[ovirt-users] Spice Client Connection Issues Using aSpice

Tomas Jelinek tjelinek at redhat.com
Wed Feb 21 07:55:55 UTC 2018


On Wed, Feb 21, 2018 at 2:05 AM, Jeremy Tourville <
Jeremy_Tourville at hotmail.com> wrote:

> Hello everyone,
>
> I can confirm that spice is working for me when I launch it using the .vv
> file.  I have virt viewer installed on my Windows pc and it works without
> issue.  I can also launch spice when I use movirt without any issues.  I
> examined the contents of the .vv file to see what the certificate looks
> like.   I can confirm that the certificate in the .vv file is the same as
> the file I downloaded in step 1 of my directions.
>
>
> I reviewed the PKI reference
> (https://www.ovirt.org/develop/release-management/features/infra/pki/)
> for a second time and I see the same certificate located in different
> locations.
>
>
> For example, all these locations contain the same certificate-
>
>    - https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>    - /etc/pki/vdsm/certs/cacert.pem
>    - /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>    - /etc/pki/CA/cacert.pem
>
> This is the certificate I am using to configure my aSpice client.
>
> Can someone answer the question from my original post?  The PKI reference
> says for version 3.2 and 3.3.  Is the documentation still correct for
> version 4.2?
>
>
> At this point I am trying to find out where the problem exists - i.e.
>
> #1 Is my client not configured correctly?
>
> #2 Am I using the wrong cert?  (I think I am using the correct cert based
> on the research I listed above)
>

I'd guess yes based on above


> #3 Does my client need to be able to send a password?  (based on the
> contents of the .vv file, I'd have to guess yes)
>

yes


> Also my xml file for the VM in question contains this:
>  <graphics type='spice' autoport='yes' defaultMode='secure' passwd='*****'
> passwdValidTo='1970-01-01T00:00:01'>
> Please note:  I did not perform any hand configuration of the xml file, it
> was all done by the system using the UI.
>

the password is generated automatically. Normally it works like this:
- you ask for the .vv file
- ovirt generates a temporary password you can use to connect to console
- you can connect to the console using this temporary password


> #4 Can I configure a file on the system to turn off ticketing and
> passwords and see if that makes a difference, if so, what file?
>

I don't think there is an easy way to do this... Maybe writing some vdsm
hook or some other complex hack. I've seen an old discussion about it here:
http://lists.ovirt.org/pipermail/users/2014-August/026774.html
but I would not recommend you to go down this path.


> #5  Can someone explain this error?
>
> 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert
> internal error:s3_pkt.c:1493:SSL alert number 80
> ((null):27595): Spice-Warning **:reds_stream.c:379:reds_stream_ssl_accept:
> SSL_accept failed, error=1
>
> What I know about it is this:
> According to RFC 2246, the alert number 80 represents an "internal
> error".  Here is the description from the RFC
> internal_error: An internal error unrelated to the peer or the correctness
> of the protocol makes it impossible to continue (such as a memory
> allocation failure). This message is always fatal.
>
> #6 Could this error be related to any of #1 through #4 above?
>

yes, I'd say yes.


>
> Thanks!
>
>
> ------------------------------
> *From:* Karli Sjöberg <karli at inparadise.se>
> *Sent:* Tuesday, February 20, 2018 2:56 AM
> *To:* Tomas Jelinek; Jeremy Tourville
>
> *Cc:* users at ovirt.org
> *Subject:* Re: [ovirt-users] Spice Client Connection Issues Using aSpice
>
> On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:
> >
> >
> > On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville
> > <Jeremy_Tourville at hotmail.com> wrote:
> > > Hi Tomas,
> > > To answer your question, yes I am really trying to use aSpice.
> > >
> > > I appreciate your suggestion.  I'm not sure if it meets my
> > > objective.  Maybe our goals are different?  It seems to me that
> > > movirt is built around portable management of the ovirt
> > > environment.  I am attempting to provide a VDI type experience for
> > > running a vm.  My goal is to run a lab environment with 30
> > > chromebooks loaded with a spice client.  The spice client would of
> > > course connect to the 30 vms running Kali and each session would be
> > > independent of each other.
> > >
> >
> > yes, it looks like a different use case
> >
> > > I did  a little further testing with a different client.  (spice
> > > plugin for chrome).  When I attempted to connect using that client
> > > I got a slightly different error message.  The message still seemed
> > > to be of the same nature- i.e.: there is a problem with SSL
> > > protocol and communication.
> > >
> > > Are you suggesting that movirt can help set up the proper
> > > certificates and config the vms to use spice?  Thanks!
> > >
> >
> > moVirt has been developed for quite some time and works pretty well,
> > this is why I recommended it. But anyway, you have a different use
> > case.
> >
> > What I think the issue is, is that oVirt can have different CAs set
> > for console communication and for API. And I think you are trying to
> > configure aSPICE to use the one for API.
> >
> > What moVirt does to make sure it is using the correct CA to put into
> > the aSPICE is that it downloads the .vv file of the VM (e.g. you can
> > just connect to console using webadmin and save the .vv file
> > somewhere), parse it and use the CA= part from it as a certificate.
> > This one is guaranteed to be the correct one.
> >
> > For more details about what else it takes from the .vv file you can
> > check here:
> > the parsing: https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttpMessageConverter.java
> > configuration of aSPICE: https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java
> >
> > enjoy :)
>
> Feels to me like OP should try to get it working _any_ "normal" way
> before trying to get the special use case application working?
>
> Like trying to run before learning to crawl, if that makes sense?
>
> I would suggest just logging in to webadmin with a regular PC and
> trying to get a SPICE console with remote-viewer to begin with. Then,
> once that works, try to get a SPICE console working through moVirt with
> aSPICE on an Android phone, or one of the Chromebooks you have to play
> with before going into production. Once that's settled and you know it
> should work the way you normally access it, you can start playing with
> your special use case application.
>
> Hope it helps!
>
> /K
>
> >
> > >
> > > From: Tomas Jelinek <tjelinek at redhat.com>
> > > Sent: Monday, February 19, 2018 4:19 AM
> > > To: Jeremy Tourville
> > > Cc: users at ovirt.org
> > > Subject: Re: [ovirt-users] Spice Client Connection Issues Using
> > > aSpice
> > >
> > >
> > >
> > > > On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville
> > > > <Jeremy_Tourville@hotmail.com> wrote:
> > > > Hello,
> > > > I am having trouble connecting to my guest vm (Kali Linux) which
> > > > > is running spice. My engine is running version:
> > > > > 4.2.1.7-1.el7.centos.
> > > > I am using oVirt Node as my host running version: 4.2.1.1.
> > > >
> > > > I have taken the following steps to try and get everything
> > > > running properly.
> > > > > 1. Download the root CA certificate
> > > > > https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
> > > > > 2. Edit the vm and define the graphical console entries.  Video type
> > > > > is set to QXL, Graphics protocol is spice, USB support is
> > > > > enabled.
> > > > > 3. Install the guest agent in Debian per the instructions here -
> > > > > https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/
> > > > > It is my understanding that installing
> > > > > the guest agent will also install the virt IO device drivers.
> > > > > 4. Install the spice-vdagent per the instructions here -
> > > > > https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/
> > > > > 5. On the aSpice client I have imported the CA certificate from step
> > > > > 1 above.  I defined the connection using the IP of my Node and
> > > > > TLS port 5901.
> > >
> > > are you really using aSPICE client (e.g. the android SPICE
> > > > client?). If yes, maybe you want to try to open it using moVirt
> > > > (https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en)
> > > > which delegates the console to aSPICE but configures
> > > everything including the certificates on it. Should be much simpler
> > > than configuring it by hand..
> > >
> > > > To troubleshoot my connection issues I confirmed the port being
> > > > used to listen.
> > > > virsh # domdisplay Kali
> > > > spice://172.30.42.12?tls-port=5901
> > > >
> > > > I see the following when attempting to connect.
> > > > tail -f /var/log/libvirt/qemu/Kali.log
> > > >
> > > > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> > > > alert internal error:s3_pkt.c:1493:SSL alert number 80
> > > > ((null):27595): Spice-Warning **:
> > > > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,
> > > > error=1
> > > >
> > > > I came across some documentation that states in the caveat
> > > > section "Certificate of spice SSL should be separate
> > > > certificate."
> > > > > https://www.ovirt.org/develop/release-management/features/infra/pki/
> > > >
> > > > Is this still the case for version 4?  The document references
> > > > version 3.2 and 3.3.  If so, how do I generate a new certificate
> > > > for use with spice?  Please let me know if you require further
> > > > info to troubleshoot, I am happy to provide it.  Many thanks in
> > > > advance.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Users mailing list
> > > > Users at ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20180221/36ce43e4/attachment.html>
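
The approach described in the thread (take the CA= value from the VM's .vv file rather than the CA downloaded from the engine) can be checked with a short script. This is an added example, not code from the thread or from moVirt (which does its parsing in Java); the sample .vv content, the ticket and both certificates are constructed placeholders, and the key names are assumed to follow the virt-viewer connection-file format.

```python
import base64
import configparser
import hashlib
import ssl

def make_pem(raw):
    """Wrap arbitrary bytes in PEM armour (constructed stand-in for a real cert)."""
    body = base64.b64encode(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

CONSOLE_CA = make_pem(b"constructed console CA")  # placeholder, not a real cert
API_CA = make_pem(b"constructed API CA")          # placeholder, not a real cert

# Constructed sample; host and TLS port are the ones quoted in the thread.
SAMPLE_VV = "\n".join([
    "[virt-viewer]",
    "type=spice",
    "host=172.30.42.12",
    "port=-1",
    "tls-port=5901",
    "password=constructed-ticket",
    "title=Kali:%d",
    "host-subject=O=lan,CN=172.30.42.12",
    "ca=" + CONSOLE_CA.replace("\n", "\\n"),
])

def parse_vv(text):
    """Return the settings a SPICE client needs from a .vv file."""
    # interpolation=None: values are literal and may contain '%' (title, ticket).
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    vv = cp["virt-viewer"]
    return {
        "host": vv["host"],
        "tls_port": vv.getint("tls-port", fallback=-1),
        "password": vv.get("password"),
        "host_subject": vv.get("host-subject"),
        # The PEM is stored on one line with literal "\n" escapes.
        "ca_pem": vv["ca"].replace("\\n", "\n"),
    }

def fingerprint(pem):
    """SHA-256 over the DER bytes, so whitespace differences do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def same_ca(vv_text, other_pem):
    """True if the CA embedded in the .vv file is the one in other_pem."""
    return fingerprint(parse_vv(vv_text)["ca_pem"]) == fingerprint(other_pem)
```

If `same_ca` returns False for the certificate imported into the client, the client is trusting a different CA than the one the console presents.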

