6:23 p.m.
Hi all,
spicec connected to virtual machines on Ovirt web console... but
manual connect this (on windows or linux)
1344197680 INFO [3001:3002] RedPeer::connect_unsecure: Connected to
192.168.0.3 5900
1344197680 INFO [3001:3002] RedPeer::connect_secure: Connected to
192.168.0.3 5901
1344197680 ERROR [3001:3002] RedPeer::verify_subject: subject
mismatch: #entries cert=2, input=3
1344197680 ERROR [3001:3002] RedPeer::connect_secure: failed to
connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1344197680 WARN [3001:3002] RedChannel::run: SSL Error:
1344197680 INFO [3001:3001] main: Spice client terminated (exitcode = 7)
what can be done about it ?
10:37 p.m.
On 08/05/2012 07:23 PM, Artem wrote:
Hi all,
spicec connected to virtual machines on Ovirt web console... but
manual connect this (on windows or linux)
1344197680 INFO [3001:3002] RedPeer::connect_unsecure: Connected to
192.168.0.3 5900
1344197680 INFO [3001:3002] RedPeer::connect_secure: Connected to
192.168.0.3 5901
1344197680 ERROR [3001:3002] RedPeer::verify_subject: subject
mismatch: #entries cert=2, input=3
1344197680 ERROR [3001:3002] RedPeer::connect_secure: failed to
connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1344197680 WARN [3001:3002] RedChannel::run: SSL Error:
1344197680 INFO [3001:3001] main: Spice client terminated (exitcode = 7)
what can be done about it ?
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
did you mean you tried to connect from spice using command line?
what was the command line you used?
(this seems like a missing host fqdn for spice when asking to connect
with ssl)
10:56 p.m.
I have tried so
# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
CN=CA-vm-srv.15064" --secure-channels=all
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error
error:00000001:lib(0):func(0):reason(1)
3078249000:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:1063:
Warning: SSL Error:
ping to vms-srv is done.
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
On 08/05/2012 07:23 PM, Artem wrote:
>
> Hi all,
>
> spicec connected to virtual machines on Ovirt web console... but
> manual connect this (on windows or linux)
>
> 1344197680 INFO [3001:3002] RedPeer::connect_unsecure: Connected to
> 192.168.0.3 5900
> 1344197680 INFO [3001:3002] RedPeer::connect_secure: Connected to
> 192.168.0.3 5901
> 1344197680 ERROR [3001:3002] RedPeer::verify_subject: subject
> mismatch: #entries cert=2, input=3
> 1344197680 ERROR [3001:3002] RedPeer::connect_secure: failed to
> connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> 1344197680 WARN [3001:3002] RedChannel::run: SSL Error:
> 1344197680 INFO [3001:3001] main: Spice client terminated (exitcode = 7)
>
> what can be done about it ?
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
did you mean you tried to connect from spice using command line?
what was the command line you used?
(this seems like a missing host fqdn for spice when asking to connect with
ssl)
10:59 p.m.
On 08/05/2012 11:56 PM, Artem wrote:
I have tried so
# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
CN=CA-vm-srv.15064" --secure-channels=all
this looks like the subject name of the CA, not the host running the
virtual machine?
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error
error:00000001:lib(0):func(0):reason(1)
3078249000:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:1063:
Warning: SSL Error:
ping to vms-srv is done.
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> On 08/05/2012 07:23 PM, Artem wrote:
>>
>> Hi all,
>>
>> spicec connected to virtual machines on Ovirt web console... but
>> manual connect this (on windows or linux)
>>
>> 1344197680 INFO [3001:3002] RedPeer::connect_unsecure: Connected to
>> 192.168.0.3 5900
>> 1344197680 INFO [3001:3002] RedPeer::connect_secure: Connected to
>> 192.168.0.3 5901
>> 1344197680 ERROR [3001:3002] RedPeer::verify_subject: subject
>> mismatch: #entries cert=2, input=3
>> 1344197680 ERROR [3001:3002] RedPeer::connect_secure: failed to
>> connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
>> 1344197680 WARN [3001:3002] RedChannel::run: SSL Error:
>> 1344197680 INFO [3001:3001] main: Spice client terminated (exitcode = 7)
>>
>> what can be done about it ?
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
> did you mean you tried to connect from spice using command line?
> what was the command line you used?
> (this seems like a missing host fqdn for spice when asking to connect with
> ssl)
>
11:07 p.m.
hmm... not sure if understood correctly...
vm-srv this KVM host.. (server) and I connect from another machine to vm on kvm.
this subject name i get in .spicec/spice_truststore.pem
//////////////////////////////////
# cat .spicec/spice_truststore.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
Validity
Not Before: Jul 28 03:42:06 2012
Not After : Jul 26 23:42:07 2022 GMT
Subject: C=US, O=ICL, CN=CA-vm-srv.15064
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
///////////////////////////////////////////
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
this looks like the subject name of the CA, not the host running the
virtual
machine?
11:12 p.m.
On 08/06/2012 12:07 AM, Artem wrote:
hmm... not sure if understood correctly...
vm-srv this KVM host.. (server) and I connect from another machine to vm on kvm.
did you install the engine and kvm host on same machine?
this subject name i get in .spicec/spice_truststore.pem
yes, spice trusts the CA, but client needs to validate the target host
certificate.
(if you run engine and host on same machine, try:
"C=US, O=ICL, CN=vm-srv"
(assuming you added the host with hostname of vm-srv to engine. if you
added it with fqdn or ip, use them under last CN)
//////////////////////////////////
# cat .spicec/spice_truststore.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
Validity
Not Before: Jul 28 03:42:06 2012
Not After : Jul 26 23:42:07 2022 GMT
Subject: C=US, O=ICL, CN=CA-vm-srv.15064
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
///////////////////////////////////////////
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> this looks like the subject name of the CA, not the host running the virtual
> machine?
11:30 p.m.
yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
i change host-subject but..
# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
CN=vm-srv" --secure-channels=all
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error
error:00000001:lib(0):func(0):reason(1)
3079539240:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:1063:
Warning: SSL Error:
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
On 08/06/2012 12:07 AM, Artem wrote:
>
> hmm... not sure if understood correctly...
>
> vm-srv this KVM host.. (server) and I connect from another machine to vm
> on kvm.
did you install the engine and kvm host on same machine?
>
> this subject name i get in .spicec/spice_truststore.pem
yes, spice trusts the CA, but client needs to validate the target host
certificate.
