The VM seems to start without complaints after adding the key directory after /etc/pki/libvirt-vnc** r, in an identical format within the apparmor.d config file<br><br>I haven't really slept much so I will check login after sleeping <br>
<br><div class="gmail_quote">On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis <span dir="ltr"><<a href="mailto:jodi.curtis@gmail.com" target="_blank">jodi.curtis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi<div><br></div><div>Copy of attempt so far, hopefully this will be useful to have online, I will carry on tomorrow!</div><div><br></div><div><div>/etc/hostname </div><div><br></div><div>squealer</div><div><br></div><div>
/etc/hosts</div><div><br></div><div>127.0.0.1 localhost squealer <a href="http://squealer.maiakaat.co.uk" target="_blank">squealer.maiakaat.co.uk</a> <a href="http://maiakaat.co.uk" target="_blank">maiakaat.co.uk</a> <a href="http://www.maiakaat.co.uk" target="_blank">www.maiakaat.co.uk</a></div>
<div>192.168.2.140 localhost squealer <a href="http://squealer.maiakaat.co.uk" target="_blank">squealer.maiakaat.co.uk</a> <a href="http://maiakaat.co.uk" target="_blank">maiakaat.co.uk</a> <a href="http://www.maiakaat.co.uk" target="_blank">www.maiakaat.co.uk</a></div>
<div><br></div><div>cat /etc/passwd</div><div><br></div><div>root:x:0:0:root:/root:/bin/bash</div><div>daemon:x:1:1:daemon:/usr/sbin:/bin/sh</div><div>bin:x:2:2:bin:/bin:/bin/sh</div><div>sys:x:3:3:sys:/dev:/bin/sh</div>
<div>
sync:x:4:65534:sync:/bin:/bin/sync</div><div>games:x:5:60:games:/usr/games:/bin/sh</div><div>man:x:6:12:man:/var/cache/man:/bin/sh</div><div>lp:x:7:7:lp:/var/spool/lpd:/bin/sh</div><div>mail:x:8:8:mail:/var/mail:/bin/sh</div>
<div>news:x:9:9:news:/var/spool/news:/bin/sh</div><div>uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh</div><div>proxy:x:13:13:proxy:/bin:/bin/sh</div><div>www-data:x:33:33:www-data:/var/www:/bin/sh</div><div>backup:x:34:34:backup:/var/backups:/bin/sh</div>
<div>list:x:38:38:Mailing List Manager:/var/list:/bin/sh</div><div>irc:x:39:39:ircd:/var/run/ircd:/bin/sh</div><div>gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh</div><div>nobody:x:65534:65534:nobody:/nonexistent:/bin/sh</div>
<div>libuuid:x:100:101::/var/lib/libuuid:/bin/sh</div><div>syslog:x:101:103::/home/syslog:/bin/false</div><div>messagebus:x:102:105::/var/run/dbus:/bin/false</div><div>whoopsie:x:103:107::/nonexistent:/bin/false</div><div>
landscape:x:104:110::/var/lib/landscape:/bin/false</div><div>sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin</div><div>libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false</div><div>libvirt-dnsmasq:x:107:112:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false</div>
<div>jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash</div><div><br></div><div>cd /var/lib/libvirt</div><div>sudo ls -l</div><div><br></div><div>drwx--x--x 2 root root 4096 Oct 6 01:58 boot</div><div>drwxr-xr-x 2 root root 4096 Oct 30 21:06 dnsmasq</div>
<div>drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11 drivers</div><div>drwx--x--x 2 root root 4096 Oct 6 01:58 images</div><div>drwxr-xr-x 5 libvirt-qemu root 4096 Nov 1 12:56 local</div><div>drwxr-xr-x 2 root root 4096 Nov 12 18:03 network</div>
<div>drwxr-x--- 5 libvirt-qemu kvm 4096 Nov 12 18:11 qemu</div><div>drwx------ 2 root root 4096 Oct 6 01:58 sanlock</div><div>drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22 shared</div><div><br></div><div>#drivers to be forwarded as filesystem element with Windows drivers</div>
<div>#local contains volume pools(2) for VM volumes, and all xml files used to create VM's volumes and pools.</div><div><br></div><div>sudo usermod -a -G root,kvm jodic</div><div><br></div><div>chmod 775 /var/lib/libvirt/qemu</div>
<div>#temporary change</div><div><br></div><div>#libvirt directory permissions are drwxr-xr-x</div><div><br></div><div>sudo mkdir /var/lib/libvirt/pki</div><div>sudo mkdir /var/lib/libvirt/pki/libvirt-spice</div><div><br>
