[ovirt-users] libvirt failed to read spice key

Bill James bill.james at j2.com
Fri Apr 1 15:21:44 UTC 2016


SELinux status:                 disabled


[root at ovirt2 test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice|grep -v 2016|tail
total 84
-rw-r--r-- 1 root kvm 1379 Feb 19 17:09 ca-cert.pem
-rw-r--r-- 1 root kvm 1570 Mar  7 09:44 server-cert.pem
-r--r----- 1 vdsm kvm 1675 Mar  7 09:44 server-key.pem

Now I modify them to get spice to work:

[root at ovirt2 dmz.test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice
total 12
-rw-r--r-- 1 root kvm 1379 Mar 22 13:09 ca-cert.pem
-rw-r--r-- 1 root kvm 1570 Mar 22 13:09 server-cert.pem
-r--r--r-- 1 vdsm kvm 1675 Mar 22 13:09 server-key.pem


The only thing I do now out of basic install is adding 'user = "root"' 
to /etc/libvirt/qemu.conf  and then reboot the box.
This is for import-to-ovirt.pl to work.

I have tried host redeploy, remove/install. The only thing I found that 
worked, other than changing file perms, is to re-kickstart the server.

Not sure what user other than vdsm or root would be accessing the file.



On 4/1/16 1:48 AM, Michal Skrivanek wrote:
>> On 26 Mar 2016, at 01:19, Bill James <bill.james at j2.com> wrote:
>>
>> I'm very interested in this too as I have same problem with spice private keys.
> Can you please paste permissions and SELinux status, security context of that qemu & libvirt process and the inaccessible key file (ps -Z, ls -lZ)?
>
> I wonder if host redeploy would help... did you try to reinstall the host? It should go through the certificate enrollment again and shouldn’t mess with anything else.
>
> Thanks,
> michal
>
>>
>>
>> On 3/24/16 2:02 AM, Fabrice Bacchella wrote:
>>> I'm running on a brand new CentOS 7.2 an up-to-date oVirt 3.6.3.4.
>>>
>>> The host is new too and dedicated to oVirt.
>>>
>>> When I try to launch a VM, I get:
>>>
>>> Thread-9407::ERROR::2016-03-24 09:16:18,301::vm::759::virt.vm::(_startUnderlyingVm) vmId=`a32e1043-a5a5-4e4c-8436-f7b7a4ff644c`::The vm start process failed
>>> Traceback (most recent call last):
>>>    File "/usr/share/vdsm/virt/vm.py", line 703, in _startUnderlyingVm
>>>      self._run()
>>>    File "/usr/share/vdsm/virt/vm.py", line 1941, in _run
>>>      self._connection.createXML(domxml, flags),
>>>    File "/usr/lib/python2.7/site-packages/vdsm/libvirtconnection.py", line 124, in wrapper
>>>      ret = f(*args, **kwargs)
>>>    File "/usr/lib/python2.7/site-packages/vdsm/utils.py", line 1313, in wrapper
>>>      return func(inst, *args, **kwargs)
>>>    File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3611, in createXML
>>>      if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
>>> libvirtError: internal error: process exited while connecting to monitor: ((null):23672): Spice-Warning **: reds.c:3311:reds_init_ssl: Could not use private key file
>>> 2016-03-24T08:16:18.005359Z qemu-kvm: failed to initialize spice server
>>>
>>>
>>> /var/log/libvirt/qemu/test.log says
>>>
>>> 2016-03-24 08:55:48.214+0000: starting up libvirt version: 1.2.17, package: 13.el7_2.3 (CentOS BuildSystem <http://bugs.centos.org>, 2016-02-16-17:06:00, worker1.bsys.centos.org), qemu version: 2.3.0 (qemu-kvm-ev-2.3.0-31.el7_2.7.1)
>>> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -name test -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off -cpu Haswell-noTSX -m size=2097152k,slots=16,maxmem=4294967296k -realtime mlock=off -smp 2,maxcpus=16,sockets=16,cores=1,threads=1 -numa node,nodeid=0,cpus=0-1,mem=2048 -uuid a32e1043-a5a5-4e4c-8436-f7b7a4ff644c -smbios type=1,manufacturer=oVirt,product=oVirt Node,version=7-2.1511.el7.centos.2.10,serial=30373237-3132-5A43-3235-343233333937,uuid=a32e1043-a5a5-4e4c-8436-f7b7a4ff644c -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-test/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=2016-03-24T08:55:46,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -boot menu=on,strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x4 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive if=none,id=drive-ide0-1-0,readonly=on,format=raw,serial= -device ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -drive file=/rhev/data-center/00000001-0001-0001-0001-00000000022a/85d19e93-ee08-41bb-94c9-56adf17287b4/images/da6f49dd-8662-418b-a859-3523b4360c0e/930bbe74-7470-4b22-b096-fdb03276262d,if=none,id=drive-scsi0-0-0-0,format=raw,serial=da6f49dd-8662-418b-a859-3523b4360c0e,cache=none,werror=stop,rerror=stop,aio=native,iops=300 -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -netdev tap,fd=27,id=hostnet0,vhost=on,vhostfd=28 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:16:01:51,bus=pci.0,addr=0x3,bootindex=2 -chardev socket,id=charserial0,path=/var/run/ovirt-vmconsole-console/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.sock,server,nowait -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channels/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.com.redhat.rhevm.vdsm,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm -chardev socket,id=charchannel1,path=/var/lib/libvirt/qemu/channels/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.org.qemu.guest_agent.0,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0 -chardev spicevmc,id=charchannel2,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=3,chardev=charchannel2,id=channel2,name=com.redhat.spice.0 -spice port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/vdsm/libvirt-spice,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=8388608,vgamem_mb=16,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
>>> ((null):29166): Spice-Warning **: reds.c:3311:reds_init_ssl: Could not use private key file
>>> 2016-03-24T08:55:48.329252Z qemu-kvm: failed to initialize spice server
>>> 2016-03-24 08:55:48.479+0000: shutting down
>>>
>>> and indeed, when I try to strace libvirt:
>>>   open("/etc/pki/vdsm/libvirt-spice/server-key.pem", O_RDONLY) = -1 EACCES (Permission denied)
>>>
>>> chmod a+r /etc/pki/vdsm/libvirt-spice/server-key.pem solved the problem, but it's obviously not a solution.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>



Cloud Services for Business www.j2.com
j2 | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | Onebox
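The two `server-key.pem` modes in the listings above (0440 and 0444, owner vdsm, group kvm) can be compared with a small model of the classic POSIX owner/group/other read check. This is an added example, not part of the original thread; the numeric ids and the three reader identities are constructed assumptions, since the thread does not establish which uid, groups or capabilities qemu-kvm had.

```python
import stat

def dac_can_read(mode, owner_uid, owner_gid, uid, gids, dac_override=False):
    """Classic POSIX read check: exactly one permission class applies."""
    if dac_override:                 # process holds CAP_DAC_OVERRIDE
        return True
    if uid == owner_uid:             # owner class wins, even if group/other allow more
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_private_key(mode, owner_uid, owner_gid, readers):
    """Return findings for a key file; readers maps label -> (uid, gids, dac_override)."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable private key")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("key writable by group or other")
    for label, (uid, gids, override) in sorted(readers.items()):
        if not dac_can_read(mode, owner_uid, owner_gid, uid, gids, override):
            findings.append("%s cannot read key" % label)
    return findings

# Constructed ids (assumptions, not from the thread): vdsm=36, kvm=36, qemu=107.
VDSM, KVM, QEMU = 36, 36, 107
READERS = {
    "qemu in kvm group": (QEMU, {QEMU, KVM}, False),
    "root, no kvm group, no CAP_DAC_OVERRIDE": (0, {0}, False),
    "root with CAP_DAC_OVERRIDE": (0, {0}, True),
}

if __name__ == "__main__":
    for mode in (0o440, 0o444):      # the two server-key.pem modes in the listings
        print(oct(mode), audit_private_key(mode, VDSM, KVM, READERS))
```

Under these assumptions, 0440 only locks out a uid-0 process that is neither in the kvm group nor holding CAP_DAC_OVERRIDE, while 0444 makes every reader succeed at the cost of a world-readable private key.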