(if you run engine and host on same machine, try:
"C=US, O=ICL, CN=vm-srv"
(assuming you added the host with hostname of vm-srv to engine. if you added
it with fqdn or ip, use them under last CN)
>
> //////////////////////////////////
> # cat .spicec/spice_truststore.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
> Validity
> Not Before: Jul 28 03:42:06 2012
> Not After : Jul 26 23:42:07 2022 GMT
> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> ///////////////////////////////////////////
>
> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>
>> this looks like the subject name of the CA, not the host running the
>> virtual
>> machine?
11:40 p.m.
On 08/06/2012 12:30 AM, Artem wrote:
yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
what do you get for:
cat /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject
?
i change host-subject but..
# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
CN=vm-srv" --secure-channels=all
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error
error:00000001:lib(0):func(0):reason(1)
3079539240:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:1063:
Warning: SSL Error:
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> On 08/06/2012 12:07 AM, Artem wrote:
>>
>> hmm... not sure if understood correctly...
>>
>> vm-srv this KVM host.. (server) and I connect from another machine to vm
>> on kvm.
>
>
> did you install the engine and kvm host on same machine?
>
>
>>
>> this subject name i get in .spicec/spice_truststore.pem
>
>
> yes, spice trusts the CA, but client needs to validate the target host
> certificate.
> (if you run engine and host on same machine, try:
> "C=US, O=ICL, CN=vm-srv"
> (assuming you added the host with hostname of vm-srv to engine. if you added
> it with fqdn or ip, use them under last CN)
>
>
>>
>> //////////////////////////////////
>> # cat .spicec/spice_truststore.pem
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1 (0x1)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>> Validity
>> Not Before: Jul 28 03:42:06 2012
>> Not After : Jul 26 23:42:07 2022 GMT
>> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> Public-Key: (2048 bit)
>> Modulus:
>> ///////////////////////////////////////////
>>
>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>
>>> this looks like the subject name of the CA, not the host running the
>>> virtual
>>> machine?
>
>
>
11:44 p.m.
On 08/06/2012 12:43 AM, Artem wrote:
[root@vm-srv ~]# cat /etc/pki/vdsm/certs/vdsmcert.pem | grep
Subject
Subject: O=ICL, CN=192.168.0.3
so, you added this host based on it's ip.
the above is the subject you should be using...
Subject Public Key Info:
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> cat /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject
11:51 p.m.
oh ... I have done a foolish thing, but...
spicec -h vm-srv -p 5900 -s 5901 --host-subject "O=ICL,
CN=192.168.0.3" --secure-channels=all
Warning: connect failed 7
cat .spicec/spicec.log
1344217716 INFO [3164:3164] Application::main: starting 0.8.3
1344217716 INFO [3164:3164] init_key_map: using evdev mapping
1344217716 INFO [3164:3164] MultyMonScreen::MultyMonScreen:
platform_win: 58720257
1344217716 INFO [3164:3164] ForeignMenu::ForeignMenu: Creating a
foreign menu connection /tmp/SpiceForeignMenu-3164.uds
1344217716 INFO [3164:3165] RedPeer::connect_secure: Connected to vm-srv 5901
1344217716 WARN [3164:3165] RedChannel::run: connect failed 7
1344217716 INFO [3164:3164] main: Spice client terminated (exitcode = 3)
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
so, you added this host based on it's ip.
the above is the subject you should be using...
12:04 a.m.
On 08/06/2012 12:51 AM, Artem wrote:
oh ... I have done a foolish thing, but...
spicec -h vm-srv -p 5900 -s 5901 --host-subject "O=ICL,
CN=192.168.0.3" --secure-channels=all
Warning: connect failed 7
why are you assuming port 5901 is the secure port for spice connection?
cat .spicec/spicec.log
1344217716 INFO [3164:3164] Application::main: starting 0.8.3
1344217716 INFO [3164:3164] init_key_map: using evdev mapping
1344217716 INFO [3164:3164] MultyMonScreen::MultyMonScreen:
platform_win: 58720257
1344217716 INFO [3164:3164] ForeignMenu::ForeignMenu: Creating a
foreign menu connection /tmp/SpiceForeignMenu-3164.uds
1344217716 INFO [3164:3165] RedPeer::connect_secure: Connected to vm-srv 5901
1344217716 WARN [3164:3165] RedChannel::run: connect failed 7
1344217716 INFO [3164:3164] main: Spice client terminated (exitcode = 3)
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> so, you added this host based on it's ip.
> the above is the subject you should be using...
12:08 a.m.
section for target vm
<display>
<type>spice</type>
<address>192.168.0.3</address>
<port>5900</port>
<secure_port>5901</secure_port>
<monitors>1</monitors>
<allow_reconnect>true</allow_reconnect>
</display>
log from connect to spice-xpi
////////////////
2012-08-05 22:03:30.766+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204210, "microseconds": 766409}, "event":
"SPICE_CONNECTED", "data": {"server": {"port":
"5901", "family":
"ipv4", "host": "192.168.0.3"}, "client":
{"port": "54549", "family":
"ipv4", "host": "192.168.0.156"}}}
len=243
2012-08-05 22:03:30.767+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:30.768+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:30.768+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204210, "microseconds": 768142}, "event":
"SPICE_CONNECTED", "data": {"server": {"port":
"5901", "family":
"ipv4", "host": "192.168.0.3"}, "client":
{"port": "54550", "family":
"ipv4", "host": "192.168.0.156"}}}
len=243
2012-08-05 22:03:30.769+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204210, "microseconds": 769686}, "event":
"SPICE_CONNECTED", "data": {"server": {"port":
"5901", "family":
"ipv4", "host": "192.168.0.3"}, "client":
{"port": "54551", "family":
"ipv4", "host": "192.168.0.156"}}}
len=243
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204211, "microseconds": 94700}, "event":
"SPICE_INITIALIZED", "data": {"server": {"auth":
"spice", "port":
"5901", "family": "ipv4", "host":
"192.168.0.3"}, "client": {"port":
"54551", "family": "ipv4", "channel-type": 4,
"connection-id":
2145174067, "host": "192.168.0.156", "channel-id": 0,
"tls": true}}}
len=339
2012-08-05 22:03:31.095+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.096+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.096+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.130+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.130+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204211, "microseconds": 130196}, "event":
"SPICE_INITIALIZED", "data": {"server": {"auth":
"spice", "port":
"5901", "family": "ipv4", "host":
"192.168.0.3"}, "client": {"port":
"54549", "family": "ipv4", "channel-type": 3,
"connection-id":
2145174067, "host": "192.168.0.156", "channel-id": 0,
"tls": true}}}
len=340
2012-08-05 22:03:31.131+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.131+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.131+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.132+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.135+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.135+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204211, "microseconds": 133524}, "event":
"SPICE_INITIALIZED", "data": {"server": {"auth":
"spice", "port":
"5901", "family": "ipv4", "host":
"192.168.0.3"}, "client": {"port":
"54550", "family": "ipv4", "channel-type": 2,
"connection-id":
2145174067, "host": "192.168.0.156", "channel-id": 0,
"tls": true}}}
len=340
////////
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
why are you assuming port 5901 is the secure port for spice
connection?
