Bug 1751065

Summary: Can't open guest console which has vnc graphics protocol by remote-viewer on rhv
Product: Red Hat Enterprise Linux 7
Reporter: mxie <mxie>
Component: virt-viewer
Assignee: Daniel Berrangé <berrange>
Status: CLOSED WONTFIX
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 7.8
CC: berrange, dblechte, juzhou, mzhan, tzheng, xiaodwan, zili
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1751073
Environment:
Last Closed: 2019-12-19 12:22:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: remote-viewer.debug (flags: none)

Description mxie@redhat.com 2019-09-11 06:30:44 UTC
Description of problem:
Can't open guest console which has vnc graphics protocol by remote-viewer on rhv

Version-Release number of selected component (if applicable):
virt-viewer-5.0-15.el7.x86_64
libgovirt-0.3.4-3.el7.x86_64
gtk-vnc-0.7.0-3.el7.x86_64
rhv:4.3.6.5-0.1.el7

How reproducible:
100%

Steps to Reproduce:
1.Prepare a guest and set graphics protocol as vnc on rhv
2.Power on guest and click console option (open with remote-viewer) to connect guest console, the console will be disappeared immediately


Actual results:
As description

Expected results:
Can open guest console which has vnc graphics protocol by remote-viewer on rhv

Additional info:
1.Can open guest console which has spice graphics protocol by remote-viewer on rhv normally

Comment 3 Daniel Berrangé 2019-12-13 10:17:22 UTC
To debug this I'll need you to reproduce the problem, launching virt-viewer with the "--debug --gtk-vnc-debug" arguments present on the command line & then attaching the resulting log file.

Comment 4 zhoujunqin 2019-12-17 03:05:59 UTC
Created attachment 1645729
remote-viewer.debug

Comment 5 zhoujunqin 2019-12-17 03:07:21 UTC
(In reply to Daniel Berrangé from comment #3)
> To debug this I'll need you to reproduce the problem, launching virt-viewer
> with the "--debug --gtk-vnc-debug" arguments present on the command line &
> then attaching the resulting log file.

Hi Daniel,
This issue happened when I used remote-viewer to connect to a VM which has Graphics protocol: VNC.
The remote-viewer console exits suddenly.

I'll attach remote-viewer-debug log.
$ remote-viewer console.vv --debug --gtk-vnc-debug |& tee>remote-viewer.debug

Comment 6 Daniel Berrangé 2019-12-18 12:04:33 UTC
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.705: vncconnection.c Do TLS handshake
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Checking if credentials are needed
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Want a TLS clientname
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Requesting missing credentials


So here we've seen a VNC auth type requiring a TLS handshake and are asking for the TLS credentials

(remote-viewer:14499): virt-viewer-DEBUG: 11:02:00.763: Got VNC credential request for 1 credential(s)
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Set credential 2 libvirt
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Searching for certs in /etc/pki
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Searching for certs in /home/juzhou/.pki
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c No CA certificate provided, using GNUTLS global trust
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate CA/cacrl.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate libvirt/clientcert.pem

Here we looked for both CA certs and client certs & didn't find either, so we're using the system CA trust DB. This is almost never what you want.


(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Waiting for missing credentials
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Got all credentials
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c No CA certificate provided; trying the system trust store instead
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c Using the system trust store and CRL
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c No client cert or key provided
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c No CA revocation list provided
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c Handshake was blocking
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.837: vncconnection.c Handshake was blocking
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.877: vncconnection.c Handshake done
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.877: vncconnection.c Validating
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.880: vncconnection.c Error: The certificate is not trusted

The server didn't require client cert so the TLS handshake completed.

We then tried to validate the server cert against the system trust DB CA certs and (unsurprisingly) failed

So the problem here is that there's no CA cert on your client that can be used to validate the server.

Comment 7 zhoujunqin 2019-12-19 11:25:54 UTC
> (remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.880: vncconnection.c Error:
> The certificate is not trusted
> 
> The server didn't require client cert so the TLS handshake completed.
> 
> We then tried to validate the server cert against the system trust DB CA
> certs and (unsurprisingly) failed
> 
> So the problem here is that there's no CA cert on your client that can be
> used to validate the server.

Hi Daniel,
The CA cert is contained in the console.vv file, I think, but it may not work as expected.
I can connect to a spice graphics VM's console on rhv the same way.

$ cat console.vv 
[virt-viewer]
type=vnc
host=RRR
port=5900
password=GKKuIZMo4W2Q
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=juzhou-virt-viewer:%d
toggle-fullscreen=shift+f11
release-cursor=ctrl+alt
secure-attention=ctrl+alt+end
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel8:7.0-3;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=https://RHV/ovirt-engine/rhv/client-resources

[ovirt]
host=RHV:443
vm-guid=1504dbe8-25d7-4508-8cbe-e2ce3089c4d4
sso-token=wWnMQJGiVlJCR43KwltnUZJL1J2UAWsvpTu1KYVeF8fPFzc8skFOvfp6O-vy9J3BeqYG5xgwkvkaaAqvVR8j-g
admin=1
ca=-----BEGIN CERTIFICATE-----\nMIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMxITAfBgNVBAoM\nGHJodHMuZW5nLnBlazIucmVkaGF0LmNvbTE2MDQGA1UEAwwtaWJtLXgzMjUwbTUtMDMucmh0cy5l\nbmcucGVrMi5yZWRoYXQuY29tLjk5NzU5MB4XDTE5MDEyMzA4MzE0N1oXDTI5MDEyMTA4MzE0N1ow\naDELMAkGA1UEBhMCVVMxITAfBgNVBAoMGHJodHMuZW5nLnBlazIucmVkaGF0LmNvbTE2MDQGA1UE\nAwwtaWJtLXgzMjUwbTUtMDMucmh0cy5lbmcucGVrMi5yZWRoYXQuY29tLjk5NzU5MIIBIjANBgkq\nhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwzDXz0csh8Gxrne5sAn5NZnUfFfofxoLdQwSL9KecHC1\ntf1IEr1/3yFD+/5qclmsovRlCCft8VjzMP6CqrNJNr5TyGY5RBNlqi1d1BeobSyZSfqKwXw/7EQk\nB1vmlSqjQSX4aJiFrkS/YOQJ0cl4/8OmRA+QfM5g70W/VcKta4Yxy4H7WVcJElxxDzfzRZhmSJr2\neDVjXtiIRXDaE9ufDRpk7cSfFvLFZUgwzRukRWNSrdk/3wUeuI2s53TMWukBMhJXEJc7pumGJy0j\npX/1mj1+HUTO1tFxUt4MIOLYbpT11XRffCvfywiCoSdIwvcvRKG2WwX9nORzqfCOHc6vfwIDAQAB\no4HZMIHWMB0GA1UdDgQWBBRurjvRvWWR6nvOFZLzRLeV4aBsVzCBkwYDVR0jBIGLMIGIgBRurjvR\nvWWR6nvOFZLzRLeV4aBsV6FspGowaDELMAkGA1UEBhMCVVMxITAfBgNVBAoMGHJodHMuZW5nLnBl\nazIucmVkaGF0LmNvbTE2MDQGA1UEAwwtaWJtLXgzMjUwbTUtMDMucmh0cy5lbmcucGVrMi5yZWRo\nYXQuY29tLjk5NzU5ggIQADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG\n9w0BAQsFAAOCAQEAWYat8O8XScB1TicxLm60Pmb+0pEICEqVTC9u6Osj+U2jmwCrgpbO2cprCLHZ\nr/PcblByLbDUwmaU6VXlfUjy/cwpD8lVB99naPtFYjRH/WHT/qyktPXP8rsK2sdqXETUFu4ZXukf\nxIQKjhkgmVm+eGInICrbeGirWTp18A96ZkqUdOU+FWTMEmOUiv5v+/qbS7Ipr4BVHt5Xo6zK3tU9\nrqGFEd4UjTIS85haR4vAMXHDZYitGXjZu9hwGorqi9jLSvsSPttK+rjGeBYfZ8CSGiaFHkQYl31B\nJYLuRhinmv3YK/pH6shjKZwyJ1Itnjl8XLDHQaqLyEZ+GZ7QKh7JLg==\n-----END CERTIFICATE-----\n

Comment 8 Daniel Berrangé 2019-12-19 11:30:28 UTC
I don't know what virt-viewer is doing with that information, but from gtk-vnc's POV the certificate has to exist on disk in one of the file paths listed. There's no facility to pass the CA in via the API.

So I'm presuming that this scenario has never worked, and thus this bug is effectively an RFE.
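The comments above explain that gtk-vnc only loads a CA from fixed on-disk paths (comment 6's search of /etc/pki and ~/.pki for CA/cacert.pem), while the CA that RHV hands out travels inside console.vv as a single escaped ca= line (comment 7). The following is an added example, not virt-viewer or gtk-vnc code, showing a small helper that takes the ca= value out of a .vv file and writes it to ~/.pki/CA/cacert.pem so the server certificate can be validated; the sample .vv content and its placeholder certificate are constructed, and the function names are the example's own.

```python
import configparser
import sys
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample .vv file.  The certificate body is a placeholder, and the
# password/sso-token a real file carries are secrets: only the CA is copied out.
SAMPLE_VV = """[virt-viewer]
type=vnc
host=RRR
port=5900
password=PLACEHOLDER-PASSWORD
# Password is valid for 120 seconds.
title=juzhou-virt-viewer:%d

[ovirt]
host=RHV:443
ca=-----BEGIN CERTIFICATE-----\\nPLACEHOLDERBODY1\\nPLACEHOLDERBODY2\\n-----END CERTIFICATE-----\\n
"""

def extract_ca_pem(vv_text: str) -> Optional[str]:
    """Return the PEM from the ca= key (any section), or None if absent.
    The .vv file keeps the PEM on one line with literal backslash-n sequences."""
    # interpolation=None: title=...:%d must not be treated as a format string
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(vv_text)
    for section in cp.sections():
        if cp.has_option(section, "ca"):
            pem = cp.get(section, "ca").replace("\\n", "\n").strip() + "\n"
            return pem if "-----BEGIN CERTIFICATE-----" in pem else None
    return None

def install_ca(vv_text: str, pki_dir: Path) -> Optional[Path]:
    """Write the CA to <pki_dir>/CA/cacert.pem; None when no CA is present."""
    pem = extract_ca_pem(vv_text)
    if pem is None:
        return None
    out = pki_dir / "CA" / "cacert.pem"
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(pem)
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: python install_vv_ca.py console.vv
        print(install_ca(Path(sys.argv[1]).read_text(), Path.home() / ".pki"))
    else:  # demo: run the constructed sample against a scratch directory
        print(install_ca(SAMPLE_VV, Path(tempfile.mkdtemp())))
```

Run it against a real console.vv before remote-viewer deletes the file (delete-this-file=1); a subsequent --gtk-vnc-debug run should then show the CA being found instead of falling back to the system trust store.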

Comment 9 zhoujunqin 2019-12-19 12:12:45 UTC
Yes, we tested more with Spice, and we also cloned a bug to rhel8.
Others met the same issue when testing on CNV: https://bugzilla.redhat.com/show_bug.cgi?id=1751073#c1

Comment 10 Daniel Berrangé 2019-12-19 12:22:38 UTC
This will require API enhancements to GTK-VNC to fix, and so given where we are in the RHEL-7 lifetime, I don't think it is realistic to fix here. We can, however, target a fix for GTK-VNC and virt-viewer in RHEL-8.