Description of problem: The keyword console on ovirt-shell not lauching console and fails with unknown error : ================================================================================================= UNKNOWN ERROR ============================================================================================== 'ascii' codec can't decode byte 0xc3 in position 5374: ordinal not in range(128) ============================================================================================================================================================================================================== Version-Release number of selected component (if applicable): [oVirt shell (connected)]# info backend version: 3.6.5 sdk version : 3.6.3 cli version : 3.6.2 python version : 2.7.11.final.0 How reproducible: always Steps to Reproduce: 1. connect to ovirt-shell 2. console myvm Actual results: unknow error Expected results: VM console displays.
In theory this was fixed in version 3.6.2.0 of the CLI, see bug 807696, comment number 10. The problem is caused by non ASCII characters in the subject of the TLS certificate of the host. Can you repeat the same command using the "-d" option of the CLI? # ovirt-shell -d ... This should dump to the standard output the data exchanged with the server, so that we can check what is the content of the certificate. Note that this output contains the password of the user, so handle it with care, in particular remove the "Authorization: ..." lines before sharing.
Created attachment 1159875 [details] debug output of ovirt-shell Here are informations you have requested
OK, the subject of the certificate of the host doesn't look problematic, it doesn't contain characters outside of the ASCII set: <certificate> <organization>infra.local</organization> <subject>O=infra.local,CN=...</subject> </certificate> The other thing that can contain these characters is the CA certificate. Can you share that? It should be located in /etc/pki/ovirt-engine/ca.mepm, and you can use the following command to display its content: $ openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -text
Created attachment 1159880 [details] certificate Sure, here is the certificate.
That doesn't look problematic either. It may be that for some reason reading the certificate from the server failed in the past, and that the one that the CLI has stored is invalid. The CLI stores the certificate in the $HOME/.spicec directory, in a file named spice_truststore.pem. Can you check if that file exists and contains a valid certificate? If it doesn't contain a valid certificate then remove it, and try to open the console again. Please report your results.
The file spice_truststore.pem is here. It's not a certificate file, it a HTML file file spice_truststore.pem spice_truststore.pem: HTML document, UTF-8 Unicode text
Did you remove it and tried again?
Yes, same issue. I connect to my oVirt instance through HAProxy.
The CLI tries to download the CA file from http://.../ca.crt. For example, if you use https://engine.example.com/ovirt-engine/api as the URL parameter, then it will try to get http://engine.example.com/ca.crt, and it will save it to the spice_truststore.pem file, regardless of its content. Is that URL available in your setup? You may need to configure your HA proxy so that it also works for HTTP traffic, not just HTTPS. As a workaround you can get that file manually, and copy it over the existing spice_truststore.pem.
No, HTTP listener is not enable, but https://engine.example.com/ca.crt can be downloaded. If I put the cert in spice_truststore.pem, console is launching fine. But it's not displaying because it want to connect to the oVirt server and not through Spice Proxy. I will configure my HAproxy to enable download ca from in HTTP.
I have created an HTTP listener to access to /ca.crt, but it still not work. I am not seeing any HTTP request to get ca.crt in haproxy logs.
Is that listener using HTTP or HTTPS? The CLI will try to download http://.../ca.crt, not https://.../ca.crt.
Both, I have created an HTTP listener in addition to the HTTPS listener.
Is your HA proxy transparent for the user? I mean, does the user need to use explicitly a different URL? If it isn't transparent then you will need to tell the engine to use it for SPICE, using the global SpiceProxyDefault configuration parameter: # engine-config -s SpiceProxyDefault=http://ha-proxy-host:ha-proxy-port # systemctl restart ovirt-engine Or setting a proxy for the relevant cluster in the GUI (go to the cluster, right click, select "Edit", then click the "Console" section, and enable the proxy). Once this is done the engine will include the proxy address in the description of the VM generated by the API. Take into account that the CLI won't use that proxy address till bug 1343890 is fixed. If that works, I think we can close this bug as duplicate of bug 1343890.
I already set a SPICE proxy. My platform is setup with one URL ovirt.domain.tld for WebUI and spice.domain.tld with a SQUID proxy for Spice Proxy. Perhaps I need to use only one IP for SPICE proxy and HAProxy as a reverse proxy.
I think that you can configure the spice proxy as follows: # engine-config -s SpiceProxyDefault=http://spice.domain.tld # systemctl restart ovirt-engine Did you do that? With that done, and bug 1343890 fixed, the CLI should be able to display the console.
I believe that once bug 1343890 is fixed this will be fixed as well, so I'm closing it as a duplicate. *** This bug has been marked as a duplicate of bug 1343890 ***
Yes I did. I take note of bug duplicate.