[Users] Unable to login into console Spice VNC anyone?

Itamar Heim iheim at redhat.com
Sat Jul 28 04:28:31 UTC 2012


On 07/27/2012 10:15 PM, Brent Bolin wrote:
> I have been seeing selinux denials.  I'm not sure if it was for the
> allinone plugin.
>
> Should selinux be enabled or disabled?

enabled, but doesn't mean it doesn't have bugs:
- try with disabled
- report the denials

>
> On Fri, Jul 27, 2012 at 1:54 PM, Yaniv Kaul <ykaul at redhat.com> wrote:
>> Did you look for selinux denials?
>>
>> ----- Original Message -----
>>> I was not able to get this working using beta
>>> ovirt-engine-setup-plugin-allinone rpm
>>>
>>> Used answer file as recommended on the wiki.  I didn't document the
>>> exact error, but the install failed.
>>>
>>> I did another install using F16 Installing VDSM from rpm
>>>
>>> [ovirt-engine-3.0]
>>> name=ovirt-engine-3.0
>>> baseurl=http://www.ovirt.org/releases/3.0/rpm/Fedora/16
>>> enabled=1
>>> gpgcheck=0
>>>
>>>
>>> And then doing engine-setup
>>>
>>> And then installing spice-xpi
>>>
>>> Can't explain it but it's working from the F16 desktop using FF :)
>>>
>>>
>>>
>>> On Thu, Jul 26, 2012 at 5:13 AM, Itamar Heim <iheim at redhat.com>
>>> wrote:
>>>> On 07/26/2012 01:10 PM, David Jaša wrote:
>>>>>
>>>>> Brent Bolin píše v St 25. 07. 2012 v 13:46 -0500:
>>>>>>
>>>>>> I have seen this.  Can give it a try.
>>>>>>
>>>>>> At this point I'm not sure if it's a problem with my configuration.
>>>>>> Or making console connections with either vnc or spice.  The ports are
>>>>>> clearly running -
>>>>>>
>>>>>> netstat -an|grep 590
>>>>>> tcp        0      0 0.0.0.0:5900                0.0.0.0:*                   LISTEN
>>>>>> tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN
>>>>>>
>>>>>>
>>>>>> When using plain old kvm, virt-manager I could just simply
>>>>>> connect
>>>>>> using any vnc or virt-viewer or x11 virtmanager.
>>>>>>
>>>>>> I'm not sure what ovirt is doing with tls etc...
>>>>>>
>>>>>
>>>>> As Itamar already said, it:
>>>>> * sets up TLS and enforces it.
>>>>> * sets up temporary ticket
>>>>>
>>>>> If you want to connect to the console manually, you have to set up the
>>>>> ticket - on the server, follow these steps in order to achieve it (from
>>>>> top of my head, can contain typos):
>>>>> VM_UUID="$(vdsClient -s 0 list table | grep $VM_NAME | awk '{print $1}')"
>>>>> vdsClient -s 0 setVmTicket $VM_UUID $PASSWORD $TIMEOUT
>>>>>
>>>>> For TLS, you'll need CA file and host subject in case of host name used
>>>>> on CLI not matching host name in server cert CN. Assuming you're
>>>>> connecting from some other computer:
>>>>> SUBJECT="$(ssh root@$HOST 'grep Subject: /etc/pki/vdsm/libvirt-spice/server-cert.pem' | sed -e 's/, /,/')"
>>>>> scp root@$HOST:/etc/pki/rhevm/ca.pem $CA_FILE
>>>>> remote-viewer --spice-ca-file=$CA_FILE --spice-host-subject=$SUBJECT spice://$HOST/?port=$PORT,tls-port=$SECURE_PORT
>>>>> # it will ask for password in pop-up window
>>>>> # OR you can use "good old" spicec:
>>>>> spicec --ca-file=$CA_FILE --host-subject=$SUBJECT -h $HOST -p $PORT -s $SECURE_PORT -w $PASSWORD
>>>>>
>>>>> David
>>>>>
>>>>> PS: given all the info, I guess you've run into some instance of this
>>>>> downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=839548
>>>>
>>>>
>>>> brent - this only fails user portal. are you failing from webadmin
>>>> as well?
>>>>
>>>>
>>>>>
>>>>>
>>>>>> Not being able to get console access is a definite show stopper.  And
>>>>>> it shouldn't be rocket science to do it.  And it should be accessible
>>>>>> from either linux or windows clients.  Does vSphere (windows only)
>>>>>> ring a bell?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 25, 2012 at 1:09 PM, Itamar Heim <iheim at redhat.com>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>> would it be relevant for you to try the 3.1 beta?
>>>>>>> it has this which should cover your 'all in one' needs:
>>>>>>> http://www.ovirt.org/wiki/Feature/AllInOne
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 07/25/2012 06:52 PM, Brent Bolin wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks David for your reply -
>>>>>>>>
>>>>>>>> I have completely flushed all iptables rules 'iptables --flush' -
>>>>>>>>
>>>>>>>> iptables -L -v -n
>>>>>>>> Chain INPUT (policy ACCEPT 1775K packets, 627M bytes)
>>>>>>>>     pkts bytes target     prot opt in     out     source               destination
>>>>>>>>
>>>>>>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>>>>>>     pkts bytes target     prot opt in     out     source               destination
>>>>>>>>
>>>>>>>> Chain OUTPUT (policy ACCEPT 1754K packets, 589M bytes)
>>>>>>>>     pkts bytes target     prot opt in     out     source               destination
>>>>>>>>
>>>>>>>>
>>>>>>>> The base host is Fedora 16 running with desktop
>>>>>>>>
>>>>>>>> First installed vdsm and then ovirt-engine
>>>>>>>>
>>>>>>>> Single network bridge installed, but there is another 1GB nic that isn't
>>>>>>>> being used -
>>>>>>>>
>>>>>>>> eth0      Link encap:Ethernet  HWaddr 00:1B:21:7D:ED:4A
>>>>>>>>              inet6 addr: fe80::21b:21ff:fe7d:ed4a/64 Scope:Link
>>>>>>>>              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>              RX packets:99656 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>              TX packets:51508 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>              collisions:0 txqueuelen:1000
>>>>>>>>              RX bytes:63007897 (60.0 MiB)  TX bytes:18148736 (17.3 MiB)
>>>>>>>>
>>>>>>>> lo        Link encap:Local Loopback
>>>>>>>>              inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>>>              inet6 addr: ::1/128 Scope:Host
>>>>>>>>              UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>>>>              RX packets:1814674 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>              TX packets:1814674 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>              collisions:0 txqueuelen:0
>>>>>>>>              RX bytes:646274067 (616.3 MiB)  TX bytes:646274067 (616.3 MiB)
>>>>>>>>
>>>>>>>> ovirtmgmt Link encap:Ethernet  HWaddr 00:1B:21:7D:ED:4A
>>>>>>>>              inet addr:192.168.0.118  Bcast:192.168.0.255  Mask:255.255.255.0
>>>>>>>>              inet6 addr: fe80::21b:21ff:fe7d:ed4a/64 Scope:Link
>>>>>>>>              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>              RX packets:70706 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>              TX packets:48717 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>              collisions:0 txqueuelen:0
>>>>>>>>              RX bytes:52195637 (49.7 MiB)  TX bytes:14942359 (14.2 MiB)
>>>>>>>>
>>>>>>>> vnet0     Link encap:Ethernet  HWaddr FE:1A:4A:A8:00:00
>>>>>>>>              inet6 addr: fe80::fc1a:4aff:fea8:0/64 Scope:Link
>>>>>>>>              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>              RX packets:3 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>              TX packets:14 errors:0 dropped:0 overruns:1 carrier:0
>>>>>>>>              collisions:0 txqueuelen:500
>>>>>>>>              RX bytes:1299 (1.2 KiB)  TX bytes:2760 (2.6 KiB)
>>>>>>>>
>>>>>>>> After ovirt engine is installed logged into the interface and configured
>>>>>>>> the host using 127.0.0.1.  Host reboots.  Host shows up in the admin
>>>>>>>> interface only complaining about power management that isn't configured.
>>>>>>>>
>>>>>>>> Here
>>>>>>>> <https://picasaweb.google.com/lh/photo/3vclaT_6d3uy2QODU6xp_zyLvDWH8k_pPWnP_LVb4fM?feat=directlink>
>>>>>>>> is a screen shot of the web interface
>>>>>>>>
>>>>>>>> The only configuration settings I've changed are in the qemu.conf to
>>>>>>>> either tls=0 or tls=1
>>>>>>>>
>>>>>>>> spice-gtk-0.11-4.fc16.x86_64
>>>>>>>> spice-client-0.10.1-1.fc16.x86_64
>>>>>>>> spice-glib-0.11-4.fc16.x86_64
>>>>>>>> spice-gtk3-0.11-4.fc16.x86_64
>>>>>>>> spice-xpi-2.7-3.fc16.x86_64
>>>>>>>> spice-gtk-tools-0.11-4.fc16.x86_64
>>>>>>>> spice-server-0.10.1-1.fc16.x86_64
>>>>>>>>
>>>>>>>> The link in the admin interface shows available (using FF).  When I click
>>>>>>>> it opens a spicec:0 dialog and just closes
>>>>>>>>
>>>>>>>> If I try to open from a shell I get things like this -
>>>>>>>>
>>>>>>>> Brief window open and then error -
>>>>>>>>
>>>>>>>> spicec -h 127.0.0.1 -p 5900
>>>>>>>> Warning: connect error 5 - need secured connection
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Jul 25, 2012 at 10:04 AM, David Jaša <djasa at redhat.com
>>>>>>>> <mailto:djasa at redhat.com>> wrote:
>>>>>>>>    > Hi Brent,
>>>>>>>>    >
>>>>>>>>    > first guess: have a look if your iptables setup allows connection to the
>>>>>>>>    > qemu processes. RHEV 3.0 documentation (publicly accessible) says that a
>>>>>>>>    > host needs these ports open:
>>>>>>>>    >         port 22 for SSH,
>>>>>>>>    >         ports 5634 to 6166 for guest console connections,
>>>>>>>>    >         port 16514 for libvirt virtual machine migration traffic,
>>>>>>>>    >         ports 49152 to 49216 for VDSM virtual machine migration traffic,
>>>>>>>>    >         and
>>>>>>>>    >         port 54321 for the Red Hat Enterprise Virtualization Manager.
>>>>>>>>    >
>>>>>>>>    > If you have ovirt-engine running on the same machine as vdsm, most of
>>>>>>>>    > the ports don't need to be accessible from outside but "guest console"
>>>>>>>>    > ports do.
>>>>>>>>    >
>>>>>>>>    > If it isn't iptables, please share at least:
>>>>>>>>    > * what your actual topology is (engine on the physical host?)
>>>>>>>>    > * if you use some custom tls settings such as tls switched off
>>>>>>>>    > * what spice client & xpi versions are you using
>>>>>>>>    > * how exactly the client failed (showed error window? with what error?
>>>>>>>>    >   just didn't launch?)
>>>>>>>>    >
>>>>>>>>    > In your email, you didn't write any debugging hints apart from the setup
>>>>>>>>    > being single-host one...
>>>>>>>>    >
>>>>>>>>    > David
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>    > Brent Bolin píše v St 25. 07. 2012 v 09:00 -0500:
>>>>>>>>    >> About 6 months ago I asked on this list if it was possible to install
>>>>>>>>    >> ovirt on a single host.  Thread got long and winded and lost interest.
>>>>>>>>    >>
>>>>>>>>    >> Started looking at the project again about two days ago.  What I
>>>>>>>>    >> really didn't understand was using a base Fedora install.  Installing
>>>>>>>>    >> vdsm and then installing ovirt engine.
>>>>>>>>    >>
>>>>>>>>    >> So everything is up.  Created data center, storage, cluster, host and
>>>>>>>>    >> virtual machine.
>>>>>>>>    >>
>>>>>>>>    >> But I can't get there from here.  I can't get console running to
>>>>>>>>    >> configure the booted install.
>>>>>>>>    >>
>>>>>>>>    >> I've tried VNC, Spice, Firefox with spice-xpi plugin.
>>>>>>>>    >>
>>>>>>>>    >> Tried tweaking, turning, touching, swearing @ /etc/libvirt/qemu.conf
>>>>>>>>    >> settings.  tls settings.  Not even sure if this is the right place to
>>>>>>>>    >> be checking.
>>>>>>>>    >>
>>>>>>>>    >> This is a show stopper.
>>>>>>>>    >>
>>>>>>>>    >> LSB Version:    :core-4.0-amd64:core-4.0-noarch
>>>>>>>>    >> Distributor ID: Fedora
>>>>>>>>    >> Description:    Fedora release 16 (Verne)
>>>>>>>>    >> Release:        16
>>>>>>>>    >> Codename:       Verne
>>>>>>>>    >>
>>>>>>>>    >> [root at ovirt # rpm -qa|grep ovirt-engine
>>>>>>>>    >> ovirt-engine-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-log-collector-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-iso-uploader-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-backend-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-notification-service-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-jboss-deps-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-tools-common-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-dbscripts-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-setup-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-jbossas-1.2-2.fc16.x86_64
>>>>>>>>    >> ovirt-engine-userportal-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-restapi-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-genericapi-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-config-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >> ovirt-engine-webadmin-portal-3.0.0_0001-1.6.fc16.x86_64
>>>>>>>>    >>
>>>>>>>>    >> Any input would be appreciated
>>>>>>>>    >> _______________________________________________
>>>>>>>>    >> Users mailing list
>>>>>>>>    >> Users at ovirt.org <mailto:Users at ovirt.org>
>>>>>>>>
>>>>>>>>    >> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>    >
>>>>>>>>    > --
>>>>>>>>    >
>>>>>>>>    > David Jaša, RHCE
>>>>>>>>    >
>>>>>>>>    > SPICE QE based in Brno
>>>>>>>>    > GPG Key:     22C33E24
>>>>>>>>    > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
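
For the "report the denials" step in the reply at the top of this message, the following added example (not code from the thread or from the oVirt project) collapses AVC records into one line per distinct denial with a count, which is the form a bug report needs. The audit records are constructed samples, and `sample_audit_log` and `summarize_avc` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: collapse SELinux AVC denials into one line per distinct denial.
# The audit records below are constructed samples, not taken from the thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1343448001.101:451): avc:  denied  { name_bind } for  pid=2211 comm="qemu-kvm" src=5901 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1343448002.202:452): avc:  denied  { name_bind } for  pid=2290 comm="qemu-kvm" src=5902 scontext=system_u:system_r:svirt_t:s0:c56,c78 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1343448003.303:453): avc:  denied  { open } for  pid=2211 comm="qemu-kvm" path="/etc/pki/vdsm/libvirt-spice/server-cert.pem" dev=dm-1 ino=3999 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1343448003.303:453): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"
EOF
}

# Reads audit records on stdin and prints, most frequent first:
#   count comm permissions tclass source_type target_type
# Only the SELinux type is kept from each context: the MCS categories
# (s0:c12,c34) differ per VM and would split identical denials apart.
summarize_avc() {
    awk '
    # Return the value of key=value from the current record, quotes removed.
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "-"
    }
    # user:role:type:level -> type
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }
    /avc: +denied/ {
        perms = $0
        sub(/.*[{] */, "", perms)     # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)     # drop " }" and the rest
        gsub(/ /, ",", perms)         # "read write" -> "read,write"
        key = field("comm") " " perms " " field("tclass") " " \
              setype(field("scontext")) " " setype(field("tcontext"))
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

sample_audit_log | summarize_avc
```

On a host, feed it `ausearch -m avc -ts today` or `/var/log/audit/audit.log`; testing in permissive mode (`setenforce 0`) keeps the denials logged, which a fully disabled SELinux does not.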
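
For the TLS step in the quoted procedure, this added example (not code from the thread) derives the value passed to `--spice-host-subject` from a certificate text dump and checks whether the name used to connect differs from the certificate CN, which is the case where the host subject is needed. The certificate text, the host names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. The certificate text is a constructed sample in the layout
# printed by `openssl x509 -text`; it is not taken from the thread.
sample_cert_text() {
cat <<'EOF'
Certificate:
    Data:
        Issuer: C=US, O=example.test, CN=CA-engine.example.test.12345
        Subject: O=example.test, CN=node1.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
EOF
}

# Read a certificate text dump on stdin and print the subject as
# "O=...,CN=...": no "Subject:" label, no blanks around "," or "=".
# Handles both "O=x, CN=y" and the newer "O = x, CN = y" layout.
host_subject() {
    sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | sed -n 1p |
    sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/g'
}

# Print the CN component of a normalized subject string.
subject_cn() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^CN=//p' | sed -n 1p
}

# Exit status 0 when the name typed on the client command line ($1) is not
# the CN of the subject ($2), so the client needs an explicit host subject.
needs_host_subject() {
    [ "$(subject_cn "$2")" != "$1" ]
}

# Connecting by address, as in the spicec attempt against 127.0.0.1.
subj=$(sample_cert_text | host_subject)
if needs_host_subject 127.0.0.1 "$subj"; then
    echo "CN differs from 127.0.0.1: use --spice-host-subject=\"$subj\" with the CA file"
fi
```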




