My latest issue is the error spice warning spice channels 1 should be encrypted, I'm guessing this is an authentication issue with my attempts to connect?<br><br><div class="gmail_quote">On Tue, Nov 13, 2012 at 7:37 AM, Jodi Curtis <span dir="ltr"><<a href="mailto:jodi.curtis@gmail.com" target="_blank">jodi.curtis@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The VM seems to start without complaints after adding the key directory after /etc/pki/libvirt-vnc** r, in an identical format within the apparmor.d config file<br>
<br>I haven't really slept much so I will check login after sleeping <div class="HOEnZb"><div class="h5"><br>
<br><div class="gmail_quote">On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis <span dir="ltr"><<a href="mailto:jodi.curtis@gmail.com" target="_blank">jodi.curtis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hi<div><br></div><div>Copy of attempt so far, hopefully this will be useful to have online, I will carry on tomorrow!</div><div><br></div><div><div>/etc/hostname </div><div><br></div><div>squealer</div><div><br></div><div>


/etc/hosts</div><div><br></div><div>127.0.0.1 localhost squealer <a href="http://squealer.maiakaat.co.uk" target="_blank">squealer.maiakaat.co.uk</a> <a href="http://maiakaat.co.uk" target="_blank">maiakaat.co.uk</a> <a href="http://www.maiakaat.co.uk" target="_blank">www.maiakaat.co.uk</a></div>


<div>192.168.2.140 localhost squealer <a href="http://squealer.maiakaat.co.uk" target="_blank">squealer.maiakaat.co.uk</a> <a href="http://maiakaat.co.uk" target="_blank">maiakaat.co.uk</a> <a href="http://www.maiakaat.co.uk" target="_blank">www.maiakaat.co.uk</a></div>


<div><br></div><div>cat /etc/passwd</div><div><br></div><div>root:x:0:0:root:/root:/bin/bash</div><div>daemon:x:1:1:daemon:/usr/sbin:/bin/sh</div><div>bin:x:2:2:bin:/bin:/bin/sh</div><div>sys:x:3:3:sys:/dev:/bin/sh</div>

<div>
sync:x:4:65534:sync:/bin:/bin/sync</div><div>games:x:5:60:games:/usr/games:/bin/sh</div><div>man:x:6:12:man:/var/cache/man:/bin/sh</div><div>lp:x:7:7:lp:/var/spool/lpd:/bin/sh</div><div>mail:x:8:8:mail:/var/mail:/bin/sh</div>


<div>news:x:9:9:news:/var/spool/news:/bin/sh</div><div>uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh</div><div>proxy:x:13:13:proxy:/bin:/bin/sh</div><div>www-data:x:33:33:www-data:/var/www:/bin/sh</div><div>backup:x:34:34:backup:/var/backups:/bin/sh</div>


<div>list:x:38:38:Mailing List Manager:/var/list:/bin/sh</div><div>irc:x:39:39:ircd:/var/run/ircd:/bin/sh</div><div>gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh</div><div>nobody:x:65534:65534:nobody:/nonexistent:/bin/sh</div>


<div>libuuid:x:100:101::/var/lib/libuuid:/bin/sh</div><div>syslog:x:101:103::/home/syslog:/bin/false</div><div>messagebus:x:102:105::/var/run/dbus:/bin/false</div><div>whoopsie:x:103:107::/nonexistent:/bin/false</div><div>


landscape:x:104:110::/var/lib/landscape:/bin/false</div><div>sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin</div><div>libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false</div><div>libvirt-dnsmasq:x:107:112:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false</div>


<div>jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash</div><div><br></div><div>cd /var/lib/libvirt</div><div>sudo ls -l</div><div><br></div><div>drwx--x--x 2 root         root 4096 Oct  6 01:58 boot</div><div>drwxr-xr-x 2 root         root 4096 Oct 30 21:06 dnsmasq</div>


<div>drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11 drivers</div><div>drwx--x--x 2 root         root 4096 Oct  6 01:58 images</div><div>drwxr-xr-x 5 libvirt-qemu root 4096 Nov  1 12:56 local</div><div>drwxr-xr-x 2 root         root 4096 Nov 12 18:03 network</div>


<div>drwxr-x--- 5 libvirt-qemu kvm  4096 Nov 12 18:11 qemu</div><div>drwx------ 2 root         root 4096 Oct  6 01:58 sanlock</div><div>drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22 shared</div><div><br></div><div>#drivers to be forwarded as filesystem element with Windows drivers</div>