</div><div>sudo nano /etc/libvirt/qemu.conf</div><div><br></div><div>spice_tls = 1</div><div>spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"</div><div><br></div><div>cd /var/lib/libvirt/pki/libvirt-spice</div>
<div><br></div><div>sudo openssl genrsa -des3 -out ca-key.pem 1024</div><div>sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/CN=Self Signed"</div><div>sudo openssl genrsa -out server-key.pem 1024</div>
<div>sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/CN=squealer"</div><div>sudo openssl x509 req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem</div>
<div>sudo openssl rsa -in server-key.pem -out server-key.pem.insecure</div><div>sudo mv server-key.pem server-key.pem.secure</div><div>sudo mv server-key.pem.insecure server-key.pem</div><div><br></div><div>sudo chown libvirt-qemu /var/lib/libvirt/pki</div>
<div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice</div><div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem</div><div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem</div>
<div>sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem</div><div><br></div><div>#temporary change</div><div>sudo chmod 775 /var/lib/libvirt/pki</div><div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice</div>
<div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem</div><div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem</div><div>sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem</div>
<div><br></div><div>sudo virsh destroy VM11</div><div>sudo virsh undefine VM11</div><div><br></div><div>sudo shutdown -r now</div><div>#don't know how to restart service for re-read of qemu.conf in Ubuntu</div><div><br>
</div><div>#Ubuntu offering 28 updates - none related to virtualization at all</div><div><br></div><div>sudo apt-get update</div><div>sudo apt-get upgrade</div><div><br></div><div>sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml</div>
<div><br></div><div>#defined VM11</div><div><br></div><div>sudo virsh start VM11</div><div><br></div><div>#started VM11 23:14 ish UK time</div><div><br></div><div>sudo /var/log/libvirt/qemu/qemu.conf</div><div><br></div>
<div>2012-11-12 23:13:44.233+0000: starting up</div><div>LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5</div>
<div>char device redirected to /dev/pts/2</div><div>((null):8891): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem</div><div>((null):8891): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file</div>
<div>((null):8891): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem</div><div><br></div><div>sudo virsh destroy VM11</div><div><br></div><div>#destroyed</div>
<div><br></div><div>$ sudo /usr/bin/kvm-spice -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing</div><div><br></div><div><br></div><div>#output</div><div><br></div><div>QEMU 0.12.0 monitor - type 'help' for more information</div>
<div class="im">
<div>(qemu)</div><div><br></div><div>"If you see the same error again, there is something wrong with</div><div>certificates themselves. If not, verify that they are accessible to the</div><div>qemu process - note that it may run under different user than root and</div>
<div>in addition, it may be confined by SELinux or AppArmor. I can't speak</div><div>for AppArmor but for SELinux, you may need to restore context of the</div><div>files (and directories) to make them accessible for qemu."</div>
<div><br></div></div><div>I'll begin looking at the permissions and security tomorrow, although its stretching my</div><div>knowledge of Linux here, I guess the only way to learn is to do though.</div><div><br></div>
<div>I will likely set up my vm's without security for now (they are local only) to have something I can dev on etc</div>
<div>These are nfs (if the passthrough bug in ubuntu kvm-spice doesn't affect the passthrough of a logical volume to the guest, repos (source code), build and dev desktop</div></div><div><br></div><div>Thanks again for all the help<div>