12:13 a.m.
On 08/06/2012 01:08 AM, Artem wrote:
section for target vm
<display>
<type>spice</type>
<address>192.168.0.3</address>
<port>5900</port>
<secure_port>5901</secure_port>
<monitors>1</monitors>
<allow_reconnect>true</allow_reconnect>
</display>
log from connect to spice-xpi
////////////////
2012-08-05 22:03:30.766+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204210, "microseconds": 766409}, "event":
"SPICE_CONNECTED", "data": {"server": {"port":
"5901", "family":
"ipv4", "host": "192.168.0.3"}, "client":
{"port": "54549", "family":
"ipv4", "host": "192.168.0.156"}}}
len=243
2012-08-05 22:03:30.767+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:30.768+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:30.768+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204210, "microseconds": 768142}, "event":
"SPICE_CONNECTED", "data": {"server": {"port":
"5901", "family":
"ipv4", "host": "192.168.0.3"}, "client":
{"port": "54550", "family":
"ipv4", "host": "192.168.0.156"}}}
len=243
2012-08-05 22:03:30.769+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204210, "microseconds": 769686}, "event":
"SPICE_CONNECTED", "data": {"server": {"port":
"5901", "family":
"ipv4", "host": "192.168.0.3"}, "client":
{"port": "54551", "family":
"ipv4", "host": "192.168.0.156"}}}
len=243
2012-08-05 22:03:30.770+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204211, "microseconds": 94700}, "event":
"SPICE_INITIALIZED", "data": {"server": {"auth":
"spice", "port":
"5901", "family": "ipv4", "host":
"192.168.0.3"}, "client": {"port":
"54551", "family": "ipv4", "channel-type": 4,
"connection-id":
2145174067, "host": "192.168.0.156", "channel-id": 0,
"tls": true}}}
len=339
2012-08-05 22:03:31.095+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.095+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.096+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.096+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.130+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.130+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204211, "microseconds": 130196}, "event":
"SPICE_INITIALIZED", "data": {"server": {"auth":
"spice", "port":
"5901", "family": "ipv4", "host":
"192.168.0.3"}, "client": {"port":
"54549", "family": "ipv4", "channel-type": 3,
"connection-id":
2145174067, "host": "192.168.0.156", "channel-id": 0,
"tls": true}}}
len=340
2012-08-05 22:03:31.131+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.131+0000: 1587: debug :
qemuMonitorEmitGraphics:975 : mon=0x7f3b2c0135d0
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=4
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.131+0000: 1587: debug : qemuMonitorUnref:210 :
QEMU_MONITOR_UNREF: mon=0x7f3b2c0135d0 refs=2
2012-08-05 22:03:31.131+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.132+0000: 1587: debug : virDomainFree:2313 :
dom=0x21e2e60, (VM: name=dns-srv,
uuid=d3db360f-4ff5-46f5-b61d-db09465db52c)
2012-08-05 22:03:31.135+0000: 1587: debug : qemuMonitorRef:201 :
QEMU_MONITOR_REF: mon=0x7f3b2c0135d0 refs=3
2012-08-05 22:03:31.135+0000: 1587: debug : qemuMonitorIOProcess:327 :
QEMU_MONITOR_IO_PROCESS: mon=0x7f3b2c0135d0 buf={"timestamp":
{"seconds": 1344204211, "microseconds": 133524}, "event":
"SPICE_INITIALIZED", "data": {"server": {"auth":
"spice", "port":
"5901", "family": "ipv4", "host":
"192.168.0.3"}, "client": {"port":
"54550", "family": "ipv4", "channel-type": 2,
"connection-id":
2145174067, "host": "192.168.0.156", "channel-id": 0,
"tls": true}}}
len=340
////////
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> why are you assuming port 5901 is the secure port for spice connection?
what about setting the spice ticket/password and passing it to spice client?
12:24 a.m.
hm... this all config... hov i get it?
<vms>
<vm id="d3db360f-4ff5-46f5-b61d-db09465db52c"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c">
<name>dns-srv</name>
<actions>
<link rel="shutdown"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/shutdown"/>
<link rel="start"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/start"/>
<link rel="stop"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/stop"/>
<link rel="suspend"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/suspend"/>
<link rel="export"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/export"/>
<link rel="detach"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/detach"/>
<link rel="move"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/move"/>
<link rel="ticket"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket"/>
<link rel="migrate"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/migrate"/>
<link rel="cancelmigration"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cancelmigration"/>
</actions>
<link rel="disks"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/disks"/>
<link rel="nics"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/nics"/>
<link rel="cdroms"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cdroms"/>
<link rel="snapshots"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/snapshots"/>
<link rel="tags"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/tags"/>
<link rel="permissions"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/permissions"/>
<link rel="statistics"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/statistics"/>
<type>server</type>
<status>
<state>up</state>
</status>
<memory>536870912</memory>
<cpu>
<topology cores="1" sockets="1"/>
</cpu>
<os type="rhel_6x64">
<boot dev="hd"/>
<boot dev="cdrom"/>
<kernel/>
<initrd/>
<cmdline/>
</os>
<high_availability>
<enabled>false</enabled>
<priority>1</priority>
</high_availability>
<display>
<type>spice</type>
<address>192.168.0.3</address>
<port>5900</port>
<secure_port>5901</secure_port>
<monitors>1</monitors>
<allow_reconnect>true</allow_reconnect>
</display>
<host id="82899d36-d913-11e1-84c7-cbe4a64e9810"
href="/api/hosts/82899d36-d913-11e1-84c7-cbe4a64e9810"/>
<cluster id="6e6c825a-d913-11e1-af2a-bfe9e665ddb3"
href="/api/clusters/6e6c825a-d913-11e1-af2a-bfe9e665ddb3"/>
<template id="00000000-0000-0000-0000-000000000000"
href="/api/templates/00000000-0000-0000-0000-000000000000"/>
<start_time>2012-08-05T16:05:43.413+04:00</start_time>
<creation_time>2012-08-01T03:01:12.573+04:00</creation_time>
<origin>ovirt</origin>
<stateless>false</stateless>
<placement_policy>
<affinity>migratable</affinity>
</placement_policy>
<memory_policy>
<guaranteed>536870912</guaranteed>
</memory_policy>
<quota id="1060e438-244e-4888-ae60-c3fa754343c5"/>
<usb>
<enabled>false
</enabled>
</usb>
</vm>
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
what about setting the spice ticket/password and passing it to spice
client?