<div>#local contains volume pools(2) for VM volumes, and all xml files used to create VM's volumes and pools.</div><div><br></div><div>sudo usermod -a -G root,kvm jodic</div><div><br></div><div>chmod 775 /var/lib/libvirt/qemu</div>


<div>#temporary change</div><div><br></div><div>#libvirt directory permissions are drwxr-xr-x</div><div><br></div><div>sudo mkdir /var/lib/libvirt/pki</div><div>sudo mkdir /var/lib/libvirt/pki/libvirt-spice</div><div><br>


</div><div>sudo nano /etc/libvirt/qemu.conf</div><div><br></div><div>spice_tls = 1</div><div>spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"</div><div><br></div><div>cd /var/lib/libvirt/pki/libvirt-spice</div>


<div><br></div><div>sudo openssl genrsa -des3 -out ca-key.pem 1024</div><div>sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/CN=Self Signed"</div><div>sudo openssl genrsa -out server-key.pem 1024</div>


<div>sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/CN=squealer"</div><div>sudo openssl x509 req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem</div>


<div>sudo openssl rsa -in server-key.pem -out server-key.pem.insecure</div><div>sudo mv server-key.pem server-key.pem.secure</div><div>sudo mv server-key.pem.insecure server-key.pem</div><div><br></div><div>sudo chown libvirt-qemu /var/lib/libvirt/pki</div>


<div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice</div><div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem</div><div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem</div>


<div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem</div><div><br></div><div>#temporary change</div><div>sudo chmod 775 /var/lib/libvirt/pki</div><div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice</div>


<div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem</div><div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem</div><div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem</div>


<div><br></div><div>sudo virsh destroy VM11</div><div>sudo virsh undefine VM11</div><div><br></div><div>sudo shutdown -r now</div><div>#don't know how to restart service for re-read of qemu.conf in Ubuntu</div><div><br>


</div><div>#Ubuntu offering 28 updates - none related to virtualization at all</div><div><br></div><div>sudo apt-get update</div><div>sudo apt-get upgrade</div><div><br></div><div>sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml</div>


<div><br></div><div>#defined VM11</div><div><br></div><div>sudo virsh start VM11</div><div><br></div><div>#started VM11    23:14 ish UK time</div><div><br></div><div>sudo /var/log/libvirt/qemu/qemu.conf</div><div><br></div>


<div>2012-11-12 23:13:44.233+0000: starting up</div><div>LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5</div>


<div>char device redirected to /dev/pts/2</div><div>((null):8891): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem</div><div>((null):8891): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file</div>


<div>((null):8891): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem</div><div><br></div><div>sudo virsh destroy VM11</div><div><br></div><div>#destroyed</div>


<div><br></div><div>$ sudo /usr/bin/kvm-spice -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing</div><div><br></div><div><br></div><div>#output</div><div><br></div><div>QEMU 0.12.0 monitor - type 'help' for more information</div>

<div>
<div>(qemu)</div><div><br></div><div>"If you see the same error again, there is something wrong with</div><div>certificates themselves. If not, verify that they are accessible to the</div><div>qemu process - note that it may run under different user than root and</div>


<div>in addition, it may be confined by SELinux or AppArmor. I can't speak</div><div>for AppArmor but for SELinux, you may need to restore context of the</div><div>files (and directories) to make them accessible for qemu."</div>


<div><br></div></div><div>I'll begin looking at the permissions and security tomorrow, although its stretching my</div><div>knowledge of Linux here, I guess the only way to learn is to do though.</div><div><br></div>

<div>I will likely set up my vm's without security for now (they are local only) to have something I can dev on etc</div>
<div>These are nfs (if the passthrough bug in ubuntu kvm-spice doesn't affect the passthrough of a logical volume to the guest, repos (source code), build and dev desktop</div></div><div><br></div><div>Thanks again for all the help<div>

<div><br>
<br><div class="gmail_quote">On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis <span dir="ltr"><<a href="mailto:jodi.curtis@gmail.com" target="_blank">jodi.curtis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


Hi I'm going through the process now logging everything I am doing.<div><br></div><div>The VM does start BTW, the problem is that it cannot open the secure channel from remote-viewer attempts to connect, with qemu giving those errors in VM11.log. I will post my new attempt here anyway in a little while, with a success or failure, I've had some minor issues with the pki directory, hence removing and and trying again with fully checked permissions.<br>



