5:32 p.m.
--_000_BLUPR02MB100378235058BDDF660037FFAC90BLUPR02MB100namprd_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hello,
I am having trouble connecting to my guest vm (Kali Linux) which is running=
spice. My engine is running version: 4.2.1.7-1.el7.centos.
I am using oVirt Node as my host running version: 4.2.1.1.
I have taken the following steps to try and get everything running properly=
.
1. Download the root CA certificate https://ovirtengine.lan/ovirt-engine=
/services/pki-resource?resource=3Dca-certificate&format=3DX509-PEM-CA
2. Edit the vm and define the graphical console entries. Video type is =
set to QXL, Graphics protocol is spice, USB support is enabled.
3. Install the guest agent in Debian per the instructions here - https:/=
/www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-=
debian/ It is my understanding that installing the guest agent will also i=
nstall the virt IO device drivers.
4. Install the spice-vdagent per the instructions here - https://www.ovi=
rt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/
5. On the aSpice client I have imported the CA certficate from step 1 a=
bove. I defined the connection using the IP of my Node and TLS port 5901.
To troubleshoot my connection issues I confirmed the port being used to lis=
ten.
virsh # domdisplay Kali
spice://172.30.42.12?tls-port=3D5901
I see the following when attempting to connect.
tail -f /var/log/libvirt/qemu/Kali.log
140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert int=
ernal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept:=
SSL_accept failed, error=3D1
I came across some documentation that states in the caveat section "Certifi=
cate of spice SSL should be separate certificate."
https://www.ovirt.org/develop/release-management/features/infra/pki/
Is this still the case for version 4? The document references version 3.2 =
and 3.3. If so, how do I generate a new certificate for use with spice? P=
lease let me know if you require further info to troubleshoot, I am happy t=
o provide it. Many thanks in advance.
<https://www.ovirt.org/develop/release-management/features/infra/pki/>
--_000_BLUPR02MB100378235058BDDF660037FFAC90BLUPR02MB100namprd_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"><!-- P
{margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper"
style=3D"font-size:12pt;color:#000000;font=
-family:Calibri,Helvetica,sans-serif;" dir=3D"ltr">
<p style=3D"margin-top:0;margin-bottom:0">Hello,</p>
<p style=3D"margin-top:0;margin-bottom:0">I am having trouble connecting
to=
my guest vm (Kali Linux) which is running spice. My engine is running vers=
ion: <span class=3D"gwt-InlineLabel
GNEKTHVBIXB"></span><span class=3D=
"gwt-InlineLabel">4.2.1.7-1.el7.centos</span>.</p>
<p style=3D"margin-top:0;margin-bottom:0">I am using oVirt Node as my host
=
running version:<span> 4.2.1.1.
<br>
</span></p>
<p style=3D"margin-top:0;margin-bottom:0"><span><br>
</span></p>
<p style=3D"margin-top:0;margin-bottom:0"><span>I have taken the
following =
steps to try and get everything running properly.</span></p>
<ol style=3D"margin-bottom: 0px; margin-top: 0px;">
<li><span>Download the root CA certificate <a
href=3D"https://ovirteng=
ine.lan/ovirt-engine/services/pki-resource?resource=3Dca-certificate&fo=
rmat=3DX509-PEM-CA" class=3D"OWAAutoLink" id=3D"LPlnk141717"
previewremoved=
=3D"true">https://ovirtengine.lan/ovirt-engine/services/pki-resource?resour=
ce=3Dca-certificate&format=3DX509-PEM-CA</a></span></li><li><span>Edit
=
the vm and define the graphical console entries. Video type is set to=
QXL, Graphics protocol is spice, USB support is
enabled.</span></li><li><s=
pan>Install the guest agent in Debian per the instructions here - <a href=
=3D"https://www.ovirt.org/documentation/how-to/guest-agent/install-the-gues=
t-agent-in-debian/" class=3D"OWAAutoLink" id=3D"LPlnk263752"
previewremoved=
=3D"true">
https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-ag=
ent-in-debian/</a> It is my understanding that installing the guest a=
gent will also install the virt IO device drivers.<br>
</span></li><li><span>Install the spice-vdagent per the
instructions here -=
<a href=3D"https://www.ovirt.org/documentation/how-to/guest-agent/insta...
the-spice-guest-agent/" class=3D"OWAAutoLink" id=3D"LPlnk313725"
previewrem=
oved=3D"true">
https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-gu=
est-agent/</a></span></li><li><span> On the aSpice
client I have impor=
ted the CA certficate from step 1 above. I defined the connection usi=
ng the IP of my Node and TLS port 5901.</span></li></ol>
<span><br>
To troubleshoot my connection issues I confirmed the port being used to lis=
ten. <br>
<div>virsh # domdisplay Kali<br>
<span>spice://172.30.42.12?tls-port=3D5901</span></div>
<br>
I see the following when attempting to connect.<br>
tail -f <span>/var/log/libvirt/qemu</span>/Kali.log<br>
<br>
<div>
<div>140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 aler=
t internal error:s3_pkt.c:1493:SSL alert number 80<br>
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept:=
SSL_accept failed, error=3D1<br>
<br>
I came across some documentation that states in the caveat section "<s=
pan>Certificate of spice SSL should be separate
certificate."</span><b=
r>
<a href=3D"https://www.ovirt.org/develop/release-management/features/in...
pki/" class=3D"OWAAutoLink" id=3D"LPlnk743161"
previewremoved=3D"true">http=
s://www.ovirt.org/develop/release-management/features/infra/pki/</a>...
<br>
Is this still the case for version 4? The document references version=
3.2 and 3.3. If so, how do I generate a new certificate for use with=
spice? Please let me know if you require further info to troubleshoo=
t, I am happy to provide it. Many thanks in advance.<br>
<a href=3D"https://www.ovirt.org/develop/release-management/features/in...
pki/" class=3D"OWAAutoLink" id=3D"LPlnk743161"
previewremoved=3D"true"></a>=
<br>
<br>
</div>
<br>
<br>
</div>
<br>
</span><br>
<span><br>
<br>
</span>
<p style=3D"margin-top:0;margin-bottom:0"><br>
</p>
</div>
</body>
</html>
--_000_BLUPR02MB100378235058BDDF660037FFAC90BLUPR02MB100namprd_--
11:19 a.m.
On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <
Jeremy_Tourville(a)hotmail.com> wrote:
Hello,
I am having trouble connecting to my guest vm (Kali Linux) which is
running spice. My engine is running version: 4.2.1.7-1.el7.centos.
I am using oVirt Node as my host running version: 4.2.1.1.
I have taken the following steps to try and get everything running
properly.
1. Download the root CA certificate https://
ovirtengine.lan/ovirt-engine/services/pki-resource?
resource=ca-certificate&format=X509-PEM-CA
<https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-ce...
2. Edit the vm and define the graphical console entries. Video type
is set to QXL, Graphics protocol is spice, USB support is enabled.
3. Install the guest agent in Debian per the instructions here -
https://www.ovirt.org/documentation/how-to/guest-
agent/install-the-guest-agent-in-debian/
<https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-...
It is my understanding that installing the guest agent will also install
the virt IO device drivers.
4. Install the spice-vdagent per the instructions here -
https://www.ovirt.org/documentation/how-to/guest-
agent/install-the-spice-guest-agent/
<https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-...
5. On the aSpice client I have imported the CA certficate from step 1
above. I defined the connection using the IP of my Node and TLS port 5901.
are you really using aSPICE client (e.g. the android SPICE client?). If
yes, maybe you want to try to open it using moVirt (
https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&...)
which delegates the console to aSPICE but configures everything including
the certificates on it. Should be much simpler than configuring it by hand..
To troubleshoot my connection issues I confirmed the port being used to
listen.
virsh # domdisplay Kali
spice://172.30.42.12?tls-port=5901
I see the following when attempting to connect.
tail -f /var/log/libvirt/qemu/Kali.log
140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert
internal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept:
SSL_accept failed, error=1
I came across some documentation that states in the caveat section "Certificate
of spice SSL should be separate certificate."
https://www.ovirt.org/develop/release-management/features/infra/pki/
Is this still the case for version 4? The document references version 3.2
and 3.3. If so, how do I generate a new certificate for use with spice?
Please let me know if you require further info to troubleshoot, I am happy
to provide it. Many thanks in advance.
<https://www.ovirt.org/develop/release-management/features/infra/pki/>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
7:10 p.m.
--_000_BLUPR02MB100BB5C2B1AFB1CB8A19904FAC80BLUPR02MB100namprd_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hi Tomas,
To answer your question, yes I am really trying to use aSpice.