12:30 a.m.
On 08/06/2012 01:24 AM, Artem wrote:
hm... this all config... hov i get it?
you need to set it (default expiration is 120 seconds iirc).
check this thread:
http://www.mail-archive.com/engine-devel@ovirt.org/msg00611.html
and this documentation on setvmticket:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/h...
<vms>
<vm id="d3db360f-4ff5-46f5-b61d-db09465db52c"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c">
<name>dns-srv</name>
<actions>
<link rel="shutdown"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/shutdown"/>
<link rel="start"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/start"/>
<link rel="stop"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/stop"/>
<link rel="suspend"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/suspend"/>
<link rel="export"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/export"/>
<link rel="detach"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/detach"/>
<link rel="move"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/move"/>
<link rel="ticket"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket"/>
<link rel="migrate"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/migrate"/>
<link rel="cancelmigration"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cancelmigration"/>
</actions>
<link rel="disks"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/disks"/>
<link rel="nics"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/nics"/>
<link rel="cdroms"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cdroms"/>
<link rel="snapshots"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/snapshots"/>
<link rel="tags"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/tags"/>
<link rel="permissions"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/permissions"/>
<link rel="statistics"
href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/statistics"/>
<type>server</type>
<status>
<state>up</state>
</status>
<memory>536870912</memory>
<cpu>
<topology cores="1" sockets="1"/>
</cpu>
<os type="rhel_6x64">
<boot dev="hd"/>
<boot dev="cdrom"/>
<kernel/>
<initrd/>
<cmdline/>
</os>
<high_availability>
<enabled>false</enabled>
<priority>1</priority>
</high_availability>
<display>
<type>spice</type>
<address>192.168.0.3</address>
<port>5900</port>
<secure_port>5901</secure_port>
<monitors>1</monitors>
<allow_reconnect>true</allow_reconnect>
</display>
<host id="82899d36-d913-11e1-84c7-cbe4a64e9810"
href="/api/hosts/82899d36-d913-11e1-84c7-cbe4a64e9810"/>
<cluster id="6e6c825a-d913-11e1-af2a-bfe9e665ddb3"
href="/api/clusters/6e6c825a-d913-11e1-af2a-bfe9e665ddb3"/>
<template id="00000000-0000-0000-0000-000000000000"
href="/api/templates/00000000-0000-0000-0000-000000000000"/>
<start_time>2012-08-05T16:05:43.413+04:00</start_time>
<creation_time>2012-08-01T03:01:12.573+04:00</creation_time>
<origin>ovirt</origin>
<stateless>false</stateless>
<placement_policy>
<affinity>migratable</affinity>
</placement_policy>
<memory_policy>
<guaranteed>536870912</guaranteed>
</memory_policy>
<quota id="1060e438-244e-4888-ae60-c3fa754343c5"/>
<usb>
<enabled>false
</enabled>
</usb>
</vm>
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> what about setting the spice ticket/password and passing it to spice client?
12:33 a.m.
On 08/06/2012 01:30 AM, Itamar Heim wrote:
On 08/06/2012 01:24 AM, Artem wrote:
> hm... this all config... hov i get it?
you need to set it (default expiration is 120 seconds iirc).
check this thread:
http://www.mail-archive.com/engine-devel@ovirt.org/msg00611.html
and this documentation on setvmticket:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/h...
or just use the ovirt cli 'console' command which will open a spice
console for you after doing all you are trying to do...
>
> <vms>
> <vm id="d3db360f-4ff5-46f5-b61d-db09465db52c"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c">
> <name>dns-srv</name>
> <actions>
> <link rel="shutdown"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/shutdown"/>
> <link rel="start"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/start"/>
> <link rel="stop"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/stop"/>
> <link rel="suspend"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/suspend"/>
> <link rel="export"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/export"/>
> <link rel="detach"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/detach"/>
> <link rel="move"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/move"/>
> <link rel="ticket"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket"/>
> <link rel="migrate"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/migrate"/>
> <link rel="cancelmigration"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cancelmigration"/>
> </actions>
> <link rel="disks"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/disks"/>
> <link rel="nics"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/nics"/>
> <link rel="cdroms"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/cdroms"/>
> <link rel="snapshots"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/snapshots"/>
> <link rel="tags"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/tags"/>
> <link rel="permissions"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/permissions"/>
> <link rel="statistics"
> href="/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/statistics"/>
> <type>server</type>
> <status>
> <state>up</state>
> </status>
> <memory>536870912</memory>
> <cpu>
> <topology cores="1" sockets="1"/>
> </cpu>
> <os type="rhel_6x64">
> <boot dev="hd"/>
> <boot dev="cdrom"/>
> <kernel/>
> <initrd/>
> <cmdline/>
> </os>
> <high_availability>
> <enabled>false</enabled>
> <priority>1</priority>
> </high_availability>
> <display>
> <type>spice</type>
> <address>192.168.0.3</address>
> <port>5900</port>
> <secure_port>5901</secure_port>
> <monitors>1</monitors>
> <allow_reconnect>true</allow_reconnect>
> </display>
> <host id="82899d36-d913-11e1-84c7-cbe4a64e9810"
> href="/api/hosts/82899d36-d913-11e1-84c7-cbe4a64e9810"/>
> <cluster id="6e6c825a-d913-11e1-af2a-bfe9e665ddb3"
> href="/api/clusters/6e6c825a-d913-11e1-af2a-bfe9e665ddb3"/>
> <template id="00000000-0000-0000-0000-000000000000"
> href="/api/templates/00000000-0000-0000-0000-000000000000"/>
> <start_time>2012-08-05T16:05:43.413+04:00</start_time>
> <creation_time>2012-08-01T03:01:12.573+04:00</creation_time>
> <origin>ovirt</origin>
> <stateless>false</stateless>
> <placement_policy>
> <affinity>migratable</affinity>
> </placement_policy>
> <memory_policy>
> <guaranteed>536870912</guaranteed>
> </memory_policy>
> <quota id="1060e438-244e-4888-ae60-c3fa754343c5"/>
> <usb>
> <enabled>false
> </enabled>
> </usb>
> </vm>
>
> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>> what about setting the spice ticket/password and passing it to spice
>> client?
