Bug 1257886 - Need trust anchor thing whlie using remote-viewer connect to .vv file to see foreign menu
Need trust anchor thing whlie using remote-viewer connect to .vv file to see ...
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: virt-viewer (Show other bugs)
x86_64 Unspecified
medium Severity medium
: rc
: 7.2
Assigned To: Virt Viewer Maint
Virtualization Bugs
Depends On:
  Show dependency treegraph
Reported: 2015-08-28 06:23 EDT by zhoujunqin
Modified: 2017-08-02 03:06 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description zhoujunqin 2015-08-28 06:23:58 EDT
Description of problem:
Need trust anchor thing whlie using remote-viewer connect to .vv file, otherwise foreign menu cannot be seen.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
Prepare a rhevm3.6 environment and a running guest on it:the guest can only be seen in admin portal.

1. Download guest file "console.vv" to check 'admin' field in the [ovirt] section of .vv files 

1.1 Login rhevm server with rhevm hostname instead of ip, right-click on this guest and select "Console Options" item, then select Console Invocation as "Native client".

1.2. Click the guest and select "Console" item, then save the console file "console.vv" to local machine.

1.3. Open file console.vv check the 'admin' field in the [ovirt] section 
# cat console.vv

2. Use remote-viewer launch guest:
# remote-viewer console.vv 

3. Download ca.crt file and then do "trust anchor ca.crt" as root before testing, then run step1 & step2 again.

# wget -k https://$rhevm-hostname/ca.crt

# trust anchor ca.crt

Actual results:
After step2, without trusting anchor thing, remote-viewer can launch guest but cannot see foreign menu.
After step3, with trusting anchor thing, remote-viewer can launch guest and foreign menu "Change CD" can be seen.

Expected results:
Without trust anchor thing whlie using remote-viewer connect to .vv file, foreign menu can be seen.

Additional info:
Comment 2 David Jaša 2015-08-31 08:00:36 EDT
This bug a slim chance for good solution so we're probably left with:
- good error message in virt-viewer
- a good documentation explaining what's needed

Let me explain: 
The root cause is RHEV API cert is neither trusted system-wide, nor specified system wide. The issue is complicated however because the certificate used for web can be and frequently is issued by different CA than RHEV CA - and RHEV doesn't have powers to ensure that the CA is even known to RHEV. This is caused by usual CA chain in TLS:

RootCA (trusted) [- intermediateCA_1 [- intermediateCA_n]] - webCertificate

The root CA
- is expected to be included in client system (in ca certificates or among
    trust anchors)
- is not expected to be included in CA chain
So in configuration with no intermediate CAs, the root CA cert may not even be included in RHEV-M system (in case it is some internal CA) so the only thing that engine can supply to the client is the web cert itself.

To make things more complicated, the TLS in RHEV is provided by apache and what RHEV does is merely a default configuration so getting the web certificate in use is not exactly an easy task to solve (well, by default, reading it from ssl.conf should be enough in most setups - but the only reliable way is to connect to apache and read the cert from ServerHello).

On client side, libsoup - glib's http library used for libgovirt networking - would need to support to add RHEV-M cert as trusted one. I have no idea if it has such a capability

If these two issues are resolved in satisfactory way, then it should be possible to add the web certificate to a new item in vv file [ovirt] section and have libgovirt use it. The room for things not working as expected would however still remain large so the question is if it is worth the hassle.
Comment 3 Christophe Fergeau 2015-09-07 10:38:36 EDT
Current state is that:
- if SPICE CA and web CA are the same, then 'trust anchor' needs to be used
- if SPICE CA and web CA are not the same, then 'trust anchor' needs to be used

The easy fix to #1 so that 'trust anchor' is not needed breaks #2 with no possible workaround, which is not so nice :(
Comment 4 Christophe Fergeau 2016-06-14 12:27:56 EDT
No good solution in sight for 7.3 I'm afraid, moving to 7.4...

Note You need to log in before you can comment on or make changes to this bug.