Hi Tomas,

To answer your question, yes I am really trying to use aSpice.


I appreciate your suggestion.  I'm not sure if it meets my objective.  Maybe 
our goals are different?  It seems to me that movirt is built around portable 
management of the ovirt environment.  I am attempting to provide a VDI type 
experience for running a vm.  My goal is to run a lab environment with 30 
chromebooks loaded with a spice clent.  The spice client would of course 
connect to the 30 vms running Kali and each session would be independent of 
each other.


I did  a little further testing with a different client.  (spice plugin for 
chrome).  When I attempted to connect using that client I got a slightly 
different error message.  The message still seemed to be of the same nature- 
i.e.: there is a problem with SSL protocol and communication.


Are you suggesting that movirt can help set up the proper certficates and 
config the vms to use spice?  Thanks!


________________________________
From: Tomas Jelinek <tjeli...@redhat.com>
Sent: Monday, February 19, 2018 4:19 AM
To: Jeremy Tourville
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Spice Client Connection Issues Using aSpice



On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville 
<jeremy_tourvi...@hotmail.com<mailto:jeremy_tourvi...@hotmail.com>> wrote:

Hello,

I am having trouble connecting to my guest vm (Kali Linux) which is running 
spice. My engine is running version: 4.2.1.7-1.el7.centos.

I am using oVirt Node as my host running version: 4.2.1.1.


I have taken the following steps to try and get everything running properly.

  1.  Download the root CA certificate 
https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
  2.  Edit the vm and define the graphical console entries.  Video type is set 
to QXL, Graphics protocol is spice, USB support is enabled.
  3.  Install the guest agent in Debian per the instructions here - 
https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/
  It is my understanding that installing the guest agent will also install the 
virt IO device drivers.
  4.  Install the spice-vdagent per the instructions here - 
https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/
  5.   On the aSpice client I have imported the CA certficate from step 1 
above.  I defined the connection using the IP of my Node and TLS port 5901.

are you really using aSPICE client (e.g. the android SPICE client?). If yes, 
maybe you want to try to open it using moVirt 
(https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en) 
which delegates the console to aSPICE but configures everything including the 
certificates on it. Should be much simpler than configuring it by hand..


To troubleshoot my connection issues I confirmed the port being used to listen.
virsh # domdisplay Kali
spice://172.30.42.12?tls-port=5901<http://172.30.42.12?tls-port=5901>

I see the following when attempting to connect.
tail -f /var/log/libvirt/qemu/Kali.log

140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert 
internal error:s3_pkt.c:1493:SSL alert number 80
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept: 
SSL_accept failed, error=1

I came across some documentation that states in the caveat section "Certificate 
of spice SSL should be separate certificate."
https://www.ovirt.org/develop/release-management/features/infra/pki/

Is this still the case for version 4?  The document references version 3.2 and 
3.3.  If so, how do I generate a new certificate for use with spice?  Please 
let me know if you require further info to troubleshoot, I am happy to provide 
it.  Many thanks in advance.
<https://www.ovirt.org/develop/release-management/features/infra/pki/>









_______________________________________________
Users mailing list
Users@ovirt.org<mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to