[Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)
Cristian Falcas
cristi.falcas at gmail.com
Thu Dec 13 13:00:56 UTC 2012
On Thu, Dec 13, 2012 at 1:57 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>
>
> ----- Original Message -----
>> From: "Cristian Falcas" <cristi.falcas at gmail.com>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: users at ovirt.org
>> Sent: Thursday, December 13, 2012 1:52:10 PM
>> Subject: Re: [Users] Spice issues with latest vdsm (was Re: Cannot find suitable CPU model for given data)
>>
>>
>>
>>
>> On Thu, Dec 13, 2012 at 1:35 PM, Alon Bar-Lev < alonbl at redhat.com >
>> wrote:
>> >
>> >
>> >
>> > ----- Original Message -----
>> > > From: "Cristian Falcas" < cristi.falcas at gmail.com >
>> > > To: users at ovirt.org
>> > > Sent: Thursday, December 13, 2012 1:27:09 PM
>> > > Subject: Re: [Users] Spice issues with latest vdsm (was Re:
>> > > Cannot find suitable CPU model for given data)
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > On Thu, Dec 13, 2012 at 1:21 PM, David Jaša < djasa at redhat.com >
>> > > wrote:
>> > >
>> > >
>> > > Cristian Falcas píše v Čt 13. 12. 2012 v 12:43 +0200:
>> > >
>> > >
>> > > >
>> > > >
>> > > >
>> > > > On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <
>> > > > alonbl at redhat.com >
>> > > > wrote:
>> > > >
>> > > >
>> > > > ----- Original Message -----
>> > > > > From: "Cristian Falcas" < cristi.falcas at gmail.com >
>> > > >
>> > > > > To: "Alon Bar-Lev" < alonbl at redhat.com >
>> > > > > Cc: "Roy Golan" < rgolan at redhat.com >, users at ovirt.org ,
>> > > > > "Juan
>> > > > > Antonio Hernandez Fernandez" < jhernand at redhat.com >,
>> > > > > "David Jaša" < djasa at redhat.com >, "Itamar Heim" <
>> > > > > iheim at redhat.com >
>> > > > > Sent: Thursday, December 13, 2012 2:01:22 AM
>> > > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]
>> > > > > Cannot find suitable CPU model for given data)
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > >
>> > > > > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <
>> > > > > alonbl at redhat.com >
>> > > > > wrote:
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > > ----- Original Message -----
>> > > > > > From: "Cristian Falcas" < cristi.falcas at gmail.com >
>> > > > > > To: "Itamar Heim" < iheim at redhat.com >
>> > > >
>> > > > > > Cc: "Roy Golan" < rgolan at redhat.com >, users at ovirt.org ,
>> > > > > > "Alon
>> > > > > > Bar-Lev" < alonbl at redhat.com >, "Juan Antonio Hernandez
>> > > > > > Fernandez" < jhernand at redhat.com >, "David Jaša" <
>> > > > > > djasa at redhat.com
>> > > > > > >
>> > > > > > Sent: Wednesday, December 12, 2012 11:21:32 PM
>> > > > > > Subject: Re: Spice issues with latest vdsm (was Re: [Users]
>> > > > > > Cannot
>> > > > > > find suitable CPU model for given data)
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <
>> > > > > > iheim at redhat.com >
>> > > > > > wrote:
>> > > > > >
>> > > > > >
>> > > > > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
>> > > > > >
>> > > > > >
>> > > > > > Hi,
>> > > > > >
>> > > > > > i don't know if I should start a new thread for the spice
>> > > > > > problems.
>> > > > > > Here
>> > > > > > goes some improvements:
>> > > > > >
>> > > > > > I created the certificates like per
>> > > > > > https://gist.github.com/
>> > > > > > 1655511
>> > > > > > . i
>> > > > > > copied the public one to my home:
>> > > > > > cp /etc/pki/vdsm/libvirt-spice/ ca-cert.pem
>> > > > > > ~cristi/.spice/spice_ truststore.pem
>> > > > > >
>> > > > > > I had the same problem as in
>> > > > > > https://bugzilla.redhat.com/ show_bug.cgi?id=880182 . For
>> > > > > > this
>> > > > > > I
>> > > > >
>> > > > > > needed
>> > > > > > to downgrade libcacard twice (until I had the same version
>> > > > > > as
>> > > > > > in
>> > > > > > the
>> > > > > > bug)
>> > > > > >
>> > > > > > Now spice works with virt-manager.
