Re: [Users] Cannot connect to VM via browser if engine was not in /etc/hosts
On 24 Jun 2013, at 13:09, David Jaša dj...@redhat.com wrote:

> Hi,
>
> So you're connecting via User Portal but then it doesn't work? If it doesn't, either you hit a bug or you've tweaked some value that affects things...
>
> In general, TLS shouldn't pose a problem because:
> 1) ovirt sets up its own CA that issues certificates for the hosts
> 2) the CA certificate and respective host certificate subject are passed to the client
> 3) the client can verify the host using this information even in cases when connection IP/FQDN doesn't match CN in subject of server certificate
>
> The only condition that indeed breaks it should be display network address override _when migrating the VM_ (because then the connection data are passed via the host and libvirt doesn't allow passing the arbitrary IP/FQDN yet)
>
> David
>
> PS: Itamar, advice to disable SSL/TLS is IMO a bad, bad thing. ;)

No no, you just do that right after setenforce 0 and iptables -F and then it's all fine :-D

> Itamar Heim wrote on Mon, 24 Jun 2013 at 08:55 +0300:
>> On 06/24/2013 03:10 AM, lofyer wrote:
>>> On 2013/6/24 1:47, Itamar Heim wrote:
>>>> On 06/06/2013 11:51 AM, lof yer wrote:
>>>>> I connect https://192.168.1.111 and connect to the VM, then the remote-viewer shows up, but failed to show the VM desktop. Is it the https problem? Can I connect to the VM without modifying /etc/hosts?
>>>> was this resolved? sounds like a certificate/dns issue?
>>> Yes, it's a certificate/dns problem. But how can I connect via IP instead of FQDN without https?
>> I guess it depends if you can tell spice client to not validate the ssl certificate.
>
> --
> David Jaša, RHCE
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Cannot connect to VM via browser if engine was not in /etc/hosts
On 06/24/2013 10:37 AM, lof yer wrote:
> Is 'engine-config -s SSLEnabled=false' or special spice parameter?

It should do the trick.

> 2013/6/24 Itamar Heim ih...@redhat.com
>> On 06/24/2013 03:10 AM, lofyer wrote:
>>> On 2013/6/24 1:47, Itamar Heim wrote:
>>>> On 06/06/2013 11:51 AM, lof yer wrote:
>>>>> I connect https://192.168.1.111 and connect to the VM, then the remote-viewer shows up, but failed to show the VM desktop. Is it the https problem? Can I connect to the VM without modifying /etc/hosts?
>>>> was this resolved? sounds like a certificate/dns issue?
>>> Yes, it's a certificate/dns problem. But how can I connect via IP instead of FQDN without https?
>> I guess it depends if you can tell spice client to not validate the ssl certificate.
Re: [Users] Cannot connect to VM via browser if engine was not in /etc/hosts
Hi,

So you're connecting via User Portal but then it doesn't work? If it doesn't, either you hit a bug or you've tweaked some value that affects things...

In general, TLS shouldn't pose a problem because:
1) ovirt sets up its own CA that issues certificates for the hosts
2) the CA certificate and respective host certificate subject are passed to the client
3) the client can verify the host using this information even in cases when connection IP/FQDN doesn't match CN in subject of server certificate

The only condition that indeed breaks it should be display network address override _when migrating the VM_ (because then the connection data are passed via the host and libvirt doesn't allow passing the arbitrary IP/FQDN yet)

David

PS: Itamar, advice to disable SSL/TLS is IMO a bad, bad thing. ;)

Itamar Heim wrote on Mon, 24 Jun 2013 at 08:55 +0300:
> On 06/24/2013 03:10 AM, lofyer wrote:
>> On 2013/6/24 1:47, Itamar Heim wrote:
>>> On 06/06/2013 11:51 AM, lof yer wrote:
>>>> I connect https://192.168.1.111 and connect to the VM, then the remote-viewer shows up, but failed to show the VM desktop. Is it the https problem? Can I connect to the VM without modifying /etc/hosts?
>>> was this resolved? sounds like a certificate/dns issue?
>> Yes, it's a certificate/dns problem. But how can I connect via IP instead of FQDN without https?
> I guess it depends if you can tell spice client to not validate the ssl certificate.

--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
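An added illustration of the check described in points 1) to 3) of the message above (not part of the original thread, and not oVirt or SPICE client code): a Python TLS client that trusts only a supplied CA, skips the hostname check, and instead requires the certificate subject to equal an expected host subject. The function names, the `O=...,CN=...` subject string format and the sample certificate data are assumptions constructed for the example.

```python
import socket
import ssl

# Short RDN names in the expected-subject string -> names used by getpeercert().
RDN_NAMES = {"C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
             "O": "organizationName", "OU": "organizationalUnitName",
             "CN": "commonName"}

def parse_subject(host_subject):
    """Parse 'O=Example,CN=host1' into sorted (name, value) pairs.
    Assumption: values contain no escaped commas."""
    pairs = []
    for part in host_subject.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or key.upper() not in RDN_NAMES:
            raise ValueError("unsupported subject component: %r" % part)
        pairs.append((RDN_NAMES[key.upper()], value))
    return sorted(pairs)

def subject_matches(peercert, host_subject):
    """peercert is the dict returned by SSLSocket.getpeercert()."""
    actual = sorted(attr for rdn in peercert.get("subject", ()) for attr in rdn)
    return actual == parse_subject(host_subject)

def pinned_context(ca_pem=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no trusted CAs
    ctx.check_hostname = False           # connection address may differ from CN
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still verify against the CA
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx

def connect_verified(address, port, ca_pem, host_subject):
    """Connect by IP or name; accept only a cert issued by ca_pem whose
    subject equals host_subject."""
    sock = pinned_context(ca_pem).wrap_socket(
        socket.create_connection((address, port), timeout=10))
    if not subject_matches(sock.getpeercert(), host_subject):
        sock.close()
        raise ssl.SSLError("certificate subject does not match expected subject")
    return sock

# Constructed sample in getpeercert() format (not taken from a real host).
SAMPLE_PEERCERT = {"subject": ((("organizationName", "example.test"),),
                               (("commonName", "host1.example.test"),))}
```

Encryption and authentication stay on when connecting by IP address; only the name-to-address comparison is replaced by the subject comparison.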
Re: [Users] Cannot connect to VM via browser if engine was not in /etc/hosts
On 06/06/2013 11:51 AM, lof yer wrote:
> I connect https://192.168.1.111 and connect to the VM, then the remote-viewer shows up, but failed to show the VM desktop. Is it the https problem? Can I connect to the VM without modifying /etc/hosts?

was this resolved? sounds like a certificate/dns issue?
Re: [Users] Cannot connect to VM via browser if engine was not in /etc/hosts
On 2013/6/24 1:47, Itamar Heim wrote:
> On 06/06/2013 11:51 AM, lof yer wrote:
>> I connect https://192.168.1.111 and connect to the VM, then the remote-viewer shows up, but failed to show the VM desktop. Is it the https problem? Can I connect to the VM without modifying /etc/hosts?
> was this resolved? sounds like a certificate/dns issue?

Yes, it's a certificate/dns problem. But how can I connect via IP instead of FQDN without https?
Re: [Users] Cannot connect to VM via browser if engine was not in /etc/hosts
On 06/24/2013 03:10 AM, lofyer wrote:
> On 2013/6/24 1:47, Itamar Heim wrote:
>> On 06/06/2013 11:51 AM, lof yer wrote:
>>> I connect https://192.168.1.111 and connect to the VM, then the remote-viewer shows up, but failed to show the VM desktop. Is it the https problem? Can I connect to the VM without modifying /etc/hosts?
>> was this resolved? sounds like a certificate/dns issue?
> Yes, it's a certificate/dns problem. But how can I connect via IP instead of FQDN without https?

I guess it depends if you can tell spice client to not validate the ssl certificate.