<br>Thanks for the help.<div><div><br><br><div class="gmail_quote">On Mon, Nov 12, 2012 at 10:12 PM, David Jaša <span dir="ltr"><<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jodi Curtis píše v Po 12. 11. 2012 v 19:47 +0000:<br>
<div>> hi<br>
><br>
><br>
> sorry I should explain that I used squealer as the server name which<br>
> matches the hostname, this is aliased to various ip's and domain names<br>
> in hosts, the usual method, I'll check the local ip is listed in there<br>
> though,I could try the local ip used to connect .<br>
><br>
<br>
</div>Well, all of these are side problems as long as your VMs refuse to<br>
start... Anyway, given that spice knows how to override the CN check<br>
since its very beginnings (using --spice-host-subject option), this is<br>
no big deal, it's just more convenient if you don't have to.<br>
<div><br>
><br>
> yes the keys were created in the correct directory<br>
<br>
</div>and you already stated that.<br>
<br>
The error message is pretty clear though: there is either something<br>
wrong with certificates themselves or qemu can not access them. If you<br>
can see details of all of them using CLI tools, then the certificates<br>
should be ok. You could verify that ultimately by trying to run<br>
minimalistic qemu manually:<br>
<br>
$ sudo /usr/bin/kvm -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing<br>
<br>
you should see just a message like this:<br>
QEMU 0.12.1 monitor - type 'help' for more information<br>
(qemu)<br>
<br>
If you see the same error again, there is something wrong with<br>
certificates themselves. If not, verify that they are accessible to the<br>
qemu process - note that it may run under different user than root and<br>
in addition, it may be confined by SELinux or AppArmor. I can't speak<br>
for AppArmor but for SELinux, you may need to restore context of the<br>
files (and directories) to make them accessible for qemu.<br>
<span><font color="#888888"><br>
David<br>
</font></span><div><div><br>
><br>
> On Mon, Nov 12, 2012 at 7:42 PM, David Jaša <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
>         Jodi Curtis píše v Po 12. 11. 2012 v 18:53 +0000:<br>
>         > Hi<br>
>         ><br>
>         ><br>
>         > Package and OS<br>
>         > ------------------------------<br>
>         > Ubuntu 12.10<br>
>         ><br>
>         > qemu-kvm-spice:<br>
>         >   Installed: 1.2.0-2012.09-0ubuntu1<br>
>         >   Candidate: 1.2.0-2012.09-0ubuntu1<br>
>         >   Version table:<br>
>         >  *** 1.2.0-2012.09-0ubuntu1 0<br>
>         >         500 <a href="http://gb.archive.ubuntu.com/ubuntu/" target="_blank">http://gb.archive.ubuntu.com/ubuntu/</a><br>
>         quantal/universe<br>
>         > amd64 Packages<br>
>         >         100 /var/lib/dpkg/status<br>
>         ><br>
>         ><br>
>         > Key Creation<br>
>         ><br>
>         > -------------------------<br>
>         ><br>
>         ><br>
>         > openssl genrsa -des3 -out ca-key.pem 1024<br>
>         > openssl req -new -x509 -days 1095 -key ca-key.pem -out<br>
>         ca-cert.pem<br>
>         > -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"<br>
>         > openssl genrsa -out server-key.pem 1024<br>
>         > openssl req -new -key server-key.pem -out server-key.csr<br>
>         -utf8 -subj<br>
>         > "/C=IL/L=Raanana/O=Red Hat/CN=my server"<br>
><br>
><br>
>         (side note here: you can omit C, L and O fields are redundant<br>
>         for uses<br>
>         outside of controlled environments but CN field should contain<br>
>         hostname<br>
>         or IP address of your server so that you don't need to<br>
>         override the host<br>
>         subject)<br>
><br>
>         > openssl x509 -req -days 1095 -in server-key.csr -CA<br>
>         ca-cert.pem -CAkey<br>
>         > ca-key.pem -set_serial 01 -out server-cert.pem<br>
>         > openssl rsa -in server-key.pem -out server-key.pem.insecure<br>
>         > mv server-key.pem server-key.pem.secure<br>
>         > mv server-key.pem.insecure server-key.pem<br>
>         ><br>
><br>
><br>
>         here,<br>
><br>
>         ><br>
>         > qemu.conf<br>
>         ><br>
>         > --------------<br>
>         ><br>
>         ><br>
>         > qemu.conf configuration was attempted as default, and<br>
>         specified using<br>
>         > an uncommented path "/etc/pki/libvirt-spice"<br>
>         ><br>
><br>
><br>
>         here,<br>
><br>
>         ><br>
>         > spice_tls = 1<br>
>         ><br>
>         > # default it to keep them in /etc/pki/libvirt-spice. This<br>
>         directory<br>
>         ><br>
>         > # must contain<br>
>         ><br>
>         > ...<br>
>         ><br>
>         > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using<br>
>         the default<br>
>         > path)<br>
>         ><br>
>         > spice_tls_x509_cert_dir =<br>
>         "/etc/pki/libvirt-spice" (specifiying the<br>
>         > path directly)<br>
>         ><br>
><br>
><br>
>         and here are the key points. Did you copy the<br>
>         {ca,server}-{key,cert}.pem<br>
>         files to /etc/pki/libvirt-spice?<br>
><br>
>         David<br>
><br>
>         ><br>
>         > Permissions<br>
>         ><br>
>         > -------------<br>
>         ><br>
>         > Permissions were tested set as default (assumed root or my<br>
>         account)<br>
>         > and<br>
>         ><br>
>         > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<br>
>         ><br>
>         > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of<br>
>         files><br>
>         ><br>
>         ><br>
>         ><br>
>         > Error Reported<br>
>         > -------------------------<br>
>         ><br>
>         ><br>
>         > sudo nano /var/log/libvirt/qemu/VM11.log<br>
>         ><br>
>         ><br>
>         > qemu: terminating on signal 15 from pid 1417<br>
>         > 2012-11-12 18:11:24.586+0000: shutting down<br>
>         > 2012-11-12 18:11:29.698+0000: starting up<br>
>         > LC_ALL=C<br>
>         ><br>
>         PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin<br>
>         > QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2<br>
>         -cpu<br>
>         > Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,<br>
>         +cmp_legacy,<br>
>         > +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme<br>
>         -enable-kvm -m<br>
>         > 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid<br>
>         > 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config<br>
>         -nodefaults<br>
>         > -chardev<br>
>         ><br>
>         socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5<br>