<div class="h5"><br>
<br><div class="gmail_quote">On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis <span dir="ltr"><<a href="mailto:jodi.curtis@gmail.com" target="_blank">jodi.curtis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi I'm going through the process now logging everything I am doing.<div><br></div><div>The VM does start BTW, the problem is that it cannot open the secure channel from remote-viewer attempts to connect, with qemu giving those errors in VM11.log. I will post my new attempt here anyway in a little while, with a success or failure, I've had some minor issues with the pki directory, hence removing and and trying again with fully checked permissions.<br>
<br>Thanks for the help.<div><div><br><br><div class="gmail_quote">On Mon, Nov 12, 2012 at 10:12 PM, David Jaša <span dir="ltr"><<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jodi Curtis píše v Po 12. 11. 2012 v 19:47 +0000:<br>
<div>> hi<br>
><br>
><br>
> sorry I should explain that I used squealer as the server name which<br>
> matches the hostname, this is aliased to various ip's and domain names<br>
> in hosts, the usual method, I'll check the local ip is listed in there<br>
> though,I could try the local ip used to connect .<br>
><br>
<br>
</div>Well, all of these are side problems as long as your VMs refuse to<br>
start... Anyway, given that spice knows how to override the CN check<br>
since its very beginnings (using --spice-host-subject option), this is<br>
no big deal, it's just more convenient if you don't have to.<br>
<div><br>
><br>
> yes the keys were created in the correct directory<br>
<br>
</div>and you already stated that.<br>
<br>
The error message is pretty clear though: there is either something<br>
wrong with certificates themselves or qemu can not access them. If you<br>
can see details of all of them using CLI tools, then the certificates<br>
should be ok. You could verify that ultimately by trying to run<br>
minimalistic qemu manually:<br>
<br>
$ sudo /usr/bin/kvm -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing<br>
<br>
you should see just a message like this:<br>
QEMU 0.12.1 monitor - type 'help' for more information<br>
(qemu)<br>
<br>
If you see the same error again, there is something wrong with<br>
certificates themselves. If not, verify that they are accessible to the<br>
qemu process - note that it may run under different user than root and<br>
in addition, it may be confined by SELinux or AppArmor. I can't speak<br>
for AppArmor but for SELinux, you may need to restore context of the<br>
files (and directories) to make them accessible for qemu.<br>
<span><font color="#888888"><br>
David<br>
</font></span><div><div><br>
><br>
> On Mon, Nov 12, 2012 at 7:42 PM, David Jaša <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
> Jodi Curtis píše v Po 12. 11. 2012 v 18:53 +0000:<br>
> > Hi<br>
> ><br>
> ><br>
> > Package and OS<br>
> > ------------------------------<br>
> > Ubuntu 12.10<br>
> ><br>
> > qemu-kvm-spice:<br>
> > Installed: 1.2.0-2012.09-0ubuntu1<br>
> > Candidate: 1.2.0-2012.09-0ubuntu1<br>
> > Version table:<br>
> > *** 1.2.0-2012.09-0ubuntu1 0<br>
> > 500 <a href="http://gb.archive.ubuntu.com/ubuntu/" target="_blank">http://gb.archive.ubuntu.com/ubuntu/</a><br>
> quantal/universe<br>
> > amd64 Packages<br>
> > 100 /var/lib/dpkg/status<br>
> ><br>
> ><br>
> > Key Creation<br>
> ><br>
> > -------------------------<br>
> ><br>
> ><br>
> > openssl genrsa -des3 -out ca-key.pem 1024<br>
> > openssl req -new -x509 -days 1095 -key ca-key.pem -out<br>
> ca-cert.pem<br>
> > -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"<br>
> > openssl genrsa -out server-key.pem 1024<br>
> > openssl req -new -key server-key.pem -out server-key.csr<br>
> -utf8 -subj<br>
> > "/C=IL/L=Raanana/O=Red Hat/CN=my server"<br>
><br>
><br>
> (side note here: you can omit C, L and O fields are redundant<br>
> for uses<br>
> outside of controlled environments but CN field should contain<br>
