Created attachment 737090
Working version of spice.py

Description of problem:
When trying to connect to the console using rhevm-shell/ovirt-shell, the spicec does not want to connect.

steps involved were
========================
same for ovirt-shell

Version-Release number of selected component (if applicable):
ovirt-engine-cli-3.2.0.10-1.el6.noarch
rhev-cli-3.1.1.2-1.el6ev.noarch

How reproducible:

Steps to Reproduce:
1. rhevm-shell -l https://[ip] --user user --password pass -A [locationOfCA.crt]
2. console [vmname]
3.

Actual results:
At this point, the spicec client opens and closes quickly. Looking at the logs in .spicec/spicec.log, we can see that it looks like an SSL issue?

1365413387 INFO [28493:28493] Application::main: starting 0.8.3
1365413387 INFO [28493:28493] init_key_map: using evdev mapping
1365413387 INFO [28493:28493] MultyMonScreen::MultyMonScreen: platform_win: 77594625
1365413387 INFO [28493:28493] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-28493.uds
1365413387 INFO [28493:28494] RedPeer::connect_unsecure: Connected to 192.168.12.147 5906
1365413387 INFO [28493:28494] RedPeer::connect_secure: Connected to 192.168.12.147 5907
1365413387 ERROR [28493:28494] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1365413387 WARN [28493:28494] RedChannel::run: SSL Error:
1365413388 INFO [28493:28493] main: Spice client terminated (exitcode = 7)

Expected results:
spice console to vm

Additional info:
-----------------------------------------------------------------
how this was fixed,

#modify /usr/lib/python2.6/site-packages/ovirtcli/platform/posix/spice.py

#original file - at the end of the script, the "else" section, is not passing the ca-file and host-subject

    else:
        args.extend(['-h', host])
        args.extend(['-p', str(port)])
        if secport:
            args.extend([ '-s', str(secport) ])
        args.extend(['-w', ticket])
        args.extend(['-t', title])

#fixed file

    if cmd.startswith('/usr/libexec'):
        args.extend([host])
        args.extend([str(port)])
        if secport:
            args.extend([str(secport)])
        args.extend(['--ssl-channels', 'smain,sinputs'])
        args.extend(['--ca-file', certfile])
        if host_subject and host_subject != '':
            args.extend(['--host-subject', host_subject])
        args.extend(['-p', ticket])
    else:
        args.extend(['-h', host])
        args.extend(['-p', str(port)])
        if secport:
            args.extend([ '-s', str(secport) ])
        args.extend(['--ca-file', certfile])
        if host_subject and host_subject != '':
            args.extend(['--host-subject', host_subject])
        args.extend(['-w', ticket])
        args.extend(['-t', title])
    pid, pstdin = util.spawn(cmd, args, debug
------------------------------------------------------------------

i attached the file with the fix
feel free to post patch to gerrit.ovirt.org
we are running the "Red Hat Enterprise Virtualization Manager" but i don't have access to submit a bug in that section, hence why i submitted it in the ovirt section. support case number 00811800 but ok, i will have a look into submitting the patch
(In reply to comment #2)
> we are running the "Red Hat Enterprise Virtualization Manager" but i don't
> have access to submit a bug in that section, hence why i submitted it in the
> ovirt section.
>
> support case number 00811800
>
>
> but ok, i will have a look into submitting the patch

Simon - for the rhev-m side - can you please open a support ticket?
(and as michael stated - we'd still appreciate submitting the patch to gerrit.ovirt.org)

Thanks,
Itamar
(In reply to comment #3)
...
> Simon - for the rhev-m side - can you please open a support ticket?

never mind that - noticed you did already
Hi Simon,

Looks like bug 812299 already addresses the mentioned issue in 3.2,

http://gerrit.ovirt.org/#/c/3503/

*** This bug has been marked as a duplicate of bug 812299 ***
No, the other bug is different: in their case, they were not using SSL and the cli was passing through the -s port. In this case, we ARE using SSL, but the CLI is NOT passing through --ca-file and --host-subject.

please remove this as being a duplicate/closed.
Hi Simon,

(In reply to comment #6)
> No the other bug is different, their case, they were not using SSL and the
> cli was passing through the -s port. in this case, we ARE using SSL, but the
> CLI is NOT passing through --ca-file and --host-subject .
>
> please remove this as being a duplicate/closed.

AFAICS the following patches [1] address the issue you have mentioned
(as I can see, they are both available in release 3.1.0.4-1)

[1]
http://gerrit.ovirt.org/#/c/6047/
http://gerrit.ovirt.org/#/c/6063/
version that we are using are
ovirt-engine-cli-3.2.0.10-1.el6.noarch
rhev-cli-3.1.1.2-1.el6ev.noarch

the one that you pointed out added the --host-subject in the

    if cmd.startswith('/usr/libexec'):
        if host_subject and host_subject != '':
            args.extend(['--host-subject', host_subject])

but did not add it in the else: section

=====================================
as per description above

#fixed file

    if cmd.startswith('/usr/libexec'):
        .
        .
        .
        args.extend(['--ca-file', certfile])
        if host_subject and host_subject != '':                # [fix previously]
            args.extend(['--host-subject', host_subject])      # [fix previously]
        .
    else:
        .
        .
        if secport:
            args.extend([ '-s', str(secport) ])
        args.extend(['--ca-file', certfile])                   # [the new one added]
        if host_subject and host_subject != '':                # [the new one added]
            args.extend(['--host-subject', host_subject])      # [the new one added]
        .
        .
    pid, pstdin = util.spawn(cmd, args, debug
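The branch divergence described in this report, restated as an added example (not the ovirt-engine-cli source and not the reporter's patch): the TLS options are produced in one helper so neither branch can omit them, and a small check flags an argument list that carries a secure port without them. The function names and sample values are assumptions; the flags are the ones quoted above. It goes one step beyond the posted fix by refusing to build a secure-port command line without a CA file.

```python
# Added example, not ovirt-engine-cli code. Function names are hypothetical;
# the flags are the ones quoted in this report.

def tls_args(secport, certfile, host_subject):
    """Options needed to verify the host on the secure port ([] without one)."""
    if not secport:
        return []
    if not certfile:
        # Choice made for this example: fail early instead of starting a
        # client that cannot verify the server certificate.
        raise ValueError('secure port given but no CA file')
    args = ['--ca-file', certfile]
    if host_subject:
        args.extend(['--host-subject', host_subject])
    return args


def build_args(cmd, host, port, secport, ticket, title, certfile, host_subject):
    """Build the client argument list; both branches share tls_args()."""
    tls = tls_args(secport, certfile, host_subject)
    if cmd.startswith('/usr/libexec'):
        args = [host, str(port)]
        if secport:
            # Assumption: secure channels are only requested with a secure port.
            args.extend([str(secport), '--ssl-channels', 'smain,sinputs'])
        args.extend(tls + ['-p', ticket])
    else:
        args = ['-h', host, '-p', str(port)]
        if secport:
            args.extend(['-s', str(secport)])
        args.extend(tls + ['-w', ticket, '-t', title])
    return args


def missing_tls_options(args, secport, host_subject):
    """Regression check: TLS options a secure-port invocation lacks."""
    if not secport:
        return []
    wanted = ['--ca-file'] + (['--host-subject'] if host_subject else [])
    return [flag for flag in wanted if flag not in args]


# Constructed sample: what the original else branch produced (no TLS options).
ORIGINAL_ELSE_ARGS = ['-h', '192.0.2.10', '-p', '5906', '-s', '5907',
                      '-w', 'TICKET', '-t', 'vm1']
```

Running `missing_tls_options` over the arguments of every client branch in a unit test catches the case where a later fix lands in only one branch.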
michael - was this fixed (where/when) or not?
(In reply to Itamar Heim from comment #10)
> michael - was this fixed (where/when) or not?

AFAICS it was fixed by bug 953582, Simon can you confirm?
Because of the need to power off all our VMs to migrate to 3.2, we have not upgraded to 3.2 yet, so i cannot confirm that it has been fixed in the new version.
why do you need to power off your vm's? upgrade of engine doesn't require that, and upgrade of hosts can be done by moving vm's off the host via migration (move host to maintenance)
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days