12:40 a.m.
Run console from ovirt-shell work... but no auto fullscreen for display vm
////
# ovirt-shell -c -l "http://192.168.0.3:8080/api" -u "admin@internal"
-p 'pass'
==========================================
>> connected to oVirt manager 3.1.0.0 <<<
==========================================
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (connected)]# console dns-srv
////
and console open
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
or just use the ovirt cli 'console' command which will open a
spice console
for you after doing all you are trying to do...
1:43 a.m.
Hm...
thi is correct?
curl -X POST -H "Accept: application/xml" -H "Content-Type:
application/xml" -u admin@internal:pass -d
"<action><ticket><expiry>900</expiry></ticket></action>"
https://192.168.0.3:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
2012/8/6 Artem <artem(a)e-inet.ru>:
Run console from ovirt-shell work... but no auto fullscreen for
display vm
////
# ovirt-shell -c -l "http://192.168.0.3:8080/api" -u "admin@internal"
-p 'pass'
==========================================
>>> connected to oVirt manager 3.1.0.0 <<<
==========================================
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (connected)]# console dns-srv
////
and console open
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> or just use the ovirt cli 'console' command which will open a spice console
> for you after doing all you are trying to do...
8:16 a.m.
On 08/06/2012 02:43 AM, Artem wrote:
Hm...
thi is correct?
curl -X POST -H "Accept: application/xml" -H "Content-Type:
application/xml" -u admin@internal:pass -d
"<action><ticket><expiry>900</expiry></ticket></action>"
https://192.168.0.3:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
partially...
this allows you to get the ticket in the response.
i see the documentation is missing it, but you can also set the ticket
value with your own password which should be easier then getting it from
the response.
<xs:complexType name="Ticket">
<xs:sequence>
<xs:element name="value" type="xs:string"
minOccurs="0"
maxOccurs="1"/>
<xs:element name="expiry" type="xs:unsignedInt"
minOccurs="0"
maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
2012/8/6 Artem <artem(a)e-inet.ru>:
> Run console from ovirt-shell work... but no auto fullscreen for display vm
>
> ////
>
> # ovirt-shell -c -l "http://192.168.0.3:8080/api" -u
"admin@internal" -p 'pass'
>
> ==========================================
> >>> connected to oVirt manager 3.1.0.0 <<<
> ==========================================
>
>
>
> ++++++++++++++++++++++++++++++++++++++++++
>
> Welcome to oVirt shell
>
> ++++++++++++++++++++++++++++++++++++++++++
>
>
> [oVirt shell (connected)]# console dns-srv
>
> ////
>
> and console open
>
> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>> or just use the ovirt cli 'console' command which will open a spice
console
>> for you after doing all you are trying to do...
8:17 a.m.
On 08/06/2012 01:40 AM, Artem wrote:
Run console from ovirt-shell work... but no auto fullscreen for
display vm
please open a bug for this to be added.
thanks
////
# ovirt-shell -c -l "http://192.168.0.3:8080/api" -u "admin@internal"
-p 'pass'
==========================================
>>> connected to oVirt manager 3.1.0.0 <<<
==========================================
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (connected)]# console dns-srv
////
and console open
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> or just use the ovirt cli 'console' command which will open a spice console
> for you after doing all you are trying to do...
1:30 p.m.
@Itamar - this is recurring problem, what about creating a wiki page for
it?
@Artem:
Artem píše v Po 06. 08. 2012 v 01:30 +0400:
yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
i change host-subject but..
# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
CN=vm-srv" --secure-channels=all
1) your command line is missing '--ca-file $CA_FILE' altoghether
2) you don't mention password
3) you shouldn't need to specify host subject at all because your host
(-h) matches name of server in CN field of host subject. If you override
it anyway, strip white spaces after commas in it:
--host-subject='C=US,O=ICL,CN=vm-srv'
4) you could omit -p and --secure-channels altogether in order to
achieve tls-only connection, but you can hit
https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
So you should do (out of my head, may contain typos):
get CA:
* on engine, it is found here:
CA_FILE=/etc/pki/ovirt-engine/ca.pem
* on host, it's here:
CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
* on any other host, get it from engine web interface:
wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
on the host, get UUID of the VM:
$ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([ \t]\+\)[
\t].*$/\1/')"
as root on the host, set ticket (password and its period of validity):
# vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
(doing it via REST API is cleaner but more cumbersome for me)
if the hostname you're connecting does not match what is in CN field of
Subject of the server cert, get the subject without spaces after commas
on the host:
$ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[
\t]*/,/'
connect to the spice-server:
$ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
OR, with newer, shinier and overall better client :)
# yum install virt-viewer
$ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem
spice://vm-srv/?tls-port=${SECURE_PORT}
(you'll have to provide the password through the pop-up dialog)
if you need to provide host subject (host name/IP not matching the one from server cert
Subject):
$ spicec --host-subject ${HOST_SUBJECT} [...]
OR
$ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
David
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error
error:00000001:lib(0):func(0):reason(1)
3079539240:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:1063:
Warning: SSL Error:
2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> On 08/06/2012 12:07 AM, Artem wrote:
>>
>> hmm... not sure if understood correctly...
>>
>> vm-srv this KVM host.. (server) and I connect from another machine to vm
>> on kvm.
>
>
> did you install the engine and kvm host on same machine?
>
>
>>
>> this subject name i get in .spicec/spice_truststore.pem
>
>
> yes, spice trusts the CA, but client needs to validate the target host
> certificate.
> (if you run engine and host on same machine, try:
> "C=US, O=ICL, CN=vm-srv"
> (assuming you added the host with hostname of vm-srv to engine. if you added
> it with fqdn or ip, use them under last CN)
>
>
>>
>> //////////////////////////////////
>> # cat .spicec/spice_truststore.pem
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1 (0x1)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>> Validity
>> Not Before: Jul 28 03:42:06 2012
>> Not After : Jul 26 23:42:07 2022 GMT
>> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> Public-Key: (2048 bit)
>> Modulus:
>> ///////////////////////////////////////////
>>
>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>
>>> this looks like the subject name of the CA, not the host running the
>>> virtual
>>> machine?
>
>
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
7:38 p.m.
Hi all, thaks for lot, it's work
1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
${VALIDITY_SECONDS}" on kvm host
3) and connect to consle use this line "spicec --ca-file ${CA_FILE} -w
${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
but how to install "setVmTicket" without login as root on kvm host,
how to make it through the post request?
