This is a post of mine from the discussion with the people who have been giving me some advice at spice-de...@lists.freedesktop.org, with more information about a recent re-attempt.
/etc/hostname
squealer

/etc/hosts
127.0.0.1 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk www.maiakaat.co.uk
192.168.2.140 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk www.maiakaat.co.uk

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:107:112:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash

cd /var/lib/libvirt
sudo ls -l
drwx--x--x 2 root root 4096 Oct 6 01:58 boot
drwxr-xr-x 2 root root 4096 Oct 30 21:06 dnsmasq
drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11 drivers
drwx--x--x 2 root root 4096 Oct 6 01:58 images
drwxr-xr-x 5 libvirt-qemu root 4096 Nov 1 12:56 local
drwxr-xr-x 2 root root 4096 Nov 12 18:03 network
drwxr-x--- 5 libvirt-qemu kvm 4096 Nov 12 18:11 qemu
drwx------ 2 root root 4096 Oct 6 01:58 sanlock
drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22 shared
#drivers to be forwarded as filesystem element with Windows drivers
#local contains volume pools(2) for VM volumes, and all xml files used to create VM's volumes and pools.
sudo usermod -a -G root,kvm jodic
chmod 775 /var/lib/libvirt/qemu #temporary change
#libvirt directory permissions are drwxr-xr-x
sudo mkdir /var/lib/libvirt/pki
sudo mkdir /var/lib/libvirt/pki/libvirt-spice

sudo nano /etc/libvirt/qemu.conf
spice_tls = 1
spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"

cd /var/lib/libvirt/pki/libvirt-spice
sudo openssl genrsa -des3 -out ca-key.pem 1024
sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/CN=Self Signed"
sudo openssl genrsa -out server-key.pem 1024
sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/CN=squealer"
sudo openssl x509 req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
sudo mv server-key.pem server-key.pem.secure
sudo mv server-key.pem.insecure server-key.pem

sudo chown libvirt-qemu /var/lib/libvirt/pki
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
#temporary change
sudo chmod 775 /var/lib/libvirt/pki
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
#[editor's note: mode 775 makes server-key.pem readable by every local account, and 1024-bit RSA is below the 2048-bit minimum now generally recommended; both are suitable only while troubleshooting.]

sudo virsh destroy VM11
sudo virsh undefine VM11
sudo shutdown -r now #don't know how to restart service for re-read of qemu.conf in Ubuntu
#Ubuntu offering 28 updates - none related to virtualization at all
sudo apt-get update
sudo apt-get upgrade
sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml
#defined VM11
sudo virsh start VM11
#started VM11 23:14 ish UK time

sudo /var/log/libvirt/qemu/qemu.conf
2012-11-12 23:13:44.233+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global 
qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/2
((null):8891): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
((null):8891): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
((null):8891): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem

sudo virsh destroy VM11
#destroyed

$ sudo /usr/bin/kvm-spice -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
#output
QEMU 0.12.0 monitor - type 'help' for more information
(qemu)

"If you see the same error again, there is something wrong with certificates themselves. If not, verify that they are accessible to the qemu process - note that it may run under different user than root and in addition, it may be confined by SELinux or AppArmor. I can't speak for AppArmor but for SELinux, you may need to restore context of the files (and directories) to make them accessible for qemu."

I'll begin looking at the permissions and security tomorrow, although it's stretching my knowledge of Linux here, I guess the only way to learn is to do though.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1078052

Title: TLS fails to work with Spice due to possible bug related to a similar issue in Red Hat under certain circumstances

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu-kvm-spice/+bug/1078052/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs