I am still having problems connecting via SSL after resolving the apparmor.d problem with reading the key directory contents
I am not sure what the error is caused by, any help would be appreciated
I can connect after commenting out the secure channel request
There are no port restrictions or firewall, and I have tried connecting on both the secure and the insecure ports
(I think the secure port is passed so the unsecure port is used for the initial connection though, it isn't a passed argument issue)
I have tried passing the ca file via the appropriate argument from remote-viewer
Package and OS
------------------------------
Ubuntu 12.10
qemu-kvm-spice:
Installed: 1.2.0-2012.09-0ubuntu1
Candidate: 1.2.0-2012.09-0ubuntu1
Version table:
*** 1.2.0-2012.09-0ubuntu1 0
500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe amd64 Packages
100 /var/lib/dpkg/status
/etc/hostname
squealer
/etc/hosts
# Host preparation before enabling SPICE TLS: group membership, directory
# permissions, and the directory tree that will hold the certificates.
# NOTE(review): this adds the account to the root group as well as kvm, which
# gives it every permission granted to group root on the host. kvm alone is
# presumably what guest access needs - confirm, and remove the root
# membership afterwards.
sudo usermod -a -G root,kvm jodic
# 775 = group-writable, readable and searchable by every local account.
chmod 775 /var/lib/libvirt/qemu
#temporary change
#libvirt directory permissions are drwxr-xr-x
sudo mkdir /var/lib/libvirt/pki
sudo mkdir /var/lib/libvirt/pki/libvirt-spice
# The two spice_tls settings listed next are entered in this file.
sudo nano /etc/libvirt/qemu.conf
spice_tls = 1
spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"
# Build a private CA and a server certificate inside the directory named by
# spice_tls_x509_cert_dir, hand the files to libvirt-qemu, then recycle the
# guest definition and reboot the host.
cd /var/lib/libvirt/pki/libvirt-spice
# CA private key, passphrase-protected (-des3).
# NOTE(review): 1024-bit RSA is below the key sizes recommended today
# (2048 bits or more); regenerate with a larger size for anything beyond a test.
sudo openssl genrsa -des3 -out ca-key.pem 1024
# Self-signed CA certificate, valid for 750 days, subject CN "Self Signed".
sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/CN=Self Signed"
# Server private key: also 1024 bits, and created without -des3, so it has no passphrase.
sudo openssl genrsa -out server-key.pem 1024
# CSR whose CN is the host name shown under /etc/hostname above.
# NOTE(review): a client that verifies the server name presumably has to
# connect using this name (or be given the expected subject) - confirm.
sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/CN=squealer"
# Sign the CSR with the CA, serial 01, valid for 750 days.
# NOTE(review): as written, "req" has no leading dash; openssl x509 reads a
# CSR only when given -req. Confirm the command that was actually run and
# that server-cert.pem exists and was issued by ca-cert.pem.
sudo openssl x509 req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Rewrites the server key without a passphrase. The key had none to begin
# with (see genrsa above), so after the two renames both server-key.pem and
# server-key.pem.secure are unencrypted copies of the same private key.
sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
sudo mv server-key.pem server-key.pem.secure
sudo mv server-key.pem.insecure server-key.pem
# Ownership goes to libvirt-qemu for the directories, the server key and the
# two certificates; the group is left unchanged. ca-key.pem is not included:
# it is only needed for signing and need not stay in the directory qemu reads.
sudo chown libvirt-qemu /var/lib/libvirt/pki
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
#temporary change
# 775 on server-key.pem lets every local account read the TLS private key
# (the parent directories are searchable by everyone too). Once the
# connection works, restrict the key to its owner (for example mode 600) and
# drop write access for group on the directories.
sudo chmod 775 /var/lib/libvirt/pki
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
# Force the guest off and remove its definition; it is defined again later
# from the saved XML.
sudo virsh destroy VM11
sudo virsh undefine VM11
# Reboots the whole host so that qemu.conf is read again.
# NOTE(review): a reboot should not be needed for this; on Ubuntu releases of
# this period the daemon is normally the libvirt-bin service
# (sudo service libvirt-bin restart) - confirm the service name on this host.
sudo shutdown -r now
#don't know how to restart service for re-read of qemu.conf in Ubuntu
#Ubuntu offering 28 updates - none related to virtualization at all
sudo apt-get update
sudo apt-get upgrade
edit apparmor.d/libvirt-qemu and add the key directory after /etc/pki/libvirt-vnc** r, in an identical format within the apparmor.d config file, along with any iso directories needed
# Register the domain again from its saved XML definition and start it.
sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml
#defined VM11
sudo virsh start VM11
#started VM11 23:14 ish UK time
#spice configuration
<!-- SPICE display for the guest. With autoport="yes" the ports are assigned
     automatically; the qemu command line in the log shows port=5908 and
     tls-port=5918 for this start. -->
<graphics type="spice" autoport="yes" keymap="en-gb">
<!-- Only the main channel is required to use TLS.
     NOTE(review): the Spice-Warning "spice channels 1 should be encrypted"
     in the qemu log presumably means a client opened the main channel
     (channel type 1) on the plaintext port. Check that the client is given
     the TLS port as well as the CA certificate. -->
<channel name="main" mode="secure" />
<!-- Every remaining channel is declared insecure, and the qemu command line
     lists each of them as plaintext-channel. Screen contents (display) and
     keystrokes (inputs) therefore travel unencrypted even when TLS works for
     main; consider mode="secure" for these once the TLS connection is up. -->
<channel name="record" mode="insecure" />
<channel name="display" mode="insecure" />
<channel name="inputs" mode="insecure" />
<channel name="cursor" mode="insecure" />
<channel name="playback" mode="insecure" />
<channel name="usbredir" mode="insecure" />
<image compression="auto_glz"/>
<streaming mode="filter"/>
<clipboard copypaste="yes"/>
<mouse mode="client"/>
<!-- enable connection from remote terminal -->
<!-- Listens on every interface, and the resulting qemu command line carries
     disable-ticketing, so no SPICE password is requested from anyone who can
     reach the ports. Bind to a specific address or set a password (passwd
     attribute on graphics) unless the network is trusted. -->
<listen type="address" address="0.0.0.0" />
<disable-ticketing />
</graphics>
On attempts to connect via virsh I am given this warning
spice channels 1 should be encrypted, I'm guessing this is an authentication issue with my attempts to connect?
sudo /var/log/libvirt/qemu/qemu.conf
((null):2230): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
2012-11-13 07:28:43.081+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid a5fa6af1-89e6-ff32-7d47-5fd28ab47a05 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global 
qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/1
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done: spice channels 1 should be encrypted