I appreciate your suggestion. I'm not sure if it meets my objective. Mayb=
e our goals are different? It seems to me that movirt is built around port=
able management of the ovirt environment. I am attempting to provide a VDI=
type experience for running a vm. My goal is to run a lab environment wit=
h 30 chromebooks loaded with a spice clent. The spice client would of cour=
se connect to the 30 vms running Kali and each session would be independent=
of each other.
I did a little further testing with a different client. (spice plugin for=
chrome). When I attempted to connect using that client I got a slightly d=
ifferent error message. The message still seemed to be of the same nature-=
i.e.: there is a problem with SSL protocol and communication.
Are you suggesting that movirt can help set up the proper certficates and c=
onfig the vms to use spice? Thanks!
________________________________
From: Tomas Jelinek <tjelinek(a)redhat.com>
Sent: Monday, February 19, 2018 4:19 AM
To: Jeremy Tourville
Cc: users(a)ovirt.org
Subject: Re: [ovirt-users] Spice Client Connection Issues Using aSpice
On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville@hotmail=
.com<mailto:Jeremy_Tourville@hotmail.com>> wrote:
Hello,
I am having trouble connecting to my guest vm (Kali Linux) which is running=
spice. My engine is running version: 4.2.1.7-1.el7.centos.
I am using oVirt Node as my host running version: 4.2.1.1.
I have taken the following steps to try and get everything running properly=
.
1. Download the root CA certificate https://ovirtengine.lan/ovirt-engine=
/services/pki-resource?resource=3Dca-certificate&format=3DX509-PEM-CA
2. Edit the vm and define the graphical console entries. Video type is =
set to QXL, Graphics protocol is spice, USB support is enabled.
3. Install the guest agent in Debian per the instructions here - https:/=
/www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-=
debian/ It is my understanding that installing the guest agent will also i=
nstall the virt IO device drivers.
4. Install the spice-vdagent per the instructions here - https://www.ovi=
rt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/
5. On the aSpice client I have imported the CA certficate from step 1 a=
bove. I defined the connection using the IP of my Node and TLS port 5901.
are you really using aSPICE client (e.g. the android SPICE client?). If yes=
, maybe you want to try to open it using moVirt (https://play.google.com/st=
ore/apps/details?id=3Dorg.ovirt.mobile.movirt&hl=3Den) which delegates the =
console to aSPICE but configures everything including the certificates on i=
t. Should be much simpler than configuring it by hand..
To troubleshoot my connection issues I confirmed the port being used to lis=
ten.
virsh # domdisplay Kali
spice://172.30.42.12?tls-port=3D5901<http://172.30.42.12?tls-port=3D5901>
I see the following when attempting to connect.
tail -f /var/log/libvirt/qemu/Kali.log
140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert int=
ernal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept:=
SSL_accept failed, error=3D1
I came across some documentation that states in the caveat section "Certifi=
cate of spice SSL should be separate certificate."
https://www.ovirt.org/develop/release-management/features/infra/pki/
Is this still the case for version 4? The document references version 3.2 =
and 3.3. If so, how do I generate a new certificate for use with spice? P=
lease let me know if you require further info to troubleshoot, I am happy t=
o provide it. Many thanks in advance.
<https://www.ovirt.org/develop/release-management/features/infra/pki/>
_______________________________________________
Users mailing list
Users@ovirt.org<mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users
--_000_BLUPR02MB100BB5C2B1AFB1CB8A19904FAC80BLUPR02MB100namprd_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"><!-- P
{margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper" style=3D"font-size: 12pt; color: rgb(0,
0,=
0); font-family: Calibri, Helvetica, sans-serif, "EmojiFont", &q=
uot;Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji,
&q=
uot;Segoe UI Symbol", "Android Emoji", EmojiSymbols;"
dir=3D=
"ltr">
<p style=3D"margin-top:0;margin-bottom:0">Hi Tomas, <br>
</p>
<p style=3D"margin-top:0;margin-bottom:0">To answer your question, yes I
am=
really trying to use aSpice.</p>
<p style=3D"margin-top:0;margin-bottom:0"><br>
</p>
<p style=3D"margin-top:0;margin-bottom:0">I appreciate your
suggestion.&nbs=
p; I'm not sure if it meets my objective.
<span>Maybe our goals are different?</span> It seems to me that
movir=
t is built around portable management of the ovirt environment. I am =
attempting to provide a VDI type experience for running a vm. My goal=
is to run a lab environment with 30 chromebooks
loaded with a spice clent. The spice client would of course connect =
to the 30 vms running Kali and each session would be independent of each ot=
her.
<br>
</p>
<p style=3D"margin-top:0;margin-bottom:0"><br>
</p>
<p style=3D"margin-top:0;margin-bottom:0">I did a little further
test=
ing with a different client. (spice plugin for chrome). When I =
attempted to connect using that client I got a slightly different error mes=
sage. The message still seemed to be of the same
nature- i.e.: there is a problem with SSL protocol and communication. &nbs=
p; <br>
</p>
<p style=3D"margin-top:0;margin-bottom:0"><br>
</p>
<p style=3D"margin-top:0;margin-bottom:0">Are you suggesting that movirt
ca=
n help set up the proper certficates and config the vms to use spice? =
Thanks!<br>
</p>
<br>
<br>
<div style=3D"color: rgb(0, 0, 0);">
<hr style=3D"display:inline-block;width:98%" tabindex=3D"-1">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font
style=3D"font-size:11pt" face=
=3D"Calibri, sans-serif" color=3D"#000000"><b>From:</b>
Tomas Jelinek <t=
jelinek(a)redhat.com&gt;<br>
<b>Sent:</b> Monday, February 19, 2018 4:19 AM<br>
<b>To:</b> Jeremy Tourville<br>
<b>Cc:</b> users(a)ovirt.org<br>
<b>Subject:</b> Re: [ovirt-users] Spice Client Connection Issues Using aSpi=
ce</font>
<div> </div>
</div>
<div>
<div dir=3D"ltr"><br>
<div class=3D"x_gmail_extra"><br>
<div class=3D"x_gmail_quote">On Sun, Feb 18, 2018 at 5:32 PM, Jeremy
Tourvi=
lle <span dir=3D"ltr">
<<a href=3D"mailto:Jeremy_Tourville@hotmail.com"
target=3D"_blank">Jerem=
y_Tourville(a)hotmail.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"x_gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;
bord=
er-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir=3D"ltr">
<div id=3D"x_gmail-m_4314768941515087156divtagdefaultwrapper"
dir=3D"ltr" s=
tyle=3D"font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helveti=
ca, sans-serif, "EmojiFont", "Apple Color Emoji",
"=
;Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol",
"A=
ndroid Emoji", EmojiSymbols;">
<p style=3D"margin-top:0px; margin-bottom:0px">Hello,</p>
<p style=3D"margin-top:0px; margin-bottom:0px">I am having trouble
connecti=
ng to my guest vm (Kali Linux) which is running spice. My engine is running=
version: <span class=3D"x_gmail-m_4314768941515087156gwt-InlineLabel =
x_gmail-m_4314768941515087156GNEKTHVBIXB"></span><span
class=3D"x_gmail-m_4=
314768941515087156gwt-InlineLabel">4.2.1.7-1.el7.centos</span>.</p>
<p style=3D"margin-top:0px; margin-bottom:0px">I am using oVirt Node as my
=
host running version:<span> 4.2.1.1.