> hostname<br>
> or IP address of your server so that you don't need to<br>
> override the host<br>
> subject)<br>
><br>
> > openssl x509 -req -days 1095 -in server-key.csr -CA<br>
> ca-cert.pem -CAkey<br>
> > ca-key.pem -set_serial 01 -out server-cert.pem<br>
> > openssl rsa -in server-key.pem -out server-key.pem.insecure<br>
> > mv server-key.pem server-key.pem.secure<br>
> > mv server-key.pem.insecure server-key.pem<br>
> ><br>
><br>
><br>
> here,<br>
><br>
> ><br>
> > qemu.conf<br>
> ><br>
> > --------------<br>
> ><br>
> ><br>
> > qemu.conf configuration was attempted as default, and<br>
> specified using<br>
> > an uncommented path "/etc/pki/libvirt-spice"<br>
> ><br>
><br>
><br>
> here,<br>
><br>
> ><br>
> > spice_tls = 1<br>
> ><br>
> > # default it to keep them in /etc/pki/libvirt-spice. This<br>
> directory<br>
> ><br>
> > # must contain<br>
> ><br>
> > ...<br>
> ><br>
> > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using<br>
> the default<br>
> > path)<br>
> ><br>
> > spice_tls_x509_cert_dir =<br>
> "/etc/pki/libvirt-spice" (specifiying the<br>
> > path directly)<br>
> ><br>
><br>
><br>
> and here are the key points. Did you copy the<br>
> {ca,server}-{key,cert}.pem<br>
> files to /etc/pki/libvirt-spice?<br>
><br>
> David<br>
><br>
> ><br>
> > Permissions<br>
> ><br>
> > -------------<br>
> ><br>
> > Permissions were tested set as default (assumed root or my<br>
> account)<br>
> > and<br>
> ><br>
> > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<br>
> ><br>
> > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of<br>
> files><br>
> ><br>
> ><br>
> ><br>
> > Error Reported<br>
> > -------------------------<br>
> ><br>
> ><br>
> > sudo nano /var/log/libvirt/qemu/VM11.log<br>
> ><br>
> ><br>
> > qemu: terminating on signal 15 from pid 1417<br>
> > 2012-11-12 18:11:24.586+0000: shutting down<br>
> > 2012-11-12 18:11:29.698+0000: starting up<br>
> > LC_ALL=C<br>
> ><br>
> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin<br>
> > QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2<br>
> -cpu<br>
> > Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,<br>
> +cmp_legacy,<br>
> > +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme<br>
> -enable-kvm -m<br>
> > 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid<br>
> > 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config<br>
> -nodefaults<br>
> > -chardev<br>
> ><br>
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5<br>
> > char device redirected to /dev/pts/1<br>
> > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl:<br>
> Could not<br>
> > load certificates<br>
> from /etc/pki/libvirt-spice/server-cert.pem<br>
> > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl:<br>
> Could not<br>
> > use private key file<br>
> > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl:<br>
> Could not<br>
> > use CA file /etc/pki/libvirt-spice/ca-cert.pem<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Certificates<br>
> > --------------------<br>
> > I was able to open and read the files using the various<br>
> commands<br>
> > similar to sudo openssl x509 -noout -text -in ca-cert.pem<br>
> ><br>
> ><br>
> > I did wonder if it is rejecting the CA as some security<br>
> feature, I<br>
> > hope this is of use.<br>
> > I chose libvirt-qemu, as this is the account closed to the<br>
> Red<br>
> > Hat/Fedora account name used "qemu"<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Creation<br>
> > ---------------<br>
> ><br>
> ><br>
> > creation was via an XML definition followed by calling virsh<br>
> define<br>
> > <path>, virsh start VM11<br>
> ><br>
> ><br>
> > I have tried to keep most files inside the libvirt tree to<br>
> try to<br>
> > avoid permission errors, the configuration has two volume<br>
> pools,<br>
> > specified inside /var/lib/libvirt/local/<pool-name> (which<br>
> are mounted<br>
> > to other drives, and operate without problem)<br>
> ><br>
> ><br>