2012/8/6 David Jaša <djasa(a)redhat.com>:
@Itamar - this is recurring problem, what about creating a wiki page
for
it?
@Artem:
Artem píše v Po 06. 08. 2012 v 01:30 +0400:
> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>
> i change host-subject but..
>
> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
> CN=vm-srv" --secure-channels=all
1) your command line is missing '--ca-file $CA_FILE' altoghether
2) you don't mention password
3) you shouldn't need to specify host subject at all because your host
(-h) matches name of server in CN field of host subject. If you override
it anyway, strip white spaces after commas in it:
--host-subject='C=US,O=ICL,CN=vm-srv'
4) you could omit -p and --secure-channels altogether in order to
achieve tls-only connection, but you can hit
https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
So you should do (out of my head, may contain typos):
get CA:
* on engine, it is found here:
CA_FILE=/etc/pki/ovirt-engine/ca.pem
* on host, it's here:
CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
* on any other host, get it from engine web interface:
wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
on the host, get UUID of the VM:
$ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([ \t]\+\)[
\t].*$/\1/')"
as root on the host, set ticket (password and its period of validity):
# vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
(doing it via REST API is cleaner but more cumbersome for me)
if the hostname you're connecting does not match what is in CN field of
Subject of the server cert, get the subject without spaces after commas
on the host:
$ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[
\t]*/,/'
connect to the spice-server:
$ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
OR, with newer, shinier and overall better client :)
# yum install virt-viewer
$ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem
spice://vm-srv/?tls-port=${SECURE_PORT}
(you'll have to provide the password through the pop-up dialog)
if you need to provide host subject (host name/IP not matching the one from server cert
Subject):
$ spicec --host-subject ${HOST_SUBJECT} [...]
OR
$ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
David
> Error: subject mismatch: #entries cert=2, input=3
> Error: failed to connect w/SSL, ssl_error
> error:00000001:lib(0):func(0):reason(1)
> 3079539240:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:s3_clnt.c:1063:
> Warning: SSL Error:
>
>
> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> > On 08/06/2012 12:07 AM, Artem wrote:
> >>
> >> hmm... not sure if understood correctly...
> >>
> >> vm-srv this KVM host.. (server) and I connect from another machine to vm
> >> on kvm.
> >
> >
> > did you install the engine and kvm host on same machine?
> >
> >
> >>
> >> this subject name i get in .spicec/spice_truststore.pem
> >
> >
> > yes, spice trusts the CA, but client needs to validate the target host
> > certificate.
> > (if you run engine and host on same machine, try:
> > "C=US, O=ICL, CN=vm-srv"
> > (assuming you added the host with hostname of vm-srv to engine. if you added
> > it with fqdn or ip, use them under last CN)
> >
> >
> >>
> >> //////////////////////////////////
> >> # cat .spicec/spice_truststore.pem
> >> Certificate:
> >> Data:
> >> Version: 3 (0x2)
> >> Serial Number: 1 (0x1)
> >> Signature Algorithm: sha1WithRSAEncryption
> >> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
> >> Validity
> >> Not Before: Jul 28 03:42:06 2012
> >> Not After : Jul 26 23:42:07 2022 GMT
> >> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
> >> Subject Public Key Info:
> >> Public Key Algorithm: rsaEncryption
> >> Public-Key: (2048 bit)
> >> Modulus:
> >> ///////////////////////////////////////////
> >>
> >> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
> >>>
> >>> this looks like the subject name of the CA, not the host running the
> >>> virtual
> >>> machine?
> >
> >
> >
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
9:04 p.m.
Hello again,
I figured out, this resolve my question
# curl -X POST -H "Accept: application/xml" -H "Content-type:
application/xml" -u admin@internal:pass --cacert ca.crt -d
"<action><ticket><expiry>120</expiry></ticket></action>"
https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
<?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
<action>
<ticket>
<value>+e/OUQvquJx4</value>
<expiry>120</expiry>
</ticket>
<status>
<state>complete</state>
</status>
</action>
Artem
2012/8/7 Artem <artem(a)e-inet.ru>:
Hi all, thaks for lot, it's work
1) get CA to client "wget -O ${CA_FILE}
http://ovirt-engine.example.org/ca.crt"
2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
${VALIDITY_SECONDS}" on kvm host
3) and connect to consle use this line "spicec --ca-file ${CA_FILE} -w
${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
but how to install "setVmTicket" without login as root on kvm host,
how to make it through the post request?
2012/8/6 David Jaša <djasa(a)redhat.com>:
> @Itamar - this is recurring problem, what about creating a wiki page for
> it?
>
> @Artem:
>
> Artem píše v Po 06. 08. 2012 v 01:30 +0400:
>> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>>
>> i change host-subject but..
>>
>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
>> CN=vm-srv" --secure-channels=all
>
> 1) your command line is missing '--ca-file $CA_FILE' altoghether
>
> 2) you don't mention password
>
> 3) you shouldn't need to specify host subject at all because your host
> (-h) matches name of server in CN field of host subject. If you override
> it anyway, strip white spaces after commas in it:
> --host-subject='C=US,O=ICL,CN=vm-srv'
>
> 4) you could omit -p and --secure-channels altogether in order to
> achieve tls-only connection, but you can hit
> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
>
> So you should do (out of my head, may contain typos):
> get CA:
> * on engine, it is found here:
> CA_FILE=/etc/pki/ovirt-engine/ca.pem
> * on host, it's here:
> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
> * on any other host, get it from engine web interface:
> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
>
> on the host, get UUID of the VM:
> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([
\t]\+\)[ \t].*$/\1/')"
>
> as root on the host, set ticket (password and its period of validity):
> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
> (doing it via REST API is cleaner but more cumbersome for me)
>
> if the hostname you're connecting does not match what is in CN field of
> Subject of the server cert, get the subject without spaces after commas
> on the host:
> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[
\t]*/,/'
>
> connect to the spice-server:
> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
> OR, with newer, shinier and overall better client :)
> # yum install virt-viewer
> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem
spice://vm-srv/?tls-port=${SECURE_PORT}
> (you'll have to provide the password through the pop-up dialog)
>
> if you need to provide host subject (host name/IP not matching the one from server
cert Subject):
> $ spicec --host-subject ${HOST_SUBJECT} [...]
> OR
> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
>
> David
>
>
>> Error: subject mismatch: #entries cert=2, input=3
>> Error: failed to connect w/SSL, ssl_error
>> error:00000001:lib(0):func(0):reason(1)
>> 3079539240:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed:s3_clnt.c:1063:
>> Warning: SSL Error:
>>
>>
>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>> > On 08/06/2012 12:07 AM, Artem wrote:
>> >>
>> >> hmm... not sure if understood correctly...