<br>
</span></p>
<p style=3D"margin-top:0px; margin-bottom:0px"><span><br>
</span></p>
<p style=3D"margin-top:0px; margin-bottom:0px"><span>I have taken
the follo=
wing steps to try and get everything running properly.</span></p>
<ol style=3D"margin-bottom:0px; margin-top:0px">
<li><span>Download the root CA certificate <a
href=3D"https://ovirteng=
ine.lan/ovirt-engine/services/pki-resource?resource=3Dca-certificate&fo=
rmat=3DX509-PEM-CA" class=3D"x_gmail-m_4314768941515087156OWAAutoLink" id=
=3D"x_gmail-m_4314768941515087156LPlnk141717"
target=3D"_blank">https://<wb=
r>ovirtengine.lan/ovirt-engine/<wbr>services/pki-resource?<wbr>resource=3Dc=
a-certificate&<wbr>format=3DX509-PEM-CA</a></span></li><li><span>Edit
t=
he vm and define the graphical console entries. Video type is set to =
QXL, Graphics protocol is spice, USB support is
enabled.</span></li><li><sp=
an>Install the guest agent in Debian per the instructions here - <a href=3D=
"https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-a=
gent-in-debian/" class=3D"x_gmail-m_4314768941515087156OWAAutoLink"
id=3D"x=
_gmail-m_4314768941515087156LPlnk263752" target=3D"_blank">
https://www.ovirt.org/<wbr>documentation/how-to/guest-<wbr>ag...
e-guest-agent-<wbr>in-debian/</a> It is my understanding that
install=
ing the guest agent will also install the virt IO device drivers.<br>
</span></li><li><span>Install the spice-vdagent per the
instructions here -=
<a href=3D"https://www.ovirt.org/documentation/how-to/guest-agent/insta...
the-spice-guest-agent/" class=3D"x_gmail-m_4314768941515087156OWAAutoLink"
=
id=3D"x_gmail-m_4314768941515087156LPlnk313725" target=3D"_blank">
https://www.ovirt.org/<wbr>documentation/how-to/guest-<wbr>ag...
e-spice-guest-<wbr>agent/</a></span></li><li><span> On
the aSpice clie=
nt I have imported the CA certficate from step 1 above. I defined the=
connection using the IP of my Node and TLS port 5901.</span></li></ol>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>are you really using aSPICE client (e.g. the android SPICE client?). I=
f yes, maybe you want to try to open it using moVirt (<a href=3D"https://pl=
ay.google.com/store/apps/details?id=3Dorg.ovirt.mobile.movirt&hl=...
https://play.google.com/store/apps/details?id=3Dorg.ovirt.mobile.movirt&a...
;hl=3Den</a>)
which delegates the console to aSPICE but configures everything including =
the certificates on it. Should be much simpler than configuring it by hand.=
.<br>
</div>
<div> </div>
<blockquote class=3D"x_gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;
bord=
er-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir=3D"ltr">
<div id=3D"x_gmail-m_4314768941515087156divtagdefaultwrapper"
dir=3D"ltr" s=
tyle=3D"font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helveti=
ca, sans-serif, "EmojiFont", "Apple Color Emoji",
"=
;Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol",
"A=
ndroid Emoji", EmojiSymbols;">
<span><br>
To troubleshoot my connection issues I confirmed the port being used to lis=
ten. <br>
<div>virsh # domdisplay Kali<br>
<span>spice://<a href=3D"http://172.30.42.12?tls-port=3D5901"
target=3D"_bl=
ank">172.30.42.12?tls-port=3D<wbr>5901</a></span></div>
<br>
I see the following when attempting to connect.<br>
tail -f <span>/var/log/libvirt/qemu</span>/Kali.log<br>
<br>
<div>
<div>140400191081600:error:<wbr>14094438:SSL routines:ssl3_read_bytes:tlsv1=
alert internal error:s3_pkt.c:1493:SSL alert number 80<br>
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_<wbr>ssl_ac=
cept: SSL_accept failed, error=3D1<br>
<br>
I came across some documentation that states in the caveat section "<s=
pan>Certificate of spice SSL should be separate
certificate."</span><b=
r>
<a href=3D"https://www.ovirt.org/develop/release-management/features/in...
pki/" class=3D"x_gmail-m_4314768941515087156OWAAutoLink"
id=3D"x_gmail-m_43=
14768941515087156LPlnk743161"
target=3D"_blank">https://www.ovirt.org/devel=
op/<wbr>release-management/features/<wbr>infra/pki/</a><br>
<br>
Is this still the case for version 4? The document references version=
3.2 and 3.3. If so, how do I generate a new certificate for use with=
spice? Please let me know if you require further info to troubleshoo=
t, I am happy to provide it. Many thanks in advance.<br>
<a href=3D"https://www.ovirt.org/develop/release-management/features/in...
pki/" class=3D"x_gmail-m_4314768941515087156OWAAutoLink"
id=3D"x_gmail-m_43=
14768941515087156LPlnk743161" target=3D"_blank"></a><br>
<br>
</div>
<br>
<br>
</div>
<br>
</span><br>
<span><br>
<br>
</span>
<p style=3D"margin-top:0px; margin-bottom:0px"><br>
</p>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href=3D"mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href=3D"http://lists.ovirt.org/mailman/listinfo/users"
rel=3D"noreferrer=
"
target=3D"_blank">http://lists.ovirt.org/<wbr>mailman/...
br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
--_000_BLUPR02MB100BB5C2B1AFB1CB8A19904FAC80BLUPR02MB100namprd_--
8:59 a.m.
On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <
Jeremy_Tourville(a)hotmail.com> wrote:
Hi Tomas,
To answer your question, yes I am really trying to use aSpice.
I appreciate your suggestion. I'm not sure if it meets my objective. Maybe
our goals are different? It seems to me that movirt is built around
portable management of the ovirt environment. I am attempting to provide a
VDI type experience for running a vm. My goal is to run a lab environment
with 30 chromebooks loaded with a spice clent. The spice client would of
course connect to the 30 vms running Kali and each session would be
independent of each other.
yes, it looks like a different use case
I did a little further testing with a different client. (spice plugin
for chrome). When I attempted to connect using that client I got a
slightly different error message. The message still seemed to be of the
same nature- i.e.: there is a problem with SSL protocol and communication.
Are you suggesting that movirt can help set up the proper certficates and
config the vms to use spice? Thanks!
moVirt has been developed for quite some time and works pretty well, this
is why I recommended it. But anyway, you have a different use case.
What I think the issue is, is that oVirt can have different CAs set for
console communication and for API. And I think you are trying to configure
aSPICE to use the one for API.
What moVirt does to make sure it is using the correct CA to put into the
aSPICE is that it downloads the .vv file of the VM (e.g. you can just
connect to console using webadmin and save the .vv file somewhere), parse
it and use the CA= part from it as a certificate. This one is guaranteed to
be the correct one.
For more details about what else it takes from the .vv file you can check
here:
the parsing:
https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovir...
configuration of aSPICE:
https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovir...
enjoy :)
------------------------------
*From:* Tomas Jelinek <tjelinek(a)redhat.com>
*Sent:* Monday, February 19, 2018 4:19 AM
*To:* Jeremy Tourville
*Cc:* users(a)ovirt.org
*Subject:* Re: [ovirt-users] Spice Client Connection Issues Using aSpice
On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <
Jeremy_Tourville(a)hotmail.com> wrote:
Hello,
I am having trouble connecting to my guest vm (Kali Linux) which is
running spice. My engine is running version: 4.2.1.7-1.el7.centos.
I am using oVirt Node as my host running version: 4.2.1.1.
I have taken the following steps to try and get everything running
properly.
1. Download the root CA certificate https://ovirtengin
e.lan/ovirt-engine/services/pki-resource?resource=ca-
certificate&format=X509-PEM-CA
<https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-ce...
2. Edit the vm and define the graphical console entries. Video type
is set to QXL, Graphics protocol is spice, USB support is enabled.
3. Install the guest agent in Debian per the instructions here -
https://www.ovirt.org/documentation/how-to/guest-agent/
install-the-guest-agent-in-debian/
<https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-...
It is my understanding that installing the guest agent will also install
the virt IO device drivers.
4. Install the spice-vdagent per the instructions here -
https://www.ovirt.org/documentation/how-to/guest-agent/
install-the-spice-guest-agent/
<https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-...
5. On the aSpice client I have imported the CA certficate from step 1
above. I defined the connection using the IP of my Node and TLS port 5901.
are you really using aSPICE client (e.g. the android SPICE client?). If
yes, maybe you want to try to open it using moVirt (
https://play.google.com/store/apps/details?id=org.
ovirt.mobile.movirt&hl=en) which delegates the console to aSPICE but
configures everything including the certificates on it. Should be much
simpler than configuring it by hand..
To troubleshoot my connection issues I confirmed the port being used to
listen.
virsh # domdisplay Kali
spice://172.30.42.12?tls-port=5901
I see the following when attempting to connect.
tail -f /var/log/libvirt/qemu/Kali.log
140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert
internal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept:
SSL_accept failed, error=1
I came across some documentation that states in the caveat section "Certificate
of spice SSL should be separate certificate."
https://www.ovirt.org/develop/release-management/features/infra/pki/
Is this still the case for version 4? The document references version 3.2
and 3.3. If so, how do I generate a new certificate for use with spice?
Please let me know if you require further info to troubleshoot, I am happy
to provide it. Many thanks in advance.
<https://www.ovirt.org/develop/release-management/features/infra/pki/>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9:56 a.m.
