Bug 1751065 - Can't open guest console which has vnc graphics protocol by remote-viewer on rhv
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: virt-viewer
Version: 7.8
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Daniel Berrangé
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-11 06:30 UTC by mxie@redhat.com
Modified: 2019-12-23 10:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1751073
Environment:
Last Closed: 2019-12-19 12:22:38 UTC
Target Upstream Version:
Embargoed:


Attachments
remote-viewer.debug (15.08 KB, text/plain), 2019-12-17 03:05 UTC, zhoujunqin

Description mxie@redhat.com 2019-09-11 06:30:44 UTC
Description of problem:
Can't open guest console which has vnc graphics protocol by remote-viewer on rhv

Version-Release number of selected component (if applicable):
virt-viewer-5.0-15.el7.x86_64
libgovirt-0.3.4-3.el7.x86_64
gtk-vnc-0.7.0-3.el7.x86_64
rhv:4.3.6.5-0.1.el7

How reproducible:
100%

Steps to Reproduce:
1. Prepare a guest and set graphics protocol as vnc on rhv
2. Power on guest and click console option (open with remote-viewer) to connect guest console, the console disappears immediately


Actual results:
As description

Expected results:
Can open guest console which has vnc graphics protocol by remote-viewer on rhv

Additional info:
1. Can open guest console which has spice graphics protocol by remote-viewer on rhv normally

Comment 3 Daniel Berrangé 2019-12-13 10:17:22 UTC
To debug this I'll need you to reproduce the problem, launching virt-viewer with the "--debug --gtk-vnc-debug" arguments present on the command line & then attaching the resulting log file.

Comment 4 zhoujunqin 2019-12-17 03:05:59 UTC
Created attachment 1645729
remote-viewer.debug

Comment 5 zhoujunqin 2019-12-17 03:07:21 UTC
(In reply to Daniel Berrangé from comment #3)
> To debug this I'll need you to reproduce the problem, launching virt-viewer
> with the "--debug --gtk-vnc-debug" arguments present on the command line &
> then attaching the resulting log file.

Hi Daniel,
This issue happened when I used remote-viewer to connect to a VM which has Graphics protocol: VNC.
The remote-viewer console exits suddenly.

I'll attach remote-viewer-debug log.
$ remote-viewer console.vv --debug --gtk-vnc-debug |& tee>remote-viewer.debug

Comment 6 Daniel Berrangé 2019-12-18 12:04:33 UTC
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.705: vncconnection.c Do TLS handshake
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Checking if credentials are needed
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Want a TLS clientname
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.760: vncconnection.c Requesting missing credentials


So here we've seen a VNC auth type requiring a TLS handshake and are asking for the TLS credentials

(remote-viewer:14499): virt-viewer-DEBUG: 11:02:00.763: Got VNC credential request for 1 credential(s)
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Set credential 2 libvirt
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Searching for certs in /etc/pki
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.763: vncconnection.c Searching for certs in /home/juzhou/.pki
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c No CA certificate provided, using GNUTLS global trust
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate CA/cacrl.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Failed to find certificate libvirt/clientcert.pem

Here we looked for both CA certs and client certs & didn't find either, so we're using the system CA trust DB. This is almost never what you want.


(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Waiting for missing credentials
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c Got all credentials
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.764: vncconnection.c No CA certificate provided; trying the system trust store instead
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c Using the system trust store and CRL
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c No client cert or key provided
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c No CA revocation list provided
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.834: vncconnection.c Handshake was blocking
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.837: vncconnection.c Handshake was blocking
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.877: vncconnection.c Handshake done
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.877: vncconnection.c Validating
(remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.880: vncconnection.c Error: The certificate is not trusted

The server didn't require client cert so the TLS handshake completed.

We then tried to validate the server cert against the system trust DB CA certs and (unsurprisingly) failed

So the problem here is that there's no CA cert on your client that can be used to validate the server.

Comment 7 zhoujunqin 2019-12-19 11:25:54 UTC
> (remote-viewer:14499): gtk-vnc-DEBUG: 11:02:00.880: vncconnection.c Error:
> The certificate is not trusted
> 
> The server didn't require client cert so the TLS handshake completed.
> 
> We then tried to validate the server cert against the system trust DB CA
> certs and (unsurprisingly) failed
> 
> So the problem here is that there's no CA cert on your client that can be
> used to validate the server.

Hi Daniel,
The CA cert is contained in the console.vv file, I think, but it may not work as expected.
I can connect to a spice graphics VM's console on rhv using the same way.

$ cat console.vv 
[virt-viewer]
type=vnc
host=RRR
port=5900
password=GKKuIZMo4W2Q
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=juzhou-virt-viewer:%d
toggle-fullscreen=shift+f11
release-cursor=ctrl+alt
secure-attention=ctrl+alt+end
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel8:7.0-3;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=https://RHV/ovirt-engine/rhv/client-resources

[ovirt]
host=RHV:443
vm-guid=1504dbe8-25d7-4508-8cbe-e2ce3089c4d4
sso-token=wWnMQJGiVlJCR43KwltnUZJL1J2UAWsvpTu1KYVeF8fPFzc8skFOvfp6O-vy9J3BeqYG5xgwkvkaaAqvVR8j-g
admin=1
ca=-----BEGIN CERTIFICATE-----\nMIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMxITAfBgNVBAoM\nGHJodHMuZW5nLnBlazIucmVkaGF0LmNvbTE2MDQGA1UEAwwtaWJtLXgzMjUwbTUtMDMucmh0cy5l\nbmcucGVrMi5yZWRoYXQuY29tLjk5NzU5MB4XDTE5MDEyMzA4MzE0N1oXDTI5MDEyMTA4MzE0N1ow\naDELMAkGA1UEBhMCVVMxITAfBgNVBAoMGHJodHMuZW5nLnBlazIucmVkaGF0LmNvbTE2MDQGA1UE\nAwwtaWJtLXgzMjUwbTUtMDMucmh0cy5lbmcucGVrMi5yZWRoYXQuY29tLjk5NzU5MIIBIjANBgkq\nhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwzDXz0csh8Gxrne5sAn5NZnUfFfofxoLdQwSL9KecHC1\ntf1IEr1/3yFD+/5qclmsovRlCCft8VjzMP6CqrNJNr5TyGY5RBNlqi1d1BeobSyZSfqKwXw/7EQk\nB1vmlSqjQSX4aJiFrkS/YOQJ0cl4/8OmRA+QfM5g70W/VcKta4Yxy4H7WVcJElxxDzfzRZhmSJr2\neDVjXtiIRXDaE9ufDRpk7cSfFvLFZUgwzRukRWNSrdk/3wUeuI2s53TMWukBMhJXEJc7pumGJy0j\npX/1mj1+HUTO1tFxUt4MIOLYbpT11XRffCvfywiCoSdIwvcvRKG2WwX9nORzqfCOHc6vfwIDAQAB\no4HZMIHWMB0GA1UdDgQWBBRurjvRvWWR6nvOFZLzRLeV4aBsVzCBkwYDVR0jBIGLMIGIgBRurjvR\nvWWR6nvOFZLzRLeV4aBsV6FspGowaDELMAkGA1UEBhMCVVMxITAfBgNVBAoMGHJodHMuZW5nLnBl\nazIucmVkaGF0LmNvbTE2MDQGA1UEAwwtaWJtLXgzMjUwbTUtMDMucmh0cy5lbmcucGVrMi5yZWRo\nYXQuY29tLjk5NzU5ggIQADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG\n9w0BAQsFAAOCAQEAWYat8O8XScB1TicxLm60Pmb+0pEICEqVTC9u6Osj+U2jmwCrgpbO2cprCLHZ\nr/PcblByLbDUwmaU6VXlfUjy/cwpD8lVB99naPtFYjRH/WHT/qyktPXP8rsK2sdqXETUFu4ZXukf\nxIQKjhkgmVm+eGInICrbeGirWTp18A96ZkqUdOU+FWTMEmOUiv5v+/qbS7Ipr4BVHt5Xo6zK3tU9\nrqGFEd4UjTIS85haR4vAMXHDZYitGXjZu9hwGorqi9jLSvsSPttK+rjGeBYfZ8CSGiaFHkQYl31B\nJYLuRhinmv3YK/pH6shjKZwyJ1Itnjl8XLDHQaqLyEZ+GZ7QKh7JLg==\n-----END CERTIFICATE-----\n

Comment 8 Daniel Berrangé 2019-12-19 11:30:28 UTC
I don't know what virt-viewer is doing with that information, but from gtk-vnc's POV the certificate has to exist on disk in one of the file paths listed. There's no facility to pass the CA in via the API.

So I'm presuming that this scenario has never worked, and thus this bug is effectively an RFE.
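
Added example, not part of the original thread and not virt-viewer or gtk-vnc code: a shell script that copies the CA from the [ovirt] ca= key of console.vv to CA/cacert.pem under the per-user .pki directory, which is where the log in comment 6 shows gtk-vnc searching. The function names, the combined destination path and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: install the CA carried in an RHV console.vv where the
# gtk-vnc debug log shows it searching (<pkidir>/CA/cacert.pem).

# Print the PEM held in the "ca=" key of the [ovirt] section.
# The value is a single line with literal "\n" escapes, as in comment 7.
extract_ca() {
    awk '
        /^\[/ { in_ovirt = ($0 == "[ovirt]") }
        in_ovirt && /^ca=/ {
            v = substr($0, 4)
            gsub(/\\n/, "\n", v)   # two-character escape -> real newline
            sub(/\n+$/, "", v)      # drop trailing blank lines
            print v
        }
    ' "$1"
}

# Write the CA to <pkidir>/CA/cacert.pem (pkidir defaults to $HOME/.pki).
# Returns 1 if no PEM certificate is found, 2 if a different cacert.pem
# already exists (it is left untouched), 0 otherwise.
install_ca() {
    vv=$1
    dest=${2:-$HOME/.pki}/CA/cacert.pem
    pem=$(extract_ca "$vv")
    case $pem in
        "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") ;;
        *) echo "no PEM certificate in [ovirt] ca= of $vv" >&2; return 1 ;;
    esac
    if [ -e "$dest" ]; then
        [ "$(cat "$dest")" = "$pem" ] && return 0
        echo "$dest exists with different content; not overwriting" >&2
        return 2
    fi
    mkdir -p "$(dirname "$dest")" && printf '%s\n' "$pem" > "$dest"
}

# Constructed sample (not the file from the bug): same layout, dummy base64.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '[virt-viewer]' 'type=vnc' 'delete-this-file=1' '' '[ovirt]' \
        'admin=1' 'ca=-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n' \
        > "$tmp/console.vv"
    install_ca "$tmp/console.vv" "$tmp/pki" && cat "$tmp/pki/CA/cacert.pem"
}

# With arguments: install_ca <console.vv> [pkidir]; without: run the demo.
if [ $# -gt 0 ]; then install_ca "$@"; else demo; fi
```

Because the file sets delete-this-file=1, run this before opening it with remote-viewer. Going by the log, gtk-vnc would then validate servers against this CA rather than the system trust store, so only install a CA taken from a console.vv that came from an engine you trust.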

Comment 9 zhoujunqin 2019-12-19 12:12:45 UTC
Yes, we test more with Spice, and we also cloned a bug to rhel8.
Others met the same issue when testing on CNV: https://bugzilla.redhat.com/show_bug.cgi?id=1751073#c1

Comment 10 Daniel Berrangé 2019-12-19 12:22:38 UTC
This will require API enhancements to GTK-VNC to fix, and so given where we are in the RHEL-7 lifetime, I don't think it is realistic to fix here.  We can, however, target a fix for GTK-VNC and virt-viewer in RHEL-8.

