Description of problem:
SSIA.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.222.el6.x86_64
spice-server-0.10.1-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
run all of these (<dir> and <file> are pointing to valid SSL certs/keys):
qemu-kvm -spice port=<port>,tls-channel=main,tls-channel=inputs
qemu-kvm -spice port=5900,x509-dir=<dir>
qemu-kvm -spice port=5900,x509-cert-file=<file>,x509-cacert-file=<file>,x509-key-file=<file>

Actual results:
qemu-kvm happily runs

Expected results:
qemu-kvm should exit with non-zero error code and message like "spice: SSL/TLS options set but no tls-port specified"

Additional info:
High/High Priority/Severity set because this bug hides bugs that are in other components (RHEV/oVirt)
Created attachment 561980 [details] my take on this
Great, take it! :)
I've sent the patch upstream for review, but it's a qemu patch, I assume this should be moved to a different component?
Christophe, thanks a lot. I'm moving the bug to you, switching component like you suggested, note that it will require regetting acks, and moving to POST.

The patch is slated for next pull by Gerd:
http://patchwork.ozlabs.org/patch/142956/

Alon
It has now been sent to rhvirt-patches, thanks for the reminder.
Reproduced this issue with steps and environment as follows:
# uname -r;rpm -q qemu-kvm
2.6.32-220.el6.x86_64
qemu-kvm-0.12.1.2-2.209.el6.x86_64

1. run all of these
/usr/libexec/qemu-kvm -spice port=5900,tls-channel=main,tls-channel=inputs
/usr/libexec/qemu-kvm -spice port=5900,x509-dir=/home/spice_x509-Pa5
/usr/libexec/qemu-kvm -spice port=5900,x509-cert-file=/home/spice_x509-a5/server-cert.pem,x509-cacert-file=/home/spice_x509-Pa5/ca-cert.pem,x509-key-file=/home/spice_x509-Pa5/server-key.pem

qemu-kvm happily runs

Verified this issue with steps and environment as follows:
# uname -r;rpm -q qemu-kvm
2.6.32-220.el6.x86_64
qemu-kvm-0.12.1.2-2.269.el6.x86_64

redo above steps:
1. /usr/libexec/qemu-kvm -spice port=5900,tls-channel=main,tls-channel=inputs
qemu reports:
qemu-kvm: spice: tried to setup tls-channel without specifying a TLS port
Program exited with code 01.

2. /usr/libexec/qemu-kvm -spice port=5900,x509-dir=/home/spice_x509-Pa5
qemu-kvm happily runs

3. /usr/libexec/qemu-kvm -spice port=5900,x509-cert-file=/home/spice_x509-a5/server-cert.pem,x509-cacert-file=/home/spice_x509-Pa5/ca-cert.pem,x509-key-file=/home/spice_x509-Pa5/server-key.pem
qemu-kvm happily runs

Hi Christophe,
Is this consistent with the expected results?

daiwei
Hi Wei, please could you look if qemu-kvm opens only plaintext port in 2. and 3. and if you can connect to it with a client? If yes (spice console is accessible as a result), then you can mark it as verified.
Verified this issue with steps and environment as follows:
# uname -r;rpm -q qemu-kvm
2.6.32-220.el6.x86_64
qemu-kvm-0.12.1.2-2.269.el6.x86_64

redo step 2 and step 3

2. /usr/libexec/qemu-kvm -spice port=5900,disable-ticketing,x509-dir=/home/spice_x509-Pa5 -monitor stdio
With "spicec -h host_ip -p 5900" spice console is accessible

3. /usr/libexec/qemu-kvm -spice port=5900,disable-ticketing,x509-cert-file=/home/spice_x509-a5/server-cert.pem,x509-cacert-file=/home/spice_x509-Pa5/ca-cert.pem,x509-key-file=/home/spice_x509-Pa5/server-key.pem -monitor stdio
With "spicec -h host_ip -p 5900" spice console is accessible

According to Comment12, this issue has been fixed.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: NEEDINFO
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1,5 @@ -NEEDINFO+Cause: it's possible to specify SPICE TLS channels on qemu command line without specifying a TLS port for SPICE to use + +Consequence: when qemu is started this way, it's not possible to connect to the VM using SPICE + +Result: qemu now exits with an error in this situation
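Review bot: the added Cause line covers only TLS channels given without a TLS port, while the original report also listed x509-dir and the x509-*-file options without tls-port, and the verification comments show those invocations still start and serve the plaintext port. Suggest adding a sentence to Result saying that the new error applies to tls-channel only, so readers do not assume every TLS-related option is now rejected.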
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0746.html
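The behaviour verified in this thread, as an added example that is not part of the bug report or of qemu's code: a pre-flight check that flags `-spice` option strings carrying TLS settings but no `tls-port`. The function names and sample paths are hypothetical; the error/warning split mirrors what the verification comments report (tls-channel is rejected, x509-* options are accepted and only the plaintext port is opened), and values are assumed to contain no escaped `,,` commas.

```python
import shlex

# x509 options named in the report; meaningless without a TLS port
X509_KEYS = {"x509-dir", "x509-cert-file", "x509-cacert-file", "x509-key-file"}

def parse_spice_opts(optstr):
    """Split a -spice value into (key, value) pairs; bare flags get None."""
    pairs = []
    for item in optstr.split(","):
        if item:
            key, sep, value = item.partition("=")
            pairs.append((key, value if sep else None))
    return pairs

def check_spice(optstr):
    """Return (severity, message) findings for one -spice option string."""
    pairs = parse_spice_opts(optstr)
    keys = {k for k, _ in pairs}
    if "tls-port" in keys:
        return []
    findings = []
    channels = [v for k, v in pairs if k == "tls-channel"]
    if channels:
        # Fixed qemu-kvm exits with an error in this case
        findings.append(("error",
                         "tls-channel=%s set without tls-port" % ",".join(channels)))
    x509 = sorted(keys & X509_KEYS)
    if x509:
        # Still accepted by qemu-kvm: the certificates are simply unused
        findings.append(("warning",
                         "%s set without tls-port: only the plaintext port is opened"
                         % ", ".join(x509)))
    return findings

def audit_cmdline(cmdline):
    """Check every -spice argument found in a full qemu command line."""
    argv = shlex.split(cmdline)
    findings = []
    for i, arg in enumerate(argv[:-1]):
        if arg == "-spice":
            findings.extend(check_spice(argv[i + 1]))
    return findings

if __name__ == "__main__":
    # Constructed sample command lines modelled on the reproduction steps
    samples = [
        "qemu-kvm -spice port=5900,tls-channel=main,tls-channel=inputs",
        "qemu-kvm -spice port=5900,disable-ticketing,x509-dir=/tmp/example-certs",
        "qemu-kvm -spice port=5900,tls-port=5901,x509-dir=/tmp/example-certs,tls-channel=main",
    ]
    for s in samples:
        print(s, "->", audit_cmdline(s) or "ok")
```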