--=-NWqfxxSdaA6Wfj8CQgVR
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:
=20
=20
On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <Jeremy_Tourville@h
otmail.com> wrote:
> Hi Tomas,=20
> To answer your question, yes I am really trying to use aSpice.
>=20
> I appreciate your suggestion. I'm not sure if it meets my
> objective. Maybe our goals are different? It seems to me that
> movirt is built around portable management of the ovirt
> environment. I am attempting to provide a VDI type experience for
> running a vm. My goal is to run a lab environment with 30
> chromebooks loaded with a spice clent. The spice client would of
> course connect to the 30 vms running Kali and each session would be
> independent of each other. =20
>=20
=20
yes, it looks like a different use case
=20
> I did a little further testing with a different client. (spice
> plugin for chrome). When I attempted to connect using that client
> I got a slightly different error message. The message still seemed
> to be of the same nature- i.e.: there is a problem with SSL
> protocol and communication. =20
>=20
> Are you suggesting that movirt can help set up the proper
> certficates and config the vms to use spice? Thanks!
>=20
=20
moVirt has been developed for quite some time and works pretty well,
this is why I recommended it. But anyway, you have a different use
case.
=20
What I think the issue is, is that oVirt can have different CAs set
for console communication and for API. And I think you are trying to
configure aSPICE to use the one for API.=20
=20
What moVirt does to make sure it is using the correct CA to put into
the aSPICE is that it downloads the .vv file of the VM (e.g. you can
just connect to console using webadmin and save the .vv file
somewhere), parse it and use the CA=3D part from it as a certificate.
This one is guaranteed to be the correct one.
=20
For more details about what else it takes from the .vv file you can
check here:
the parsing: https://github.com/oVirt/moVirt/blob/master/moVirt/src/m
ain/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttp
MessageConverter.java
configuration of aSPICE: https://github.com/oVirt/moVirt/blob/master/
moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java
=20
enjoy :)
Feels to me like OP should try to get it working _any_ "normal" way
before trying to get the special use case application working?
Like trying to run before learning to crawl, if that makes sense?
I would suggest just logging in to webadmin with a regular PC and
trying to get a SPICE console with remote-viewer to begin with. Then,
once that works, try to get a SPICE console working through moVirt with
aSPICE on an Android phone, or one of the Chromebooks you have to play
with before going into production. Once that=C2=B4s settled and you know it
should work the way you normally access it, you can start playing with
your special use case application.
Hope it helps!
/K
=20
>=20
> From: Tomas Jelinek <tjelinek(a)redhat.com>
> Sent: Monday, February 19, 2018 4:19 AM
> To: Jeremy Tourville
> Cc: users(a)ovirt.org
> Subject: Re: [ovirt-users] Spice Client Connection Issues Using
> aSpice
> =20
>=20
>=20
> On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville
> @hotmail.com> wrote:
> > Hello,
> > I am having trouble connecting to my guest vm (Kali Linux) which
> > is running spice. My engine is running version: 4.2.1.7-
> > 1.el7.centos.
> > I am using oVirt Node as my host running version: 4.2.1.1. =20
> >=20
> > I have taken the following steps to try and get everything
> > running properly.
> > Download the root CA certificate https://ovirtengine.lan/ovirt-en
> > gine/services/pki-resource?resource=3Dca-certificate&format=3DX509-
> > PEM-CA
> > Edit the vm and define the graphical console entries. Video type
> > is set to QXL, Graphics protocol is spice, USB support is
> > enabled.
> > Install the guest agent in Debian per the instructions here - htt
> > ps://www.ovirt.org/documentation/how-to/guest-agent/install-the-
> > guest-agent-in-debian/ It is my understanding that installing
> > the guest agent will also install the virt IO device drivers.
> > Install the spice-vdagent per the instructions here - https://www
> > .ovirt.org/documentation/how-to/guest-agent/install-the-spice-
> > guest-agent/
> > On the aSpice client I have imported the CA certficate from step
> > 1 above. I defined the connection using the IP of my Node and
> > TLS port 5901.
>=20
> are you really using aSPICE client (e.g. the android SPICE
> client?). If yes, maybe you want to try to open it using moVirt (ht
> tps://play.google.com/store/apps/details?id=3Dorg.ovirt.mobile.movirt
> &hl=3Den) which delegates the console to aSPICE but configures
> everything including the certificates on it. Should be much simpler
> than configuring it by hand..
> =20
> > To troubleshoot my connection issues I confirmed the port being
> > used to listen. =20
> > virsh # domdisplay Kali
> > spice://172.30.42.12?tls-port=3D5901
> >=20
> > I see the following when attempting to connect.
> > tail -f /var/log/libvirt/qemu/Kali.log
> >=20
> > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> > alert internal error:s3_pkt.c:1493:SSL alert number 80
> > ((null):27595): Spice-Warning **:
> > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,
> > error=3D1
> >=20
> > I came across some documentation that states in the caveat
> > section "Certificate of spice SSL should be separate
> > certificate."
> > https://www.ovirt.org/develop/release-management/features/infra/p
> > ki/
> >=20
> > Is this still the case for version 4? The document references
> > version 3.2 and 3.3. If so, how do I generate a new certificate
> > for use with spice? Please let me know if you require further
> > info to troubleshoot, I am happy to provide it. Many thanks in
> > advance.
> >=20
> >=20
> >=20
> >=20
> >=20
> >=20
> >=20
> >=20
> >=20
> >=20
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >=20
=20
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--=-NWqfxxSdaA6Wfj8CQgVR
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
iQEcBAABCAAGBQJai+K6AAoJEBpo164N2cuRUXEH/3oKHSwEf2hYeltfRqz9R07z
oOpFBmVbCCitNbq/C7C1d97kjXqY2aC0oiSaIcz2lgC/Rep6FXFZ8tQGwr6zSonl
v0tHdMkzXGi4lUYuY8iTGoaSJvwPXBirNH8TU5xCWiYN8pO0xbtdPmSfXehSIeKm
ekx+dy8ybYmTwYQp7k76NeSoT9o5mV34Q/QfD4507IgLp6paTBsNmO/DMjwIvyV+
VFLg8cz46gz/gRd6kjvj1nMJS1rnjajq4wcchhfIS3yC7kI6gL382s9cUBRwy7bz
n1108hKq6H3cpGlPo67bOVtFo4BjAy3kYrMe9jkVO9/Ppe+fsXb7UEiORJl5/bc=
=Pq9i
-----END PGP SIGNATURE-----
--=-NWqfxxSdaA6Wfj8CQgVR--
2:05 a.m.
--_000_BLUPR02MB1006ACB8509467D8B874FECFACF0BLUPR02MB100namprd_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hello everyone,
I can confirm that spice is working for me when I launch it using the .vv f=
ile. I have virt viewer installed on my Windows pc and it works without is=
sue. I can also launch spice when I use movirt without any issues. I exam=
ined the contents of the .vv file to see what the certificate looks like. =
I can confirm that the certficate in the .vv file is the same as the file =
I downloaded in step 1 of my directions.
I reviewed the PKI reference (https://www.ovirt.org/develop/release-managem=
ent/features/infra/pki/) <https://www.ovirt.org/develop/release-management=
/features/infra/pki/
for a second time and I see the same certificate located in different locat=
ions.
For example, all these locations contain the same certificate-
* <https://ovirtengine.lan/ovirt-en> https://ovirtengine.lan/ovirt-engi=
ne/services/pki-resource?resource=3Dca-certificate&format=3DX509-PEM-CA
* /etc/pki/vdsm/certs/cacert.pem
* /etc/pki/vdsm/libvirt-spice/ca-cert.pem
* /etc/pki/CA/cacert.pem
This is the certificate I am using to configure my aSpice client.
Can someone answer the question from my original post? The PKI reference s=
ays for version 3.2 and 3.3. Is the documentation still correct for versio=
n 4.2?
At this point I am trying to find out where the problems exists - ie.
#1 Is my client not configured correctly?
#2 Am I using the wrong cert? (I think I am using the correct cert based o=
n the research I listed above)
#3 Does my client need to be able to send a pasword? (based on the content=
s of the .vv file, I'd have to guess yes)
Also my xml file for the VM in question contains this:
<graphics type=3D'spice' autoport=3D'yes'
defaultMode=3D'secure' passwd=3D=
'*****' passwdValidTo=3D'1970-01-01T00:00:01' Please
note: I did not perform any hand configuration of the xml file, it =
was all done by the system using the UI.
#4 Can I configure a file on the system to turn off ticketing and passwords=
and see if that makes a difference, if so, what file?
#5 Can someone explain this error?
