[Users] Questions on ovirt 3.3 browser based spice/novnc working

Dead Horse deadhorseconsulting at gmail.com
Thu Aug 1 18:59:14 UTC 2013


That did the trick for getting the websocket proxy configured (I backed
out all my changes prior to running engine-setup). I do notice that it
still seems to leave the ovirt-websocket-proxy.conf in its default state
and makes no modifications to it. Instead it generated
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

I also noted engine setup generated:
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
/etc/pki/ovirt-engine/keys/websocket-proxy.p12
/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
/etc/pki/ovirt-engine/requests/websocket-proxy.req

Nonetheless, still neither spice nor novnc will connect. I tried changing
Engine:6100 to EngineIP:6100 so that IP would be used instead. However
using either the FQDN or IP still yielded the same results.

There was nothing interesting in the logs either. I do notice that whilst
the websocket-proxy service is running I never see any websockify processes,
but instead in /var/log/messages I see:
Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler
exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Thus I changed SSL_ONLY=True to SSL_ONLY=False in
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and restarted
engine and websocket-proxy.
No dice; it still generated the same error as above during an attempted
connection to /var/log/messages

I also note the following error message at VM power off (albeit I am
guessing it has nothing to do with this issue):
2013-08-01 13:41:03,742 ERROR
[org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand] (pool-6-thread-50)
[304efb3e] VDS::destroy Failed destroying vm
fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds =
5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error =
org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException:
VDSGenericException: VDSErrorException: Failed to DestroyVDS, error =
Unexpected exception

- DHC


On Thu, Aug 1, 2013 at 1:07 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:

> If you install the proxy on the engine machine you just need:
>
> # yum install ovirt-engine-websocket-proxy
> # engine-setup
>
> Then answer yes when prompted whether you would like to configure the websocket proxy.
>
> You can execute engine-setup again even if you have already installed.
>
> ----- Original Message -----
> > From: "Dead Horse" <deadhorseconsulting at gmail.com>
> > To: "<users at ovirt.org>" <users at ovirt.org>
> > Sent: Thursday, August 1, 2013 9:01:47 PM
> > Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc working
> >
> > After Referencing:
> > http://www.ovirt.org/Features/noVNC_console
> > http://www.ovirt.org/Features/SpiceHTML5
> >
> > and looking at some of the related engine code.
> >
> > I am still attempting to get the spice/novnc browser based consoles to work.
> >
> > I am working from a build from master yesterday I used to upgrade over a
> > previous 3.3 master build from about a month back.
> >
> > VDSM version on host is 4.12.0 built minutes ago.
> >
> > I have installed and configured the websocket proxy like so:
> >
> > Set WebSocketProxy to engine ENGINEIP port 6100
> > engine-config -s WebSocketProxy=ENGINEIP:6100
> >
> > /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=websocket-proxy
> > --password=install --subject="/C=US/O=DHC/CN=ENGINEFQDN"
> >
> > This generates:
> > /etc/pki/ovirt-engine/keys/websocket-proxy.p12
> > /etc/pki/ovirt-engine/certs/websocket-proxy.cer
> > /etc/pki/ovirt-engine/requests/websocket-proxy.req
> >
> > However it does not generate the key that websockify wants so we do:
> > openssl pkcs12 -in websocket-proxy.p12 -nocerts -nodes -out
> > /etc/pki/ovirt-engine/keys/websocket-proxy.key
> >
> > The configuration of ovirt-websocket-proxy:
> > PROXY_HOST=*
> > PROXY_PORT=6100
> > SOURCE_IS_IPV6=False
> > SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
> > SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key
> > FORCE_DATA_VERIFICATION=False
> > CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> > SSL_ONLY=True
> > TRACE_ENABLE=False
> > TRACE_FILE=
> > ENGINE_USR="/usr/share/ovirt-engine"
> >
> > Install spice-html5
> > git clone http://anongit.freedesktop.org/git/spice/spice-html5.git
> > mv spice-html5 /usr/share
> >
> > Test spice:
> > In Webadmin UI we create a VM, set display as spice, start it and set
> > its console to spice-html5.
> > Result spice-html client opens in a new tab but does not connect.
> >
> > From engine.log:
> > 2013-08-01 12:49:52,352 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]
> > (ajp--127.0.0.1-8702-9) Running command: SetVmTicketCommand internal: false.
> > Entities affected : ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM
> > 2013-08-01 12:49:52,371 INFO
> > [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> > (ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =
> > ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,
> > vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=TKfzUQJLLrUI,
> > validTime=120,m userName=admin at internal,
> > userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 5d258049
> > 2013-08-01 12:49:52,445 INFO
> > [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> > (ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: 5d258049
> >
> > Test novnc:
> > In Webadmin UI we create a VM, set display as VNC, start it and set its
> > console to novnc.
> > Result novnc client opens in a new tab but does not connect, but does display
> > error: "Server disconnected (code: 1006)"
> >
> > From engine.log:
> > 2013-08-01 12:50:44,800 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]
> > (ajp--127.0.0.1-8702-9) Running command: SetVmTicketCommand internal: false.
> > Entities affected : ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM
> > 2013-08-01 12:50:44,833 INFO
> > [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> > (ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =
> > ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,
> > vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=IPWOWh6U9erd,
> > validTime=120,m userName=admin at internal,
> > userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: bff6161
> > 2013-08-01 12:50:44,917 INFO
> > [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> > (ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: bff6161
> >
> > I verified connection of both the spice/vnc console directly at the host
> > level with a quick connect via virt-viewer.
> >
> > A quick scan with nmap of engine and host to verify sockets are open:
> >
> > Nmap scan report for engine
> > Host is up (0.0042s latency).
> > Not shown: 995 closed ports
> > PORT STATE SERVICE
> > 22/tcp open ssh
> > 80/tcp open http
> > 111/tcp open rpcbind
> > 443/tcp open https
> > 6100/tcp open synchronet-db
> >
> > Nmap scan report for host
> > Host is up (0.0045s latency).
> > Not shown: 997 closed ports
> > PORT STATE SERVICE
> > 22/tcp open ssh
> > 111/tcp open rpcbind
> > 5900/tcp open vnc
> >
> > For grins I stopped the websocket proxy and manually started a websockify
> > like so:
> > websockify 3.57.111.11:6100 3.57.111.12:5900
> > --cert=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
> > --key=/etc/pki/ovirt-engine/keys/websocket-proxy.key
> >
> > WARNING: no 'numpy' module, HyBi protocol is slower or disabled
> > WebSocket server settings:
> > - Listen on ENGINEIP:6100
> > - Flash security policy server
> > - SSL/TLS support
> > - proxying from ENGINEIP:6100 to HOSTIP:5900
> >
> > Attempting another connection via
> > https://ENGINEFQDN//ovirt-engine-novnc-main.html?host=ENGINEIP&port=6100
> > results in:
> >
> > 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
> > routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >
> >
> > I should also note, in case it matters, that SSLEnabled=false and
> > EnableSpiceRootCertificateValidation are both set as false in my
> > engine options.
> >
> > Am I doing something wrong here, I don't see any reason this should not work?
> >
> > - DHC
> >
> >
>
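
Added example, not part of the original thread: a small decoder for the OpenSSL error string logged by the proxy above. It assumes the OpenSSL 1.0.x packing of error codes (8-bit library, 12-bit function, 12-bit reason) and shows that `14094418` is TLS alert 48, `unknown_ca`, read from the peer, meaning the connecting client rejected the issuer of the certificate the proxy presented. The function name and the alert table are this example's own.

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 0x14
# In the SSL library, reason = 1000 + alert number for alerts received from the peer.
SSL_AD_REASON_OFFSET = 1000

# Certificate-related alert descriptions from RFC 5246, section 7.2.
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(line):
    """Split the packed code in a log line; return None if no code is present."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    info = {
        "lib": code >> 24,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "peer_alert": None,
    }
    if info["lib"] == ERR_LIB_SSL and info["reason"] > SSL_AD_REASON_OFFSET:
        number = info["reason"] - SSL_AD_REASON_OFFSET
        info["peer_alert"] = TLS_ALERTS.get(number, "alert_%d" % number)
    return info


# The /var/log/messages entry quoted in the message, joined onto one line.
SAMPLE = ("Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler "
          "exception: [Errno 1] _ssl.c:1359: error:14094418:SSL "
          "routines:SSL3_READ_BYTES:tlsv1 alert unknown ca")

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

Because the alert originates on the client side of the handshake, it is the client's trust store, not the proxy's listening address, that determines whether this error appears.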