Bug 1328793 - virt-viewer always be 'connecting server' when guest spice ssl with <channel name='main' mode='secure'/>
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: spice-gtk
Version: 7.3
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
Assignee: Default Assignee for SPICE Bugs
QA Contact: SPICE QE bug list
Depends On: 1329973
Reported: 2016-04-20 09:57 UTC by Han Han
Modified: 2016-11-04 01:17 UTC

Fixed In Version: spice-gtk-0.31-2.el7
Doc Type: Bug Fix
Last Closed: 2016-11-04 01:17:34 UTC


Attachments
The virt-viewer cmdline debug info (15.84 KB, text/plain)
2016-04-20 09:57 UTC, Han Han


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2229 0 normal SHIPPED_LIVE virt-viewer, libgovirt, spice-gtk, and usbredir bug fix and enhancement update 2016-11-03 13:26:58 UTC

Description Han Han 2016-04-20 09:57:51 UTC
Created attachment 1148986 [details]
The virt-viewer cmdline debug info

Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-1.3.3-2.el7.x86_64
qemu-kvm-rhev-2.5.0-4.el7.x86_64
spice-server-0.12.4-15.el7.x86_64
spice-gtk-0.26-8.el7.x86_64
spice-glib-0.26-8.el7.x86_64

How reproducible:
100%


Steps to Reproduce:
1. Prepare spice ssl env:
Change /etc/libvirt/qemu.conf to:
spice_listen = "0.0.0.0"
spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

Run the following script to generate keys for spice-ssl and restart the libvirtd service:
#!/bin/bash
SERVER_KEY=server-key.pem
# creating a key for our ca
if [ ! -e ca-key.pem ]; then
    openssl genrsa -des3 -out ca-key.pem 1024
fi
# creating a ca
if [ ! -e ca-cert.pem ]; then
    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
fi
# create server key
if [ ! -e "$SERVER_KEY" ]; then
    openssl genrsa -out "$SERVER_KEY" 1024
fi
# create a certificate signing request (csr)
if [ ! -e server-key.csr ]; then
    openssl req -new -key "$SERVER_KEY" -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
fi
# signing our server certificate with this ca
if [ ! -e server-cert.pem ]; then
    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
fi
# now create a key that doesn't require a passphrase
openssl rsa -in "$SERVER_KEY" -out "$SERVER_KEY.insecure"
mv "$SERVER_KEY" "$SERVER_KEY.secure"
mv "$SERVER_KEY.insecure" "$SERVER_KEY"
# show the results (no other effect)
openssl rsa -noout -text -in "$SERVER_KEY"
openssl rsa -noout -text -in ca-key.pem
openssl req -noout -text -in server-key.csr
openssl x509 -noout -text -in server-cert.pem
openssl x509 -noout -text -in ca-cert.pem
# copy *.pem file to /etc/pki/libvirt-spice
if [[ -d "/etc/pki/libvirt-spice" ]]; then
    cp ./*.pem /etc/pki/libvirt-spice
else
    mkdir /etc/pki/libvirt-spice
    cp ./*.pem /etc/pki/libvirt-spice
fi
# echo --host-subject
echo "your --host-subject is" \" $(openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " ") \"
service libvirtd restart

Start a guest with the following XML:
<graphics type='spice' autoport='yes'>
  <listen type='address' address='0.0.0.0'/>
  <channel name='main' mode='secure'/>
</graphics>

# virsh list
 Id    Name                           State
----------------------------------------------------
 16    spice-13199                    running

2. Connect to SPICE with virt-viewer:
# virt-viewer spice-13199 --spice-host-subject="C=IL,L=Raanana,O=Red Hat,CN=my server" --spice-ca-file='/etc/pki/libvirt-spice/ca-cert.pem' --spice-debug --debug -v > spice.log
virt-viewer shows 'connecting server' but does not show the guest screen.

Actual results:
As in step 2.

Expected results:
Connected to guest and ok to use.

Additional info:
1. When I delete <channel name='main' mode='secure'/>, with the XML as follows:
<graphics type='spice' autoport='yes'>
  <listen type='address' address='0.0.0.0'/>
</graphics>
SPICE is OK to use.
2. When I downgrade the spice-gtk component to 0.26-5.el7, it is OK. The versions higher than 0.26-5.el7 (0.26-6.el7 to 0.26-8.el7) all have the bug. Maybe it is a regression in spice-gtk.
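
The guest XML in this report forces TLS only on the main channel; every other SPICE channel inherits the default policy. The following is an added example, not part of the original report or of libvirt or spice-gtk: it resolves the effective per-channel mode from a domain XML (as printed by `virsh dumpxml`) and lists what is left unenforced. It assumes libvirt's documented fallback of `defaultMode` to `any` when the attribute is absent; the function names and the sample wrapper document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SPICE channel names that libvirt accepts in <channel name='...'/>.
SPICE_CHANNELS = ("main", "display", "inputs", "cursor",
                  "playback", "record", "smartcard", "usbredir")

# Constructed sample: the <graphics> element from the report inside a
# minimal <domain> wrapper so it parses on its own.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>spice-13199</name>
  <devices>
    <graphics type='spice' autoport='yes'>
      <listen type='address' address='0.0.0.0'/>
      <channel name='main' mode='secure'/>
    </graphics>
  </devices>
</domain>
"""

def _spice_graphics(domain_xml):
    return ET.fromstring(domain_xml).find("./devices/graphics[@type='spice']")

def spice_channel_modes(domain_xml):
    """Return {channel: mode} for the SPICE <graphics> element, or None."""
    gfx = _spice_graphics(domain_xml)
    if gfx is None:
        return None
    # Channels without a <channel> element inherit defaultMode ('any' if unset).
    modes = dict.fromkeys(SPICE_CHANNELS, gfx.get("defaultMode", "any"))
    for ch in gfx.findall("channel"):
        if ch.get("name") in modes and ch.get("mode") in ("secure", "insecure", "any"):
            modes[ch.get("name")] = ch.get("mode")
    return modes

def audit_spice(domain_xml):
    """List channels that may run without TLS and wildcard listen addresses."""
    gfx, findings = _spice_graphics(domain_xml), []
    if gfx is None:
        return findings
    loose = sorted(c for c, m in spice_channel_modes(domain_xml).items() if m != "secure")
    if loose:
        findings.append("TLS not enforced on: " + ", ".join(loose))
    for listen in gfx.findall("listen"):
        if listen.get("address") in ("0.0.0.0", "::"):
            findings.append("listens on wildcard address " + listen.get("address"))
    return findings

if __name__ == "__main__":
    print(spice_channel_modes(SAMPLE_DOMAIN_XML))
    print("\n".join(audit_spice(SAMPLE_DOMAIN_XML)))
```

For the XML in this report the audit shows the mixed policy (main secure, all other channels `any`) together with the wildcard listener.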

Comment 1 Han Han 2016-04-20 10:00:26 UTC
The virt-viewer version is virt-viewer-2.0-7.el7.x86_64

Comment 4 Christophe Fergeau 2016-04-21 16:13:38 UTC
This is fixed for me by https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=6d23963f5ce916d02b7b65be42b83a396959d41a
However, this patch is in the middle of a 'migration' patch series, and I believe there were some migration issues reported, so we probably need more than this single patch.

Wondering if https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=26b7767d4831be could be useful too (this applies cleanly on the current build provided you add these 2 patches first:
https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=dc80df0c5
https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=923bcaa1a)

Comment 5 Christophe Fergeau 2016-04-21 16:40:26 UTC
Scratch build with the patch mentioned in the previous comment https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=10911488

Comment 9 errata-xmlrpc 2016-11-04 01:17:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2229.html

