[ovirt-users] Spice Client Connection Issues Using aSpice

Karli Sjöberg karli at inparadise.se
Tue Feb 20 08:56:26 UTC 2018


On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:
> 
> 
> On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <Jeremy_Tourville at h
> otmail.com> wrote:
> > Hi Tomas, 
> > To answer your question, yes I am really trying to use aSpice.
> > 
> > I appreciate your suggestion.  I'm not sure if it meets my
> > objective.  Maybe our goals are different?  It seems to me that
> > movirt is built around portable management of the ovirt
> > environment.  I am attempting to provide a VDI type experience for
> > running a vm.  My goal is to run a lab environment with 30
> > chromebooks loaded with a spice clent.  The spice client would of
> > course connect to the 30 vms running Kali and each session would be
> > independent of each other.  
> > 
> 
> yes, it looks like a different use case
>  
> > I did  a little further testing with a different client.  (spice
> > plugin for chrome).  When I attempted to connect using that client
> > I got a slightly different error message.  The message still seemed
> > to be of the same nature- i.e.: there is a problem with SSL
> > protocol and communication.   
> > 
> > Are you suggesting that movirt can help set up the proper
> > certficates and config the vms to use spice?  Thanks!
> > 
> 
> moVirt has been developed for quite some time and works pretty well,
> this is why I recommended it. But anyway, you have a different use
> case.
> 
> What I think the issue is, is that oVirt can have different CAs set
> for console communication and for API. And I think you are trying to
> configure aSPICE to use the one for API. 
> 
> What moVirt does to make sure it is using the correct CA to put into
> the aSPICE is that it downloads the .vv file of the VM (e.g. you can
> just connect to console using webadmin and save the .vv file
> somewhere), parse it and use the CA= part from it as a certificate.
> This one is guaranteed to be the correct one.
> 
> For more details about what else it takes from the .vv file you can
> check here:
> the parsing: https://github.com/oVirt/moVirt/blob/master/moVirt/src/m
> ain/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttp
> MessageConverter.java
> configuration of aSPICE: https://github.com/oVirt/moVirt/blob/master/
> moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java
> 
> enjoy :)

Feels to me like OP should try to get it working _any_ "normal" way
before trying to get the special use case application working?

Like trying to run before learning to crawl, if that makes sense?

I would suggest just logging in to webadmin with a regular PC and
trying to get a SPICE console with remote-viewer to begin with. Then,
once that works, try to get a SPICE console working through moVirt with
aSPICE on an Android phone, or one of the Chromebooks you have to play
with before going into production. Once that´s settled and you know it
should work the way you normally access it, you can start playing with
your special use case application.

Hope it helps!

/K

>  
> > 
> > From: Tomas Jelinek <tjelinek at redhat.com>
> > Sent: Monday, February 19, 2018 4:19 AM
> > To: Jeremy Tourville
> > Cc: users at ovirt.org
> > Subject: Re: [ovirt-users] Spice Client Connection Issues Using
> > aSpice
> >  
> > 
> > 
> > On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville
> > @hotmail.com> wrote:
> > > Hello,
> > > I am having trouble connecting to my guest vm (Kali Linux) which
> > > is running spice. My engine is running version: 4.2.1.7-
> > > 1.el7.centos.
> > > I am using oVirt Node as my host running version: 4.2.1.1.  
> > > 
> > > I have taken the following steps to try and get everything
> > > running properly.
> > > Download the root CA certificate https://ovirtengine.lan/ovirt-en
> > > gine/services/pki-resource?resource=ca-certificate&format=X509-
> > > PEM-CA
> > > Edit the vm and define the graphical console entries.  Video type
> > > is set to QXL, Graphics protocol is spice, USB support is
> > > enabled.
> > > Install the guest agent in Debian per the instructions here - htt
> > > ps://www.ovirt.org/documentation/how-to/guest-agent/install-the-
> > > guest-agent-in-debian/  It is my understanding that installing
> > > the guest agent will also install the virt IO device drivers.
> > > Install the spice-vdagent per the instructions here - https://www
> > > .ovirt.org/documentation/how-to/guest-agent/install-the-spice-
> > > guest-agent/
> > >  On the aSpice client I have imported the CA certficate from step
> > > 1 above.  I defined the connection using the IP of my Node and
> > > TLS port 5901.
> > 
> > are you really using aSPICE client (e.g. the android SPICE
> > client?). If yes, maybe you want to try to open it using moVirt (ht
> > tps://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt
> > &hl=en) which delegates the console to aSPICE but configures
> > everything including the certificates on it. Should be much simpler
> > than configuring it by hand..
> >  
> > > To troubleshoot my connection issues I confirmed the port being
> > > used to listen.  
> > > virsh # domdisplay Kali
> > > spice://172.30.42.12?tls-port=5901
> > > 
> > > I see the following when attempting to connect.
> > > tail -f /var/log/libvirt/qemu/Kali.log
> > > 
> > > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> > > alert internal error:s3_pkt.c:1493:SSL alert number 80
> > > ((null):27595): Spice-Warning **:
> > > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,
> > > error=1
> > > 
> > > I came across some documentation that states in the caveat
> > > section "Certificate of spice SSL should be separate
> > > certificate."
> > > https://www.ovirt.org/develop/release-management/features/infra/p
> > > ki/
> > > 
> > > Is this still the case for version 4?  The document references
> > > version 3.2 and 3.3.  If so, how do I generate a new certificate
> > > for use with spice?  Please let me know if you require further
> > > info to troubleshoot, I am happy to provide it.  Many thanks in
> > > advance.
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Users mailing list
> > > Users at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > > 
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: This is a digitally signed message part
URL: <http://lists.ovirt.org/pipermail/users/attachments/20180220/0478134a/attachment.sig>


More information about the Users mailing list