>         > char device redirected to /dev/pts/1<br>
>         > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl:<br>
>         Could not<br>
>         > load certificates<br>
>         from /etc/pki/libvirt-spice/server-cert.pem<br>
>         > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl:<br>
>         Could not<br>
>         > use private key file<br>
>         > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl:<br>
>         Could not<br>
>         > use CA file /etc/pki/libvirt-spice/ca-cert.pem<br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         > Certificates<br>
>         > --------------------<br>
>         > I was able to open and read the files using the various<br>
>         commands<br>
>         > similar to sudo openssl x509 -noout -text -in ca-cert.pem<br>
>         ><br>
>         ><br>
>         > I did wonder if it is rejecting the CA as some security<br>
>         feature, I<br>
>         > hope this is of use.<br>
>         > I chose libvirt-qemu, as this is the account closed to the<br>
>         Red<br>
>         > Hat/Fedora account name used "qemu"<br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         > Creation<br>
>         > ---------------<br>
>         ><br>
>         ><br>
>         > creation was via an XML definition followed by calling virsh<br>
>         define<br>
>         > <path>, virsh start VM11<br>
>         ><br>
>         ><br>
>         > I have tried to keep most files inside the libvirt tree to<br>
>         try to<br>
>         > avoid permission errors, the configuration has two volume<br>
>         pools,<br>
>         > specified inside /var/lib/libvirt/local/<pool-name> (which<br>
>         are mounted<br>
>         > to other drives, and operate without problem)<br>
>         ><br>
>         ><br>
>         > The volumes used are vmdk volumes (for performance reasons)<br>
>         one inside<br>
>         > each pool, for fixed allocation and sparse type allocation),<br>
>         not that<br>
>         > this matters but it gives you an idea of what the setup is<br>
>         like.<br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         > Location content<br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         > jodic@squealer:/etc/pki/libvirt-spice$ dir<br>
>         > ca-cert.pem  server-cert.pem  server-key.pem<br>
>         > ca-key.pem   server-key.csr   server-key.pem.secure<br>
>         ><br>
>         ><br>
>         > I could try using a location without the qemu tree to try to<br>
>         rule out<br>
>         > some permission problems. I'll go through it again in a<br>
>         little bit<br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša<br>
>         <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
>         >         Before reporting a bug, could we rule out<br>
>         misconfiguration<br>
>         >         possiblity<br>
>         >         entirely?<br>
>         ><br>
>         >         1) do you use libvirt?<br>
>         >         2) if so, do you use system session or per-user<br>
>         session?<br>
>         >         3) could you look at qemu command line? If you use<br>
>         libvirt,<br>
>         >         you'll find it in /var/log/libvirt/qemu/VM_NAME.log<br>
>         >         4) at the libvirt command file, is there '...<br>
>         >         -spice ...,x509-(dir|ca...|server),... ' entry?<br>
>         >         5) if the x509 directive is x509-dir, does "qemu-kvm<br>
>         -spice<br>
>         >         tls-port=12345,x509-dir=DIR,disable-ticketing"<br>
>         command throw<br>
>         >         the same error?<br>
>         >            (the same goes for per-file x509 options)<br>
>         >         6) if it is indeed a problem, is it permission issue<br>
>         or are<br>
>         >         the files empty or are they invalid?<br>
>         ><br>
>         >         (...)<br>
>         ><br>
>         >         David<br>
>         ><br>
>         ><br>
>         >         Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:<br>
>         >         > Hi<br>
>         >         ><br>
>         >         ><br>
>         >         > I've used the directory correctly on qemu.conf,<br>
>         I've seen<br>
>         >         these<br>
>         >         > problems relating to Red Hat/oVirt, where it<br>
>         wasn't set<br>
>         >         despite being<br>
>         >         > set in qemu.conf, so I will probably file a bug<br>
>         report with<br>
>         >         Ubuntu on<br>
>         >         > this one.<br>
>         >         ><br>
>         >         ><br>
>         >         > The red-hat solution isn't valid for Ubuntu.<br>
>         >         ><br>
>         >         ><br>
>         >         > Thanks<br>
>         >         ><br>
>         >         > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša<br>
>         >         <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