>> > > > > >
>> > > > > > Can someone tell me where do I need to copy the certificate
>> > > > > > on
>> > > > > > ovirt
>> > > > > > in
>> > > > > > order to make spice working over there also?
>> > > > > >
>> > > > > > with which version of boostrap on the engine did you add
>> > > > > > this
>> > > > > > host.
>> > > > > >
>> > > > > >
>> > > > > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
>> > > > > >
>> > > > > > And otopi packages installed:
>> > > > > >
>> > > > > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>> > > > > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>> > > > > >
>> > > > > >
>> > > > >
>> > > > > Any reason to perform certificate enrollment manually?
>> > > > >
>> > > > > Alon
>> > > > >
>> > > > >
>> > > > > It's still not working with the handmade certificates.
>> > > > >
>> > > > > I tried to create them because of those errors:
>> > > > >
>> > > > > libvirt log:
>> > > > >
>> > > > > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl:
>> > > > > Could
>> > > > > not
>> > > > > load certificates from /etc/pki/vdsm/libvirt-spice/
>> > > > > server-cert.pem
>> > > > > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl:
>> > > > > Could
>> > > > > not
>> > > > > use private key file
>> > > > > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl:
>> > > > > Could
>> > > > > not
>> > > > > use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> > > > >
>> > > > > [root at localhost Ovirt]# ls -la
>> > > > > /etc/pki/vdsm/libvirt-spice/server-cert.pem
>> > > > > ls: cannot access
>> > > > > /etc/pki/vdsm/libvirt-spice/server-cert.pem: No
>> > > > > such file or directory
>> > > > > [root at localhost Ovirt]# ls -la
>> > > > > /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> > > > > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No
>> > > > > such
>> > > > > file or directory
>> > > > >
>> > > > >
>> > > > > Spice log:
>> > > > >
>> > > > > 1355334879 INFO [8950:8950] Application::main: starting
>> > > > > 0.12.0
>> > > > > 1355334879 INFO [8950:8950] Application::main: command line:
>> > > > > spicec
>> > > > > --controller
>> > > > > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
>> > > > > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen:
>> > > > > platform_win: 77594625
>> > > > > 1355334879 INFO [8950:8950] GUI::GUI:
>> > > > > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu:
>> > > > > Creating a
>> > > > > foreign menu connection /tmp/SpiceForeignMenu-8950.uds
>> > > > > 1355334879 INFO [8950:8950] Controller::Controller: Creating
>> > > > > a
>> > > > > controller connection /tmp/spicec-9GS5mA/spice-xpi
>> > > > > 1355334882 INFO [8950:8952] RedPeer::connect_secure:
>> > > > > Connected to
>> > > > > cristifalcas.no-ip.org 5902
>> > > > > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed
>> > > > > to
>> > > > > connect w/SSL, ssl_error
>> > > > > error:00000001:lib(0):func(0):reason(1)
>> > > > > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error:
>> > > > > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
>> > > > > handshake
>> > > > > failure
>> > > > > 1355334882 INFO [8950:8950] main: Spice client terminated
>> > > > > (exitcode =
>> > > > > 7)
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > > I've done this without an improvment:
>> > > > >
>> > > > > [root at localhost Ovirt]# /lib/systemd/systemd-vdsmd
>> > > > > reconfigure
>> > > > > Configuring libvirt for vdsm...
>> > > > > [root at localhost Ovirt]# systemctl restart libvirtd.service
>> > > > > vdsmd.service
>> > > > >
>> > > >
>> > > >
>> > > > Why don't you deply the host again? It should create the
>> > > > certificate correctly.
>> > > >
>> > > > But before you can do this, you must remove whatever
>> > > > certificates
>> > > > you put including symlinks at /etc/pki /etc/libvirt as libvirt
>> > > > will not start if there are invalid certificates.
