On 7 Aug 2012, at 16:23, Rami Vaknin wrote:
On 08/07/2012 05:10 PM, Karli Sjöberg wrote:
Hi,
It seems very difficult to get this working. I have a Fedora 17 client, installed spice-xpi and tried to access console from User Portal but console never shows up. engine.log prints:
2012-08-07 15:56:18,738 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM
2012-08-07 15:56:18,771 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = acfc94c0-d7e1-11e1-b35e-b38016c320bb, vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94
2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 3d61fa94
From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo:
$ console milli
(window briefly flashes and disappears again)
warning: could not fetch host certificate info cause used backend/sdk does not support it.
warning: host identity will not be validated.
And have also used "spicec" directly from F17 client:
# spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The first ticket had by this time expired, so this is a new one)
(flashes)
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
# spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG
(flashes)
Warning: connect error 5 - need secured connection
I wrote a simple script that collects the parameters needed for spicec in case of a secure connection. I was using it on RHEL6; it will probably be easy to convert it to Fedora if it does not already work OTB:
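#!/bin/bash
# Usage: ./spice_to_vm.sh host vm_name
# Sets a console ticket on the VM and prints the spicec command line for a secure (TLS) connection.

# Value set as the console ticket by setVmTicket and passed to spicec --password
PASSWORD="root_password_to_the_host"
# Ticket lifetime in seconds (not named SECONDS, which bash reserves as a running timer)
TICKET_SECONDS="1200"

ssh-copy-id "root@$1" >& /dev/null

# Look up the VM ID by name in the host's VM table, then set the ticket
ID=`ssh "root@$1" vdsClient -s 0 list table | awk '{print $1":"$3":"}' | grep ":$2:" | sed -e 's/\:.*//g'`
ssh "root@$1" vdsClient -s 0 setVmTicket "$ID" "$PASSWORD" "$TICKET_SECONDS" keep >& /dev/null

# TLS port of the VM display and the subject of the host certificate (spaces removed)
PORT=`ssh "root@$1" vdsClient -s 0 getVmStats "$ID" | grep displaySecurePort | awk '{print $3}'`
SUBJECT=`ssh "root@$1" openssl x509 -noout -text -in /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject: | cut -f 10- -d " " | sed -e 's/\ //g'`

# Copy the CA certificate to a fresh temporary file rather than a fixed, predictable /tmp path
CA_FILE=`mktemp /tmp/cacert.XXXXXX`
scp "root@$1:/etc/pki/vdsm/certs/cacert.pem" "$CA_FILE" >& /dev/null

COMMAND="sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" --password $PASSWORD --secure-channels all -h $1 --secure-port $PORT --ca-file $CA_FILE"
echo "$COMMAND"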
Thank you so much, this helped me realize what the issue was. I had at first added the hosts to my engine with a "black" address on the storage network. But I changed the "display network" to the public network, so that you can connect to a console from anywhere. This made the certificate of the hosts invalid, as the "--host-subject" doesn't match the address that you connect to:
# spicec --host-subject "O=slu,CN=cirrus2-2.sto.slu.se" --password RFesfeuIGHhd -h cirrus2-2.slu.se -s 5903
So this means that changing your display network breaks SPICE consoles. Less than good, I would say.
I was able to solve this by removing the hosts from engine and adding them again, but with the public address instead, so now the connection address and host subject match. I logged in to the admin portal, clicked for console and voilà, console appears. BUT if I log in to the user portal with the same credentials and click for console on the same guest (or any other), a console screen briefly flashes and then disappears:( Bug.
/Karli
# rpm -qa | egrep '(ovirt|vdsm)'
ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch
vdsm-cli-4.10.0-5.fc17.noarch
ovirt-engine-config-3.1.0-1.fc17.noarch
ovirt-engine-userportal-3.1.0-1.fc17.noarch
vdsm-4.10.0-5.fc17.x86_64
ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch
ovirt-engine-sdk-3.1.0.4-1.fc17.noarch
ovirt-engine-restapi-3.1.0-1.fc17.noarch
ovirt-engine-backend-3.1.0-1.fc17.noarch
ovirt-engine-3.1.0-1.fc17.noarch
ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch
ovirt-engine-notification-service-3.1.0-1.fc17.noarch
ovirt-engine-dbscripts-3.1.0-1.fc17.noarch
vdsm-python-4.10.0-5.fc17.x86_64
ovirt-engine-genericapi-3.1.0-1.fc17.noarch
ovirt-engine-tools-common-3.1.0-1.fc17.noarch
ovirt-engine-cli-3.1.0.6-1.fc17.noarch
vdsm-xmlrpc-4.10.0-5.fc17.noarch
vdsm-bootstrap-4.10.0-5.fc17.noarch
ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch
ovirt-engine-setup-3.1.0-1.fc17.noarch
The engine is installed with SSL as enabled by default, the hosts too. VDSM and libvirt are all active and validate fine towards the engine; have status "UP" and so on, but can't get SPICE console working. VNC works of course, but SPICE would be much cooler:) How do I get console working with SPICE?
Best Regards
Karli Sjöberg
--
Thanks,
Rami Vaknin, QE @ Red Hat, TLV, IL.
Best regards
-------------------------------------------------------------------------------
Karli Sjöberg
Swedish University of Agricultural Sciences
Box 7079 (Visiting Address Kronåsvägen 8)
S-750 07 Uppsala, Sweden
Phone: +46-(0)18-67 15 66
karli.sjoberg@slu.se
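The mismatch described in the message above, as an added example that is not part of the original e-mail thread: a pre-flight check that normalizes an openssl subject line to the compact form used with --host-subject and compares its CN with the address the console client will connect to. The function names are hypothetical, and subjects are assumed to contain no escaped commas or slashes inside attribute values.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check for a SPICE TLS console.
# Function names are hypothetical; subjects are assumed to have no escaped
# commas or slashes inside attribute values.

# Reduce an openssl subject line to the compact "O=org,CN=host" form used
# with --host-subject in the thread. Accepts "Subject: O=x, CN=y",
# "subject= /O=x/CN=y" and "subject=O = x, CN = y".
normalize_subject() {
    printf '%s\n' "$1" | sed \
        -e 's/^[[:space:]]*[Ss]ubject[:=][[:space:]]*//' \
        -e 's|^/||' -e 's|/|,|g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/[[:space:]]*,[[:space:]]*/,/g' \
        -e 's/[[:space:]]*$//'
}

# Print the first CN value of a subject, or nothing if there is none.
subject_cn() {
    normalize_subject "$1" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Return 0 if the subject CN equals the address the client will connect to,
# 1 on mismatch, 2 if the subject carries no CN. Comparison ignores case.
check_console_target() {
    _cn=$(subject_cn "$1" | tr 'A-Z' 'a-z')
    _addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -z "$_cn" ]; then
        echo "no CN in subject '$1'" >&2
        return 2
    fi
    if [ "$_cn" = "$_addr" ]; then
        echo "ok: CN $_cn matches connection address"
        return 0
    fi
    echo "mismatch: certificate CN is $_cn but client connects to $_addr" >&2
    return 1
}

# Subject and addresses as they appear in the message above: the host was
# registered under its storage-network name, the console uses the public one.
for addr in cirrus2-2.sto.slu.se cirrus2-2.slu.se; do
    check_console_target "O=slu,CN=cirrus2-2.sto.slu.se" "$addr" || true
done
```

Running the check against every host after changing the display network shows which hosts need to be re-registered or re-issued a certificate before users open a console.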