>         >         >         Jodi Curtis píše v Po 12. 11. 2012 v 17:31<br>
>         +0000:<br>
>         >         >         > Hi<br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         > Thanks, I found the method in the end,<br>
>         my current<br>
>         >         problem is<br>
>         >         >         related<br>
>         >         >         > to a problem with Ubuntu/SSL/Spice, so<br>
>         not really<br>
>         >         your<br>
>         >         >         software, I<br>
>         >         >         > have asked for help from a Linux admin,<br>
>         but its<br>
>         >         detailed<br>
>         >         >         below for the<br>
>         >         >         > record, I've gone through the key making<br>
>         proces<br>
>         >         twice, and<br>
>         >         >         rebooted,<br>
>         >         >         > obviously paths have been checked and<br>
>         qemu.conf<br>
>         >         has been set<br>
>         >         >         as<br>
>         >         >         > required<br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         > ((null):2176): Spice-Warning **:<br>
>         >         reds.c:3307:reds_init_ssl:<br>
>         >         >         Could not<br>
>         >         >         > load certificates from server-cert.pem<br>
>         >         >         > ((null):2176): Spice-Warning **:<br>
>         >         reds.c:3317:reds_init_ssl:<br>
>         >         >         Could not<br>
>         >         >         > use private key file<br>
>         >         >         > ((null):2176): Spice-Warning **:<br>
>         >         reds.c:3325:reds_init_ssl:<br>
>         >         >         Could not<br>
>         >         >         > use CA file<br>
>         >         ><br>
>         >         ><br>
>         >         >         Assuming that your cert/key files are<br>
>         correct and in<br>
>         >         place,<br>
>         >         >         this looks<br>
>         >         >         like incorrect x509-dir option of qemu cli<br>
>         or<br>
>         >         >         spice_tls_x509_cert_dir<br>
>         >         >         directive of /etc/libvirt/qemu.conf<br>
>         pointing to a<br>
>         >         wrong<br>
>         >         >         directory. Just<br>
>         >         >         a configuration issue.<br>
>         >         ><br>
>         >         >         David<br>
>         >         ><br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         > There is very little obvious on the<br>
>         internet, so<br>
>         >         am trying<br>
>         >         >         to identify<br>
>         >         >         > if its a common SSL or config problem,<br>
>         or if I<br>
>         >         should file a<br>
>         >         >         bug<br>
>         >         >         > report with Ubuntu kvm-spice<br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         > Jodi<br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         > On Mon, Nov 12, 2012 at 12:12 PM, David<br>
>         Jaša<br>
>         >         >         <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
>         >         >         >         Hi Jodi,<br>
>         >         >         ><br>
>         >         >         >         You can find full tls-enabled<br>
>         >         remote-viewer<br>
>         >         >         invocation in this<br>
>         >         >         >         oVirt<br>
>         >         >         >         wiki page:<br>
>         >         >         ><br>
>         >         ><br>
>         ><br>
>         <a href="http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal" target="_blank">http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal</a><br>
>         >         >         ><br>
>         >         >         >         David<br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         >         Jodi Curtis píše v Ne 11. 11.<br>
>         2012 v 23:28<br>
>         >         +0000:<br>
>         >         >         >         > Hi<br>
>         >         >         >         ><br>
>         >         >         >         ><br>
>         >         >         >         > I'm having trouble connecting<br>
>         to a spice<br>
>         >         server<br>
>         >         >         with tls<br>
>         >         >         >         enabled<br>
>         >         >         >         > through virt-viewer on<br>
>         windows, I have<br>
>         >         tls<br>
>         >         >         configured and a<br>
>         >         >         >         > ca-cert.pem file, but I don't<br>
>         know where<br>
>         >         to put<br>
>         >         >         it, or what<br>
>         >         >         >         to use<br>
>         >         >         >         ><br>
>         >         >         >         ><br>