>> >>
>> >> vm-srv this KVM host.. (server) and I connect from another machine to
vm
>> >> on kvm.
>> >
>> >
>> > did you install the engine and kvm host on same machine?
>> >
>> >
>> >>
>> >> this subject name i get in .spicec/spice_truststore.pem
>> >
>> >
>> > yes, spice trusts the CA, but client needs to validate the target host
>> > certificate.
>> > (if you run engine and host on same machine, try:
>> > "C=US, O=ICL, CN=vm-srv"
>> > (assuming you added the host with hostname of vm-srv to engine. if you
added
>> > it with fqdn or ip, use them under last CN)
>> >
>> >
>> >>
>> >> //////////////////////////////////
>> >> # cat .spicec/spice_truststore.pem
>> >> Certificate:
>> >> Data:
>> >> Version: 3 (0x2)
>> >> Serial Number: 1 (0x1)
>> >> Signature Algorithm: sha1WithRSAEncryption
>> >> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>> >> Validity
>> >> Not Before: Jul 28 03:42:06 2012
>> >> Not After : Jul 26 23:42:07 2022 GMT
>> >> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>> >> Subject Public Key Info:
>> >> Public Key Algorithm: rsaEncryption
>> >> Public-Key: (2048 bit)
>> >> Modulus:
>> >> ///////////////////////////////////////////
>> >>
>> >> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>> >>>
>> >>> this looks like the subject name of the CA, not the host running
the
>> >>> virtual
>> >>> machine?
>> >
>> >
>> >
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
> --
>
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>
>
>
10:18 p.m.
On 08/07/2012 10:04 PM, Artem wrote:
Hello again,
I figured out, this resolve my question
# curl -X POST -H "Accept: application/xml" -H "Content-type:
application/xml" -u admin@internal:pass --cacert ca.crt -d
"<action><ticket><expiry>120</expiry></ticket></action>"
https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
<?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
<action>
<ticket>
<value>+e/OUQvquJx4</value>
<expiry>120</expiry>
</ticket>
<status>
<state>complete</state>
</status>
</action>
indeed.
artem/david - between all the inputs in this thread - please try to
capture it in a wiki as david suggested.
thanks,
Itamar
Artem
2012/8/7 Artem <artem(a)e-inet.ru>:
> Hi all, thaks for lot, it's work
>
> 1) get CA to client "wget -O ${CA_FILE}
http://ovirt-engine.example.org/ca.crt"
> 2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
> ${VALIDITY_SECONDS}" on kvm host
> 3) and connect to consle use this line "spicec --ca-file ${CA_FILE} -w
> ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
>
> but how to install "setVmTicket" without login as root on kvm host,
> how to make it through the post request?
>
>
> 2012/8/6 David Jaša <djasa(a)redhat.com>:
>> @Itamar - this is recurring problem, what about creating a wiki page for
>> it?
>>
>> @Artem:
>>
>> Artem píše v Po 06. 08. 2012 v 01:30 +0400:
>>> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>>>
>>> i change host-subject but..
>>>
>>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
>>> CN=vm-srv" --secure-channels=all
>>
>> 1) your command line is missing '--ca-file $CA_FILE' altoghether
>>
>> 2) you don't mention password
>>
>> 3) you shouldn't need to specify host subject at all because your host
>> (-h) matches name of server in CN field of host subject. If you override
>> it anyway, strip white spaces after commas in it:
>> --host-subject='C=US,O=ICL,CN=vm-srv'
>>
>> 4) you could omit -p and --secure-channels altogether in order to
>> achieve tls-only connection, but you can hit
>> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
>>
>> So you should do (out of my head, may contain typos):
>> get CA:
>> * on engine, it is found here:
>> CA_FILE=/etc/pki/ovirt-engine/ca.pem
>> * on host, it's here:
>> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> * on any other host, get it from engine web interface:
>> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
>>
>> on the host, get UUID of the VM:
>> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([
\t]\+\)[ \t].*$/\1/')"
>>
>> as root on the host, set ticket (password and its period of validity):
>> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
>> (doing it via REST API is cleaner but more cumbersome for me)
>>
>> if the hostname you're connecting does not match what is in CN field of
>> Subject of the server cert, get the subject without spaces after commas
>> on the host:
>> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[
\t]*\(.*\)$/\1/;s/,[ \t]*/,/'
>>
>> connect to the spice-server:
>> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
>> OR, with newer, shinier and overall better client :)
>> # yum install virt-viewer
>> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem
spice://vm-srv/?tls-port=${SECURE_PORT}
>> (you'll have to provide the password through the pop-up dialog)
>>
>> if you need to provide host subject (host name/IP not matching the one from
server cert Subject):
>> $ spicec --host-subject ${HOST_SUBJECT} [...]
>> OR
>> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
>>
>> David
>>
>>
>>> Error: subject mismatch: #entries cert=2, input=3
>>> Error: failed to connect w/SSL, ssl_error
>>> error:00000001:lib(0):func(0):reason(1)
>>> 3079539240:error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>>> failed:s3_clnt.c:1063:
>>> Warning: SSL Error:
>>>
>>>
>>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>> On 08/06/2012 12:07 AM, Artem wrote:
>>>>>
>>>>> hmm... not sure if understood correctly...
>>>>>
>>>>> vm-srv this KVM host.. (server) and I connect from another machine to
vm
>>>>> on kvm.
>>>>
>>>>
>>>> did you install the engine and kvm host on same machine?
>>>>
>>>>
>>>>>
>>>>> this subject name i get in .spicec/spice_truststore.pem
>>>>
>>>>
>>>> yes, spice trusts the CA, but client needs to validate the target host
>>>> certificate.
>>>> (if you run engine and host on same machine, try:
>>>> "C=US, O=ICL, CN=vm-srv"
>>>> (assuming you added the host with hostname of vm-srv to engine. if you
added
>>>> it with fqdn or ip, use them under last CN)
>>>>
>>>>
>>>>>
>>>>> //////////////////////////////////
>>>>> # cat .spicec/spice_truststore.pem
>>>>> Certificate:
>>>>> Data:
>>>>> Version: 3 (0x2)
>>>>> Serial Number: 1 (0x1)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>> Validity
>>>>> Not Before: Jul 28 03:42:06 2012
>>>>> Not After : Jul 26 23:42:07 2022 GMT
>>>>> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>> Subject Public Key Info:
>>>>> Public Key Algorithm: rsaEncryption
>>>>> Public-Key: (2048 bit)
>>>>> Modulus:
>>>>> ///////////////////////////////////////////
>>>>>
>>>>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>>>>
>>>>>> this looks like the subject name of the CA, not the host running
the
>>>>>> virtual
>>>>>> machine?
