Hi to clarify, the Ubuntu apparmor.d doesn't include the default directory definition (/etc/pki/libvirt-spice) unlike the /etc/pki/libvirt-vnc directory, (which is included). S you will always need to add this directory as far as I am aware from my experience.<div> </div><div>I've made a suggestion that this is added as an update to the apparmor.d as part of the qemu-kvm-spice package install, whether anybody reads it I don't know.<div> </div><div>The actual error is:</div> <div> </div><div><div>2012-11-13 17:07:18.780+0000: starting up</div><div>LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid 2e6cca5a-9269-a9d2-2e2b-867ac0ce0a8c -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5</div> <div>char device redirected to /dev/pts/1</div><div>((null):2230): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted</div></div><div> </div><div> <div> <div class="gmail_quote"> On Tue, Nov 13, 2012 at 4:58 PM, David Jaša <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I think it is something different but I can't say it for sure unless I see the exact message... Jodi Curtis píše v Út 13. 11. 2012 v 16:26 +0000: <div class="im">> My latest issue is the error spice warning spice channels 1 should be > encrypted, I'm guessing this is an authentication issue with my > attempts to connect? > > On Tue, Nov 13, 2012 at 7:37 AM, Jodi Curtis <<a href="mailto:jodi.curtis@gmail.com">jodi.curtis@gmail.com</a>> > wrote: > The VM seems to start without complaints after adding the key > directory after /etc/pki/libvirt-vnc** r, in an identical > format within the apparmor.d config file </div>ubuntu docs should be probably updated about need to copy certs/keys to the default directory OR need to update apparmor configuration if custom directory is used. David <div class="HOEnZb"><div class="h5"> > > I haven't really slept much so I will check login after > sleeping > > > On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis > <<a href="mailto:jodi.curtis@gmail.com">jodi.curtis@gmail.com</a>> wrote: > Hi > > > Copy of attempt so far, hopefully this will be useful > to have online, I will carry on tomorrow! > > > /etc/hostname > > > squealer > > > /etc/hosts > > > 127.0.0.1 localhost squealer <a href="http://squealer.maiakaat.co.uk" target="_blank">squealer.maiakaat.co.uk</a> > <a href="http://maiakaat.co.uk" target="_blank">maiakaat.co.uk</a> <a href="http://www.maiakaat.co.uk" target="_blank">www.maiakaat.co.uk</a> > 192.168.2.140 localhost squealer > <a href="http://squealer.maiakaat.co.uk" target="_blank">squealer.maiakaat.co.uk</a> <a href="http://maiakaat.co.uk" target="_blank">maiakaat.co.uk</a> > <a href="http://www.maiakaat.co.uk" target="_blank">www.maiakaat.co.uk</a> > > > cat /etc/passwd > > > root:x:0:0:root:/root:/bin/bash > daemon:x:1:1:daemon:/usr/sbin:/bin/sh > bin:x:2:2:bin:/bin:/bin/sh > sys:x:3:3:sys:/dev:/bin/sh > sync:x:4:65534:sync:/bin:/bin/sync > games:x:5:60:games:/usr/games:/bin/sh > man:x:6:12:man:/var/cache/man:/bin/sh > lp:x:7:7:lp:/var/spool/lpd:/bin/sh > mail:x:8:8:mail:/var/mail:/bin/sh > news:x:9:9:news:/var/spool/news:/bin/sh > uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh > proxy:x:13:13:proxy:/bin:/bin/sh > www-data:x:33:33:www-data:/var/www:/bin/sh > backup:x:34:34:backup:/var/backups:/bin/sh > list:x:38:38:Mailing List Manager:/var/list:/bin/sh > irc:x:39:39:ircd:/var/run/ircd:/bin/sh > gnats:x:41:41:Gnats Bug-Reporting System > (admin):/var/lib/gnats:/bin/sh > nobody:x:65534:65534:nobody:/nonexistent:/bin/sh > libuuid:x:100:101::/var/lib/libuuid:/bin/sh > syslog:x:101:103::/home/syslog:/bin/false > messagebus:x:102:105::/var/run/dbus:/bin/false > whoopsie:x:103:107::/nonexistent:/bin/false > landscape:x:104:110::/var/lib/landscape:/bin/false > sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin > libvirt-qemu:x:106:106:Libvirt > Qemu,,,:/var/lib/libvirt:/bin/false > libvirt-dnsmasq:x:107:112:Libvirt > Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false > jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash > > > cd /var/lib/libvirt > sudo ls -l > > > drwx--x--x 2 root root 4096 Oct 6 01:58 boot > drwxr-xr-x 2 root root 4096 Oct 30 21:06 > dnsmasq > drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11 > drivers > drwx--x--x 2 root root 4096 Oct 6 01:58 > images > drwxr-xr-x 5 libvirt-qemu root 4096 Nov 1 12:56 local > drwxr-xr-x 2 root root 4096 Nov 12 18:03 > network > drwxr-x--- 5 libvirt-qemu kvm 4096 Nov 12 18:11 qemu > drwx------ 2 root root 4096 Oct 6 01:58 > sanlock > drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22 > shared > > > #drivers to be forwarded as filesystem element with > Windows drivers > #local contains volume pools(2) for VM volumes, and > all xml files used to create VM's volumes and pools. > > > sudo usermod -a -G root,kvm jodic > > > chmod 775 /var/lib/libvirt/qemu > #temporary change > > > #libvirt directory permissions are drwxr-xr-x > > > sudo mkdir /var/lib/libvirt/pki > sudo mkdir /var/lib/libvirt/pki/libvirt-spice > > > sudo nano /etc/libvirt/qemu.conf > > > spice_tls = 1 > spice_tls_x509_cert_dir = > "/var/lib/libvirt/pki/libvirt-spice" > > > cd /var/lib/libvirt/pki/libvirt-spice > > > sudo openssl genrsa -des3 -out ca-key.pem 1024 > sudo openssl req -new -x509 -days 750 -key ca-key.pem > -out ca-cert.pem -utf8 -subj "/CN=Self Signed" > sudo openssl genrsa -out server-key.pem 1024 > sudo openssl req -new -key server-key.pem -out > server-key.csr -utf8 -subj "/CN=squealer" > sudo openssl x509 req -days 750 -in server-key.csr -CA > ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out > server-cert.pem > sudo openssl rsa -in server-key.pem -out > server-key.pem.insecure > sudo mv server-key.pem server-key.pem.secure > sudo mv server-key.pem.insecure server-key.pem > > > sudo chown libvirt-qemu /var/lib/libvirt/pki > sudo chown > libvirt-qemu /var/lib/libvirt/pki/libvirt-spice > sudo chown > libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem > sudo chown > libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem > sudo chown > libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem > > > #temporary change > sudo chmod 775 /var/lib/libvirt/pki > sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice > sudo chmod > 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem > sudo chmod > 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem > sudo chmod > 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem > > > sudo virsh destroy VM11 > sudo virsh undefine VM11 > > > sudo shutdown -r now > #don't know how to restart service for re-read of > qemu.conf in Ubuntu > > > #Ubuntu offering 28 updates - none related to > virtualization at all > > > sudo apt-get update > sudo apt-get upgrade > > > sudo virsh > define /var/lib/libvirt/local/xml/default-revision7.xml > > > #defined VM11 > > > sudo virsh start VM11 > > > #started VM11 23:14 ish UK time > > > sudo /var/log/libvirt/qemu/qemu.conf > > > 2012-11-12 23:13:44.233+0000: starting up > LC_ALL=C > PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 > char device redirected to /dev/pts/2 > ((null):8891): Spice-Warning **: > reds.c:3307:reds_init_ssl: Could not load certificates > from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem > ((null):8891): Spice-Warning **: > reds.c:3317:reds_init_ssl: Could not use private key > file > ((null):8891): Spice-Warning **: > reds.c:3325:reds_init_ssl: Could not use CA > file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem > > > sudo virsh destroy VM11 > > > #destroyed > > > $ sudo /usr/bin/kvm-spice -monitor stdio -spice > tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing > > > > > #output > > > QEMU 0.12.0 monitor - type 'help' for more information > (qemu) > > > "If you see the same error again, there is something > wrong with > certificates themselves. If not, verify that they are > accessible to the > qemu process - note that it may run under different > user than root and > in addition, it may be confined by SELinux or > AppArmor. I can't