>         >         >         >         > I have tried various<br>
>         combinations of<br>
>         >         >         >         spice://192.168.2.140:590x<br>
>         >         >         >         ><br>
>         >         >         >         ><br>
>         >         >         >         > I have tried adding +ssh or<br>
>         +tls, I have<br>
>         >         tried<br>
>         >         >         adding the<br>
>         >         >         >         ca-cert.pem<br>
>         >         >         >         > file to the location used by<br>
>         the spicec<br>
>         >         page that<br>
>         >         >         covers how<br>
>         >         >         >         to set up<br>
>         >         >         >         > tls, and I have tried adding<br>
>         my username<br>
>         >         before<br>
>         >         >         the IP.<br>
>         >         >         >         ><br>
>         >         >         >         > I have tried connecting to<br>
>         both ports.<br>
>         >         >         >         ><br>
>         >         >         >         ><br>
>         >         >         >         > Any help on what it should be,<br>
>         or if<br>
>         >         there is an<br>
>         >         >         alternative<br>
>         >         >         >         to<br>
>         >         >         >         > virt-viewer on windows that I<br>
>         need to<br>
>         >         use for the<br>
>         >         >         secure<br>
>         >         >         >         connection.<br>
>         >         >         >         ><br>
>         >         >         >         ><br>
>         >         >         >         > Thanks<br>
>         >         >         ><br>
>         >         >         >         ><br>
>         >         _______________________________________________<br>
>         >         >         >         > Spice-devel mailing list<br>
>         >         >         >         ><br>
>         <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
>         >         >         >         ><br>
>         >         ><br>
>         ><br>
>         <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
>         >         >         ><br>
>         >         >         >         --<br>
>         >         >         ><br>
>         >         >         >         David Jaša, RHCE<br>
>         >         >         ><br>
>         >         >         >         SPICE QE based in Brno<br>
>         >         >         >         GPG Key:     22C33E24<br>
>         >         >         >         Fingerprint: 513A 060B D1B4 2A72<br>
>         7F0D 0278<br>
>         >         B125 CD00<br>
>         >         >         22C3 3E24<br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         ><br>
>         >         >         ><br>
>         _______________________________________________<br>
>         >         >         > Spice-devel mailing list<br>
>         >         >         > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
>         >         >         ><br>
>         ><br>
>         <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
>         >         ><br>
>         >         >         --<br>
>         >         ><br>
>         >         >         David Jaša, RHCE<br>
>         >         ><br>
>         >         >         SPICE QE based in Brno<br>
>         >         >         GPG Key:     22C33E24<br>
>         >         >         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278<br>
>         B125 CD00<br>
>         >         22C3 3E24<br>
>         >         ><br>
>         >         ><br>
>         >         ><br>
>         >         ><br>
>         >         ><br>
>         >         ><br>
>         ><br>
>         >         --<br>
>         ><br>
>         >         David Jaša, RHCE<br>
>         ><br>
>         >         SPICE QE based in Brno<br>
>         >         GPG Key:     22C33E24<br>
>         >         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00<br>
>         22C3 3E24<br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         > _______________________________________________<br>
>         > Spice-devel mailing list<br>
>         > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
>         > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
><br>
>         --<br>
><br>
>         David Jaša, RHCE<br>
><br>
>         SPICE QE based in Brno<br>
>         GPG Key:     22C33E24<br>
>         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>
><br>
><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Spice-devel mailing list<br>
> <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
<br>
--<br>
<br>
David Jaša, RHCE<br>
<br>
SPICE QE based in Brno<br>
GPG Key:     22C33E24<br>
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>
<br>
<br>
<br>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br>
</div></div></blockquote></div><br>