[Users] spicec not connect | SSL Error

Hi all,
spicec connects to virtual machines from the oVirt web console... but a manual connection (on Windows or Linux) does this:

1344197680 INFO [3001:3002] RedPeer::connect_unsecure: Connected to 192.168.0.3 5900
1344197680 INFO [3001:3002] RedPeer::connect_secure: Connected to 192.168.0.3 5901
1344197680 ERROR [3001:3002] RedPeer::verify_subject: subject mismatch: #entries cert=2, input=3
1344197680 ERROR [3001:3002] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1344197680 WARN [3001:3002] RedChannel::run: SSL Error:
1344197680 INFO [3001:3001] main: Spice client terminated (exitcode = 7)

What can be done about it?

On 08/05/2012 07:23 PM, Artem wrote:
> Hi all,
> spicec connects to virtual machines from the oVirt web console... but a manual connection (on Windows or Linux) does this:
> 1344197680 ERROR [3001:3002] RedPeer::verify_subject: subject mismatch: #entries cert=2, input=3
> 1344197680 ERROR [3001:3002] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> What can be done about it?
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
did you mean you tried to connect from spice using command line? what was the command line you used? (this seems like a missing host fqdn for spice when asking to connect with ssl)

I have tried this:

# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL, CN=CA-vm-srv.15064" --secure-channels=all
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
3078249000:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

Ping to vm-srv works.

2012/8/6 Itamar Heim <iheim@redhat.com>:
> did you mean you tried to connect from spice using command line? what was the command line you used? (this seems like a missing host fqdn for spice when asking to connect with ssl)

On 08/05/2012 11:56 PM, Artem wrote:
> I have tried this:
> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL, CN=CA-vm-srv.15064" --secure-channels=all

this looks like the subject name of the CA, not the host running the virtual machine?

> Error: subject mismatch: #entries cert=2, input=3
> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> 3078249000:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> Warning: SSL Error:
> Ping to vm-srv works.

hmm... not sure if I understood correctly...
vm-srv is the KVM host (server), and I connect from another machine to a VM on that KVM host.
This subject name I got from .spicec/spice_truststore.pem:

//////////////////////////////////
# cat .spicec/spice_truststore.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
        Validity
            Not Before: Jul 28 03:42:06 2012
            Not After : Jul 26 23:42:07 2022 GMT
        Subject: C=US, O=ICL, CN=CA-vm-srv.15064
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
///////////////////////////////////////////

2012/8/6 Itamar Heim <iheim@redhat.com>:
> this looks like the subject name of the CA, not the host running the virtual machine?

On 08/06/2012 12:07 AM, Artem wrote:
> hmm... not sure if I understood correctly...
> vm-srv is the KVM host (server), and I connect from another machine to a VM on that KVM host.

did you install the engine and kvm host on the same machine?

> This subject name I got from .spicec/spice_truststore.pem:

yes, spice trusts the CA, but the client needs to validate the target host certificate. (if you run engine and host on the same machine, try: "C=US, O=ICL, CN=vm-srv" (assuming you added the host with hostname of vm-srv to engine. if you added it with fqdn or ip, use them under last CN)

yes, engine and kvm (qemu-kvm) are installed on the same machine (vm-srv)
I changed the host-subject, but..

# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL, CN=vm-srv" --secure-channels=all
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
3079539240:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:

2012/8/6 Itamar Heim <iheim@redhat.com>:
> did you install the engine and kvm host on the same machine?
> yes, spice trusts the CA, but the client needs to validate the target host certificate. (if you run engine and host on the same machine, try: "C=US, O=ICL, CN=vm-srv" (assuming you added the host with hostname of vm-srv to engine. if you added it with fqdn or ip, use them under last CN)

On 08/06/2012 12:30 AM, Artem wrote:
> yes, engine and kvm (qemu-kvm) are installed on the same machine (vm-srv)

what do you get for: cat /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject ?

> I changed the host-subject, but..
> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL, CN=vm-srv" --secure-channels=all
> Error: subject mismatch: #entries cert=2, input=3
> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)

On 08/06/2012 12:43 AM, Artem wrote:
> [root@vm-srv ~]# cat /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject
> Subject: O=ICL, CN=192.168.0.3

so, you added this host based on its ip. the above is the subject you should be using...

> Subject Public Key Info:
>
> 2012/8/6 Itamar Heim <iheim@redhat.com>:
> > cat /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject
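Why the first two `--host-subject` values were rejected with `#entries cert=2, input=3` and the third one passes the subject check, worked through as an added example (illustration code written for this page, not spicec's source). It parses the X.500 name string given to `--host-subject` into ordered type=value entries and compares it with the certificate subject in the order the spicec log line implies: entry count first, then each entry. The certificate subjects are the ones quoted in this thread; the function names are ours. The check matters because `spice_truststore.pem` only says which CA is trusted, and every host the engine enrolled holds a certificate from that same CA, so a client that did not pin the target host's subject would accept any of those hosts (or anything else signed by the CA) as the VM's host.

```python
"""Illustrates spicec's --host-subject comparison (added example, not spicec code).

The --host-subject string and the subject of the certificate the host presents
are both X.500 names: an ordered list of (type, value) pairs. The client refuses
the TLS connection unless they agree entry for entry; when even the entry counts
differ the thread's log shows
    RedPeer::verify_subject: subject mismatch: #entries cert=N, input=M
"""
from __future__ import annotations

from typing import List, Tuple

RDN = Tuple[str, str]


def _split_entry(text: str) -> RDN:
    if "=" not in text:
        raise ValueError(f"not a type=value entry: {text!r}")
    typ, val = text.split("=", 1)
    # Attribute types are case-insensitive (RFC 4514); values are kept as given.
    return typ.strip().upper(), val.strip()


def parse_dn(dn: str) -> List[RDN]:
    """'C=US, O=ICL, CN=vm-srv' -> [('C','US'), ('O','ICL'), ('CN','vm-srv')].

    A comma escaped with a backslash belongs to the value, not to the separator.
    """
    entries: List[RDN] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            entries.append(_split_entry(buf))
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():
        entries.append(_split_entry(buf))
    return entries


def verify_subject(cert_subject: List[RDN], host_subject: str) -> Tuple[bool, str]:
    """Return (ok, diagnostic); the diagnostics mirror the two failure modes seen above."""
    wanted = parse_dn(host_subject)
    if len(cert_subject) != len(wanted):
        return False, (f"subject mismatch: #entries cert={len(cert_subject)}, "
                       f"input={len(wanted)}")
    for (ct, cv), (wt, wv) in zip(cert_subject, wanted):
        if ct != wt or cv != wv:
            return False, f"subject mismatch: cert has {ct}={cv}, input has {wt}={wv}"
    return True, "subject ok"


# Subjects quoted in this thread.
CA_SUBJECT = parse_dn("C=US, O=ICL, CN=CA-vm-srv.15064")   # .spicec/spice_truststore.pem
VDSM_SUBJECT = parse_dn("O=ICL, CN=192.168.0.3")           # /etc/pki/vdsm/certs/vdsmcert.pem

ATTEMPTS = [
    "C=US, O=ICL, CN=CA-vm-srv.15064",  # 1st try: the CA's own subject, 3 entries
    "C=US, O=ICL, CN=vm-srv",           # 2nd try: the hostname, still 3 entries
    "O=ICL, CN=192.168.0.3",            # 3rd try: the host certificate's subject
]


def check_attempts(cert_subject: List[RDN] = VDSM_SUBJECT) -> List[Tuple[str, bool, str]]:
    """Run every --host-subject value from the thread against the host certificate subject."""
    return [(a, *verify_subject(cert_subject, a)) for a in ATTEMPTS]


if __name__ == "__main__":
    for attempt, ok, why in check_attempts():
        print(f"{'OK  ' if ok else 'FAIL'} --host-subject {attempt!r}: {why}")
```

The entry count is compared before any value, which is why both three-entry attempts fail with the identical `cert=2, input=3` message although one of them names the right host; only a subject that matches the host certificate attribute for attribute (here `O=ICL, CN=192.168.0.3`, as read from `vdsmcert.pem`) gets past the TLS handshake.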

oh ... I have done a foolish thing, but...

spicec -h vm-srv -p 5900 -s 5901 --host-subject "O=ICL, CN=192.168.0.3" --secure-channels=all
Warning: connect failed 7

cat .spicec/spicec.log
1344217716 INFO [3164:3164] Application::main: starting 0.8.3
1344217716 INFO [3164:3164] init_key_map: using evdev mapping
1344217716 INFO [3164:3164] MultyMonScreen::MultyMonScreen: platform_win: 58720257
1344217716 INFO [3164:3164] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-3164.uds
1344217716 INFO [3164:3165] RedPeer::connect_secure: Connected to vm-srv 5901
1344217716 WARN [3164:3165] RedChannel::run: connect failed 7
1344217716 INFO [3164:3164] main: Spice client terminated (exitcode = 3)

2012/8/6 Itamar Heim <iheim@redhat.com>:
> so, you added this host based on its ip. the above is the subject you should be using...

On 08/06/2012 12:51 AM, Artem wrote:
> oh ... I have done a foolish thing, but...
> spicec -h vm-srv -p 5900 -s 5901 --host-subject "O=ICL, CN=192.168.0.3" --secure-channels=all
> Warning: connect failed 7

why are you assuming port 5901 is the secure port for spice connection?

section for target vm

<display>
  <type>spice</type>
  <address>192.168.0.3</address>
  <port>5900</port>
  <secure_port>5901</secure_port>
  <monitors>1</monitors>
  <allow_reconnect>true</allow_reconnect>
</display>

log from connect to spice-xpi

////////////////
2012-08-05 22:03:30.766+0000: 1587: debug : qemuMonitorIOProcess:327 : QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp": {"seconds": 1344204210, "microseconds": 766409}, "event": "SPICE_CONNECTED", "data": {"server": {"port": "5901", "family": "ipv4", "host": "192.168.0.3"}, "client": {"port": "54549", "family": "ipv4", "host": "192.168.0.156"}}} len=243
2012-08-05 22:03:30.767+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:30.768+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:30.768+0000: 1587: debug : qemuMonitorIOProcess:327 : QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp": {"seconds": 1344204210, "microseconds": 768142}, "event": "SPICE_CONNECTED", "data": {"server": {"port": "5901", "family": "ipv4", "host": "192.168.0.3"}, "client": {"port": "54550", "family": "ipv4", "host": "192.168.0.156"}}} len=243
2012-08-05 22:03:30.769+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorIOProcess:327 : QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp": {"seconds": 1344204210, "microseconds": 769686}, "event": "SPICE_CONNECTED", "data": {"server": {"port": "5901", "family": "ipv4", "host": "192.168.0.3"}, "client": {"port": "54551", "family": "ipv4", "host": "192.168.0.156"}}} len=243
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorIOProcess:327 : QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp": {"seconds": 1344204211, "microseconds": 94700}, "event": "SPICE_INITIALIZED", "data": {"server": {"auth": "spice", "port": "5901", "family": "ipv4", "host": "192.168.0.3"}, "client": {"port": "54551", "family": "ipv4", "channel-type": 4, "connection-id": 2145174067, "host": "192.168.0.156", "channel-id": 0, "tls": true}}} len=339
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.096+0000: 1587: debug : virDomainFree:2313 : dom=0x21e2e60, (VM: name=dns-srv, uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.096+0000: 1587: debug : virDomainFree:2313 : dom=0x21e2e60, (VM: name=dns-srv, uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.130+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.130+0000: 1587: debug : qemuMonitorIOProcess:327 : QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp": {"seconds": 1344204211, "microseconds": 130196}, "event": "SPICE_INITIALIZED", "data": {"server": {"auth": "spice", "port": "5901", "family": "ipv4", "host": "192.168.0.3"}, "client": {"port": "54549", "family": "ipv4", "channel-type": 3, "connection-id": 2145174067, "host": "192.168.0.156", "channel-id": 0, "tls": true}}} len=340
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 : QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.131+0000: 1587: debug : virDomainFree:2313 : dom=0x21e2e60, (VM: name=dns-srv, uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.132+0000: 1587: debug : virDomainFree:2313 : dom=0x21e2e60, (VM: name=dns-srv, uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.135+0000: 1587: debug : qemuMonitorRef:201 : QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.135+0000: 1587: debug : qemuMonitorIOProcess:327 : QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp": {"seconds": 1344204211, "microseconds": 133524}, "event": "SPICE_INITIALIZED", "data": {"server": {"auth": "spice", "port": "5901", "family": "ipv4", "host": "192.168.0.3"}, "client": {"port": "54550", "family": "ipv4", "channel-type": 2, "connection-id": 2145174067, "host": "192.168.0.156", "channel-id": 0, "tls": true}}} len=340
////////

2012/8/6 Itamar Heim <iheim@redhat.com>:
> why are you assuming port 5901 is the secure port for spice connection?

On 08/06/2012 01:08 AM, Artem wrote:
> section for target vm
> <display>
>   <type>spice</type>
>   <address>192.168.0.3</address>
>   <port>5900</port>
>   <secure_port>5901</secure_port>
>   <monitors>1</monitors>
>   <allow_reconnect>true</allow_reconnect>
> </display>
> log from connect to spice-xpi

what about setting the spice ticket/password and passing it to spice client?

hm... this is all the config... how do I get it?

<vms>
  <vm id="d3db360f-4ff5-46f5-b61d-db09465db52c" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c">
    <name>dns-srv</name>
    <actions>
      <link rel="shutdown" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/shutdown"/>
      <link rel="start" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/start"/>
      <link rel="stop" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/stop"/>
      <link rel="suspend" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/suspend"/>
      <link rel="export" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/export"/>
      <link rel="detach" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/detach"/>
      <link rel="move" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/move"/>
      <link rel="ticket" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket"/>
      <link rel="migrate" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/migrate"/>
      <link rel="cancelmigration" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cancelmigration"/>
    </actions>
    <link rel="disks" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/disks"/>
    <link rel="nics" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/nics"/>
    <link rel="cdroms" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cdroms"/>
    <link rel="snapshots" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/snapshots"/>
    <link rel="tags" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/tags"/>
    <link rel="permissions" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/permissions"/>
    <link rel="statistics" href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/statistics"/>
    <type>server</type>
    <status>
      <state>up</state>
    </status>
    <memory>536870912</memory>
    <cpu>
      <topology cores="1" sockets="1"/>
    </cpu>
    <os type="rhel_6x64">
      <boot dev="hd"/>
      <boot dev="cdrom"/>
      <kernel/>
      <initrd/>
      <cmdline/>
    </os>
    <high_availability>
      <enabled>false</enabled>
      <priority>1</priority>
    </high_availability>
    <display>
      <type>spice</type>
      <address>192.168.0.3</address>
      <port>5900</port>
      <secure_port>5901</secure_port>
      <monitors>1</monitors>
      <allow_reconnect>true</allow_reconnect>
    </display>
    <host id="82899d36-d913-11e1-84c7-cbe4a64e9810" href="/api/hosts/82899d36-d913-11e1-84c7-cbe4a64e9810"/>
    <cluster id="6e6c825a-d913-11e1-af2a-bfe9e665ddb3" href="/api/clusters/6e6c825a-d913-11e1-af2a-bfe9e665ddb3"/>
    <template id="00000000-0000-0000-0000-000000000000" href="/api/templates/00000000-0000-0000-0000-000000000000"/>
    <start_time>2012-08-05T16:05:43.413+04:00</start_time>
    <creation_time>2012-08-01T03:01:12.573+04:00</creation_time>
    <origin>ovirt</origin>
    <stateless>false</stateless>
    <placement_policy>
      <affinity>migratable</affinity>
    </placement_policy>
    <memory_policy>
      <guaranteed>536870912</guaranteed>
    </memory_policy>
    <quota id="1060e438-244e-4888-ae60-c3fa754343c5"/>
    <usb>
      <enabled>false</enabled>
    </usb>
  </vm>

2012/8/6 Itamar Heim <iheim@redhat.com>:
> what about setting the spice ticket/password and passing it to spice client?

On 08/06/2012 01:24 AM, Artem wrote:
> hm... this is all the config... how do I get it?

you need to set it (default expiration is 120 seconds iirc). check this thread: http://www.mail-archive.com/engine-devel@ovirt.org/msg00611.html and this documentation on setvmticket: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html...

On 08/06/2012 01:30 AM, Itamar Heim wrote:
> On 08/06/2012 01:24 AM, Artem wrote:
> > hm... this is all the config... how do I get it?
> you need to set it (default expiration is 120 seconds iirc). check this thread: http://www.mail-archive.com/engine-devel@ovirt.org/msg00611.html
> and this documentation on setvmticket: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html...

or just use the ovirt cli 'console' command which will open a spice console for you after doing all you are trying to do...

Running console from ovirt-shell works... but no auto fullscreen for the display vm
////
# ovirt-shell -c -l "http://192.168.0.3:8080/api" -u "admin@internal" -p 'pass'
==========================================
connected to oVirt manager 3.1.0.0 <<<
==========================================
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (connected)]# console dns-srv
////
and the console opens
2012/8/6 Itamar Heim <iheim@redhat.com>:
or just use the ovirt cli 'console' command which will open a spice console for you after doing all you are trying to do...

Hm... is this correct?
curl -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -u admin@internal:pass -d "<action><ticket><expiry>900</expiry></ticket></action>" https://192.168.0.3:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
2012/8/6 Artem <artem@e-inet.ru>:

On 08/06/2012 02:43 AM, Artem wrote:
Hm...
is this correct?
curl -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -u admin@internal:pass -d "<action><ticket><expiry>900</expiry></ticket></action>" https://192.168.0.3:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
partially... this allows you to get the ticket in the response. i see the documentation is missing it, but you can also set the ticket value with your own password which should be easier than getting it from the response.
<xs:complexType name="Ticket">
  <xs:sequence>
    <xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="1"/>
    <xs:element name="expiry" type="xs:unsignedInt" minOccurs="0" maxOccurs="1"/>
  </xs:sequence>
</xs:complexType>

On 08/06/2012 01:40 AM, Artem wrote:
Running console from ovirt-shell works... but no auto fullscreen for the display vm
please open a bug for this to be added. thanks

@Itamar - this is a recurring problem, what about creating a wiki page for it?
@Artem:
Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
i change host-subject but..
# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL, CN=vm-srv" --secure-channels=all
1) your command line is missing '--ca-file $CA_FILE' altogether
2) you don't mention password
3) you shouldn't need to specify host subject at all because your host (-h) matches name of server in CN field of host subject. If you override it anyway, strip white spaces after commas in it: --host-subject='C=US,O=ICL,CN=vm-srv'
4) you could omit -p and --secure-channels altogether in order to achieve tls-only connection, but you can hit https://bugzilla.redhat.com/show_bug.cgi?id=723582 then

So you should do (out of my head, may contain typos):

get CA:
* on engine, it is found here: CA_FILE=/etc/pki/ovirt-engine/ca.pem
* on host, it's here: CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
* on any other host, get it from engine web interface:
  wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt

on the host, get UUID of the VM:
$ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/')"

as root on the host, set ticket (password and its period of validity):
# vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
(doing it via REST API is cleaner but more cumbersome for me)

if the hostname you're connecting does not match what is in CN field of Subject of the server cert, get the subject without spaces after commas on the host:
$ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'

connect to the spice-server:
$ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}

OR, with newer, shinier and overall better client :)
# yum install virt-viewer
$ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
(you'll have to provide the password through the pop-up dialog)

if you need to provide host subject (host name/IP not matching the one from server cert Subject):
$ spicec --host-subject ${HOST_SUBJECT} [...]
OR
$ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]

David
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
3079539240:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
2012/8/6 Itamar Heim <iheim@redhat.com>:
On 08/06/2012 12:07 AM, Artem wrote:
hmm... not sure if understood correctly...
vm-srv is the KVM host (server), and I connect from another machine to a vm on kvm.
did you install the engine and kvm host on same machine?
this subject name I get from .spicec/spice_truststore.pem
yes, spice trusts the CA, but client needs to validate the target host certificate. (if you run engine and host on same machine, try: "C=US, O=ICL, CN=vm-srv" (assuming you added the host with hostname of vm-srv to engine. if you added it with fqdn or ip, use them under last CN)
//////////////////////////////////
# cat .spicec/spice_truststore.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
        Validity
            Not Before: Jul 28 03:42:06 2012
            Not After : Jul 26 23:42:07 2022 GMT
        Subject: C=US, O=ICL, CN=CA-vm-srv.15064
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
///////////////////////////////////////////
2012/8/6 Itamar Heim <iheim@redhat.com>:
this looks like the subject name of the CA, not the host running the virtual machine?
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

Hi all, thanks a lot, it works
1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}" on kvm host
3) and connect to the console using this line "spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
but how to install "setVmTicket" without login as root on kvm host, how to make it through the post request?
2012/8/6 David Jaša <djasa@redhat.com>:

Hello again, I figured it out, this resolves my question
# curl -X POST -H "Accept: application/xml" -H "Content-type: application/xml" -u admin@internal:pass --cacert ca.crt -d "<action><ticket><expiry>120</expiry></ticket></action>" https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
  <ticket>
    <value>+e/OUQvquJx4</value>
    <expiry>120</expiry>
  </ticket>
  <status>
    <state>complete</state>
  </status>
</action>
Artem
2012/8/7 Artem <artem@e-inet.ru>:
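The workflow this thread settles on, as an added shell example (not code from the thread or from oVirt itself): David's spicec arguments and host-subject rule, the Ticket schema Itamar quoted, and the REST ticket request Artem ended up using, with the offline parts written as functions you can check without an engine. The engine name, VM UUID, CA path and the sample XML reply are placeholders or constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the secure-console workflow the
# thread converges on (CA file, ticket over the REST API, host-subject
# check, client launch). ENGINE, VM_UUID, SPICE_HOST, TLS_PORT and CA_FILE
# are placeholders you supply; the API user is assumed to be admin@internal
# as in the thread.
set -eu

# Strip whitespace after commas, as David advises for --host-subject.
normalize_subject() {
    printf '%s' "$1" | sed -e 's/,[[:space:]]*/,/g'
}

# Number of RDN entries in a subject, the "#entries" count spicec reports.
subject_entries() {
    printf '%s\n' "$(normalize_subject "$1")" | tr ',' '\n' | grep -c .
}

# Mirror the client's first check: entry counts must agree before the
# entries themselves are compared. Returns 1 with the reason otherwise.
check_subject_entries() {
    cert_n="$(subject_entries "$1")"; input_n="$(subject_entries "$2")"
    if [ "$cert_n" -ne "$input_n" ]; then
        echo "subject mismatch: #entries cert=$cert_n, input=$input_n" >&2
        return 1
    fi
}

# Body for POST /api/vms/{id}/ticket. Per the Ticket schema Itamar quoted,
# <value> is optional: leave it empty and the engine generates the password.
# A caller-chosen value must be XML-safe (no '&' or '<').
ticket_request_body() {
    expiry="$1"; value="${2:-}"
    if [ -n "$value" ]; then
        printf '<action><ticket><value>%s</value><expiry>%s</expiry></ticket></action>' \
            "$value" "$expiry"
    else
        printf '<action><ticket><expiry>%s</expiry></ticket></action>' "$expiry"
    fi
}

# Pull <value> and <state> out of the engine's XML reply (one tag per line).
ticket_value() { printf '%s\n' "$1" | sed -n 's|.*<value>\([^<]*\)</value>.*|\1|p'; }
ticket_state() { printf '%s\n' "$1" | sed -n 's|.*<state>\([^<]*\)</state>.*|\1|p'; }

# Constructed reply in the shape the thread shows; the ticket is made up.
SAMPLE_RESPONSE='<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
  <ticket>
    <value>constructed-ticket-123</value>
    <expiry>120</expiry>
  </ticket>
  <status>
    <state>complete</state>
  </status>
</action>'

# spicec arguments per David's points: CA file and TLS port only (no -p,
# no --secure-channels), host subject only when the name you dial differs
# from the cert's CN, and then without spaces after the commas.
build_client_args() {
    ca_file="$1"; spice_host="$2"; tls_port="$3"; host_subject="${4:-}"
    args="--ca-file $ca_file -h $spice_host -s $tls_port"
    if [ -n "$host_subject" ]; then
        args="$args --host-subject=$(normalize_subject "$host_subject")"
    fi
    printf '%s' "$args"
}

# Network step: ask the engine for a ticket. curl prompts for the password
# because -u carries none, so it stays out of the process list; --cacert
# has the engine's own TLS certificate verified as well. Fails closed.
request_ticket() {
    engine="$1"; vm_id="$2"; api_user="$3"; ca_file="$4"; expiry="$5"
    response="$(curl -sf -X POST -u "$api_user" --cacert "$ca_file" \
        -H 'Accept: application/xml' -H 'Content-Type: application/xml' \
        -d "$(ticket_request_body "$expiry")" \
        "https://$engine:8443/api/vms/$vm_id/ticket")"
    [ "$(ticket_state "$response")" = "complete" ] || {
        echo "ticket request did not complete" >&2; return 1; }
    ticket_value "$response"
}

# Get a 120-second ticket and connect, e.g.:
#   connect_console ENGINE VM_UUID SPICE_HOST TLS_PORT CA_FILE
# -w puts the ticket on spicec's command line; remote-viewer's password
# dialog avoids that where it matters.
connect_console() {
    engine="$1"; vm_id="$2"; spice_host="$3"; tls_port="$4"; ca_file="$5"
    [ -s "$ca_file" ] || { echo "fetch the CA first (David's step 1)" >&2; return 1; }
    ticket="$(request_ticket "$engine" "$vm_id" admin@internal "$ca_file" 120)"
    # shellcheck disable=SC2046 -- the generated args contain no whitespace
    spicec $(build_client_args "$ca_file" "$spice_host" "$tls_port") -w "$ticket"
}
```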

On 08/07/2012 10:04 PM, Artem wrote:
Hello again, I figured it out, this resolves my question
# curl -X POST -H "Accept: application/xml" -H "Content-type: application/xml" -u admin@internal:pass --cacert ca.crt -d "<action><ticket><expiry>120</expiry></ticket></action>" https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
  <ticket>
    <value>+e/OUQvquJx4</value>
    <expiry>120</expiry>
  </ticket>
  <status>
    <state>complete</state>
  </status>
</action>
indeed. artem/david - between all the inputs in this thread - please try to capture it in a wiki as david suggested. thanks, Itamar

Itamar Heim wrote on Tue 07. 08. 2012 at 23:18 +0300:
On 08/07/2012 10:04 PM, Artem wrote:
Hello again, I figured it out, this resolves my question
# curl -X POST -H "Accept: application/xml" -H "Content-type: application/xml" -u admin@internal:pass --cacert ca.crt -d "<action><ticket><expiry>120</expiry></ticket></action>" https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
  <ticket>
    <value>+e/OUQvquJx4</value>
    <expiry>120</expiry>
  </ticket>
  <status>
    <state>complete</state>
  </status>
</action>
indeed. artem/david - between all the inputs in this thread - please try to capture it in a wiki as david suggested.
Just writing it right now (offline).
David
participants (3)
- Artem
- David Jaša
- Itamar Heim