[Users] Questions on ovirt 3.3 browser based spice/novnc working

Dead Horse deadhorseconsulting at gmail.com
Thu Aug 1 18:01:47 UTC 2013


After Referencing:
http://www.ovirt.org/Features/noVNC_console
http://www.ovirt.org/Features/SpiceHTML5

and looking at some of the related engine code.

I am still attempting to get the spice/novnc browser based consoles to work.

I am working from a build from master yesterday I used to upgrade over a
previous 3.3 master build from about a month back.

VDSM version on host is 4.12.0 built minutes ago.

I have installed and configured the websocket proxy like so:

Set WebSocketProxy to engine ENGINEIP port 6100
engine-config -s WebSocketProxy=ENGINEIP:6100

/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=websocket-proxy
--password=install --subject="/C=US/O=DHC/CN=ENGINEFQDN"

This generates:
/etc/pki/ovirt-engine/keys/websocket-proxy.p12
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
/etc/pki/ovirt-engine/requests/websocket-proxy.req

However it does not generate the key that websockify wants so we do:
openssl pkcs12 -in websocket-proxy.p12 -nocerts -nodes -out
/etc/pki/ovirt-engine/keys/websocket-proxy.key

The configuration of ovirt-websocket-proxy:
PROXY_HOST=*
PROXY_PORT=6100
SOURCE_IS_IPV6=False
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key
FORCE_DATA_VERIFICATION=False
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True
TRACE_ENABLE=False
TRACE_FILE=
ENGINE_USR="/usr/share/ovirt-engine"

Install spice-html5
git clone http://anongit.freedesktop.org/git/spice/spice-html5.git
mv spice-html5 /usr/share

Test spice:
In Webadmin UI we set create a VM, set display as spice, start it and set
it's console to spice-html5.
Result spice-html client opens in a new tab but does not connect.

>From engine.log:
2013-08-01 12:49:52,352 INFO
[org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9)
Running command: SetVmTicketCommand internal: false. Entities affected :
ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM
2013-08-01 12:49:52,371 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =
ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,
vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=TKfzUQJLLrUI,
validTime=120,m userName=admin at internal,
userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 5d258049
2013-08-01 12:49:52,445 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: 5d258049

Test novnc:
In Webadmin UI we set create a VM, set display as VNC, start it and set
it's console to novnc.
Result novnc client opens in a new tab but does not connect, but does
display error: "Server disconnected (code: 1006)

>From engine.log:
2013-08-01 12:50:44,800 INFO
[org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9)
Running command: SetVmTicketCommand internal: false. Entities affected :
ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM
2013-08-01 12:50:44,833 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =
ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,
vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=IPWOWh6U9erd,
validTime=120,m userName=admin at internal,
userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: bff6161
2013-08-01 12:50:44,917 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: bff6161

I verified connection of both the spice/vnc console directly at the host
level with a quick connect via virt-viewer.

A quick scan with nmap of engine and host to verify sockets are open:

Nmap scan report for engine
Host is up (0.0042s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
6100/tcp open  synchronet-db

Nmap scan report for host
Host is up (0.0045s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5900/tcp open  vnc

For grins I stopped the websocket proxy and manually started a websockify
like so:
websockify 3.57.111.11:6100
3.57.111.12:5900--cert=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
--key=/etc/pki/ovirt-engine/keys/websocket-proxy.key

WARNING: no 'numpy' module, HyBi protocol is slower or disabled
WebSocket server settings:
  - Listen on ENGINEIP:6100
  - Flash security policy server
  - SSL/TLS support
  - proxying from ENGINEIP:6100 to HOSTIP:5900

Attempting another connection via
https://ENGINEFQDN//ovirt-engine-novnc-main.html?host=ENGINEIP&port=6100results
in:

  1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca


I should also note in case it matters that the SSLEnabled=false, and
EnableSpiceRootCertificateValidation are both set as false are set in my
engine options.

Am I doing something wrong here, I don't see any reason this should not
work?

- DHC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20130801/579827ed/attachment-0001.html>


More information about the Users mailing list