[Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)

Alon Bar-Lev alonbl at redhat.com
Thu Dec 13 11:35:33 UTC 2012 


----- Original Message -----
> From: "Cristian Falcas" <cristi.falcas at gmail.com>
> To: users at ovirt.org
> Sent: Thursday, December 13, 2012 1:27:09 PM
> Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)
> 
> 
> 
> 
> 
> 
> 
> On Thu, Dec 13, 2012 at 1:21 PM, David Jaša < djasa at redhat.com >
> wrote:
> 
> 
> Cristian Falcas píše v Čt 13. 12. 2012 v 12:43 +0200:
> 
> 
> > 
> > 
> > 
> > On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev < alonbl at redhat.com >
> > wrote:
> > 
> > 
> > ----- Original Message -----
> > > From: "Cristian Falcas" < cristi.falcas at gmail.com >
> > 
> > > To: "Alon Bar-Lev" < alonbl at redhat.com >
> > > Cc: "Roy Golan" < rgolan at redhat.com >, users at ovirt.org , "Juan
> > > Antonio Hernandez Fernandez" < jhernand at redhat.com >,
> > > "David Jaša" < djasa at redhat.com >, "Itamar Heim" <
> > > iheim at redhat.com >
> > > Sent: Thursday, December 13, 2012 2:01:22 AM
> > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]
> > > Cannot find suitable CPU model for given data)
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> > > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <
> > > alonbl at redhat.com >
> > > wrote:
> > > 
> > > 
> > > 
> > > 
> > > 
> > > ----- Original Message -----
> > > > From: "Cristian Falcas" < cristi.falcas at gmail.com >
> > > > To: "Itamar Heim" < iheim at redhat.com >
> > 
> > > > Cc: "Roy Golan" < rgolan at redhat.com >, users at ovirt.org , "Alon
> > > > Bar-Lev" < alonbl at redhat.com >, "Juan Antonio Hernandez
> > > > Fernandez" < jhernand at redhat.com >, "David Jaša" <
> > > > djasa at redhat.com
> > > > > 
> > > > Sent: Wednesday, December 12, 2012 11:21:32 PM
> > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]
> > > > Cannot
> > > > find suitable CPU model for given data)
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <
> > > > iheim at redhat.com >
> > > > wrote:
> > > > 
> > > > 
> > > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
> > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > i don't know if I should start a new thread for the spice
> > > > problems.
> > > > Here
> > > > goes some improvements:
> > > > 
> > > > I created the certificates like per https://gist.github.com/
> > > > 1655511
> > > > . i
> > > > copied the public one to my home:
> > > > cp /etc/pki/vdsm/libvirt-spice/ ca-cert.pem
> > > > ~cristi/.spice/spice_ truststore.pem
> > > > 
> > > > I had the same problem as in
> > > > https://bugzilla.redhat.com/ show_bug.cgi?id=880182 . For this
> > > > I
> > > 
> > > > needed
> > > > to downgrade libcacard twice (until I had the same version as
> > > > in
> > > > the
> > > > bug)
> > > > 
> > > > Now spice works with virt-manager.
> > > > 
> > > > Can someone tell me where do I need to copy the certificate on
> > > > ovirt
> > > > in
> > > > order to make spice working over there also?
> > > > 
> > > > with which version of boostrap on the engine did you add this
> > > > host.
> > > > 
> > > > 
> > > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
> > > > 
> > > > And otopi packages installed:
> > > > 
> > > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> > > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
> > > > 
> > > > 
> > > 
> > > Any reason to perform certificate enrollment manually?
> > > 
> > > Alon
> > > 
> > > 
> > > It's still not working with the handmade certificates.
> > > 
> > > I tried to create them because of those errors:
> > > 
> > > libvirt log:
> > > 
> > > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could
> > > not
> > > load certificates from /etc/pki/vdsm/libvirt-spice/
> > > server-cert.pem
> > > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could
> > > not
> > > use private key file
> > > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could
> > > not
> > > use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > > 
> > > [root at localhost Ovirt]# ls -la
> > > /etc/pki/vdsm/libvirt-spice/server-cert.pem
> > > ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No
> > > such file or directory
> > > [root at localhost Ovirt]# ls -la
> > > /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No
> > > such
> > > file or directory
> > > 
> > > 