>> > > >
>> > > > Alon.
>> > > >
>> > > > I already did this. Also, i removed all configuration files
>> > > > from
>> > > > host and ovirt, reinstalled ovirt-engine, removed
>> > > > vdsm,libvirt,qemu on host.
>> > > >
>> > > > I still got this when I start the machine:
>> > > > ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl:
>> > > > Could
>> > > > not load certificates from
>> > > > /etc/pki/vdsm/libvirt-spice/server-cert.pem
>> > > > ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl:
>> > > > Could
>> > > > not use private key file
>> > > > ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl:
>> > > > Could
>> > > > not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> > > >
>> > > > And this when I try to connect:
>> > > >
>> > > > ((null):5004): Spice-Warning **:
>> > > > reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1
>> > >
>> > > Didn't you disable encryption on engine or in vdsm.conf?
>> > > Unfortunately, it is still interdependent with spice encryption
>> > > setup.
>> > >
>> > > (and a side question: if so, why did you disable it? oVirt takes
>> > > care
>> > > of it without any extra work so I see no benefit in it)
>> > >
>> > > David
>> > >
>> > > PS: please send mails in plain text
>> > >
>> > > >
>> > > > Best regards,
>> > > > Cristian falcas
>> > > >
>> > > > _______________________________________________
>> > > > Users mailing list
>> > > > Users at ovirt.org
>> > > > http://lists.ovirt.org/mailman/listinfo/users
>> > >
>> > > --
>> > >
>> > > David Jaša, RHCE
>> > >
>> > > SPICE QE based in Brno
>> > > GPG Key: 22C33E24
>> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>> > >
>> > >
>> > >
>> > >
>> > > I didn't touched anything this time.
>> > >
>> > > [cristi at localhost ~]$ cat /etc/vdsm/vdsm.conf
>> > > [vars]
>> > > ssl = true
>> > >
>> > > [addresses]
>> > > management_port = 54321
>> > >
>> > >
>> > > qemu:
>> > > ## beginning of configuration section by vdsm-4.9.11
>> > > dynamic_ownership=0
>> > > spice_tls=1
>> > > save_image_format="lzop"
>> > > spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
>> > > lock_manager="sanlock"
>> > > auto_dump_path="/var/log/core"
>> > > ## end of configuration section by vdsm-4.9.11
>> > >
>> > > libvirtd:
>> > > ## beginning of configuration section by vdsm-4.9.11
>> > > listen_addr="0.0.0.0"
>> > > unix_sock_group="kvm"
>> > > unix_sock_rw_perms="0770"
>> > > auth_unix_rw="sasl"
>> > > host_uuid="ac7ce924-3da8-41a5-9fa5-03af184b0437"
>> > > log_outputs="1:file:/var/log/libvirtd.log"
>> > > log_filters="1:libvirt 3:event 3:json 1:util 1:qemu"
>> > > ca_file="/etc/pki/vdsm/certs/cacert.pem"
>> > > cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
>> > > key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
>> > > ## end of configuration section by vdsm-4.9.11
>> >
>> > BTW: it will be easier if you use plain text mail messages to list
>> > :)
>> >
>> > Can you please try to create the following sym links manually and
>> > see if it works?
>> >
>> > /etc/pki/vdsm/libvirt-spice/ca-cert.pem ->
>> > /etc/pki/vdsm/certs/cacert.pem
>> > /etc/pki/vdsm/libvirt-spice/server-cert.pem ->
>> > /etc/pki/vdsm/certs/vdsmcert.pem
>> > /etc/pki/vdsm/libvirt-spice/server-key.pem ->
>> > /etc/pki/vdsm/keys/vdsmkey.pem
>>
>>
>> It worked. Thank you.
>>
>> Regarding the html email: I'm using gmail as the email client and I
>> don't know how to set it to send text emails only. I removed all
>> formatting from this replay, maybe it's better now?
>
> gmail: new interface: right left arrow(menu) -> plain text mode.
> gmail: old interface: above message -> plain text
>
> I will fix this for next nightly.
>
> Alon.
thank you for the explanation
More information about the Users
mailing list