Bug 1751065
Summary: | Can't open guest console which has vnc graphics protocol by remote-viewer on rhv | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | mxie <mxie>
Component: | virt-viewer | Assignee: | Daniel Berrangé <berrange>
Status: | CLOSED WONTFIX | QA Contact: | Virtualization Bugs <virt-bugs>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 7.8 | CC: | berrange, dblechte, juzhou, mzhan, tzheng, xiaodwan, zili
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 1751073 | Environment: |
Last Closed: | 2019-12-19 12:22:38 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |

Description
mxie@redhat.com
2019-09-11 06:30:44 UTC

To debug this I'll need you to reproduce the problem, launching virt-viewer with the "--debug --gtk-vnc-debug" arguments present on the command line & then attaching the resulting log file.

Created attachment 1645729
remote-viewer.debug

(In reply to Daniel Berrangé from comment #3)
> To debug this I'll need you to reproduce the problem, launching virt-viewer
> with the "--debug --gtk-vnc-debug" arguments present on the command line &
> then attaching the resulting log file.

Hi Daniel,

This issue happened when I used remote-viewer to connect to a vm which has a Graphics protocol: VNC. The remote-viewer console exits suddenly. I'll attach the remote-viewer-debug log.

$ remote-viewer console.vv --debug --gtk-vnc-debug |& tee>remote-viewer.debug

(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.705: vncconnection.c Do TLS handshake
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Checking if credentials are needed
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Want a TLS clientname
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Requesting missing credentials

So here we've seen a VNC auth type requiring a TLS handshake and are asking for the TLS credentials.

(remote-viewer:14499): virt-viewer-DEBUG: 11:02:00.763: Got VNC credential request for 1 credential(s)
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Set credential 2 libvirt
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Searching for certs in /etc/pki
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Searching for certs in /home/juzhou/.pki
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c No CA certificate provided, using GNUTLS global trust
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate CA/cacrl.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate libvirt/clientcert.pem

Here we looked for both CA certs and client certs & didn't find either, so we're using the system CA trust DB. This is almost never what you want.

(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Waiting for missing credentials
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Got all credentials
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c No CA certificate provided; trying the system trust store instead
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c Using the system trust store and CRL
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c No client cert or key provided
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c No CA revocation list provided
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c Handshake was blocking
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.837: vncconnection.c Handshake was blocking
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.877: vncconnection.c Handshake done
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.877: vncconnection.c Validating
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.880: vncconnection.c Error: The certificate is not trusted

The server didn't require client cert so the TLS handshake completed.

We then tried to validate the server cert against the system trust DB CA certs and (unsurprisingly) failed.

So the problem here is that there's no CA cert on your client that can be used to validate the server.

> (remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.880: vncconnection.c Error:
> The certificate is not trusted
>
> The server didn't require client cert so the TLS handshake completed.
>
> We then tried to validate the server cert against the system trust DB CA
> certs and (unsurprisingly) failed
>
> So the problem here is that there's no CA cert on your client that can be
> used to validate the server.

Hi Daniel,

The CA cert is contained in the console.vv file, I think, but it may not work as expected.
I can connect to a spice graphics vm's console on rhv using the same way.

$ cat console.vv
[virt-viewer]
type=vnc
host=RRR
port=5900
password=GKKuIZMo4W2Q
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=juzhou-virt-viewer:%d
toggle-fullscreen=shift+f11
release-cursor=ctrl+alt
secure-attention=ctrl+alt+end
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel8:7.0-3;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=https://RHV/ovirt-engine/rhv/client-resources
[ovirt]
host=RHV:443
vm-guid=1504dbe8-25d7-4508-8cbe-e2ce3089c4d4
sso-token=wWnMQJGiVlJCR43KwltnUZJL1J2UAWsvpTu1KYVeF8fPFzc8skFOvfp6O-vy9J3BeqYG5xgwkvkaaAqvVR8j-g
admin=1
ca=-----BEGIN CERTIFICATE-----\n[certificate body omitted]\n-----END CERTIFICATE-----\n

I don't know what virt-viewer is doing with that information, but from gtk-vnc's POV the certificate has to exist on disk in one of the file paths listed. There's no facility to pass the CA in via the API. So I'm presuming that this scenario has never worked, and thus this bug is effectively an RFE.

Yes, we test more with Spice, and we also cloned a bug to rhel8.

Others meet the same issue when testing on CNV: https://bugzilla.redhat.com/show_bug.cgi?id=1751073#c1

This will require API enhancements to GTK-VNC to fix, and so given where we are in the RHEL-7 lifetime, I don't think it is realistic to fix here. We can, however, target a fix for GTK-VNC and virt-viewer in RHEL-8.
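
The debug log in this thread shows gtk-vnc searching /etc/pki and ~/.pki for CA/cacert.pem, while the CA exists only as an escaped ca= value in console.vv. The following Python sketch is an added example, not code from the bug thread, virt-viewer or gtk-vnc: it extracts that value and writes it to the per-user path from the log. The function names and sample file are constructed, and it assumes the [ovirt] CA is the one that signed the VNC server certificate, which the thread does not confirm.

```python
import configparser
import tempfile
from pathlib import Path

# Relative CA path as it appears in the gtk-vnc debug log above.
REL_CA = Path("CA") / "cacert.pem"

# Constructed sample; the certificate body is a placeholder, not a real cert.
SAMPLE_VV = r"""[virt-viewer]
type=vnc
title=demo:%d
[ovirt]
host=engine.example:443
ca=-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n
"""

def extract_ca(vv_text):
    """Return the [ovirt] ca= value as PEM text, or None if it is absent."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain '%d'
    cp.read_string(vv_text)
    raw = cp.get("ovirt", "ca", fallback=None)
    if raw is None:
        return None
    pem = raw.replace("\\n", "\n").strip() + "\n"  # literal \n -> newline
    if not (pem.startswith("-----BEGIN CERTIFICATE-----\n")
            and pem.endswith("-----END CERTIFICATE-----\n")):
        raise ValueError("ca= value is not PEM certificate data")
    return pem

def ca_search_paths(home, sysdir="/etc/pki"):
    """Candidate CA locations, built from the directories named in the log."""
    return [Path(sysdir) / REL_CA, Path(home) / ".pki" / REL_CA]

def install_ca(vv_text, home):
    """Write the CA to <home>/.pki/CA/cacert.pem; never replace a different CA."""
    pem = extract_ca(vv_text)
    if pem is None:
        return None
    target = ca_search_paths(home)[1]
    if target.exists() and target.read_text() != pem:
        raise FileExistsError(f"{target} already holds a different CA")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(pem)
    return target

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # stand-in for $HOME
        print("installed:", install_ca(SAMPLE_VV, home))
```

Writing the file makes the client trust whatever CA the .vv file carries, so this only makes sense for a .vv file obtained from the engine over a verified HTTPS connection.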