> > The volumes used are vmdk volumes (for performance reasons)<br>
> one inside<br>
> > each pool, for fixed allocation and sparse type allocation),<br>
> not that<br>
> > this matters but it gives you an idea of what the setup is<br>
> like.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Location content<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > jodic@squealer:/etc/pki/libvirt-spice$ dir<br>
> > ca-cert.pem server-cert.pem server-key.pem<br>
> > ca-key.pem server-key.csr server-key.pem.secure<br>
> ><br>
> ><br>
> > I could try using a location without the qemu tree to try to<br>
> rule out<br>
> > some permission problems. I'll go through it again in a<br>
> little bit<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša<br>
> <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
> > Before reporting a bug, could we rule out<br>
> misconfiguration<br>
> > possiblity<br>
> > entirely?<br>
> ><br>
> > 1) do you use libvirt?<br>
> > 2) if so, do you use system session or per-user<br>
> session?<br>
> > 3) could you look at qemu command line? If you use<br>
> libvirt,<br>
> > you'll find it in /var/log/libvirt/qemu/VM_NAME.log<br>
> > 4) at the libvirt command file, is there '...<br>
> > -spice ...,x509-(dir|ca...|server),... ' entry?<br>
> > 5) if the x509 directive is x509-dir, does "qemu-kvm<br>
> -spice<br>
> > tls-port=12345,x509-dir=DIR,disable-ticketing"<br>
> command throw<br>
> > the same error?<br>
> > (the same goes for per-file x509 options)<br>
> > 6) if it is indeed a problem, is it permission issue<br>
> or are<br>
> > the files empty or are they invalid?<br>
> ><br>
> > (...)<br>
> ><br>
> > David<br>
> ><br>
> ><br>
> > Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:<br>
> > > Hi<br>
> > ><br>
> > ><br>
> > > I've used the directory correctly on qemu.conf,<br>
> I've seen<br>
> > these<br>
> > > problems relating to Red Hat/oVirt, where it<br>
> wasn't set<br>
> > despite being<br>
> > > set in qemu.conf, so I will probably file a bug<br>
> report with<br>
> > Ubuntu on<br>
> > > this one.<br>
> > ><br>
> > ><br>
> > > The red-hat solution isn't valid for Ubuntu.<br>
> > ><br>
> > ><br>
> > > Thanks<br>
> > ><br>
> > > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša<br>
> > <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
> > > Jodi Curtis píše v Po 12. 11. 2012 v 17:31<br>
> +0000:<br>
> > > > Hi<br>
> > > ><br>
> > > ><br>
> > > > Thanks, I found the method in the end,<br>
> my current<br>
> > problem is<br>
> > > related<br>
> > > > to a problem with Ubuntu/SSL/Spice, so<br>
> not really<br>
> > your<br>
> > > software, I<br>
> > > > have asked for help from a Linux admin,<br>
> but its<br>
> > detailed<br>
> > > below for the<br>
> > > > record, I've gone through the key making<br>
> proces<br>
> > twice, and<br>
> > > rebooted,<br>
> > > > obviously paths have been checked and<br>
> qemu.conf<br>
> > has been set<br>
> > > as<br>
> > > > required<br>
> > > ><br>
> > > ><br>
> > > > ((null):2176): Spice-Warning **:<br>
> > reds.c:3307:reds_init_ssl:<br>
> > > Could not<br>
> > > > load certificates from server-cert.pem<br>
> > > > ((null):2176): Spice-Warning **:<br>
> > reds.c:3317:reds_init_ssl:<br>
> > > Could not<br>
> > > > use private key file<br>
> > > > ((null):2176): Spice-Warning **:<br>
> > reds.c:3325:reds_init_ssl:<br>
> > > Could not<br>
> > > > use CA file<br>
> > ><br>
> > ><br>
> > > Assuming that your cert/key files are<br>
> correct and in<br>
> > place,<br>
> > > this looks<br>
> > > like incorrect x509-dir option of qemu cli<br>
> or<br>
> > > spice_tls_x509_cert_dir<br>
> > > directive of /etc/libvirt/qemu.conf<br>
> pointing to a<br>
> > wrong<br>
> > > directory. Just<br>
> > > a configuration issue.<br>
> > ><br>
> > > David<br>
> > ><br>
> > > ><br>
> > > ><br>
> > > > There is very little obvious on the<br>
> internet, so<br>
> > am trying<br>
> > > to identify<br>
> > > > if its a common SSL or config problem,<br>
> or if I<br>