speak > for AppArmor but for SELinux, you may need to restore > context of the > files (and directories) to make them accessible for > qemu." > > > I'll begin looking at the permissions and security > tomorrow, although its stretching my > knowledge of Linux here, I guess the only way to learn > is to do though. > > > I will likely set up my vm's without security for now > (they are local only) to have something I can dev on > etc > These are nfs (if the passthrough bug in ubuntu > kvm-spice doesn't affect the passthrough of a logical > volume to the guest, repos (source code), build and > dev desktop > > > Thanks again for all the help > > > On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis > <<a href="mailto:jodi.curtis@gmail.com">jodi.curtis@gmail.com</a>> wrote: > Hi I'm going through the process now logging > everything I am doing. > > > The VM does start BTW, the problem is that it > cannot open the secure channel from > remote-viewer attempts to connect, with qemu > giving those errors in VM11.log. I will post > my new attempt here anyway in a little while, > with a success or failure, I've had some minor > issues with the pki directory, hence removing > and and trying again with fully checked > permissions. > > Thanks for the help. > > > On Mon, Nov 12, 2012 at 10:12 PM, David Jaša > <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote: > Jodi Curtis píše v Po 12. 11. 2012 v > 19:47 +0000: > > hi > > > > > > sorry I should explain that I used > squealer as the server name which > > matches the hostname, this is > aliased to various ip's and domain > names > > in hosts, the usual method, I'll > check the local ip is listed in there > > though,I could try the local ip used > to connect . > > > > > Well, all of these are side problems > as long as your VMs refuse to > start... Anyway, given that spice > knows how to override the CN check > since its very beginnings (using > --spice-host-subject option), this is > no big deal, it's just more convenient > if you don't have to. > > > > > yes the keys were created in the > correct directory > > > and you already stated that. > > The error message is pretty clear > though: there is either something > wrong with certificates themselves or > qemu can not access them. If you > can see details of all of them using > CLI tools, then the certificates > should be ok. You could verify that > ultimately by trying to run > minimalistic qemu manually: > > $ sudo /usr/bin/kvm -monitor stdio > -spice > tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing > > you should see just a message like > this: > QEMU 0.12.1 monitor - type 'help' for > more information > (qemu) > > If you see the same error again, there > is something wrong with > certificates themselves. If not, > verify that they are accessible to the > qemu process - note that it may run > under different user than root and > in addition, it may be confined by > SELinux or AppArmor. I can't speak > for AppArmor but for SELinux, you may > need to restore context of the > files (and directories) to make them > accessible for qemu. > > David > > > > > On Mon, Nov 12, 2012 at 7:42 PM, > David Jaša <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote: > > Jodi Curtis píše v Po 12. > 11. 2012 v 18:53 +0000: > > > Hi > > > > > > > > > Package and OS > > > > ------------------------------ > > > Ubuntu 12.10 > > > > > > qemu-kvm-spice: > > > Installed: > 1.2.0-2012.09-0ubuntu1 > > > Candidate: > 1.2.0-2012.09-0ubuntu1 > > > Version table: > > > *** > 1.2.0-2012.09-0ubuntu1 0 > > > 500 > <a href="http://gb.archive.ubuntu.com/ubuntu/" target="_blank">http://gb.archive.ubuntu.com/ubuntu/</a> > > quantal/universe > > > amd64 Packages > > > > 100 /var/lib/dpkg/status > > > > > > > > > Key Creation > > > > > > ------------------------- > > > > > > > > > openssl genrsa -des3 -out > ca-key.pem 1024 > > > openssl req -new -x509 > -days 1095 -key ca-key.pem -out > > ca-cert.pem > > > -utf8 -subj > "/C=IL/L=Raanana/O=Red Hat/CN=my