[ovirt-users] Spice Client Connection Issues Using aSpice

Jeremy Tourville Jeremy_Tourville at hotmail.com
Wed Feb 21 01:05:57 UTC 2018


Hello everyone,

I can confirm that spice is working for me when I launch it using the .vv file.  I have virt viewer installed on my Windows pc and it works without issue.  I can also launch spice when I use movirt without any issues.  I examined the contents of the .vv file to see what the certificate looks like.   I can confirm that the certficate in the .vv file is the same as the file I downloaded in step 1 of my directions.


I reviewed the PKI reference (https://www.ovirt.org/develop/release-management/features/infra/pki/)  <https://www.ovirt.org/develop/release-management/features/infra/pki/>

for a second time and I see the same certificate located in different locations.


For example, all these locations contain the same certificate-

  *   <https://ovirtengine.lan/ovirt-en> https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
  *   /etc/pki/vdsm/certs/cacert.pem
  *   /etc/pki/vdsm/libvirt-spice/ca-cert.pem
  *   /etc/pki/CA/cacert.pem

This is the certificate I am using to configure my aSpice client.

Can someone answer the question from my original post?  The PKI reference says for version 3.2 and 3.3.  Is the documentation still correct for version 4.2?


At this point I am trying to find out where the problems exists - ie.

#1 Is my client not configured correctly?

#2 Am I using the wrong cert?  (I think I am using the correct cert based on the research I listed above)

#3 Does my client need to be able to send a pasword?  (based on the contents of the .vv file, I'd have to guess yes)

Also my xml file for the VM in question contains this:

 <graphics type='spice' autoport='yes' defaultMode='secure' passwd='*****' passwdValidTo='1970-01-01T00:00:01'>
Please note:  I did not perform any hand configuration of the xml file, it was all done by the system using the UI.
#4 Can I configure a file on the system to turn off ticketing and passwords and see if that makes a difference, if so, what file?

#5  Can someone explain this error?

140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **:reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1

What I know about it is this:
According to RFC 2246, the alert number 80 represents an "internal error".  Here is the description from the RFC
internal_error: An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue (such as a memory allocation failure). This message is always fatal.

#6 Could this error be related to any of #1 through #4 above?

Thanks!


________________________________
From: Karli Sjöberg <karli at inparadise.se>
Sent: Tuesday, February 20, 2018 2:56 AM
To: Tomas Jelinek; Jeremy Tourville
Cc: users at ovirt.org
Subject: Re: [ovirt-users] Spice Client Connection Issues Using aSpice

On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:
>
>
> On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <Jeremy_Tourville at h
> otmail.com> wrote:
> > Hi Tomas,
> > To answer your question, yes I am really trying to use aSpice.
> >
> > I appreciate your suggestion.  I'm not sure if it meets my
> > objective.  Maybe our goals are different?  It seems to me that
> > movirt is built around portable management of the ovirt
> > environment.  I am attempting to provide a VDI type experience for
> > running a vm.  My goal is to run a lab environment with 30
> > chromebooks loaded with a spice clent.  The spice client would of
> > course connect to the 30 vms running Kali and each session would be
> > independent of each other.
> >
>
> yes, it looks like a different use case
>
> > I did  a little further testing with a different client.  (spice
> > plugin for chrome).  When I attempted to connect using that client
> > I got a slightly different error message.  The message still seemed
> > to be of the same nature- i.e.: there is a problem with SSL
> > protocol and communication.
> >
> > Are you suggesting that movirt can help set up the proper
> > certficates and config the vms to use spice?  Thanks!
> >
>
> moVirt has been developed for quite some time and works pretty well,
> this is why I recommended it. But anyway, you have a different use
> case.
>
> What I think the issue is, is that oVirt can have different CAs set
> for console communication and for API. And I think you are trying to
> configure aSPICE to use the one for API.
>
> What moVirt does to make sure it is using the correct CA to put into
> the aSPICE is that it downloads the .vv file of the VM (e.g. you can
> just connect to console using webadmin and save the .vv file
> somewhere), parse it and use the CA= part from it as a certificate.
> This one is guaranteed to be the correct one.
>
> For more details about what else it takes from the .vv file you can
> check here:
> the parsing: https://github.com/oVirt/moVirt/blob/master/moVirt/src/m
> ain/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttp
> MessageConverter.java
> configuration of aSPICE: https://github.com/oVirt/moVirt/blob/master/
> moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java
>
> enjoy :)

Feels to me like OP should try to get it working _any_ "normal" way
before trying to get the special use case application working?

