tls settings such as tls switched off
>>>>>>> > * what spice client & xpi versions are you using
>>>>>>> > * how exactly the client failed (showed error window? with what error?
>>>>>>> >   just didn't launch?)
>>>>>>> >
>>>>>>> > In your email, you didn't write any debugging hints apart from the
>>>>>>> > setup being single-host one...
>>>>>>> >
>>>>>>> > David
>>>>>>> >
>>>>>>> >
>>>>>>> > Brent Bolin wrote on Wed, 25. 07. 2012 at 09:00 -0500:
>>>>>>> >> About 6 months ago I asked on this list if it was possible to install
>>>>>>> >> ovirt on a single host. Thread got long and winded and lost interest.
>>>>>>> >>
>>>>>>> >> Started looking at the project again about two days ago. What I
>>>>>>> >> really didn't understand was using a base Fedora install. Installing
>>>>>>> >> vdsm and then installing ovirt engine.
>>>>>>> >>
>>>>>>> >> So everything is up. Created data center, storage, cluster, host and
>>>>>>> >> virtual machine.
>>>>>>> >>
>>>>>>> >> But I can't get there from here. I can't get console running to
>>>>>>> >> configure the booted install.
>>>>>>> >>
>>>>>>> >> I've tried VNC, Spice, Firefox with spice-xpi plugin.
>>>>>>> >>
>>>>>>> >> Tried tweaking, turning, touching, swearing @ /etc/libvirt/qemu.conf
>>>>>>> >> settings. tls settings. Not even sure if this is the right place to
>>>>>>> >> be checking.
>>>>>>> >>
>>>>>>> >> This is a show stopper.
>>>>>>> >>
>>>>>>> >> LSB Version: :core-4.0-amd64:core-4.0-noarch
>>>>>>> >> Distributor ID: Fedora
>>>>>>> >> Description: Fedora release 16 (Verne)
>>>>>>> >> Release: 16
>>>>>>> >> Codename: Verne
>>>>>>> >>
>>>>>>> >> [root@ovirt # rpm -qa|grep ovirt-engine
>>>>>>> >> ovirt-engine-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-log-collector-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-iso-uploader-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-backend-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-notification-service-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-jboss-deps-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-tools-common-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-dbscripts-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-setup-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-jbossas-1.2-2.fc16.x86_64
>>>>>>> >> ovirt-engine-userportal-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-restapi-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-genericapi-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-config-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >> ovirt-engine-webadmin-portal-3.0.0_0001-1.6.fc16.x86_64
>>>>>>> >>
>>>>>>> >> Any input would be appreciated
>>>>>>> >> _______________________________________________
>>>>>>> >> Users mailing list
>>>>>>> >> Users(a)ovirt.org
>>>>>>> >> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>> >
>>>>>>> > --
>>>>>>> >
>>>>>>> > David Jaša, RHCE
>>>>>>> >
>>>>>>> > SPICE QE based in Brno
>>>>>>> > GPG Key: 22C33E24
>>>>>>> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>
>>
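
The quoted console procedure says a host subject is only needed when the host name given on the command line does not match the CN in the server certificate. The script below is an added example, not part of the thread: it pulls the Subject line out of a certificate text dump, normalizes it, and reports whether a given host name matches the CN. The helper names and the sample certificate text are constructed, and it assumes the client option takes the DN without the "Subject:" label and without blanks around "=" or after ",".

```sh
#!/bin/sh
# Added example; helper names and the certificate text are constructed.

# Constructed sample of the text dump at the top of a server certificate, in
# the newer OpenSSL layout that puts blanks around "=".
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Issuer: O = Example Org, CN = CA-engine.example.test
        Subject: O = Example Org, CN = host1.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'

# spice_subject: read certificate text on stdin, print the first "Subject:"
# line as a bare DN. Assumption: no "Subject:" label and no blanks around "="
# or after "," are wanted. DN values that contain a comma are not handled.
spice_subject() {
    sed -n '/^[[:space:]]*Subject:/{
        s/^[[:space:]]*Subject:[[:space:]]*//
        s/[[:space:]]*=[[:space:]]*/=/g
        s/,[[:space:]]*/,/g
        s/[[:space:]]*$//
        p
        q
    }'
}

# cert_cn SUBJECT: print the CN component of a normalized subject.
cert_cn() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n '/^CN=/{
        s/^CN=//
        p
        q
    }'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# needs_host_subject HOST SUBJECT: succeeds when HOST differs from the CN,
# which is the case where the host subject has to be passed explicitly.
needs_host_subject() {
    [ "$(lower "$(cert_cn "$2")")" != "$(lower "$1")" ]
}

subject=$(printf '%s\n' "$SAMPLE_CERT_TEXT" | spice_subject)
for host in host1.example.test 127.0.0.1; do
    if needs_host_subject "$host" "$subject"; then
        echo "$host: CN differs, pass the host subject \"$subject\""
    else
        echo "$host: matches the certificate CN"
    fi
done
```
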