CA" > > > openssl genrsa -out > server-key.pem 1024 > > > openssl req -new -key > server-key.pem -out server-key.csr > > -utf8 -subj > > > "/C=IL/L=Raanana/O=Red > Hat/CN=my server" > > > > > > (side note here: you can > omit C, L and O fields are redundant > > for uses > > outside of controlled > environments but CN field should > contain > > hostname > > or IP address of your server > so that you don't need to > > override the host > > subject) > > > > > openssl x509 -req -days > 1095 -in server-key.csr -CA > > ca-cert.pem -CAkey > > > ca-key.pem -set_serial 01 > -out server-cert.pem > > > openssl rsa -in > server-key.pem -out > server-key.pem.insecure > > > mv server-key.pem > server-key.pem.secure > > > mv server-key.pem.insecure > server-key.pem > > > > > > > > > here, > > > > > > > > qemu.conf > > > > > > -------------- > > > > > > > > > qemu.conf configuration > was attempted as default, and > > specified using > > > an uncommented path > "/etc/pki/libvirt-spice" > > > > > > > > > here, > > > > > > > > spice_tls = 1 > > > > > > # default it to keep them > in /etc/pki/libvirt-spice. This > > directory > > > > > > # must contain > > > > > > ... > > > > > > #spice_tls_x509_cert_dir = > "/etc/pki/libvirt-spice" (using > > the default > > > path) > > > > > > spice_tls_x509_cert_dir = > > > "/etc/pki/libvirt-spice" (specifiying > the > > > path directly) > > > > > > > > > and here are the key points. > Did you copy the > > {ca,server}-{key,cert}.pem > > files > to /etc/pki/libvirt-spice? > > > > David > > > > > > > > Permissions > > > > > > ------------- > > > > > > Permissions were tested > set as default (assumed root or my > > account) > > > and > > > > > > sudo chown > libvirt-qemu /etc/pki/libvirt-spice/ > > > > > > sudo chown > libvirt-qemu /etc/pki/libvirt-spice/<filenames of > > files> > > > > > > > > > > > > Error Reported > > > ------------------------- > > > > > > > > > sudo > nano /var/log/libvirt/qemu/VM11.log > > > > > > > > > qemu: terminating on > signal 15 from pid 1417 > > > 2012-11-12 18:11:24.586 > +0000: shutting down > > > 2012-11-12 18:11:29.698 > +0000: starting up > > > LC_ALL=C > > > > > > PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin > > > > QEMU_AUDIO_DRV=spice /usr/bin/kvm > -name VM11 -S -M pc-1.2 > > -cpu > > > Opteron_G3,+ibs,+osvw, > +3dnowprefetch,+cr8legacy,+extapic, > > +cmp_legacy, > > > +3dnow,+3dnowext,+pdpe1gb, > +fxsr_opt,+mmxext,+ht,+vme </div></div><div class="HOEnZb"><div class="h5">> > -enable-kvm -m > > > 2048 -smp > 1,sockets=1,cores=1,threads=1 -uuid > > > > 35a6984d-0b77-da48-770e-a8fb0c7c284d > -no-user-config > > -nodefaults > > > -chardev > > > > > > socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 > > > char device redirected > to /dev/pts/1 > > > ((null):1916): > Spice-Warning **: > reds.c:3307:reds_init_ssl: > > Could not > > > load certificates > > > from /etc/pki/libvirt-spice/server-cert.pem > > > ((null):1916): > Spice-Warning **: > reds.c:3317:reds_init_ssl: > > Could not > > > use private key file > > > ((null):1916): > Spice-Warning **: > reds.c:3325:reds_init_ssl: > > Could not > > > use CA > file /etc/pki/libvirt-spice/ca-cert.pem > > > > > > > > > > > > > > > Certificates > > > -------------------- > > > I was able to open and > read the files using the various > > commands > > > similar to sudo openssl > x509 -noout -text -in ca-cert.pem > > > > > > > > > I did wonder if it is > rejecting the CA as some security > > feature, I > > > hope this is of use. > > > I chose libvirt-qemu, as > this is the account closed to the > > Red > > > Hat/Fedora account name > used "qemu" > > > > > > > > > > > > > > > Creation > > > --------------- > > > > > > > > > creation was via an XML > definition followed by calling virsh > > define > > > <path>, virsh start VM11 > > > > > > > > > I have tried to keep most > files inside the libvirt tree to > > try to > > > avoid permission errors, > the configuration has two volume > > pools, > > > specified > inside /var/lib/libvirt/local/<pool-name> (which > > are mounted > > > to other drives, and > operate without problem) > > > > > > > > > The volumes used are vmdk > volumes (for performance reasons) > > one inside > > > each pool, for fixed > allocation and sparse type > allocation), > > not that > > > this matters but it gives > you an idea of what the setup is > > like. > > > > > > > > > > > > > > > > > > > > > Location content > > > > > > > > > > > > > > > > jodic@squealer:/etc/pki/libvirt-spice$ > dir > > > ca-cert.pem > server-cert.pem server-key.pem > > > ca-key.pem > server-key.csr server-key.pem.secure > > > > > > > > > I could try using a > location without the qemu tree to try > to > > rule out > > > some permission problems. > I'll go through it again in a > > little bit > > > > > > > > > > > > > > > > > > > > > On Mon, Nov 12, 2012 at > 6:11 PM, David Jaša > > <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote: > > > Before reporting a > bug, could we rule out > > misconfiguration > > > possiblity > > > entirely? > > > > > > 1) do you use > libvirt? > > > 2) if so, do you > use system session or per-user > > session? > > > 3) could you look > at qemu command line? If you use > > libvirt, > > > you'll find it > in /var/log/libvirt/qemu/VM_NAME.log > > > 4) at the libvirt > command file, is there '... > > > > -spice ...,x509-(dir|ca...|server),... > ' entry? > > > 5) if the x509 > directive is x509-dir, does "qemu-kvm > > -spice > > > > tls-port=12345,x509-dir=DIR,disable-ticketing" > > command throw > > > the same error? > > > (the same goes > for per-file x509 options) > > > 6) if it is indeed > a problem, is it permission issue > > or are > > > the files empty or > are they invalid? > > > > > > (...) > > > > > > David > > > > > > > > > Jodi Curtis píše v > Po 12. 11. 2012 v 17:55 +0000: > > > > Hi > > > > > > > > > > > > I've used the > directory correctly on qemu.conf, > > I've seen > > > these > > > > problems > relating to Red Hat/oVirt, where it > > wasn't set > > > despite being > > > > set in > qemu.conf, so I will probably file a > bug > > report with > > > Ubuntu on > > > > this one. > > > > > > > > > > > > The red-hat > solution isn't valid for Ubuntu. > > > > > > > > > > > > Thanks > > > > > > > > On Mon, Nov 12, > 2012 at 5:49 PM, David Jaša > > > <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> > wrote: > > > > Jodi > Curtis píše v Po 12. 11. 2012 v 17:31 > > +0000: > > > > > Hi > > > > > > > > > > > > > > > > Thanks, I found the method in the end, > > my current > > > problem is > > > > related > > > > > to a > problem with Ubuntu/SSL/Spice, so > > not really > > > your > > > > > software, I > > > > > have > asked for help from a Linux admin, > > but its > > > detailed > > > > below > for the > > > > > > record, I've gone through the key > making > > proces > > > twice, and > > > > > rebooted, > > > > > > obviously paths have been checked and > > qemu.conf > > > has been set > > > > as > > > > > > required > > > > > > > > > > > > > > > > ((null):2176): Spice-Warning **: > > > > reds.c:3307:reds_init_ssl: > > > > Could > not > > > > > load > certificates from server-cert.pem > > > > > > ((null):2176): Spice-Warning **: > > > > reds.c:3317:reds_init_ssl: > > > > Could > not > > > > > use > private key file > > > > > > ((null):2176): Spice-Warning **: > > > > reds.c:3325:reds_init_ssl: > > > > Could > not > > > > > use CA > file > > > > > > > > > > > > Assuming > that your cert/key files are > > correct and in > > > place, > > > > this > looks > > > > like > incorrect x509-dir option of qemu cli > > or > > > > > spice_tls_x509_cert_dir > > > > > directive of /etc/libvirt/qemu.conf > > pointing to a > > > wrong > > > > > directory. Just > > > > a > configuration issue. > > > > > > > > David > > > > > > > > > > > > > > > > > > > There > is very little obvious on the > > internet, so > > > am trying > > > > to > identify > > > > > if its > a common SSL or config problem, > > or if I > > > should file a > > > > bug > > > > > report > with Ubuntu kvm-spice > > > > > > > > > > > > > > > Jodi > > > > > > > > > > > > > > > On > Mon, Nov 12, 2012 at 12:12 PM, David > > Jaša > > > > > <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote: > > > > > > Hi Jodi, > > > > > > > > > > > You can find full tls-enabled > > > remote-viewer > > > > > invocation in this > > > > > > oVirt > > > > > > wiki page: > > > > > > > > > > > > > > > <a href="http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal" target="_blank">http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal</a> > > > > > > > > > > > David > > > > > > > > > > > > > > > > Jodi Curtis píše v Ne 11. 11. > > 2012 v 23:28 > > > +0000: > > > > > > > Hi > > > > > > > > > > > > > > > > > > > > > I'm having trouble connecting > > to a spice > > > server > > > > with tls > > > > > > enabled > > > > > > > through virt-viewer on > > windows, I have > > > tls > > > > > configured and a > > > > > > > ca-cert.pem file, but I don't > > know where > > > to put > > > > it, or > what > > > > > > to use > > > > > > > > > > > > > > > > > > > > > I have tried various > > combinations of > > > > > > spice://192.168.2.140:590x > > > > > > > > > > > > > > > > > > > > > I have tried adding +ssh or > > +tls, I have > > > tried > > > > adding > the > > > > > > ca-cert.pem > > > > > > > file to the location used by > > the spicec > > > page that > > > > covers > how > > > > > > to set up > > > > > > > tls, and I have tried adding > > my username > > > before > > > > the IP. > > > > > > > > > > > > > > I have tried connecting to > > both ports. > > > > > > > > > > > > > > > > > > > > > Any help on what it should be, > > or if > > > there is an > > > > > alternative > > > > > > to > > > > > > > virt-viewer on windows that I > > need to > > > use for the > > > > secure > > > > > > connection. > > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Spice-devel mailing list > > > > > > > > > > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a> > > > > > > > > > > > > > > > > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> > > > > > > > > > > > -- > > > > > > > > > > > David Jaša, RHCE > > > > > > > > > > > SPICE QE based in Brno > > > > > > GPG Key: 22C33E24 > > > > > > Fingerprint: 513A 060B D1B4 2A72 > > 7F0D 0278 > > > B125 CD00 > > > > 22C3 > 3E24 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > Spice-devel mailing list > > > > > > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a> > > > > > > > > > > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> > > > > > > > > -- > > > > > > > > David > Jaša, RHCE > > > > > > > > SPICE QE > based in Brno > > > > GPG Key: > 22C33E24 > > > > > Fingerprint: 513A 060B D1B4 2A72 7F0D > 0278 > > B125 CD00 > > > 22C3 3E24 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > David Jaša, RHCE > > > > > > SPICE QE based in > Brno > > > GPG Key: > 22C33E24 > > > Fingerprint: 513A > 060B D1B4 2A72 7F0D 0278 B125 CD00 > > 22C3 3E24 > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > Spice-devel mailing list > > > > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a> > > > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> > > > > -- > > > > David Jaša, RHCE > > > > SPICE QE based in Brno > > GPG Key: 22C33E24 > > Fingerprint: 513A 060B D1B4 > 2A72 7F0D 0278 B125 CD00 22C3 3E24 > > > > > > > > > > > > > > > _______________________________________________ > > Spice-devel mailing list > > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a> > > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> > > -- > > David Jaša, RHCE > > SPICE QE based in Brno > GPG Key: 22C33E24 > Fingerprint: 513A 060B D1B4 2A72 7F0D > 0278 B125 CD00 22C3 3E24 > > > > > > > > > > > > _______________________________________________ > Spice-devel mailing list > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a> > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> -- David Jaša, RHCE SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24 </div></div></blockquote></div> </div></div></div>