[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)

Jodi Curtis jodi.curtis at gmail.com
Tue Nov 13 09:26:30 PST 2012


Hi, to clarify: the Ubuntu apparmor.d doesn't include the default directory
definition (/etc/pki/libvirt-spice), unlike the /etc/pki/libvirt-vnc
directory (which is included). So you will always need to add this
directory, as far as I am aware from my experience.

I've made a suggestion that this be added as an update to the apparmor.d as
part of the qemu-kvm-spice package install; whether anybody reads it I
don't know.

The actual error is:

2012-11-13 17:07:18.780+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
-enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
2e6cca5a-9269-a9d2-2e2b-867ac0ce0a8c -no-user-config -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
-no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
-drive
file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
-drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
-device
ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
-netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
-chardev pty,id=charserial0 -device
isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
-spice
port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
-k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/1
((null):2230): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted

On Tue, Nov 13, 2012 at 4:58 PM, David Jaša <djasa at redhat.com> wrote:

> I think it is something different but I can't say it for sure unless I
> see the exact message...
>
> Jodi Curtis writes on Tue 13. 11. 2012 at 16:26 +0000:
> > My latest issue is the error spice warning spice channels 1 should be
> > encrypted, I'm guessing this is an authentication issue with my
> > attempts to connect?
> >
> > On Tue, Nov 13, 2012 at 7:37 AM, Jodi Curtis <jodi.curtis at gmail.com>
> > wrote:
> >         The VM seems to start without complaints after adding the key
> >         directory after /etc/pki/libvirt-vnc** r, in an identical
> >         format within the apparmor.d config file
>
> ubuntu docs should be probably updated about need to copy certs/keys to
> the default directory OR need to update apparmor configuration if custom
> directory is used.
>
> David
>
> >
> >         I haven't really slept much so I will check login after
> >         sleeping
> >
> >
> >         On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis
> >         <jodi.curtis at gmail.com> wrote:
> >                 Hi
> >
> >
> >                 Copy of attempt so far, hopefully this will be useful
> >                 to have online, I will carry on tomorrow!
> >
> >
> >                 /etc/hostname
> >
> >
> >                 squealer
> >
> >
> >                 /etc/hosts
> >
> >
> >                 127.0.0.1 localhost squealer squealer.maiakaat.co.uk
> >                 maiakaat.co.uk www.maiakaat.co.uk
> >                 192.168.2.140 localhost squealer
> >                 squealer.maiakaat.co.uk maiakaat.co.uk
> >                 www.maiakaat.co.uk
> >
> >
> >                 cat /etc/passwd
> >
> >
> >                 root:x:0:0:root:/root:/bin/bash
> >                 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> >                 bin:x:2:2:bin:/bin:/bin/sh
> >                 sys:x:3:3:sys:/dev:/bin/sh
> >                 sync:x:4:65534:sync:/bin:/bin/sync
> >                 games:x:5:60:games:/usr/games:/bin/sh
> >                 man:x:6:12:man:/var/cache/man:/bin/sh
> >                 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> >                 mail:x:8:8:mail:/var/mail:/bin/sh
> >                 news:x:9:9:news:/var/spool/news:/bin/sh
> >                 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> >                 proxy:x:13:13:proxy:/bin:/bin/sh
> >                 www-data:x:33:33:www-data:/var/www:/bin/sh
> >                 backup:x:34:34:backup:/var/backups:/bin/sh
> >                 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> >                 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> >                 gnats:x:41:41:Gnats Bug-Reporting System
> >                 (admin):/var/lib/gnats:/bin/sh
> >                 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> >                 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> >                 syslog:x:101:103::/home/syslog:/bin/false
> >                 messagebus:x:102:105::/var/run/dbus:/bin/false
> >                 whoopsie:x:103:107::/nonexistent:/bin/false
> >                 landscape:x:104:110::/var/lib/landscape:/bin/false
> >                 sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
> >                 libvirt-qemu:x:106:106:Libvirt
> >                 Qemu,,,:/var/lib/libvirt:/bin/false
> >                 libvirt-dnsmasq:x:107:112:Libvirt
> >                 Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
> >                 jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash
> >
> >
> >                 cd /var/lib/libvirt
> >                 sudo ls -l
> >
> >
> >                 drwx--x--x 2 root         root 4096 Oct  6 01:58 boot
> >                 drwxr-xr-x 2 root         root 4096 Oct 30 21:06
> >                 dnsmasq
> >                 drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11
> >                 drivers
> >                 drwx--x--x 2 root         root 4096 Oct  6 01:58
> >                 images
> >                 drwxr-xr-x 5 libvirt-qemu root 4096 Nov  1 12:56 local
> >                 drwxr-xr-x 2 root         root 4096 Nov 12 18:03
> >                 network
> >                 drwxr-x--- 5 libvirt-qemu kvm  4096 Nov 12 18:11 qemu
> >                 drwx------ 2 root         root 4096 Oct  6 01:58
> >                 sanlock
> >                 drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22
> >                 shared
> >
> >
> >                 #drivers to be forwarded as filesystem element with
> >                 Windows drivers
> >                 #local contains volume pools(2) for VM volumes, and
> >                 all xml files used to create VM's volumes and pools.
> >
> >
> >                 sudo usermod -a -G root,kvm jodic
> >
> >
> >                 chmod 775 /var/lib/libvirt/qemu
> >                 #temporary change
> >
> >
> >                 #libvirt directory permissions are drwxr-xr-x
> >
> >
> >                 sudo mkdir /var/lib/libvirt/pki
> >                 sudo mkdir /var/lib/libvirt/pki/libvirt-spice
> >
> >
> >                 sudo nano /etc/libvirt/qemu.conf
> >
> >
> >                 spice_tls = 1
> >                 spice_tls_x509_cert_dir =
> >                 "/var/lib/libvirt/pki/libvirt-spice"
> >
> >
> >                 cd /var/lib/libvirt/pki/libvirt-spice
> >
> >
> >                 sudo openssl genrsa -des3 -out ca-key.pem 1024
> >                 sudo openssl req -new -x509 -days 750 -key ca-key.pem
> >                 -out ca-cert.pem -utf8 -subj "/CN=Self Signed"
> >                 sudo openssl genrsa -out server-key.pem 1024
> >                 sudo openssl req -new -key server-key.pem -out
> >                 server-key.csr -utf8 -subj "/CN=squealer"
> >                 sudo openssl x509 req -days 750 -in server-key.csr -CA
> >                 ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out
> >                 server-cert.pem
> >                 sudo openssl rsa -in server-key.pem -out
> >                 server-key.pem.insecure
> >                 sudo mv server-key.pem server-key.pem.secure
> >                 sudo mv server-key.pem.insecure server-key.pem
> >
> >
> >                 sudo chown libvirt-qemu /var/lib/libvirt/pki
> >                 sudo chown
> >                 libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
> >                 sudo chown
> >                 libvirt-qemu
> /var/lib/libvirt/pki/libvirt-spice/server-key.pem
> >                 sudo chown
> >                 libvirt-qemu
> /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> >                 sudo chown
> >                 libvirt-qemu
> /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
> >
> >
> >                 #temporary change
> >                 sudo chmod 775 /var/lib/libvirt/pki
> >                 sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
> >                 sudo chmod
> >                 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
> >                 sudo chmod
> >                 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> >                 sudo chmod
> >                 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
> >
> >
> >                 sudo virsh destroy VM11
> >                 sudo virsh undefine VM11
> >
> >
> >                 sudo shutdown -r now
> >                 #don't know how to restart service for re-read of
> >                 qemu.conf in Ubuntu
> >
> >
> >                 #Ubuntu offering 28 updates - none related to
> >                 virtualization at all
> >
> >
> >                 sudo apt-get update
> >                 sudo apt-get upgrade
> >
> >
> >                 sudo virsh
> >                 define /var/lib/libvirt/local/xml/default-revision7.xml
> >
> >
> >                 #defined VM11
> >
> >
> >                 sudo virsh start VM11
> >
> >
> >                 #started VM11    23:14 ish UK time
> >
> >
> >                 sudo /var/log/libvirt/qemu/qemu.conf
> >
> >
> >                 2012-11-12 23:13:44.233+0000: starting up
> >                 LC_ALL=C
> >
> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
> QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
> Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
> -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
> 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
> -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
> -drive
> file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
> -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
> ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
> -device
> ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
> -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
> virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
> -chardev pty,id=charserial0 -device
> isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
> -spice
> port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
> -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> >                 char device redirected to /dev/pts/2
> >                 ((null):8891): Spice-Warning **:
> >                 reds.c:3307:reds_init_ssl: Could not load certificates
> >                 from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> >                 ((null):8891): Spice-Warning **:
> >                 reds.c:3317:reds_init_ssl: Could not use private key
> >                 file
> >                 ((null):8891): Spice-Warning **:
> >                 reds.c:3325:reds_init_ssl: Could not use CA
> >                 file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
> >
> >
> >                 sudo virsh destroy VM11
> >
> >
> >                 #destroyed
> >
> >
> >                 $ sudo /usr/bin/kvm-spice -monitor stdio -spice
> >
> tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
> >
> >
> >
> >
> >                 #output
> >
> >
> >                 QEMU 0.12.0 monitor - type 'help' for more information
> >                 (qemu)
> >
> >
> >                 "If you see the same error again, there is something
> >                 wrong with
> >                 certificates themselves. If not, verify that they are
> >                 accessible to the
> >                 qemu process - note that it may run under different
> >                 user than root and
> >                 in addition, it may be confined by SELinux or
> >                 AppArmor. I can't speak
> >                 for AppArmor but for SELinux, you may need to restore
> >                 context of the
> >                 files (and directories) to make them accessible for
> >                 qemu."
> >
> >
> >                 I'll begin looking at the permissions and security
> >                 tomorrow, although it's stretching my
> >                 knowledge of Linux here. I guess the only way to learn
> >                 is to do, though.
> >
> >
> >                 I will likely set up my vm's without security for now
> >                 (they are local only) to have something I can dev on
> >                 etc
> >                 These are nfs (if the passthrough bug in ubuntu
> >                 kvm-spice doesn't affect the passthrough of a logical
> >                 volume to the guest, repos (source code), build and
> >                 dev desktop
> >
> >
> >                 Thanks again for all the help
> >
> >
> >                 On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis
> >                 <jodi.curtis at gmail.com> wrote:
> >                         Hi I'm going through the process now logging
> >                         everything I am doing.
> >
> >
> >                         The VM does start BTW, the problem is that it
> >                         cannot open the secure channel from
> >                         remote-viewer attempts to connect, with qemu
> >                         giving those errors in VM11.log. I will post
> >                         my new attempt here anyway in a little while,
> >                         with a success or failure, I've had some minor
> >                         issues with the pki directory, hence removing
> >                         and trying again with fully checked
> >                         permissions.
> >
> >                         Thanks for the help.
> >
> >
> >                         On Mon, Nov 12, 2012 at 10:12 PM, David Jaša
> >                         <djasa at redhat.com> wrote:
> >                                 Jodi Curtis writes on Mon 12. 11. 2012 at
> >                                 19:47 +0000:
> >                                 > hi
> >                                 >
> >                                 >
> >                                 > sorry I should explain that I used
> >                                 squealer as the server name which
> >                                 > matches the hostname, this is
> >                                 aliased to various ip's and domain
> >                                 names
> >                                 > in hosts, the usual method, I'll
> >                                 check the local ip is listed in there
> >                                 > though, I could try the local ip used
> >                                 to connect.
> >                                 >
> >
> >
> >                                 Well, all of these are side problems
> >                                 as long as your VMs refuse to
> >                                 start... Anyway, given that spice
> >                                 knows how to override the CN check
> >                                 since its very beginnings (using
> >                                 --spice-host-subject option), this is
> >                                 no big deal, it's just more convenient
> >                                 if you don't have to.
> >
> >                                 >
> >                                 > yes the keys were created in the
> >                                 correct directory
> >
> >
> >                                 and you already stated that.
> >
> >                                 The error message is pretty clear
> >                                 though: there is either something
> >                                 wrong with certificates themselves or
> >                                 qemu can not access them. If you
> >                                 can see details of all of them using
> >                                 CLI tools, then the certificates
> >                                 should be ok. You could verify that
> >                                 ultimately by trying to run
> >                                 minimalistic qemu manually:
> >
> >                                 $ sudo /usr/bin/kvm -monitor stdio
> >                                 -spice
> >
> tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
> >
> >                                 you should see just a message like
> >                                 this:
> >                                 QEMU 0.12.1 monitor - type 'help' for
> >                                 more information
> >                                 (qemu)
> >
> >                                 If you see the same error again, there
> >                                 is something wrong with
> >                                 certificates themselves. If not,
> >                                 verify that they are accessible to the
> >                                 qemu process - note that it may run
> >                                 under different user than root and
> >                                 in addition, it may be confined by
> >                                 SELinux or AppArmor. I can't speak
> >                                 for AppArmor but for SELinux, you may
> >                                 need to restore context of the
> >                                 files (and directories) to make them
> >                                 accessible for qemu.
> >
> >                                 David
> >
> >                                 >
> >                                 > On Mon, Nov 12, 2012 at 7:42 PM,
> >                                 David Jaša <djasa at redhat.com> wrote:
> >                                 >         Jodi Curtis writes on Mon 12.
> >                                 11. 2012 at 18:53 +0000:
> >                                 >         > Hi
> >                                 >         >
> >                                 >         >
> >                                 >         > Package and OS
> >                                 >         >
> >                                 ------------------------------
> >                                 >         > Ubuntu 12.10
> >                                 >         >
> >                                 >         > qemu-kvm-spice:
> >                                 >         >   Installed:
> >                                 1.2.0-2012.09-0ubuntu1
> >                                 >         >   Candidate:
> >                                 1.2.0-2012.09-0ubuntu1
> >                                 >         >   Version table:
> >                                 >         >  ***
> >                                 1.2.0-2012.09-0ubuntu1 0
> >                                 >         >         500
> >                                 http://gb.archive.ubuntu.com/ubuntu/
> >                                 >         quantal/universe
> >                                 >         > amd64 Packages
> >                                 >         >
> >                                 100 /var/lib/dpkg/status
> >                                 >         >
> >                                 >         >
> >                                 >         > Key Creation
> >                                 >         >
> >                                 >         > -------------------------
> >                                 >         >
> >                                 >         >
> >                                 >         > openssl genrsa -des3 -out
> >                                 ca-key.pem 1024
> >                                 >         > openssl req -new -x509
> >                                 -days 1095 -key ca-key.pem -out
> >                                 >         ca-cert.pem
> >                                 >         > -utf8 -subj
> >                                 "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
> >                                 >         > openssl genrsa -out
> >                                 server-key.pem 1024
> >                                 >         > openssl req -new -key
> >                                 server-key.pem -out server-key.csr
> >                                 >         -utf8 -subj
> >                                 >         > "/C=IL/L=Raanana/O=Red
> >                                 Hat/CN=my server"
> >                                 >
> >                                 >
> >                                 >         (side note here: you can
> >                                 omit C, L and O fields are redundant
> >                                 >         for uses
> >                                 >         outside of controlled
> >                                 environments but CN field should
> >                                 contain
> >                                 >         hostname
> >                                 >         or IP address of your server
> >                                 so that you don't need to
> >                                 >         override the host
> >                                 >         subject)
> >                                 >
> >                                 >         > openssl x509 -req -days
> >                                 1095 -in server-key.csr -CA
> >                                 >         ca-cert.pem -CAkey
> >                                 >         > ca-key.pem -set_serial 01
> >                                 -out server-cert.pem
> >                                 >         > openssl rsa -in
> >                                 server-key.pem -out
> >                                 server-key.pem.insecure
> >                                 >         > mv server-key.pem
> >                                 server-key.pem.secure
> >                                 >         > mv server-key.pem.insecure
> >                                 server-key.pem
> >                                 >         >
> >                                 >
> >                                 >
> >                                 >         here,
> >                                 >
> >                                 >         >
> >                                 >         > qemu.conf
> >                                 >         >
> >                                 >         > --------------
> >                                 >         >
> >                                 >         >
> >                                 >         > qemu.conf configuration
> >                                 was attempted as default, and
> >                                 >         specified using
> >                                 >         > an uncommented path
> >                                 "/etc/pki/libvirt-spice"
> >                                 >         >
> >                                 >
> >                                 >
> >                                 >         here,
> >                                 >
> >                                 >         >
> >                                 >         > spice_tls = 1
> >                                 >         >
> >                                 >         > # default it to keep them
> >                                 in /etc/pki/libvirt-spice. This
> >                                 >         directory
> >                                 >         >
> >                                 >         > # must contain
> >                                 >         >
> >                                 >         > ...
> >                                 >         >
> >                                 >         > #spice_tls_x509_cert_dir =
> >                                 "/etc/pki/libvirt-spice" (using
> >                                 >         the default
> >                                 >         > path)
> >                                 >         >
> >                                 >         > spice_tls_x509_cert_dir =
> >                                 >
> >                                 "/etc/pki/libvirt-spice" (specifying
> >                                 the
> >                                 >         > path directly)
> >                                 >         >
> >                                 >
> >                                 >
> >                                 >         and here are the key points.
> >                                 Did you copy the
> >                                 >         {ca,server}-{key,cert}.pem
> >                                 >         files
> >                                 to /etc/pki/libvirt-spice?
> >                                 >
> >                                 >         David
> >                                 >
> >                                 >         >
> >                                 >         > Permissions
> >                                 >         >
> >                                 >         > -------------
> >                                 >         >
> >                                 >         > Permissions were tested
> >                                 set as default (assumed root or my
> >                                 >         account)
> >                                 >         > and
> >                                 >         >
> >                                 >         > sudo chown
> >                                 libvirt-qemu /etc/pki/libvirt-spice/
> >                                 >         >
> >                                 >         > sudo chown
> >                                 libvirt-qemu
> /etc/pki/libvirt-spice/<filenames of
> >                                 >         files>
> >                                 >         >
> >                                 >         >
> >                                 >         >
> >                                 >         > Error Reported
> >                                 >         > -------------------------
> >                                 >         >
> >                                 >         >
> >                                 >         > sudo
> >                                 nano /var/log/libvirt/qemu/VM11.log
> >                                 >         >
> >                                 >         >
> >                                 >         > qemu: terminating on
> >                                 signal 15 from pid 1417
> >                                 >         > 2012-11-12 18:11:24.586
> >                                 +0000: shutting down
> >                                 >         > 2012-11-12 18:11:29.698
> >                                 +0000: starting up
> >                                 >         > LC_ALL=C
> >                                 >         >
> >                                 >
> >
> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
> >                                 >         >
> >                                 QEMU_AUDIO_DRV=spice /usr/bin/kvm
> >                                 -name VM11 -S -M pc-1.2
> >                                 >         -cpu
> >                                 >         > Opteron_G3,+ibs,+osvw,
> >                                 +3dnowprefetch,+cr8legacy,+extapic,
> >                                 >         +cmp_legacy,
> >                                 >         > +3dnow,+3dnowext,+pdpe1gb,
> >                                 +fxsr_opt,+mmxext,+ht,+vme
> >                                 >         -enable-kvm -m
> >                                 >         > 2048 -smp
> > > > > > 1,sockets=1,cores=1,threads=1 -uuid 35a6984d-0b77-da48-770e-a8fb0c7c284d
> > > > > > -no-user-config -nodefaults -chardev
> > > > > > socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
> > > > > > -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
> > > > > > -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
> > > > > > file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
> > > > > > -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
> > > > > > -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
> > > > > > -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
> > > > > > -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
> > > > > > ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
> > > > > > file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
> > > > > > -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
> > > > > > -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
> > > > > > virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
> > > > > > -chardev pty,id=charserial0 -device
> > > > > > isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
> > > > > > -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
> > > > > > -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
> > > > > > virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> > > > > > char device redirected to /dev/pts/1
> > > > > > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem
> > > > > > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> > > > > > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/libvirt-spice/ca-cert.pem
> > > > > >
> > > > > > Certificates
> > > > > > --------------------
> > > > > > I was able to open and read the files using the various commands similar to sudo openssl x509 -noout -text -in ca-cert.pem
> > > > > >
> > > > > > I did wonder if it is rejecting the CA as some security feature, I hope this is of use.
> > > > > > I chose libvirt-qemu, as this is the account closest to the Red Hat/Fedora account name used "qemu"
> > > > > >
> > > > > > Creation
> > > > > > ---------------
> > > > > >
> > > > > > creation was via an XML definition followed by calling virsh define <path>, virsh start VM11
> > > > > >
> > > > > > I have tried to keep most files inside the libvirt tree to try to avoid permission errors, the configuration has two volume pools, specified inside /var/lib/libvirt/local/<pool-name> (which are mounted to other drives, and operate without problem)
> > > > > >
> > > > > > The volumes used are vmdk volumes (for performance reasons) one inside each pool, for fixed allocation and sparse type allocation, not that this matters but it gives you an idea of what the setup is like.
> > > > > >
> > > > > > Location content
> > > > > >
> > > > > > jodic at squealer:/etc/pki/libvirt-spice$ dir
> > > > > > ca-cert.pem  server-cert.pem  server-key.pem
> > > > > > ca-key.pem   server-key.csr   server-key.pem.secure
> > > > > >
> > > > > > I could try using a location without the qemu tree to try to rule out some permission problems. I'll go through it again in a little bit
> > > > > >
> > > > > > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša <djasa at redhat.com> wrote:
> > > > > > > Before reporting a bug, could we rule out misconfiguration possibility entirely?
> > > > > > >
> > > > > > > 1) do you use libvirt?
> > > > > > > 2) if so, do you use system session or per-user session?
> > > > > > > 3) could you look at qemu command line? If you use libvirt, you'll find it in /var/log/libvirt/qemu/VM_NAME.log
> > > > > > > 4) at the libvirt command file, is there '... -spice ...,x509-(dir|ca...|server),... ' entry?
> > > > > > > 5) if the x509 directive is x509-dir, does "qemu-kvm -spice tls-port=12345,x509-dir=DIR,disable-ticketing" command throw the same error?
> > > > > > >    (the same goes for per-file x509 options)
> > > > > > > 6) if it is indeed a problem, is it permission issue or are the files empty or are they invalid?
> > > > > > >
> > > > > > > (...)
> > > > > > >
> > > > > > > David
> > > > > > >
> > > > > > > Jodi Curtis wrote on Mon 12. 11. 2012 at 17:55 +0000:
> > > > > > > > Hi
> > > > > > > >
> > > > > > > > I've used the directory correctly on qemu.conf, I've seen these problems relating to Red Hat/oVirt, where it wasn't set despite being set in qemu.conf, so I will probably file a bug report with Ubuntu on this one.
> > > > > > > >
> > > > > > > > The red-hat solution isn't valid for Ubuntu.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša <djasa at redhat.com> wrote:
> > > > > > > > > Jodi Curtis wrote on Mon 12. 11. 2012 at 17:31 +0000:
> > > > > > > > > > Hi
> > > > > > > > > >
> > > > > > > > > > Thanks, I found the method in the end, my current problem is related to a problem with Ubuntu/SSL/Spice, so not really your software, I have asked for help from a Linux admin, but it's detailed below for the record, I've gone through the key making process twice, and rebooted, obviously paths have been checked and qemu.conf has been set as required
> > > > > > > > > >
> > > > > > > > > > ((null):2176): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from server-cert.pem
> > > > > > > > > > ((null):2176): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> > > > > > > > > > ((null):2176): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file
> > > > > > > > >
> > > > > > > > > Assuming that your cert/key files are correct and in place, this looks like incorrect x509-dir option of qemu cli or spice_tls_x509_cert_dir directive of /etc/libvirt/qemu.conf pointing to a wrong directory. Just a configuration issue.
> > > > > > > > >
> > > > > > > > > David
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > There is very little obvious on the internet, so am trying to identify if it's a common SSL or config problem, or if I should file a bug report with Ubuntu kvm-spice
> > > > > > > > > >
> > > > > > > > > > Jodi
> > > > > > > > > >
> > > > > > > > > > On Mon, Nov 12, 2012 at 12:12 PM, David Jaša <djasa at redhat.com> wrote:
> > > > > > > > > > > Hi Jodi,
> > > > > > > > > > >
> > > > > > > > > > > You can find full tls-enabled remote-viewer invocation in this oVirt wiki page:
> > > > > > > > > > >
> > > > > > > > > > > http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
> > > > > > > > > > >
> > > > > > > > > > > David
> > > > > > > > > > >
> > > > > > > > > > > Jodi Curtis wrote on Sun 11. 11. 2012 at 23:28 +0000:
> > > > > > > > > > > > Hi
> > > > > > > > > > > >
> > > > > > > > > > > > I'm having trouble connecting to a spice server with tls enabled through virt-viewer on windows, I have tls configured and a ca-cert.pem file, but I don't know where to put it, or what to use
> > > > > > > > > > > >
> > > > > > > > > > > > I have tried various combinations of spice://192.168.2.140:590x
> > > > > > > > > > > >
> > > > > > > > > > > > I have tried adding +ssh or +tls, I have tried adding the ca-cert.pem file to the location used by the spicec page that covers how to set up tls, and I have tried adding my username before the IP.
> > > > > > > > > > > >
> > > > > > > > > > > > I have tried connecting to both ports.
> > > > > > > > > > > >
> > > > > > > > > > > > Any help on what it should be, or if there is an alternative to virt-viewer on windows that I need to use for the secure connection.
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks
> > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > Spice-devel mailing list
> > > > > > > > > > > > Spice-devel at lists.freedesktop.org
> > > > > > > > > > > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > David Jaša, RHCE
> > > > > > > > > > > SPICE QE based in Brno
> > > > > > > > > > > GPG Key:     22C33E24
> > > > > > > > > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
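David's checklist in the quoted thread (points 3 to 6: which x509 directory qemu was really started with, then whether the files are missing, empty, invalid or unreadable by the qemu user) can be automated for the three files spice-server's reds_init_ssl() loads; the script below is an added example, not code from the thread or from the SPICE project, and it also builds a constructed directory with the same file names as Jodi's listing so it runs offline. The qemu user name libvirt-qemu (Ubuntu's default, as chosen in the thread) and the demo subject names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight a SPICE x509 directory
# before pointing "-spice x509-dir=" or spice_tls_x509_cert_dir in
# /etc/libvirt/qemu.conf at it. reds_init_ssl() loads server-cert.pem,
# server-key.pem and ca-cert.pem from that directory, and its three
# warnings do not say which of "missing, empty, invalid, mismatched,
# unreadable" applies, so each case is reported separately here.

check_spice_x509_dir() {
    dir="$1"; user="${2:-libvirt-qemu}"; rc=0    # user name is an assumption
    ca="$dir/ca-cert.pem"; cert="$dir/server-cert.pem"; key="$dir/server-key.pem"

    # 1. All three files must exist and be non-empty regular files.
    for f in "$ca" "$cert" "$key"; do
        if [ ! -f "$f" ]; then echo "MISSING  $f"; rc=1
        elif [ ! -s "$f" ]; then echo "EMPTY    $f"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. Each file must parse as PEM of the expected kind ("invalid" files).
    openssl x509 -noout -in "$ca"   2>/dev/null || { echo "BAD PEM  $ca";   rc=1; }
    openssl x509 -noout -in "$cert" 2>/dev/null || { echo "BAD PEM  $cert"; rc=1; }
    openssl pkey -noout -in "$key"  2>/dev/null || { echo "BAD PEM  $key";  rc=1; }
    [ "$rc" -eq 0 ] || return "$rc"

    # 3. The private key must belong to the certificate; this is what
    #    SSL_CTX_check_private_key() tests behind "Could not use private key file".
    if [ "$(openssl x509 -noout -pubkey -in "$cert")" != "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
        echo "MISMATCH server-key.pem does not belong to server-cert.pem"; rc=1
    fi

    # 4. ca-cert.pem should actually be the issuer of server-cert.pem, or
    #    clients that trust ca-cert.pem will reject the server.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "CHAIN    $cert is not signed by $ca"; rc=1; }

    # 5. qemu runs unprivileged, so the files must be readable by that user.
    #    Only testable when the user exists and we run as root.
    if [ "$(id -u)" -eq 0 ] && id -u "$user" >/dev/null 2>&1; then
        for f in "$ca" "$cert" "$key"; do
            su -s /bin/sh -c "test -r '$f'" "$user" \
                || { echo "UNREADABLE $f by $user ($(ls -l "$f"))"; rc=1; }
        done
    fi
    return "$rc"
}

# Constructed demo directory using the thread's file names (ca-cert.pem,
# ca-key.pem, server-key.csr, server-key.pem, server-cert.pem). A minimal
# inline openssl config is used so the CA gets basicConstraints regardless
# of the system openssl.cnf.
make_demo_x509_dir() {
    dir="$1"
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-spice-ca \
        -config "$dir/ca.cnf" -extensions ca_ext \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=spice-host.example \
        -config "$dir/ca.cnf" \
        -keyout "$dir/server-key.pem" -out "$dir/server-key.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server-key.csr" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
    chmod 600 "$dir"/*-key.pem
}

# Usage: sh this.sh --demo      (or: check_spice_x509_dir /etc/pki/libvirt-spice)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_x509_dir "$d"
    check_spice_x509_dir "$d" && echo "OK $d"
fi
```

If every check passes and qemu still logs the three reds_init_ssl warnings, the files are not the problem; as the top of this message notes for Ubuntu, the AppArmor profile for qemu not covering /etc/pki/libvirt-spice produces exactly this symptom, and such denials appear as apparmor="DENIED" lines in the kernel log.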