<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <span dir="ltr"><<a href="mailto:Jeremy_Tourville@hotmail.com" target="_blank">Jeremy_Tourville@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div id="gmail-m_1541550978349566744divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols" dir="ltr">
<p style="margin-top:0px;margin-bottom:0px">Hi Tomas, <br>
</p>
<p style="margin-top:0px;margin-bottom:0px">To answer your question, yes I am really trying to use aSpice.</p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
<p style="margin-top:0px;margin-bottom:0px">I appreciate your suggestion. I'm not sure if it meets my objective.
<span>Maybe our goals are different?</span> It seems to me that movirt is built around portable management of the ovirt environment. I am attempting to provide a VDI type experience for running a vm. My goal is to run a lab environment with 30 chromebooks
loaded with a spice clent. The spice client would of course connect to the 30 vms running Kali and each session would be independent of each other.
<br></p></div></div></blockquote><div><br></div><div>yes, it looks like a different use case<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_1541550978349566744divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols" dir="ltr"><p style="margin-top:0px;margin-bottom:0px">
</p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
<p style="margin-top:0px;margin-bottom:0px">I did a little further testing with a different client. (spice plugin for chrome). When I attempted to connect using that client I got a slightly different error message. The message still seemed to be of the same
nature- i.e.: there is a problem with SSL protocol and communication. <br>
</p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
<p style="margin-top:0px;margin-bottom:0px">Are you suggesting that movirt can help set up the proper certficates and config the vms to use spice? Thanks!<br></p></div></div></blockquote><div><br></div><div>moVirt has been developed for quite some time and works pretty well, this is why I recommended it. But anyway, you have a different use case.<br><br></div><div>What I think the issue is, is that oVirt can have different CAs set for console communication and for API. And I think you are trying to configure aSPICE to use the one for API. <br><br>What moVirt does to make sure it is using the correct CA to put into the aSPICE is that it downloads the .vv file of the VM (e.g. you can just connect to console using webadmin and save the .vv file somewhere), parse it and use the CA= part from it as a certificate. This one is guaranteed to be the correct one.<br><br></div><div>For more details about what else it takes from the .vv file you can check here:<br></div><div>the parsing: <a href="https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttpMessageConverter.java">https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttpMessageConverter.java</a><br></div><div>configuration of aSPICE: <a href="https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java">https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java</a><br></div><div><br></div><div>enjoy :)<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_1541550978349566744divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols" dir="ltr"><p style="margin-top:0px;margin-bottom:0px">
</p>
<br>
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div id="gmail-m_1541550978349566744divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> Tomas Jelinek <<a href="mailto:tjelinek@redhat.com" target="_blank">tjelinek@redhat.com</a>><br>
<b>Sent:</b> Monday, February 19, 2018 4:19 AM<br>
<b>To:</b> Jeremy Tourville<br>
<b>Cc:</b> <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
<b>Subject:</b> Re: [ovirt-users] Spice Client Connection Issues Using aSpice</font>
<div> </div>
</div><div><div class="gmail-h5">
<div>
<div dir="ltr"><br>
<div class="gmail-m_1541550978349566744x_gmail_extra"><br>
<div class="gmail-m_1541550978349566744x_gmail_quote">On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <span dir="ltr">
<<a href="mailto:Jeremy_Tourville@hotmail.com" target="_blank">Jeremy_Tourville@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail-m_1541550978349566744x_gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div id="gmail-m_1541550978349566744x_gmail-m_4314768941515087156divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<p style="margin-top:0px;margin-bottom:0px">Hello,</p>
<p style="margin-top:0px;margin-bottom:0px">I am having trouble connecting to my guest vm (Kali Linux) which is running spice. My engine is running version: <span class="gmail-m_1541550978349566744x_gmail-m_4314768941515087156gwt-InlineLabel gmail-m_1541550978349566744x_gmail-m_4314768941515087156GNEKTHVBIXB"></span><span class="gmail-m_1541550978349566744x_gmail-m_4314768941515087156gwt-InlineLabel">4.2.1.7-1.el7.centos</span>.</p>
<p style="margin-top:0px;margin-bottom:0px">I am using oVirt Node as my host running version:<span> 4.2.1.1.
