[ovirt-users] regenerate libvirt-spice keys after libvirtd restart?

Bill James bill.james at j2.com
Tue Mar 8 18:27:07 UTC 2016 

doesn't look too interesting to me, but maybe I'm missing something.

periodic/0::WARNING::2016-03-08 
10:16:10,290::periodic::258::virt.periodic.VmDispatcher::(__call__) 
could not run <class 'virt.periodic.DriveWatermarkMonitor'> on 
[u'e180a49c-8afc-4612-806b-f39d14b77389']
Thread-87::ERROR::2016-03-08 
10:16:10,775::vm::758::virt.vm::(_startUnderlyingVm) 
vmId=`e180a49c-8afc-4612-806b-f39d14b77389`::The vm start process failed
Traceback (most recent call last):
   File "/usr/share/vdsm/virt/vm.py", line 702, in _startUnderlyingVm
     self._run()
   File "/usr/share/vdsm/virt/vm.py", line 1930, in _run
     self._connection.createXML(domxml, flags),
   File "/usr/lib/python2.7/site-packages/vdsm/libvirtconnection.py", 
line 124, in wrapper
     ret = f(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3611, in 
createXML
     if ret is None:raise libvirtError('virDomainCreateXML() failed', 
conn=self)
libvirtError: internal error: process exited while connecting to 
monitor: ((null):6890): Spice-Warning **: reds.c:3311:reds_init_ssl: 
Could not use private key file
2016-03-08T18:16:10.556407Z qemu-kvm: failed to initialize spice server

Larger log entry attached.


ALso tried removing /etc/pki/vdsm/libvirt-spice & reinstalling vdsm, 
then "reinstalling" host in ovirt.
Same issue.





On 03/08/2016 09:43 AM, David Jaša wrote:
> The only problem with spice certs in oVirt I remember over the last 5
> years concerns certificate encoding - which bit only users who used
> non-ascii characters in Organization. The bugs (private RHEV
> unfortunately) should be fixed for quite some time - and the fix
> involved certificate regeneration. You can see it in recent versions of
> engine setup...
>
> Otherwise, it was really transparent process. Try removing
> the /etc/pki/vdsm/libvirt-spice directory, reinstalling package that
> owns it (yum reinstall vdsm) and reinstalling host in RHEV. You should
> get 100 % fresh certs by this time.
>
> BTW when I was meddling with libvirt settings on oVirt host last time,
> vdsm complained and refused to work. Doesn't it say something
> interesting about it?
>
> David
>
> On Út, 2016-03-08 at 09:11 -0800, Bill James wrote:
>> any suggestions on how to get ovirt and spice console keys to work
>> correctly?
>>
>>
>> On 03/07/2016 10:09 AM, Bill James wrote:
>>> thanks for the reply.
>>> I tried reinstall of one host. Didn't help.
>>> Also tried removing the host and reinstalling it. Didn't help.
>>>
>>> Looks like server cert & key were regenerated, but not ca-cert.pem.
>>>
>>>
>>> [root at ovirt2 test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice|grep -v
>>> 2016|tail
>>> total 84
>>> -rw-r--r-- 1 root kvm 1379 Feb 19 17:09 ca-cert.pem
>>> -rw-r--r-- 1 root kvm 1570 Mar  7 09:44 server-cert.pem
>>> -r--r----- 1 vdsm kvm 1675 Mar  7 09:44 server-key.pem
>>>
>>> [root at ovirt2 test ~]# tail -3 /etc/libvirt/qemu.conf
>>> spice_tls=1
>>> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
>>> ## end of configuration section by vdsm-4.17.0
>>>
>>> Chown'd all the files to vdsm:kvm just incase, and rebooted the host.
>>> Didn't help.
>>>
>>> Changed console back to VNC and it starts up fine.
>>>
>>>
>>> Seems strange that I could mess up the spice keys just by restarting
>>> libvirtd. (service libvirtd restart)
>>>
>>>
>>>
>>> On 03/07/2016 06:15 AM, David Jaša wrote:
>>>> Hi,
>>>>
>>>> it looks like you messed up private key location and/or contents. If you
>>>> "Reinstall" the host in ovirt engine, the keys/certs should get
>>>> regenerated.
>>>>
>>>> David
>>>>
>>>> On Pá, 2016-03-04 at 10:16 -0800, Bill James wrote:
>>>>> I needed to bounce libvirtd after changing a config in
>>>>> libvirt/qemu.conf
>>>>> so import-to-ovirt.pl,
>>>>> but now my VMs with Spice console complain:
>>>>>
>>>>> libvirtError: internal error: process exited while connecting to
>>>>> monitor: ((null):2791): Spice-Warning **: reds.c:3311:reds_init_ssl:
>>>>> Could not use private key file
>>>>>
>>>>> What is the proper way to sync up the key after restarting libvirtd?
>>>>> I even tried rebooting host and restart ovirt-engine and ovirt-engine
>>>>> setup, didn't help.
>>>>>
>>>>> Work around is just use VNC consoles. But I'd like to get spice working
>>>>> again.
>>>>>
>>>>> centos 7.2
>>>>> libvirt-client-1.2.17-13.el7_2.2.x86_64
>>>>> ovirt-engine-3.6.2.6-1.el7.centos.noarch
>>>>>
>>>>>
>>>>>
>>>>> Cloud Services for Business www.j2.com
>>>>> j2 | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | Onebox
>>>>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vdsm.log.gz.txt
URL: <http://lists.ovirt.org/pipermail/users/attachments/20160308/2be53652/attachment-0001.txt>

More information about the Users mailing list