
Bug 688586

Summary: Errors in man page: [un]supported tls-channels for Spice
Product: Red Hat Enterprise Linux 6
Reporter: Michal Haško <mhasko>
Component: qemu-kvm
Assignee: Alon Levy <alevy>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Priority: medium
Version: 6.1
CC: acathrow, dblechte, juzhang, minovotn, mkenneth, pbonzini, pschiffe, pslavice, tburke, virt-maint, wdai
Target Milestone: rc
Keywords: ManPageChange
Hardware: Unspecified
OS: Linux
Fixed In Version: qemu-kvm-0.12.1.2-2.238.el6
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Last Closed: 2012-06-20 11:32:55 UTC
Bug Blocks: 767897

Description Michal Haško 2011-03-17 12:29:06 UTC
Description of problem:
The qemu-kvm man page shows that supported tls-channels are:
    tls-channel=[main|display|inputs|record|playback|tunnel]
But if the tls-channel=tunnel is supplied, it fails with:
    spice: failed to set channel security for tunnel
Moreover, if tls-channel=cursor (legacy?) is supplied, it doesn't fail, although it is not specified in the man page.

Version-Release number of selected component (if applicable):
$ rpm -q qemu-kvm
qemu-kvm-0.12.1.2-2.150.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
$ /usr/libexec/qemu-kvm -spice tls-port=3001,tls-channel=cursor,tls-channel=tunnel
(this is not the actual nor correct usage of the options, but the minimal set to reproduce the issue)

Actual results:
spice: failed to set channel security for tunnel

Expected results:
The man page should not list tunnel channel and should list cursor channel instead?

Comment 1 Michal Haško 2011-03-22 12:54:07 UTC
More man page errors:

in man page:
"-soundhw hda" -> that is not the correct way of adding the intel hda sound card

this works:
"-device intel-hda,id=sound0,bus=pci.0,addr=0x5 -device hda-duplex"

Comment 2 Alon Levy 2011-03-24 13:46:06 UTC
regarding comment #1 - cursor is not legacy, tunnel is compiled out in our spec, and we also support a smartcard channel now which is also not mentioned.

I'm not sure how to proceed, because it seems the correct fix is to have a qemu.1.template and build the full one based on compile time options (maybe can be done with qemu.1.in, I'm not familiar enough with autotools to know, but I guess it can). So I'll take this upstream.

Alon

Comment 6 Andrew Cathrow 2011-09-19 18:56:15 UTC
Moving to 6.3

Comment 9 Alon Levy 2012-02-26 10:28:34 UTC
upstream commit d70d6b31091ab522ce793a52559e3dd9f9913b32 .

Comment 12 daiwei 2012-03-22 12:54:34 UTC
Reproduced this issue with steps and environment as follows: 

# uname -r ; rpm -q qemu-kvm
2.6.32-220.el6.x86_64
qemu-kvm-0.12.1.2-2.209.el6.x86_64

1. Boot guest

/usr/libexec/qemu-kvm -cpu cpu64-rhel6,+x2apic,family=0xf -rtc base=localtime,clock=host,driftfix=slew -M rhel6.2.0 -enable-kvm -name win7_x64 -smp 2 -m 2G -uuid bd85c229-6384-446d-bedd-c111008ecfce -boot menu=on -drive file=/nfs/win7sp1.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,aio=native,media=disk,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-blk-pci0,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=net0,mac=44:37:E6:5E:A3:F7 -spice port=9000,disable-ticketing,tls-channel=cursor,tls-port=3001,tls-channel=tunnel -balloon none -monitor stdio -usb -device usb-tablet,id=input1

spice: failed to set channel security for tunnel

2. On host, check man manual

# man qemu-kvm      -----we can find
tls-port=<nr>
               Set the TCP port spice is listening on for encrypted channels.
tls-channel=[main|display|inputs|record|playback|tunnel]

Verified this issue with steps and environment as follows: 

# uname -r;rpm -q qemu-kvm
2.6.32-251.el6.x86_64
qemu-kvm-0.12.1.2-2.255.el6.x86_64

1. boot guest
 /usr/libexec/qemu-kvm -cpu cpu64-rhel6,+x2apic,family=0xf -rtc base=localtime,clock=host,driftfix=slew -M rhel6.2.0 -enable-kvm -name win7_x64 -smp 2 -m 2G -uuid bd85c229-6384-446d-bedd-c111008ecfce -boot menu=on -drive file=/nfs/win7sp1.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,aio=native,media=disk,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-blk-pci0,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=net0,mac=44:37:E6:5E:A3:F7 -spice port=9000,disable-ticketing,tls-channel=cursor,tls-port=3001,tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=record,tls-channel=playback -balloon none -monitor stdio -usb -device usb-tablet,id=input1


(qemu) info spice
Server:
     address: 0.0.0.0:9000
     address: 0.0.0.0:3001 [tls]
        auth: none
Channels: none



2. On host, check man manual

# man qemu-kvm      -----we can find
tls-channel=[main|display|cursor|inputs|record|playback]

So, this bug has been fixed.
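
An added example, not part of the bug report or of qemu-kvm: a shell check that takes the value passed to -spice and compares its tls-channel entries with the channel list printed by the corrected man page in comment 12. The function and variable names are assumptions made for this example; the two option strings are the -spice values from the reproduce and verify steps above.

```shell
#!/bin/sh
# Added example; function and variable names are assumptions, not qemu-kvm code.
# Channel list as printed by the corrected man page quoted in comment 12.
DOCUMENTED_CHANNELS="main display cursor inputs record playback"

# -spice values copied from the reproduce and verify steps in comment 12.
REPRO_OPTS='port=9000,disable-ticketing,tls-channel=cursor,tls-port=3001,tls-channel=tunnel'
VERIFY_OPTS='port=9000,disable-ticketing,tls-channel=cursor,tls-port=3001,tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=record,tls-channel=playback'

# Print every tls-channel value in a -spice option string, one per line.
spice_tls_channels() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^tls-channel=//p'
}

# Print requested tls-channel names that the man page does not list.
spice_undocumented_channels() {
    spice_tls_channels "$1" | while IFS= read -r ch; do
        [ -n "$ch" ] || continue          # skip an empty "tls-channel=" value
        case " $DOCUMENTED_CHANNELS " in
            *" $ch "*) ;;                 # listed in the man page
            *) printf '%s\n' "$ch" ;;     # not listed: report it
        esac
    done
}

# Print documented channels that have no tls-channel entry in the string.
spice_channels_without_tls() {
    requested=" $(spice_tls_channels "$1" | tr '\n' ' ')"
    for ch in $DOCUMENTED_CHANNELS; do
        case "$requested" in
            *" $ch "*) ;;                 # a tls-channel entry exists
            *) printf '%s\n' "$ch" ;;     # no entry for this channel
        esac
    done
}
```

Running spice_undocumented_channels on a launch script's -spice value before starting the guest surfaces names such as tunnel that this build rejects, and spice_channels_without_tls shows which documented channels the option string leaves without a tls-channel entry.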

Comment 14 Michal Novotny 2012-05-03 17:05:29 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No Documentation Needed

Comment 15 errata-xmlrpc 2012-06-20 11:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html