> > should file a<br>
> > > bug<br>
> > > > report with Ubuntu kvm-spice<br>
> > > ><br>
> > > ><br>
> > > > Jodi<br>
> > > ><br>
> > > ><br>
> > > > On Mon, Nov 12, 2012 at 12:12 PM, David<br>
> Jaša<br>
> > > <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote:<br>
> > > > Hi Jodi,<br>
> > > ><br>
> > > > You can find full tls-enabled<br>
> > remote-viewer<br>
> > > invocation in this<br>
> > > > oVirt<br>
> > > > wiki page:<br>
> > > ><br>
> > ><br>
> ><br>
> <a href="http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal" target="_blank">http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal</a><br>
> > > ><br>
> > > > David<br>
> > > ><br>
> > > ><br>
> > > > Jodi Curtis píše v Ne 11. 11.<br>
> 2012 v 23:28<br>
> > +0000:<br>
> > > > > Hi<br>
> > > > ><br>
> > > > ><br>
> > > > > I'm having trouble connecting<br>
> to a spice<br>
> > server<br>
> > > with tls<br>
> > > > enabled<br>
> > > > > through virt-viewer on<br>
> windows, I have<br>
> > tls<br>
> > > configured and a<br>
> > > > > ca-cert.pem file, but I don't<br>
> know where<br>
> > to put<br>
> > > it, or what<br>
> > > > to use<br>
> > > > ><br>
> > > > ><br>
> > > > > I have tried various<br>
> combinations of<br>
> > > > spice://192.168.2.140:590x<br>
> > > > ><br>
> > > > ><br>
> > > > > I have tried adding +ssh or<br>
> +tls, I have<br>
> > tried<br>
> > > adding the<br>
> > > > ca-cert.pem<br>
> > > > > file to the location used by<br>
> the spicec<br>
> > page that<br>
> > > covers how<br>
> > > > to set up<br>
> > > > > tls, and I have tried adding<br>
> my username<br>
> > before<br>
> > > the IP.<br>
> > > > ><br>
> > > > > I have tried connecting to<br>
> both ports.<br>
> > > > ><br>
> > > > ><br>
> > > > > Any help on what it should be,<br>
> or if<br>
> > there is an<br>
> > > alternative<br>
> > > > to<br>
> > > > > virt-viewer on windows that I<br>
> need to<br>
> > use for the<br>
> > > secure<br>
> > > > connection.<br>
> > > > ><br>
> > > > ><br>
> > > > > Thanks<br>
> > > ><br>
> > > > ><br>
> > _______________________________________________<br>
> > > > > Spice-devel mailing list<br>
> > > > ><br>
> <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
> > > > ><br>
> > ><br>
> ><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
> > > ><br>
> > > > --<br>
> > > ><br>
> > > > David Jaša, RHCE<br>
> > > ><br>
> > > > SPICE QE based in Brno<br>
> > > > GPG Key: 22C33E24<br>
> > > > Fingerprint: 513A 060B D1B4 2A72<br>
> 7F0D 0278<br>
> > B125 CD00<br>
> > > 22C3 3E24<br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> _______________________________________________<br>
> > > > Spice-devel mailing list<br>
> > > > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
> > > ><br>
> ><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
> > ><br>
> > > --<br>
> > ><br>
> > > David Jaša, RHCE<br>
> > ><br>
> > > SPICE QE based in Brno<br>
> > > GPG Key: 22C33E24<br>
> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278<br>
> B125 CD00<br>
> > 22C3 3E24<br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> ><br>
> > --<br>
> ><br>
> > David Jaša, RHCE<br>
> ><br>
> > SPICE QE based in Brno<br>
> > GPG Key: 22C33E24<br>
> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00<br>
> 22C3 3E24<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Spice-devel mailing list<br>
> > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
> > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
><br>
> --<br>
><br>
> David Jaša, RHCE<br>
><br>
> SPICE QE based in Brno<br>
> GPG Key: 22C33E24<br>
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>
><br>
><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Spice-devel mailing list<br>
> <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
<br>
--<br>
<br>
David Jaša, RHCE<br>
<br>
SPICE QE based in Brno<br>
GPG Key: 22C33E24<br>
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>
<br>
<br>
<br>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br>