> > > Spice log:
> > > 
> > > 1355334879 INFO [8950:8950] Application::main: starting 0.12.0
> > > 1355334879 INFO [8950:8950] Application::main: command line:
> > > spicec
> > > --controller
> > > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
> > > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen:
> > > platform_win: 77594625
> > > 1355334879 INFO [8950:8950] GUI::GUI:
> > > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a
> > > foreign menu connection /tmp/SpiceForeignMenu-8950.uds
> > > 1355334879 INFO [8950:8950] Controller::Controller: Creating a
> > > controller connection /tmp/spicec-9GS5mA/spice-xpi
> > > 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to
> > > cristifalcas.no-ip.org 5902
> > > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to
> > > connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> > > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error:
> > > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> > > failure
> > > 1355334882 INFO [8950:8950] main: Spice client terminated
> > > (exitcode =
> > > 7)
> > > 
> > > 
> > > 
> > > 
> > > I've done this without an improvment:
> > > 
> > > [root at localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure
> > > Configuring libvirt for vdsm...
> > > [root at localhost Ovirt]# systemctl restart libvirtd.service
> > > vdsmd.service
> > > 
> > 
> > 
> > Why don't you deply the host again? It should create the
> > certificate correctly.
> > 
> > But before you can do this, you must remove whatever certificates
> > you put including symlinks at /etc/pki /etc/libvirt as libvirt
> > will not start if there are invalid certificates.
> > 
> > Alon.
> > 
> > I already did this. Also, i removed all configuration files from
> > host and ovirt, reinstalled ovirt-engine, removed
> > vdsm,libvirt,qemu on host.
> > 
> > I still got this when I start the machine:
> > ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could
> > not load certificates from
> > /etc/pki/vdsm/libvirt-spice/server-cert.pem
> > ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could
> > not use private key file
> > ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could
> > not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> > 
> > And this when I try to connect:
> > 
> > ((null):5004): Spice-Warning **:
> > reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1
> 
> Didn't you disable encryption on engine or in vdsm.conf?
> Unfortunately, it is still interdependent with spice encryption
> setup.
> 
> (and a side question: if so, why did you disable it? oVirt takes care
> of it without any extra work so I see no benefit in it)
> 
> David
> 
> PS: please send mails in plain text
> 
> > 
> > Best regards,
> > Cristian falcas
> > 
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> 
> --
> 
> David Jaša, RHCE
> 
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> 
> 
> 
> 
> I didn't touched anything this time.
> 
> [cristi at localhost ~]$ cat /etc/vdsm/vdsm.conf
> [vars]
> ssl = true
> 
> [addresses]
> management_port = 54321
> 
> 
> qemu:
> ## beginning of configuration section by vdsm-4.9.11
> dynamic_ownership=0
> spice_tls=1
> save_image_format="lzop"
> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
> lock_manager="sanlock"
> auto_dump_path="/var/log/core"
> ## end of configuration section by vdsm-4.9.11
> 
> libvirtd:
> ## beginning of configuration section by vdsm-4.9.11
> listen_addr="0.0.0.0"
> unix_sock_group="kvm"
> unix_sock_rw_perms="0770"
> auth_unix_rw="sasl"
> host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"
> log_outputs="1:file:/var/log/libvirtd.log"
> log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"
> ca_file="/etc/pki/vdsm/certs/cacert.pem"
> cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
> key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
> ## end of configuration section by vdsm-4.9.11

BTW: it will be easier if you use plain text mail messages to list :)

Can you please try to create the following sym links manually and see if it works?

/etc/pki/vdsm/libvirt-spice/ca-cert.pem -> /etc/pki/vdsm/certs/cacert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem -> /etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-key.pem -> /etc/pki/vdsm/keys/vdsmkey.pem

More information about the Users mailing list