<br>
</span></p>
<p style="margin-top:0px;margin-bottom:0px"><span><br>
</span></p>
<p style="margin-top:0px;margin-bottom:0px"><span>I have taken the following steps to try and get everything running properly.</span></p>
<ol style="margin-bottom:0px;margin-top:0px">
<li><span>Download the root CA certificate <a href="https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA" class="gmail-m_1541550978349566744x_gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_1541550978349566744x_gmail-m_4314768941515087156LPlnk141717" target="_blank">https://ovirtengin<wbr>e.lan/ovirt-engine/services/<wbr>pki-resource?resource=ca-<wbr>certificate&format=X509-PEM-CA</a></span></li><li><span>Edit the vm and define the graphical console entries. Video type is set to QXL, Graphics protocol is spice, USB support is enabled.</span></li><li><span>Install the guest agent in Debian per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/" class="gmail-m_1541550978349566744x_gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_1541550978349566744x_gmail-m_4314768941515087156LPlnk263752" target="_blank">
https://www.ovirt.org/document<wbr>ation/how-to/guest-agent/<wbr>install-the-guest-agent-in-<wbr>debian/</a> It is my understanding that installing the guest agent will also install the virt IO device drivers.<br>
</span></li><li><span>Install the spice-vdagent per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/" class="gmail-m_1541550978349566744x_gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_1541550978349566744x_gmail-m_4314768941515087156LPlnk313725" target="_blank">
https://www.ovirt.org/document<wbr>ation/how-to/guest-agent/<wbr>install-the-spice-guest-agent/</a></span></li><li><span> On the aSpice client I have imported the CA certficate from step 1 above. I defined the connection using the IP of my Node and TLS port 5901.</span></li></ol>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>are you really using aSPICE client (e.g. the android SPICE client?). If yes, maybe you want to try to open it using moVirt (<a href="https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en" target="_blank">https://play.google.com/<wbr>store/apps/details?id=org.<wbr>ovirt.mobile.movirt&hl=en</a>)
which delegates the console to aSPICE but configures everything including the certificates on it. Should be much simpler than configuring it by hand..<br>
</div>
<div> </div>
<blockquote class="gmail-m_1541550978349566744x_gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div id="gmail-m_1541550978349566744x_gmail-m_4314768941515087156divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<span><br>
To troubleshoot my connection issues I confirmed the port being used to listen. <br>
<div>virsh # domdisplay Kali<br>
<span>spice://<a href="http://172.30.42.12?tls-port=5901" target="_blank">172.30.42.12?tls-port=<wbr>5901</a></span></div>
<br>
I see the following when attempting to connect.<br>
tail -f <span>/var/log/libvirt/qemu</span>/Kali.log<br>
<br>
<div>
<div>140400191081600:error:14094438<wbr>:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80<br>
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_<wbr>ssl_accept: SSL_accept failed, error=1<br>
<br>
I came across some documentation that states in the caveat section "<span>Certificate of spice SSL should be separate certificate."</span><br>
<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="gmail-m_1541550978349566744x_gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_1541550978349566744x_gmail-m_4314768941515087156LPlnk743161" target="_blank">https://www.ovirt.org/develop/<wbr>release-management/features/in<wbr>fra/pki/</a><br>
<br>
Is this still the case for version 4? The document references version 3.2 and 3.3. If so, how do I generate a new certificate for use with spice? Please let me know if you require further info to troubleshoot, I am happy to provide it. Many thanks in advance.<br>
<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="gmail-m_1541550978349566744x_gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_1541550978349566744x_gmail-m_4314768941515087156LPlnk743161" target="_blank"></a><br>
<br>
</div>
<br>
<br>
</div>
<br>
</span><br>
<span><br>
<br>
</span>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></div>
</div>
</div>
</blockquote></div><br></div></div>