On Wed, Feb 21, 2018 at 2:05 AM, Jeremy Tourville < [email protected]> wrote:
> Hello everyone,
>
> I can confirm that spice is working for me when I launch it using the .vv
> file. I have virt viewer installed on my Windows pc and it works without
> issue. I can also launch spice when I use movirt without any issues. I
> examined the contents of the .vv file to see what the certificate looks
> like. I can confirm that the certificate in the .vv file is the same as
> the file I downloaded in step 1 of my directions.
>
> I reviewed the PKI reference
> (https://www.ovirt.org/develop/release-management/features/infra/pki/)
> for a second time and I see the same certificate located in different
> locations.
>
> For example, all these locations contain the same certificate-
>
> - https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
> - /etc/pki/vdsm/certs/cacert.pem
> - /etc/pki/vdsm/libvirt-spice/ca-cert.pem
> - /etc/pki/CA/cacert.pem
>
> This is the certificate I am using to configure my aSpice client.
>
> Can someone answer the question from my original post? The PKI reference
> says for version 3.2 and 3.3. Is the documentation still correct for
> version 4.2?
>
> At this point I am trying to find out where the problem exists - i.e.
>
> #1 Is my client not configured correctly?
>
> #2 Am I using the wrong cert? (I think I am using the correct cert based
> on the research I listed above)

I'd guess yes based on above

> #3 Does my client need to be able to send a password?
> (based on the contents of the .vv file, I'd have to guess yes)

yes

> Also my xml file for the VM in question contains this:
> <graphics type='spice' autoport='yes' defaultMode='secure' passwd='*****'
> passwdValidTo='1970-01-01T00:00:01'>
> Please note: I did not perform any hand configuration of the xml file, it
> was all done by the system using the UI.

the password is generated automatically. Normally it works like this:
- you ask for the .vv file
- ovirt generates a temporary password you can use to connect to console
- you can connect to the console using this temporary password

> #4 Can I configure a file on the system to turn off ticketing and
> passwords and see if that makes a difference, if so, what file?

I don't think there is an easy way to do this... Maybe writing some vdsm
hook or some other complex hack. I've seen an old discussion about it here:
http://lists.ovirt.org/pipermail/users/2014-August/026774.html
but I would not recommend you to go down this path.

> #5 Can someone explain this error?
>
> 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
> ((null):27595): Spice-Warning **:reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1
>
> What I know about it is this:
> According to RFC 2246, the alert number 80 represents an "internal
> error". Here is the description from the RFC
> internal_error: An internal error unrelated to the peer or the correctness
> of the protocol makes it impossible to continue (such as a memory
> allocation failure). This message is always fatal.
>
> #6 Could this error be related to any of #1 through #4 above?

yes, I'd say yes.

> Thanks!
>
> ------------------------------
> *From:* Karli Sjöberg <[email protected]>
> *Sent:* Tuesday, February 20, 2018 2:56 AM
> *To:* Tomas Jelinek; Jeremy Tourville
> *Cc:* [email protected]
> *Subject:* Re: [ovirt-users] Spice Client Connection Issues Using aSpice
>
> On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:
> >
> > On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville
> > <Jeremy_Tourville@hotmail.com> wrote:
> > > Hi Tomas,
> > > To answer your question, yes I am really trying to use aSpice.
> > >
> > > I appreciate your suggestion. I'm not sure if it meets my
> > > objective. Maybe our goals are different? It seems to me that
> > > movirt is built around portable management of the ovirt
> > > environment. I am attempting to provide a VDI type experience for
> > > running a vm. My goal is to run a lab environment with 30
> > > chromebooks loaded with a spice client. The spice client would of
> > > course connect to the 30 vms running Kali and each session would be
> > > independent of each other.
> > >
> >
> > yes, it looks like a different use case
> >
> > > I did a little further testing with a different client. (spice
> > > plugin for chrome). When I attempted to connect using that client
> > > I got a slightly different error message. The message still seemed
> > > to be of the same nature- i.e.: there is a problem with SSL
> > > protocol and communication.
> > >
> > > Are you suggesting that movirt can help set up the proper
> > > certificates and config the vms to use spice? Thanks!
> > >
> >
> > moVirt has been developed for quite some time and works pretty well,
> > this is why I recommended it. But anyway, you have a different use
> > case.
> >
> > What I think the issue is, is that oVirt can have different CAs set
> > for console communication and for API. And I think you are trying to
> > configure aSPICE to use the one for API.
> >
> > What moVirt does to make sure it is using the correct CA to put into
> > the aSPICE is that it downloads the .vv file of the VM (e.g. you can
> > just connect to console using webadmin and save the .vv file
> > somewhere), parse it and use the CA= part from it as a certificate.
> > This one is guaranteed to be the correct one.
> >
> > For more details about what else it takes from the .vv file you can
> > check here:
> > the parsing: https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttpMessageConverter.java
> > configuration of aSPICE: https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java
> >
> > enjoy :)
>
> Feels to me like OP should try to get it working _any_ "normal" way
> before trying to get the special use case application working?
>
> Like trying to run before learning to crawl, if that makes sense?
>
> I would suggest just logging in to webadmin with a regular PC and
> trying to get a SPICE console with remote-viewer to begin with. Then,
> once that works, try to get a SPICE console working through moVirt with
> aSPICE on an Android phone, or one of the Chromebooks you have to play
> with before going into production. Once that's settled and you know it
> should work the way you normally access it, you can start playing with
> your special use case application.
>
> Hope it helps!
>
> /K
>
> > > From: Tomas Jelinek <[email protected]>
> > > Sent: Monday, February 19, 2018 4:19 AM
> > > To: Jeremy Tourville
> > > Cc: [email protected]
> > > Subject: Re: [ovirt-users] Spice Client Connection Issues Using
> > > aSpice
> > >
> > > On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville
> > > <Jeremy_Tourville@hotmail.com> wrote:
> > > > Hello,
> > > > I am having trouble connecting to my guest vm (Kali Linux) which
> > > > is running spice.
> > > > My engine is running version: 4.2.1.7-1.el7.centos.
> > > > I am using oVirt Node as my host running version: 4.2.1.1.
> > > >
> > > > I have taken the following steps to try and get everything
> > > > running properly.
> > > >
> > > > Download the root CA certificate
> > > > https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
> > > >
> > > > Edit the vm and define the graphical console entries. Video type
> > > > is set to QXL, Graphics protocol is spice, USB support is
> > > > enabled.
> > > >
> > > > Install the guest agent in Debian per the instructions here -
> > > > https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/
> > > > It is my understanding that installing the guest agent will also
> > > > install the virt IO device drivers.
> > > >
> > > > Install the spice-vdagent per the instructions here -
> > > > https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/
> > > >
> > > > On the aSpice client I have imported the CA certificate from step
> > > > 1 above. I defined the connection using the IP of my Node and
> > > > TLS port 5901.
> > >
> > > are you really using aSPICE client (e.g. the android SPICE
> > > client?). If yes, maybe you want to try to open it using moVirt
> > > (https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en)
> > > which delegates the console to aSPICE but configures
> > > everything including the certificates on it. Should be much simpler
> > > than configuring it by hand..
> > >
> > > > To troubleshoot my connection issues I confirmed the port being
> > > > used to listen.
> > > > virsh # domdisplay Kali
> > > > spice://172.30.42.12?tls-port=5901
> > > >
> > > > I see the following when attempting to connect.
> > > > tail -f /var/log/libvirt/qemu/Kali.log
> > > >
> > > > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
> > > > ((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1
> > > >
> > > > I came across some documentation that states in the caveat
> > > > section "Certificate of spice SSL should be separate
> > > > certificate."
> > > > https://www.ovirt.org/develop/release-management/features/infra/pki/
> > > >
> > > > Is this still the case for version 4? The document references
> > > > version 3.2 and 3.3. If so, how do I generate a new certificate
> > > > for use with spice? Please let me know if you require further
> > > > info to troubleshoot, I am happy to provide it. Many thanks in
> > > > advance.
> > > >
> > > > _______________________________________________
> > > > Users mailing list
> > > > [email protected]
> > > > http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
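
Added example, not part of the original thread and not moVirt's code: a Python sketch of the check described in the thread, reading the `ca=` entry from a saved .vv file and comparing its fingerprint with the certificate imported into the client. It assumes the .vv file is INI-style with a `[virt-viewer]` section and stores the PEM newlines as literal `\n`; the function names, sample file and placeholder certificates are constructed.

```python
import base64
import configparser
import hashlib
import ssl


def placeholder_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate: real PEM framing, dummy body."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data (host and TLS port are the ones quoted in the thread).
CONSOLE_CA = placeholder_pem(b"constructed console CA")
OTHER_CA = placeholder_pem(b"constructed CA from some other source")
SAMPLE_VV = (
    "[virt-viewer]\n"
    "type=spice\n"
    "host=172.30.42.12\n"
    "tls-port=5901\n"
    "password=constructed-temporary-ticket\n"
    "ca=" + CONSOLE_CA.replace("\n", "\\n") + "\n"
)


def load_vv(text: str) -> dict:
    """Parse a .vv file and return the fields a SPICE client needs."""
    parser = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    parser.read_string(text)
    vv = parser["virt-viewer"]
    return {
        "host": vv["host"],
        "tls_port": vv.getint("tls-port"),
        "password": vv.get("password"),  # temporary password issued with the file
        "ca_pem": vv["ca"].replace("\\n", "\n"),  # undo the escaped newlines
    }


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so PEM whitespace differences do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def same_ca(vv_text: str, client_pem: str) -> bool:
    """True when the CA imported into the client is the one in the .vv file."""
    return fingerprint(load_vv(vv_text)["ca_pem"]) == fingerprint(client_pem)


if __name__ == "__main__":
    print(load_vv(SAMPLE_VV)["host"], same_ca(SAMPLE_VV, CONSOLE_CA), same_ca(SAMPLE_VV, OTHER_CA))
```

A mismatch reported by `same_ca` means the client was given a different CA than the one the console ticket carries.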