140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert int=
ernal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **:reds_stream.c:379:reds_stream_ssl_accept: =
SSL_accept failed, error=3D1
What I know about it is this:
According to RFC 2246, the alert number 80 represents an "internal error". =
Here is the description from the RFC
internal_error: An internal error unrelated to the peer or the correctness =
of the protocol makes it impossible to continue (such as a memory allocatio=
n failure). This message is always fatal.
#6 Could this error be related to any of #1 through #4 above?
Thanks!
________________________________
From: Karli Sj=F6berg <karli(a)inparadise.se Sent:
Tuesday, February 20, 2018 2:56 AM
To: Tomas Jelinek; Jeremy Tourville
Cc: users(a)ovirt.org
Subject: Re: [ovirt-users] Spice Client Connection Issues Using aSpice
On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:
> From: Tomas Jelinek <tjelinek(a)redhat.com > Sent: Monday, February 19, 2018 4:19 AM
> To: Jeremy Tourville
> Cc: users(a)ovirt.org
> Subject: Re: [ovirt-users] Spice Client Connection Issues Using
> aSpice
> On
Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville
> @hotmail.com> wrote:
> > Hello,
> > I am having trouble connecting to my guest vm (Kali Linux) which
> > is running spice. My engine is running version: 4.2.1.7-
> > 1.el7.centos.
> > I am using oVirt Node as my host running version: 4.2.1.1.
> > > I have taken the following steps to try and get
everything
> > running properly.
> > Download the root CA certificate https://ovirtengine.lan/ovirt-en
> > gine/services/pki-resource?resource=3Dca-certificate&format=3DX509-
> > PEM-CA
> > Edit the vm and define the graphical console entries. Video type
> > is set to QXL, Graphics protocol is spice, USB support is
> > enabled.
> > Install the guest agent in Debian per the instructions here - htt
> > ps://www.ovirt.org/documentation/how-to/guest-agent/install-the-
> > guest-agent-in-debian/ It is my understanding that installing
> > the guest agent will also install the virt IO device drivers.
> > Install the spice-vdagent per the instructions here - https://www
> > .ovirt.org/documentation/how-to/guest-agent/install-the-spice-
> > guest-agent/
> > On the aSpice client I have imported the CA certficate from step
> > 1 above. I defined the connection using the IP of my Node and
> > TLS port 5901.
> are you really using aSPICE client (e.g. the android
SPICE
> client?). If yes, maybe you want to try to open it using moVirt (ht
> tps://play.google.com/store/apps/details?id=3Dorg.ovirt.mobile.movirt
> &hl=3Den) which delegates the console to aSPICE but configures
> everything including the certificates on it. Should be much simpler
> than configuring it by hand..
> > To troubleshoot my connection issues I confirmed the
port being
> > used to listen.
> > virsh # domdisplay Kali
> > spice://172.30.42.12?tls-port=3D5901
> > > I see the following when attempting to connect.
> > tail -f /var/log/libvirt/qemu/Kali.log
> > > 140400191081600:error:14094438:SSL
routines:ssl3_read_bytes:tlsv1
> > alert internal error:s3_pkt.c:1493:SSL alert number 80
> > ((null):27595): Spice-Warning **:
> > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,
> > error=3D1
> > > I came across some documentation that states in the
caveat
> > section "Certificate of spice SSL should be separate
> > certificate."
> > https://www.ovirt.org/develop/release-management/features/infra/p
> > ki/
> > > Is this still the case for version 4? The document
references
> > version 3.2 and 3.3. If so, how do I generate a new certificate
> > for use with spice? Please let me know if you require further
> > info to troubleshoot, I am happy to provide it. Many thanks in
> > advance.
> > > >
> > >
> > >
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users Users Info Page -
lists.ovirt.org Mailing Lists<http://lists.ovirt.org/mail=
man/listinfo/users lists.ovirt.org
If you have a question about oVirt, this is where you can start getting ans=
wers. To see the collection of prior postings to the list, visit the Users =
Archives.
lists.ovirt.org
If you have a question about oVirt, this is where you can start getting ans=
wers. To see the collection of prior postings to the list, visit the Users =
Archives.
--_000_BLUPR02MB1006ACB8509467D8B874FECFACF0BLUPR02MB100namprd_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html <head <meta http-equiv=3D"Content-Type"
content=3D"text/html; charset=3Diso-8859-=
1" <style type=3D"text/css"
style=3D"display:none;"><!-- P {margin-top:0;margi=
n-bottom:0;} --></style </head <body dir=3D"ltr" <div
id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;font=
-family:Calibri,Helvetica,sans-serif;" dir=3D"ltr" <p style=3D"margin-top:0;margin-bottom:0">Hello
everyone,<br </p <p
style=3D"margin-top:0;margin-bottom:0">I can confirm that spice is worki=
ng for me when I launch it using the .vv file. I have virt viewer ins=
talled on my Windows pc and it works without issue. I can also launch=
spice when I use movirt without any issues.
I examined the contents of the .vv file to see what the certificate looks =
like. I can confirm that the certficate in the .vv file is the same =
as the file I downloaded in step 1 of my directions.
<br </p <p
style=3D"margin-top:0;margin-bottom:0"><br
</p <p
style=3D"margin-top:0;margin-bottom:0">I reviewed the PKI reference<a hr=
ef=3D"https://www.ovirt.org/develop/release-management/features/infr...
class=3D"OWAAutoLink" id=3D"LPlnk894408"
previewremoved=3D"true"> (https:/=
/www.ovirt.org/develop/release-management/features/infra/pki/)
</a><span class=3D"OWAAutoLink"></p <div>for a second time and I see the same certificate
located in different =
locations.
</div </span <p></p <p
style=3D"margin-top:0;margin-bottom:0"><br
</p <p
style=3D"margin-top:0;margin-bottom:0">For example, all these locations =
contain the same certificate-</p <ul
style=3D"margin-bottom: 0px; margin-top: 0px;"
<li><font size=3D"2"><span
style=3D"font-size:11pt;"><a href=3D"https://ovi=
rtengine.lan/ovirt-en" id=3D"LPlnk401540"
previewremoved=3D"true"></a>https=
://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=3Dca-certifi=
cate&format=3DX509-PEM-CA</span></font><br
</li><li>/etc/pki/vdsm/certs/cacert.pem</li><li>/etc/pki/vdsm/libvirt-spice=
/ca-cert.pem</li><li>/etc/pki/CA/cacert.pem</li></ul <p style=3D"margin-top:0;margin-bottom:0">This
is the certificate I am usin=
g to configure my aSpice client.
<br </p <p
style=3D"margin-top:0;margin-bottom:0">Can someone answer the question f=
rom my original post? The PKI reference says for version 3.2 and 3.3.=
Is the documentation still correct for version 4.2?</p <p
style=3D"margin-top:0;margin-bottom:0"><br
</p <p
style=3D"margin-top:0;margin-bottom:0">At this point I am trying to find=
out where the problems exists - ie.
<br </p <p
style=3D"margin-top:0;margin-bottom:0">#1 Is my client not configured co=
rrectly?
<br </p <p
style=3D"margin-top:0;margin-bottom:0">#2 Am I using the wrong
cert?&nbs=
p; (I think I am using the correct cert based on the research I listed abov=
e)</p <p
style=3D"margin-top:0;margin-bottom:0">#3 Does my client need to be able=
to send a pasword? (based on the contents of the .vv file, I'd have =
to guess yes)</p <p
style=3D"margin-top:0;margin-bottom:0">Also my xml file for the VM in qu=
estion contains this:
</p <div> <graphics type=3D'spice'
autoport=3D'yes' defaultMode=3D'secu=
re' passwd=3D'*****'
passwdValidTo=3D'1970-01-01T00:00:01'><br Please
note: I did not perform any hand configuration of the xml file=
, it was all done by the system using the UI.<br
</div #4 Can I configure a file on the
system to turn off ticketing and passwords=
and see if that makes a difference, if so, what file?
