[Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)

Cristian Falcas cristi.falcas at gmail.com
Thu Dec 13 11:21:25 UTC 2012 

On Thu, Dec 13, 2012 at 12:53 PM, Cristian Falcas
<cristi.falcas at gmail.com>wrote:

>
>
>
> On Thu, Dec 13, 2012 at 12:43 PM, Cristian Falcas <cristi.falcas at gmail.com
> > wrote:
>
>>
>>
>>
>> On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>
>>>
>>>
>>> ----- Original Message -----
>>> > From: "Cristian Falcas" <cristi.falcas at gmail.com>
>>> > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>> > Cc: "Roy Golan" <rgolan at redhat.com>, users at ovirt.org, "Juan Antonio
>>> Hernandez Fernandez" <jhernand at redhat.com>,
>>> > "David Jaša" <djasa at redhat.com>, "Itamar Heim" <iheim at redhat.com>
>>> > Sent: Thursday, December 13, 2012 2:01:22 AM
>>> > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot
>>> find suitable CPU model for given data)
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev < alonbl at redhat.com >
>>> > wrote:
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > ----- Original Message -----
>>> > > From: "Cristian Falcas" < cristi.falcas at gmail.com >
>>> > > To: "Itamar Heim" < iheim at redhat.com >
>>> > > Cc: "Roy Golan" < rgolan at redhat.com >, users at ovirt.org , "Alon
>>> > > Bar-Lev" < alonbl at redhat.com >, "Juan Antonio Hernandez
>>> > > Fernandez" < jhernand at redhat.com >, "David Jaša" < djasa at redhat.com
>>> > > >
>>> > > Sent: Wednesday, December 12, 2012 11:21:32 PM
>>> > > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot
>>> > > find suitable CPU model for given data)
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim < iheim at redhat.com >
>>> > > wrote:
>>> > >
>>> > >
>>> > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
>>> > >
>>> > >
>>> > > Hi,
>>> > >
>>> > > i don't know if I should start a new thread for the spice problems.
>>> > > Here
>>> > > goes some improvements:
>>> > >
>>> > > I created the certificates like per https://gist.github.com/
>>> > > 1655511
>>> > > . i
>>> > > copied the public one to my home:
>>> > > cp /etc/pki/vdsm/libvirt-spice/ ca-cert.pem
>>> > > ~cristi/.spice/spice_ truststore.pem
>>> > >
>>> > > I had the same problem as in
>>> > > https://bugzilla.redhat.com/ show_bug.cgi?id=880182 . For this I
>>> >
>>> > > needed
>>> > > to downgrade libcacard twice (until I had the same version as in
>>> > > the
>>> > > bug)
>>> > >
>>> > > Now spice works with virt-manager.
>>> > >
>>> > > Can someone tell me where do I need to copy the certificate on
>>> > > ovirt
>>> > > in
>>> > > order to make spice working over there also?
>>> > >
>>> > > with which version of boostrap on the engine did you add this host.
>>> > >
>>> > >
>>> > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
>>> > >
>>> > > And otopi packages installed:
>>> > >
>>> > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>>> > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>>> > >
>>> > >
>>> >
>>> > Any reason to perform certificate enrollment manually?
>>> >
>>> > Alon
>>> >
>>> >
>>> > It's still not working with the handmade certificates.
>>> >
>>> > I tried to create them because of those errors:
>>> >
>>> > libvirt log:
>>> >
>>> > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not
>>> > load certificates from /etc/pki/vdsm/libvirt-spice/
>>> > server-cert.pem
>>> > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not
>>> > use private key file
>>> > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not
>>> > use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>>> >
>>> > [root at localhost Ovirt]# ls -la
>>> > /etc/pki/vdsm/libvirt-spice/server-cert.pem
>>> > ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No
>>> > such file or directory
>>> > [root at localhost Ovirt]# ls -la
>>> > /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>>> > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such
>>> > file or directory
>>> >
>>> >
>>> > Spice log:
>>> >
>>> > 1355334879 INFO [8950:8950] Application::main: starting 0.12.0
>>> > 1355334879 INFO [8950:8950] Application::main: command line: spicec
>>> > --controller
>>> > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
>>> > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen:
>>> > platform_win: 77594625
>>> > 1355334879 INFO [8950:8950] GUI::GUI:
>>> > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a
>>> > foreign menu connection /tmp/SpiceForeignMenu-8950.uds
>>> > 1355334879 INFO [8950:8950] Controller::Controller: Creating a
>>> > controller connection /tmp/spicec-9GS5mA/spice-xpi
>>> > 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to
>>> > cristifalcas.no-ip.org 5902
>>> > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to
>>> > connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
>>> > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error:
>>> > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
>>> > failure
>>> > 1355334882 INFO [8950:8950] main: Spice client terminated (exitcode =
>>> > 7)
>>> >
>>> >
>>> >
>>> >
>>> > I've done this without an improvment:
>>> >
>>> > [root at localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure
>>> > Configuring libvirt for vdsm...
>>> > [root at localhost Ovirt]# systemctl restart libvirtd.service
>>> > vdsmd.service
>>> >
>>>
>>> Why don't you deply the host again? It should create the certificate
>>> correctly.
>>>
>>> But before you can do this, you must remove whatever certificates you
>>> put including symlinks at /etc/pki /etc/libvirt as libvirt will not start
>>> if there are invalid certificates.
>>>
>>> Alon.
>>>
>>
>> I already did this. Also, i removed all configuration files from host and
>> ovirt, reinstalled ovirt-engine, removed vdsm,libvirt,qemu on host.
>>
>> I still got this when I start the machine:
>> ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not
>> load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
>> ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use
>> private key file
>> ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use
>> CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>>
>> And this when I try to connect:
>>
>> ((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept:
>> SSL_accept failed, error=1
>>
>> Best regards,
>> Cristian falcas
>>
>
> Also, spice is working with virt-manager without any modifications from my
> side.
>
>

qemu.conf is configured with this:

spice_tls=1
save_image_format="lzop"
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"

But that directory is not created and so, no certificates can be found
there.

Also, the latest nightly doesn't use vdsm-bootstrap anymore (it wasn't
installed).

Maybe the otopi is not doing all the jobs from vdsm-bootstrap?

Are there any steps to create the cetificates needed by qemu/spice?

Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20121213/4cfe89fc/attachment-0001.html>

More information about the Users mailing list