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> --
>>
>> David Jaša, RHCE
>>
>> SPICE QE based in Brno
>> GPG Key: 22C33E24
>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>
>>
>>
10:47 a.m.
Itamar Heim píše v Út 07. 08. 2012 v 23:18 +0300:
On 08/07/2012 10:04 PM, Artem wrote:
> Hello again,
> I figured out, this resolve my question
>
> # curl -X POST -H "Accept: application/xml" -H "Content-type:
> application/xml" -u admin@internal:pass --cacert ca.crt -d
>
"<action><ticket><expiry>120</expiry></ticket></action>"
> https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
> <?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
> <action>
> <ticket>
> <value>+e/OUQvquJx4</value>
> <expiry>120</expiry>
> </ticket>
> <status>
> <state>complete</state>
> </status>
> </action>
indeed.
artem/david - between all the inputs in this thread - please try to
capture it in a wiki as david suggested.
Just writing it right now (offline).
David
thanks,
Itamar
>
> Artem
>
> 2012/8/7 Artem <artem(a)e-inet.ru>:
>> Hi all, thaks for lot, it's work
>>
>> 1) get CA to client "wget -O ${CA_FILE}
http://ovirt-engine.example.org/ca.crt"
>> 2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
>> ${VALIDITY_SECONDS}" on kvm host
>> 3) and connect to consle use this line "spicec --ca-file ${CA_FILE} -w
>> ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
>>
>> but how to install "setVmTicket" without login as root on kvm host,
>> how to make it through the post request?
>>
>>
>> 2012/8/6 David Jaša <djasa(a)redhat.com>:
>>> @Itamar - this is recurring problem, what about creating a wiki page for
>>> it?
>>>
>>> @Artem:
>>>
>>> Artem píše v Po 06. 08. 2012 v 01:30 +0400:
>>>> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>>>>
>>>> i change host-subject but..
>>>>
>>>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
>>>> CN=vm-srv" --secure-channels=all
>>>
>>> 1) your command line is missing '--ca-file $CA_FILE' altoghether
>>>
>>> 2) you don't mention password
>>>
>>> 3) you shouldn't need to specify host subject at all because your host
>>> (-h) matches name of server in CN field of host subject. If you override
>>> it anyway, strip white spaces after commas in it:
>>> --host-subject='C=US,O=ICL,CN=vm-srv'
>>>
>>> 4) you could omit -p and --secure-channels altogether in order to
>>> achieve tls-only connection, but you can hit
>>> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
>>>
>>> So you should do (out of my head, may contain typos):
>>> get CA:
>>> * on engine, it is found here:
>>> CA_FILE=/etc/pki/ovirt-engine/ca.pem
>>> * on host, it's here:
>>> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
>>> * on any other host, get it from engine web interface:
>>> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
>>>
>>> on the host, get UUID of the VM:
>>> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[
\t]\+\([ \t]\+\)[ \t].*$/\1/')"
>>>
>>> as root on the host, set ticket (password and its period of validity):
>>> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
>>> (doing it via REST API is cleaner but more cumbersome for me)
>>>
>>> if the hostname you're connecting does not match what is in CN field of
>>> Subject of the server cert, get the subject without spaces after commas
>>> on the host:
>>> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[
\t]*\(.*\)$/\1/;s/,[ \t]*/,/'
>>>
>>> connect to the spice-server:
>>> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
>>> OR, with newer, shinier and overall better client :)
>>> # yum install virt-viewer
>>> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem
spice://vm-srv/?tls-port=${SECURE_PORT}
>>> (you'll have to provide the password through the pop-up dialog)
>>>
>>> if you need to provide host subject (host name/IP not matching the one from
server cert Subject):
>>> $ spicec --host-subject ${HOST_SUBJECT} [...]
>>> OR
>>> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
>>>
>>> David
>>>
>>>
>>>> Error: subject mismatch: #entries cert=2, input=3
>>>> Error: failed to connect w/SSL, ssl_error
>>>> error:00000001:lib(0):func(0):reason(1)
>>>> 3079539240:error:14090086:SSL
>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>>>> failed:s3_clnt.c:1063:
>>>> Warning: SSL Error:
>>>>
>>>>
>>>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>>> On 08/06/2012 12:07 AM, Artem wrote:
>>>>>>
>>>>>> hmm... not sure if understood correctly...
>>>>>>
>>>>>> vm-srv this KVM host.. (server) and I connect from another
machine to vm
>>>>>> on kvm.
>>>>>
>>>>>
>>>>> did you install the engine and kvm host on same machine?
>>>>>
>>>>>
>>>>>>
>>>>>> this subject name i get in .spicec/spice_truststore.pem
>>>>>
>>>>>
>>>>> yes, spice trusts the CA, but client needs to validate the target
host
>>>>> certificate.
>>>>> (if you run engine and host on same machine, try:
>>>>> "C=US, O=ICL, CN=vm-srv"
>>>>> (assuming you added the host with hostname of vm-srv to engine. if
you added
>>>>> it with fqdn or ip, use them under last CN)
>>>>>
>>>>>
>>>>>>
>>>>>> //////////////////////////////////
>>>>>> # cat .spicec/spice_truststore.pem
>>>>>> Certificate:
>>>>>> Data:
>>>>>> Version: 3 (0x2)
>>>>>> Serial Number: 1 (0x1)
>>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>>> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>>> Validity
>>>>>> Not Before: Jul 28 03:42:06 2012
>>>>>> Not After : Jul 26 23:42:07 2022 GMT
>>>>>> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>>> Subject Public Key Info:
>>>>>> Public Key Algorithm: rsaEncryption
>>>>>> Public-Key: (2048 bit)
>>>>>> Modulus:
>>>>>> ///////////////////////////////////////////
>>>>>>
>>>>>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>>>>>
>>>>>>> this looks like the subject name of the CA, not the host
running the
>>>>>>> virtual
>>>>>>> machine?
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>> --
>>>
>>> David Jaša, RHCE
>>>
>>> SPICE QE based in Brno
>>> GPG Key: 22C33E24
>>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>>
>>>
>>>
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
4590
days inactive
4593
days old
25 comments
3 participants
participants (3)
-
Artem -
David Jaša -
Itamar Heim