<p></p <p
style=3D"margin-top:0;margin-bottom:0">#5 Can someone explain
this=
error? <br </p <p
style=3D"margin-top:0;margin-bottom:0"><font
size=3D"2"><span style=3D"f=
ont-size:11pt;">140400191081600:error:14094438:SSL routines:ssl3_read_bytes=
:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
<br ((null):27595): Spice-Warning
**:reds_stream.c:379:reds_stream_ssl_accept: =
SSL_accept failed, error=3D1</span></font></p <p
style=3D"margin-top:0;margin-bottom:0"><font
size=3D"2"><span style=3D"f=
ont-size:11pt;"></p <div>What I know about it is
this:<br According to RFC 2246, the alert
number 80 represents an "internal err=
or". Here is the description from the RFC<br internal_error: An internal error unrelated to the peer or the
correctness =
of the protocol makes it impossible to continue (such as a memory allocatio=
n failure). This message is always fatal.</div
</span></font <p></p <div>#6 Could this error be related to any of #1 through
#4 above?<br <br
Thanks!<br <br
</div <br <div
style=3D"color: rgb(0, 0, 0);" <hr
style=3D"display:inline-block;width:98%" tabindex=3D"-1" <div id=3D"divRplyFwdMsg"
dir=3D"ltr"><font style=3D"font-size:11pt" face=
=3D"Calibri, sans-serif" color=3D"#000000"><b>From:</b>
Karli Sj=F6berg <=
;karli(a)inparadise.se&gt;<br <b>Sent:</b> Tuesday,
February 20, 2018 2:56 AM<br <b>To:</b> Tomas
Jelinek; Jeremy Tourville<br <b>Cc:</b>
users(a)ovirt.org<br <b>Subject:</b> Re:
[ovirt-users] Spice Client Connection Issues Using aSpi=
ce</font <div> </div </div <div
class=3D"BodyFragment"><font size=3D"2"><span
style=3D"font-size:11pt;=
" <div class=3D"PlainText">On Tue, 2018-02-20 at
08:59 +0100, Tomas Jelin=
ek wrote:<br > <br > <br >
On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <Jeremy_Tourville=
@h<br > otmail.com>
wrote:<br > > Hi Tomas,
<br > > To answer your question, yes I am really
trying to use aSpice.<br=
> > <br >
> I appreciate your suggestion. I'm not sure if it meets my<b=
r > > objective. Maybe our goals are
different? It seems to=
me that<br > > movirt is built
around portable management of the ovirt<br >
> environment. I am attempting to provide a VDI type experien=
ce for<br > > running a
vm. My goal is to run a lab environment with 30<b=
r > > chromebooks loaded with a spice
clent. The spice client wou=
ld of<br > > course connect to
the 30 vms running Kali and each session would =
be<br > > independent of
each other. <br > > <br > <br >
yes, it looks like a different use case<br
> <br > > I did a
little further testing with a different client.&nbs=
p; (spice<br > > plugin for
chrome). When I attempted to connect using that =
client<br > > I got a slightly
different error message. The message still=
seemed<br > > to be of the same
nature- i.e.: there is a problem with SSL<br >
> protocol and communication. <br > > <br >
> Are you suggesting that movirt can help set up the proper<br > > certficates and config the vms to use
spice? Thanks!<br > > <br > <br >
moVirt has been developed for quite some time and works pretty well,<b=
r > this is why I recommended it. But anyway, you have a
different use<br > case.<br > <br >
What I think the issue is, is that oVirt can have different CAs set<br=
> for console communication and for API. And I think you
are trying to<b=
r > configure aSPICE to use the one for API. <br > <br >
What moVirt does to make sure it is using the correct CA to put into<b=
r > the aSPICE is that it downloads the .vv file of the VM
(e.g. you can<b=
r > just connect to console using webadmin and save the
.vv file<br > somewhere), parse it and
use the CA=3D part from it as a certificate.<=
br > This one is guaranteed to be the correct
one.<br > <br > For more details about what else it takes from the .vv
file you can<br=
> check here:<br >
the parsing: <a href=3D"https://github.com/oVirt/moVirt/blob/master/mo=
Virt/src/m" id=3D"LPlnk119727" previewremoved=3D"true"
https://github.com/oVirt/moVirt/blob/master/moVirt/src/m</a><br >
ain/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttp<=
br > MessageConverter.java<br > configuration of aSPICE: <a
href=3D"https://github.com/oVirt/moVirt/bl=
ob/master/" id=3D"LPlnk744960" previewremoved=3D"true"
https://github.com/oVirt/moVirt/blob/master/</a><br >
moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java<b=
r > <br >
enjoy :)<br <br Feels to
me like OP should try to get it working _any_ "normal" w=
ay<br before trying to get the special use
case application working?<br <br Like
trying to run before learning to crawl, if that makes sense?<br <br I would suggest just logging in to
webadmin with a regular PC and<br trying to
get a SPICE console with remote-viewer to begin with. Then,<br once that works, try to get a SPICE console working through
moVirt with<br aSPICE on an Android phone, or one
of the Chromebooks you have to play<br with
before going into production. Once that=B4s settled and you know it<br=
should work the way you normally access it, you can start
playing with<br your special use case
application.<br <br Hope it
helps!<br <br
/K<br <br
> <br > > <br > > From: Tomas Jelinek
&lt;tjelinek(a)redhat.com&gt;<br >
> Sent: Monday, February 19, 2018 4:19 AM<br >
> To: Jeremy Tourville<br >
> Cc: users(a)ovirt.org<br > > Subject: Re:
[ovirt-users] Spice Client Connection Issues Using<b=
r > > aSpice<br >
> <br > > <br > > <br >
> On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tour=
ville<br > >
@hotmail.com> wrote:<br > > >
Hello,<br > > > I am
having trouble connecting to my guest vm (Kali Linux) w=
hich<br > > > is
running spice. My engine is running version: 4.2.1.7-<br >
> > 1.el7.centos.<br >
> > I am using oVirt Node as my host running version: 4.2.1.1.&n=
bsp; <br > > >
<br > > > I have taken the following steps to
try and get everything<b=
r > > > running properly.<br > > > Download the root CA certificate
<a href=3D"https://ovirteng=
ine.lan/ovirt-en" id=3D"LPlnk401540" previewremoved=3D"true" https://ovirtengine.lan/ovirt-en</a><br > > >
gine/services/pki-resource?resource=3Dca-certificate&for=
mat=3DX509-<br > > >
PEM-CA<br > > > Edit the
vm and define the graphical console entries. =
Video type<br > > > is set to
QXL, Graphics protocol is spice, USB support is<br=
> > > enabled.<br > > > Install the guest agent in Debian
per the instructions here =
- htt<br > > >
ps://www.ovirt.org/documentation/how-to/guest-agent/install-=
the-<br > > >
guest-agent-in-debian/ It is my understanding that ins=
talling<br > > > the guest
agent will also install the virt IO device drivers=
.<br > > > Install the spice-vdagent per the
instructions here - <a hre=
f=3D"https://www" id=3D"LPlnk534540"
previewremoved=3D"true" https://www</a><br > > >
.ovirt.org/documentation/how-to/guest-agent/install-the-spic=
e-<br > > >
guest-agent/<br > > >
On the aSpice client I have imported the CA certficate=
from step<br > > > 1
above. I defined the connection using the IP of my N=
ode and<br > > > TLS port
5901.<br > > <br > > are you really using aSPICE client (e.g. the
android SPICE<br > > client?). If yes,
maybe you want to try to open it using moVirt (=
ht<br > >
tps://play.google.com/store/apps/details?id=3Dorg.ovirt.mobile.mo=
virt<br > > &hl=3Den)
which delegates the console to aSPICE but configure=
s<br > > everything including the certificates on it.
Should be much simpl=
er<br > > than configuring
it by hand..<br > >
<br > > > To troubleshoot my connection issues
I confirmed the port be=
ing<br > > > used to
listen. <br > > > virsh #
domdisplay Kali<br > > >
spice://172.30.42.12?tls-port=3D5901<br >
> > <br > > > I see the
following when attempting to connect.<br >
> > tail -f /var/log/libvirt/qemu/Kali.log<br > > > <br >
> > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:=
tlsv1<br > > > alert
internal error:s3_pkt.c:1493:SSL alert number 80<br >
> > ((null):27595): Spice-Warning **:<br >
> > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,=
<br > > > error=3D1<br > > > <br >
> > I came across some documentation that states in the caveat<b=
r > > > section "Certificate of
spice SSL should be separate<br=
> > > certificate."<br > > > <a
href=3D"https://www.ovirt.org/develop/release-management/=
features/infra/p" id=3D"LPlnk306127" previewremoved=3D"true"
https://www.ovirt.org/develop/release-management/features/infra/p</a&g... > > > ki/<br > > > <br >
> > Is this still the case for version 4? The document ref=
erences<br > > > version
3.2 and 3.3. If so, how do I generate a new ce=
rtificate<br > > > for use
with spice? Please let me know if you require =
further<br > > > info to
troubleshoot, I am happy to provide it. Many t=
hanks in<br > > >
advance.<br > > >
<br > > > <br >
> > <br > > >
<br > > > <br >
> > <br > > >
<br > > > <br >
> > <br > > >
<br > > >
_______________________________________________<br >
> > Users mailing list<br >
> > Users(a)ovirt.org<br >
> > <a href=3D"http://lists.ovirt.org/mailman/listinfo/users"
id=
=3D"LPlnk439922" previewremoved=3D"true"
http://lists.ovirt.org/mailman/listinfo/users</a <div
id=3D"LPBorder_GT_15191689794020.9506041758926115" style=3D"margin-bot=
tom: 20px; overflow: auto; width: 100%; text-indent: 0px;" <table
id=3D"LPContainer_15191689793980.020877905619313797" style=3D"width:=
90%; background-color: rgb(255, 255, 255); position: relative; overflow: a=
uto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top:=
1px dotted rgb(200, 200, 200); border-bottom: 1px dotted rgb(200, 200, 200=
);" role=3D"presentation" cellspacing=3D"0" <tbody <tr
style=3D"border-spacing: 0px;" valign=3D"top" <td id=3D"TextCell_15191689794000.745711158074434"
style=3D"vertical-align:=
top; position: relative; padding: 0px; display: table-cell;"
colspan=3D"2"=
<div
id=3D"LPRemovePreviewContainer_15191689794000.6616147681997978"></div <div id=3D"LPTitle_15191689794000.998721573314241"
style=3D"top: 0px; color=
: rgb(0, 120, 215); font-weight: 400; font-size: 21px; font-family: "w=
f_segoe-ui_light", "Segoe UI Light", "Segoe WP
Light&qu=
ot;, "Segoe UI", "Segoe WP", Tahoma, Arial,
sans-serif;=
line-height: 21px;" <a
id=3D"LPUrlAnchor_15191689794000.39103588621365026" style=3D"text-decora=
tion: none;" href=3D"http://lists.ovirt.org/mailman/listinfo/users"
target=
=3D"_blank">Users Info Page - lists.ovirt.org Mailing
Lists</a></div <div
id=3D"LPMetadata_15191689794010.7935502771020931" style=3D"margin: 10p=
x 0px 16px; color: rgb(102, 102, 102); font-weight: 400; font-family: "=
;wf_segoe-ui_normal", "Segoe UI", "Segoe WP",
Taho=
ma, Arial, sans-serif; font-size: 14px; line-height: 14px;" lists.ovirt.org</div <div
id=3D"LPDescription_15191689794010.9775418907289667" style=3D"display:=
block; color: rgb(102, 102, 102); font-weight: 400; font-family: "wf_=
segoe-ui_normal", "Segoe UI", "Segoe WP",
Tahoma, =
Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; o=
verflow: hidden;" If you have a question about oVirt,
this is where you can start getting ans=
wers. To see the collection of prior postings to the list, visit the Users =
Archives.</div </td
</tr </tbody </table
</div <br >
> > <br > <br >
_______________________________________________<br >
Users mailing list<br > Users(a)ovirt.org<br > <a
href=3D"http://lists.ovirt.org/mailman/listinfo/users" id=3D"LPlnk3=
78649" previewremoved=3D"true"
http://lists.ovirt.org/mailman/listinfo/users</a></div <div
id=3D"LPBorder_GT_15191689794330.830208412449906" style=3D"margin-bott=
om: 20px; overflow: auto; width: 100%; text-indent: 0px;" <table
id=3D"LPContainer_15191689794290.19160292129344736" style=3D"width: =
90%; background-color: rgb(255, 255, 255); position: relative; overflow: au=
to; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top: =
1px dotted rgb(200, 200, 200); border-bottom: 1px dotted rgb(200, 200, 200)=
;" role=3D"presentation" cellspacing=3D"0" <tbody <tr
style=3D"border-spacing: 0px;" valign=3D"top" <td
id=3D"TextCell_15191689794300.8164774816413748" style=3D"vertical-align=
: top; position: relative; padding: 0px; display: table-cell;" colspan=3D"2=
" <div
id=3D"LPRemovePreviewContainer_15191689794300.9561033892326608"></div <div
id=3D"LPTitle_15191689794310.4201760885913921" style=3D"top: 0px; colo=
r: rgb(0, 120, 215); font-weight: 400; font-size: 21px; font-family: "=
wf_segoe-ui_light", "Segoe UI Light", "Segoe WP
Light&q=
uot;, "Segoe UI", "Segoe WP", Tahoma, Arial,
sans-serif=
; line-height: 21px;" <a
id=3D"LPUrlAnchor_15191689794310.759099477830945" style=3D"text-decorati=
on: none;" href=3D"http://lists.ovirt.org/mailman/listinfo/users"
target=3D=
"_blank">Users Info Page - lists.ovirt.org Mailing
Lists</a></div <div
id=3D"LPMetadata_15191689794320.8467953153034486" style=3D"margin: 10p=
x 0px 16px; color: rgb(102, 102, 102); font-weight: 400; font-family: "=
;wf_segoe-ui_normal", "Segoe UI", "Segoe WP",
Taho=
ma, Arial, sans-serif; font-size: 14px; line-height: 14px;" lists.ovirt.org</div <div
id=3D"LPDescription_15191689794320.8773237228541786" style=3D"display:=
block; color: rgb(102, 102, 102); font-weight: 400; font-family: "wf_=
segoe-ui_normal", "Segoe UI", "Segoe WP",
Tahoma, =
Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; o=
verflow: hidden;" If you have a question about oVirt,
this is where you can start getting ans=
wers. To see the collection of prior postings to the list, visit the Users =
Archives.</div </td
</tr </tbody </table
</div
</span></font></div
</div </div </body
</html
--_000_BLUPR02MB1006ACB8509467D8B874FECFACF0BLUPR02MB100namprd_--
On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <Jeremy_Tourville@h
otmail.com> wrote:
> Hi Tomas,
> To answer your question, yes I am really trying to use aSpice.
> I appreciate your suggestion. I'm not sure if it
meets my
> objective. Maybe our goals are different? It seems to me that
> movirt is built around portable management of the ovirt
> environment. I am attempting to provide a VDI type experience for
> running a vm. My goal is to run a lab environment with 30
> chromebooks loaded with a spice clent. The spice client would of
> course connect to the 30 vms running Kali and each session would be
> independent of each other.
yes, it looks like a different use case
> I did a little further testing with a different client. (spice
> plugin for chrome). When I attempted to connect using that client
> I got a slightly different error message. The message still seemed
> to be of the same nature- i.e.: there is a problem with SSL
> protocol and communication.
> Are you suggesting that movirt can help set up the
proper
> certficates and config the vms to use spice? Thanks!
moVirt has been developed for quite some time and works pretty well,
this is why I recommended it. But anyway, you have a different use
case.
What I think the issue is, is that oVirt can have different CAs set
for console communication and for API. And I think you are trying to
configure aSPICE to use the one for API.
What moVirt does to make sure it is using the correct CA to put into
the aSPICE is that it downloads the .vv file of the VM (e.g. you can
just connect to console using webadmin and save the .vv file
somewhere), parse it and use the CA=3D part from it as a certificate.
This one is guaranteed to be the correct one.
For more details about what else it takes from the .vv file you can
check here:
the parsing: https://github.com/oVirt/moVirt/blob/master/moVirt/src/m
ain/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttp
MessageConverter.java
configuration of aSPICE: https://github.com/oVirt/moVirt/blob/master/
moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java
enjoy :)
Feels to me like OP should try to get it working _any_ "normal" way
before trying to get the special use case application working?
Like trying to run before learning to crawl, if that makes sense?
I would suggest just logging in to webadmin with a regular PC and
trying to get a SPICE console with remote-viewer to begin with. Then,
once that works, try to get a SPICE console working through moVirt with
aSPICE on an Android phone, or one of the Chromebooks you have to play
with before going into production. Once that=B4s settled and you know it
should work the way you normally access it, you can start playing with
your special use case application.
Hope it helps!
/K
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Users Info Page - lists.ovirt.org
Mailing Lists<http://lists.ovirt.org/mail=
man/listinfo/users
8:55 a.m.
On Wed, Feb 21, 2018 at 2:05 AM, Jeremy Tourville <
Jeremy_Tourville(a)hotmail.com> wrote:
Hello everyone,
I can confirm that spice is working for me when I launch it using the .vv
file. I have virt viewer installed on my Windows pc and it works without
issue. I can also launch spice when I use movirt without any issues. I
examined the contents of the .vv file to see what the certificate looks
like. I can confirm that the certficate in the .vv file is the same as
the file I downloaded in step 1 of my directions.