Like trying to run before learning to crawl, if that makes sense?

I would suggest just logging in to webadmin with a regular PC and
trying to get a SPICE console with remote-viewer to begin with. Then,
once that works, try to get a SPICE console working through moVirt with
aSPICE on an Android phone, or one of the Chromebooks you have to play
with before going into production. Once that´s settled and you know it
should work the way you normally access it, you can start playing with
your special use case application.

Hope it helps!

/K

>
> >
> > From: Tomas Jelinek <tjelinek at redhat.com>
> > Sent: Monday, February 19, 2018 4:19 AM
> > To: Jeremy Tourville
> > Cc: users at ovirt.org
> > Subject: Re: [ovirt-users] Spice Client Connection Issues Using
> > aSpice
> >
> >
> >
> > On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville
> > @hotmail.com> wrote:
> > > Hello,
> > > I am having trouble connecting to my guest vm (Kali Linux) which
> > > is running spice. My engine is running version: 4.2.1.7-
> > > 1.el7.centos.
> > > I am using oVirt Node as my host running version: 4.2.1.1.
> > >
> > > I have taken the following steps to try and get everything
> > > running properly.
> > > Download the root CA certificate https://ovirtengine.lan/ovirt-en
> > > gine/services/pki-resource?resource=ca-certificate&format=X509-
> > > PEM-CA
> > > Edit the vm and define the graphical console entries.  Video type
> > > is set to QXL, Graphics protocol is spice, USB support is
> > > enabled.
> > > Install the guest agent in Debian per the instructions here - htt
> > > ps://www.ovirt.org/documentation/how-to/guest-agent/install-the-
> > > guest-agent-in-debian/  It is my understanding that installing
> > > the guest agent will also install the virt IO device drivers.
> > > Install the spice-vdagent per the instructions here - https://www
> > > .ovirt.org/documentation/how-to/guest-agent/install-the-spice-
> > > guest-agent/
> > >  On the aSpice client I have imported the CA certficate from step
> > > 1 above.  I defined the connection using the IP of my Node and
> > > TLS port 5901.
> >
> > are you really using aSPICE client (e.g. the android SPICE
> > client?). If yes, maybe you want to try to open it using moVirt (ht
> > tps://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt
> > &hl=en) which delegates the console to aSPICE but configures
> > everything including the certificates on it. Should be much simpler
> > than configuring it by hand..
> >
> > > To troubleshoot my connection issues I confirmed the port being
> > > used to listen.
> > > virsh # domdisplay Kali
> > > spice://172.30.42.12?tls-port=5901
> > >
> > > I see the following when attempting to connect.
> > > tail -f /var/log/libvirt/qemu/Kali.log
> > >
> > > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> > > alert internal error:s3_pkt.c:1493:SSL alert number 80
> > > ((null):27595): Spice-Warning **:
> > > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,
> > > error=1
> > >
> > > I came across some documentation that states in the caveat
> > > section "Certificate of spice SSL should be separate
> > > certificate."
> > > https://www.ovirt.org/develop/release-management/features/infra/p
> > > ki/
> > >
> > > Is this still the case for version 4?  The document references
> > > version 3.2 and 3.3.  If so, how do I generate a new certificate
> > > for use with spice?  Please let me know if you require further
> > > info to troubleshoot, I am happy to provide it.  Many thanks in
> > > advance.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
Users Info Page - lists.ovirt.org Mailing Lists<http://lists.ovirt.org/mailman/listinfo/users>
lists.ovirt.org
If you have a question about oVirt, this is where you can start getting answers. To see the collection of prior postings to the list, visit the Users Archives.


> > >
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
Users Info Page - lists.ovirt.org Mailing Lists<http://lists.ovirt.org/mailman/listinfo/users>
lists.ovirt.org
If you have a question about oVirt, this is where you can start getting answers. To see the collection of prior postings to the list, visit the Users Archives.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20180221/7c8ad0f9/attachment.html>


More information about the Users mailing list