Bug 1328793
| Summary: | virt-viewer always be 'connecting server' when guest spice ssl with `<channel name='main' mode='secure'/>` | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Han Han <hhan> |
| Component: | spice-gtk | Assignee: | Default Assignee for SPICE Bugs <rh-spice-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | SPICE QE bug list <spice-qe-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | cfergeau, dyuan, fjin, lmiksik, mxie, pgrunt, rbalakri, rduda, tpelka, tzheng, xiaodwan, xuzhang |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | spice-gtk-0.31-2.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 01:17:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1329973 | | |
| Bug Blocks: | | | |
| Attachments: | | | |
The virt-viewer version is virt-viewer-2.0-7.el7.x86_64

This is fixed for me by https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=6d23963f5ce916d02b7b65be42b83a396959d41a

However, this patch is in the middle of a 'migration' patch series, and I believe there were some migration issues reported, so we probably need more than this single patch.

Wondering if https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=26b7767d4831be could be useful too (this applies cleanly on the current build provided you add these 2 patches first
https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=dc80df0c5
https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=923bcaa1a )

Scratch build with the patch mentioned in the previous comment
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=10911488

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2229.html
Created attachment 1148986
The virt-viewer cmdline debug info

Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-1.3.3-2.el7.x86_64
qemu-kvm-rhev-2.5.0-4.el7.x86_64
spice-server-0.12.4-15.el7.x86_64
spice-gtk-0.26-8.el7.x86_64
spice-glib-0.26-8.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare spice ssl env:
Change /etc/libvirt/qemu.conf to:

```
spice_listen = "0.0.0.0"
spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
```

Run the following script to generate keys for spice-ssl and restart the libvirtd service:

```bash
#!/bin/bash

SERVER_KEY=server-key.pem

# creating a key for our ca
if [ ! -e ca-key.pem ]; then
    openssl genrsa -des3 -out ca-key.pem 1024
fi
# creating a ca
if [ ! -e ca-cert.pem ]; then
    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
fi
# create server key
if [ ! -e $SERVER_KEY ]; then
    openssl genrsa -out $SERVER_KEY 1024
fi
# create a certificate signing request (csr)
if [ ! -e server-key.csr ]; then
    openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
fi
# signing our server certificate with this ca
if [ ! -e server-cert.pem ]; then
    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
fi

# now create a key that doesn't require a passphrase
openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
mv $SERVER_KEY $SERVER_KEY.secure
mv $SERVER_KEY.insecure $SERVER_KEY

# show the results (no other effect)
openssl rsa -noout -text -in $SERVER_KEY
openssl rsa -noout -text -in ca-key.pem
openssl req -noout -text -in server-key.csr
openssl x509 -noout -text -in server-cert.pem
openssl x509 -noout -text -in ca-cert.pem

# copy *.pem file to /etc/pki/libvirt-spice
if [[ -d "/etc/pki/libvirt-spice" ]]
then
    cp ./*.pem /etc/pki/libvirt-spice
else
    mkdir /etc/pki/libvirt-spice
    cp ./*.pem /etc/pki/libvirt-spice
fi

# echo --host-subject
echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"

service libvirtd restart
```

Start a guest with the following xml:

```xml
<graphics type='spice' autoport='yes'>
  <listen type='address' address='0.0.0.0'/>
  <channel name='main' mode='secure'/>
</graphics>
```

```
# virsh list
 Id    Name                           State
----------------------------------------------------
 16    spice-13199                    running
```

2. Connect to spice with virt-viewer:

```
# virt-viewer spice-13199 --spice-host-subject="C=IL,L=Raanana,O=Red Hat,CN=my server" --spice-ca-file='/etc/pki/libvirt-spice/ca-cert.pem' --spice-debug --debug -v > spice.log
```

The virt-viewer shows 'connecting server' but does not show the guest screen.

Actual results:
As step 2

Expected results:
Connected to guest and ok to use.

Additional info:
1. When I delete `<channel name='main' mode='secure'/>`, with the xml as follows:

```xml
<graphics type='spice' autoport='yes'>
  <listen type='address' address='0.0.0.0'/>
</graphics>
```

Spice is ok to use.

2. When I downgrade the spice-gtk component to 0.26-5.el7, it is ok. The versions (0.26-6.el7~0.26-8.el7) higher than 0.26-5.el7 all have the bug. Maybe it is a regression of spice-gtk.
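
The following is an added example, not code from the bug report or from the libvirt or SPICE projects: it resolves the effective mode of every SPICE channel for a `<graphics>` element like the one in the report, which shows that only `main` is pinned to TLS there while the other channels keep libvirt's default of `any`. The function names and the wrapping `<domain>` element are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Channel names libvirt accepts inside <graphics type='spice'>.
SPICE_CHANNELS = ("main", "display", "inputs", "cursor",
                  "playback", "record", "smartcard", "usbredir")

# Constructed sample: the <graphics> element from the report, wrapped in a
# minimal <domain> so it parses like a libvirt domain definition.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>spice-13199</name>
  <devices>
    <graphics type='spice' autoport='yes'>
      <listen type='address' address='0.0.0.0'/>
      <channel name='main' mode='secure'/>
    </graphics>
  </devices>
</domain>
"""

def spice_channel_modes(domain_xml):
    """Return {channel: mode} for the first SPICE <graphics> element.

    mode is 'secure' (TLS only), 'insecure' (plaintext only) or 'any'.
    Channels without their own <channel> element inherit defaultMode,
    which libvirt treats as 'any' when the attribute is absent.
    """
    root = ET.fromstring(domain_xml)
    graphics = root.find(".//graphics[@type='spice']")
    if graphics is None:
        raise ValueError("domain has no SPICE graphics device")
    default = graphics.get("defaultMode", "any")
    modes = {name: default for name in SPICE_CHANNELS}
    for channel in graphics.findall("channel"):
        name, mode = channel.get("name"), channel.get("mode")
        if name not in modes:
            raise ValueError(f"unknown SPICE channel: {name!r}")
        if mode not in ("secure", "insecure", "any"):
            raise ValueError(f"invalid mode for {name}: {mode!r}")
        modes[name] = mode
    return modes

def channels_allowing_plaintext(domain_xml):
    """Channels that are not pinned to TLS and may run unencrypted."""
    modes = spice_channel_modes(domain_xml)
    return sorted(n for n, m in modes.items() if m != "secure")

if __name__ == "__main__":
    for name, mode in spice_channel_modes(SAMPLE_DOMAIN_XML).items():
        print(f"{name:10s} {mode}")
```

Setting `defaultMode='secure'` on the `<graphics>` element makes `channels_allowing_plaintext` return an empty list, which is the configuration to check for when every channel is required to use TLS.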