I reviewed the PKI reference (https://www.ovirt.org/
develop/release-management/features/infra/pki/)
<https://www.ovirt.org/develop/release-management/features/infra/pki/>
for a second time and I see the same certificate located in different
locations.
For example, all these locations contain the same certificate-
- <https://ovirtengine.lan/ovirt-en>https://ovirtengine.lan/ovirt-
engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
<https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-ce...
- /etc/pki/vdsm/certs/cacert.pem
- /etc/pki/vdsm/libvirt-spice/ca-cert.pem
- /etc/pki/CA/cacert.pem
This is the certificate I am using to configure my aSpice client.
Can someone answer the question from my original post? The PKI reference
says for version 3.2 and 3.3. Is the documentation still correct for
version 4.2?
At this point I am trying to find out where the problems exists - ie.
#1 Is my client not configured correctly?
#2 Am I using the wrong cert? (I think I am using the correct cert based
on the research I listed above)
I'd guess yes based on above
#3 Does my client need to be able to send a pasword? (based on the
contents of the .vv file, I'd have to guess yes)
yes
Also my xml file for the VM in question contains this:
<graphics type='spice' autoport='yes' defaultMode='secure'
passwd='*****'
passwdValidTo='1970-01-01T00:00:01'>
Please note: I did not perform any hand configuration of the xml file, it
was all done by the system using the UI.
the password is generated automatically. Normally it works like this:
- you ask for the .vv file
- ovirt generates a temporary password you can use to connect to console
- you can connect to the console using this temporary password
#4 Can I configure a file on the system to turn off ticketing and
passwords and see if that makes a difference, if so, what file?
I don't think there is an easy way to do this... Maybe writing some vdsm
hook or some other complex hack. I've seen an old discussion about it here:
http://lists.ovirt.org/pipermail/users/2014-August/026774.html
but I would not recommend you to go down this path.
#5 Can someone explain this error?
140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert
internal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **:reds_stream.c:379:reds_stream_ssl_accept:
SSL_accept failed, error=1
What I know about it is this:
According to RFC 2246, the alert number 80 represents an "internal
error". Here is the description from the RFC
internal_error: An internal error unrelated to the peer or the correctness
of the protocol makes it impossible to continue (such as a memory
allocation failure). This message is always fatal.
#6 Could this error be related to any of #1 through #4 above?
yes, I'd say yes.
Thanks!
------------------------------
*From:* Karli Sjöberg <karli(a)inparadise.se>
*Sent:* Tuesday, February 20, 2018 2:56 AM
*To:* Tomas Jelinek; Jeremy Tourville
*Cc:* users(a)ovirt.org
*Subject:* Re: [ovirt-users] Spice Client Connection Issues Using aSpice
On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:
>
>
> On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <Jeremy_Tourville@h
> otmail.com> wrote:
> > Hi Tomas,
> > To answer your question, yes I am really trying to use aSpice.
> >
> > I appreciate your suggestion. I'm not sure if it meets my
> > objective. Maybe our goals are different? It seems to me that
> > movirt is built around portable management of the ovirt
> > environment. I am attempting to provide a VDI type experience for
> > running a vm. My goal is to run a lab environment with 30
> > chromebooks loaded with a spice clent. The spice client would of
> > course connect to the 30 vms running Kali and each session would be
> > independent of each other.
> >
>
> yes, it looks like a different use case
>
> > I did a little further testing with a different client. (spice
> > plugin for chrome). When I attempted to connect using that client
> > I got a slightly different error message. The message still seemed
> > to be of the same nature- i.e.: there is a problem with SSL
> > protocol and communication.
> >
> > Are you suggesting that movirt can help set up the proper
> > certficates and config the vms to use spice? Thanks!
> >
>
> moVirt has been developed for quite some time and works pretty well,
> this is why I recommended it. But anyway, you have a different use
> case.
>
> What I think the issue is, is that oVirt can have different CAs set
> for console communication and for API. And I think you are trying to
> configure aSPICE to use the one for API.
>
> What moVirt does to make sure it is using the correct CA to put into
> the aSPICE is that it downloads the .vv file of the VM (e.g. you can
> just connect to console using webadmin and save the .vv file
> somewhere), parse it and use the CA= part from it as a certificate.
> This one is guaranteed to be the correct one.
>
> For more details about what else it takes from the .vv file you can
> check here:
> the parsing: https://github.com/oVirt/moVirt/blob/master/moVirt/src/m
> ain/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttp
> MessageConverter.java
> configuration of aSPICE: https://github.com/oVirt/moVirt/blob/master/
> moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java
>
> enjoy :)
Feels to me like OP should try to get it working _any_ "normal" way
before trying to get the special use case application working?
Like trying to run before learning to crawl, if that makes sense?
I would suggest just logging in to webadmin with a regular PC and
trying to get a SPICE console with remote-viewer to begin with. Then,
once that works, try to get a SPICE console working through moVirt with
aSPICE on an Android phone, or one of the Chromebooks you have to play
with before going into production. Once that´s settled and you know it
should work the way you normally access it, you can start playing with
your special use case application.
Hope it helps!
/K
>
> >
> > From: Tomas Jelinek <tjelinek(a)redhat.com>
> > Sent: Monday, February 19, 2018 4:19 AM
> > To: Jeremy Tourville
> > Cc: users(a)ovirt.org
> > Subject: Re: [ovirt-users] Spice Client Connection Issues Using
> > aSpice
> >
> >
> >
> > On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville
> > @hotmail.com> wrote:
> > > Hello,
> > > I am having trouble connecting to my guest vm (Kali Linux) which
> > > is running spice. My engine is running version: 4.2.1.7-
> > > 1.el7.centos.
> > > I am using oVirt Node as my host running version: 4.2.1.1.
> > >
> > > I have taken the following steps to try and get everything
> > > running properly.
> > > Download the root CA certificate https://ovirtengine.lan/ovirt-en
> > > gine/services/pki-resource?resource=ca-certificate&format=X509-
> > > PEM-CA
> > > Edit the vm and define the graphical console entries. Video type
> > > is set to QXL, Graphics protocol is spice, USB support is
> > > enabled.
> > > Install the guest agent in Debian per the instructions here - htt
> > > ps://www.ovirt.org/documentation/how-to/guest-agent/install-the-
> > > guest-agent-in-debian/ It is my understanding that installing
> > > the guest agent will also install the virt IO device drivers.
> > > Install the spice-vdagent per the instructions here - https://www
> > > .ovirt.org/documentation/how-to/guest-agent/install-the-spice-
> > > guest-agent/
> > > On the aSpice client I have imported the CA certficate from step
> > > 1 above. I defined the connection using the IP of my Node and
> > > TLS port 5901.
> >
> > are you really using aSPICE client (e.g. the android SPICE
> > client?). If yes, maybe you want to try to open it using moVirt (ht
> > tps://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt
> > &hl=en) which delegates the console to aSPICE but configures
> > everything including the certificates on it. Should be much simpler
> > than configuring it by hand..
> >
> > > To troubleshoot my connection issues I confirmed the port being
> > > used to listen.
> > > virsh # domdisplay Kali
> > > spice://172.30.42.12?tls-port=5901
> > >
> > > I see the following when attempting to connect.
> > > tail -f /var/log/libvirt/qemu/Kali.log
> > >
> > > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> > > alert internal error:s3_pkt.c:1493:SSL alert number 80
> > > ((null):27595): Spice-Warning **:
> > > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,
> > > error=1
> > >
> > > I came across some documentation that states in the caveat
> > > section "Certificate of spice SSL should be separate
> > > certificate."
> > > https://www.ovirt.org/develop/release-management/features/infra/p
> > > ki/
> > >
> > > Is this still the case for version 4? The document references
> > > version 3.2 and 3.3. If so, how do I generate a new certificate
> > > for use with spice? Please let me know if you require further
> > > info to troubleshoot, I am happy to provide it. Many thanks in
> > > advance.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users(a)ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
Users Info Page - lists.ovirt.org Mailing Lists
<http://lists.ovirt.org/mailman/listinfo/users>
lists.ovirt.org
If you have a question about oVirt, this is where you can start getting
answers. To see the collection of prior postings to the list, visit the
Users Archives.
> > >
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
Users Info Page - lists.ovirt.org Mailing Lists
<http://lists.ovirt.org/mailman/listinfo/users>
lists.ovirt.org
If you have a question about oVirt, this is where you can start getting
answers. To see the collection of prior postings to the list, visit the
Users Archives.
2687
days inactive
2690
days old
6 comments
3 participants
participants (3)
-
Jeremy Tourville -
Karli Sjöberg -
Tomas Jelinek