Re: [Spice-devel] govirt 0.30 plans
On 11/06/2013 11:15 PM, i iordanov wrote: Hi Christophe, This one may turn out to not be an actual issue. I had gotten used to the functionality offered by oVirt Live 0.8 (I think it bundles oVirt 3.0) where I was able to attach as user admin@internal to virtual machines created in the Administrative Console (rather than in the User Console). It appears that oVirt 3.2 and 3.3 either do not allow this anymore or something else is amiss. One may not attach to such machines despite them being reported at /api/vms. To make a long story short, I made one of these machines a Template and created a VM based on it in the User Console of admin@internal. After that, I was able to connect! Do you think there is still anything wrong? Should we be able to attach to those vms (e.g. win and winbak)? (if you see a behavior change in ovirt, you an also ask/cc on us...@ovirt.org) in 3.0 we only allowed admin access to the API. in 3.1 we added user level access. main difference is users only get entities they have permissions with User Role on. an user with admin role can ask to get 'all', or just me as a user - all VMs which that admin has a User Role to. to not break api backward compatibility, default mode of the API remained 'admin mode', so you need to pass to the API filter=true to behave as a user. (we don't like this, and will try to come up with a better solution). i assume from Christophe next reply govirt (sensibly, as its geared for user access) default to user mode api. so you have two options - move to admin mode in govirt, or easier (and probably more consistent if you are aiming your solution for users rather than admins), give admin@internal a UserRole on the VMs, not an Admin Role. HTH, ITamar Cheers, iordan On Wed, Nov 6, 2013 at 4:22 AM, Christophe Fergeau cferg...@redhat.com wrote: On Tue, Nov 05, 2013 at 06:03:21PM -0600, i iordanov wrote: What I have done is manually navigated to https://FQDN/api/vms in order to attach the output I get there for you to see if you can spot why libgovirt fails to look up the VMs. The call failed with name set to both win and winbak. This code is happily parsed by the attached test program, so I'm not sure parsing is at fault. You can look at the REST calls by setting the REST_DEBUG env variable to 'proxy' Christophe ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Hi Itamar, Thanks for the explanations! I'll let Christophe confirm that govirt defaults to user-mode. On Sat, Nov 16, 2013 at 5:26 AM, Itamar Heim ih...@redhat.com wrote: so you have two options - move to admin mode in govirt, or easier (and probably more consistent if you are aiming your solution for users rather than admins), give admin@internal a UserRole on the VMs, not an Admin Role. The client will be aimed at users, so there is no real problem here, once I got over the initial hurdle of actually attaching to machines. Thanks! iordan -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
On Wed, Nov 06, 2013 at 11:15:17PM -0500, i iordanov wrote: I had gotten used to the functionality offered by oVirt Live 0.8 (I think it bundles oVirt 3.0) where I was able to attach as user admin@internal to virtual machines created in the Administrative Console (rather than in the User Console). It appears that oVirt 3.2 and 3.3 either do not allow this anymore or something else is amiss. One may not attach to such machines despite them being reported at /api/vms. Did you try to set the OvirtProxy::admin property to TRUE? Christophe pgpZvqh6TVRHy.pgp Description: PGP signature ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
On Tue, Nov 05, 2013 at 12:27:11PM -0500, i iordanov wrote: Hi Christophe, I am now using the libgovirt 0.30 release. As a preliminary test with self-signed certificates, I re-enabled fetching the ssl cert with ovirt_proxy_fetch_ca_certificate(). However, at the point ovirt_proxy_set_tmp_ca_file() tries to set the ssl-ca-file property, I get the following error: GLib-GObject-WARNING **: g_object_set_valist: object class `OvirtProxy' has no property named `ssl-ca-file' Ah right, this property is only in librest git, see http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=32b123f44fc79eaad388d6be09f103457f3 Christophe pgpF2PubWZy8N.pgp Description: PGP signature ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
On Tue, Nov 05, 2013 at 06:03:21PM -0600, i iordanov wrote: What I have done is manually navigated to https://FQDN/api/vms in order to attach the output I get there for you to see if you can spot why libgovirt fails to look up the VMs. The call failed with name set to both win and winbak. This code is happily parsed by the attached test program, so I'm not sure parsing is at fault. You can look at the REST calls by setting the REST_DEBUG env variable to 'proxy' Christophe /* Compile with * gcc -Wall -g3 -ggdb3 -O0 $(pkg-config --cflags --libs govirt-1.0) ./test-vm-parser.c */ #include govirt/govirt.h #include rest/rest-xml-parser.h OvirtCollection *ovirt_collection_new_from_xml(RestXmlNode *root_node, GType collection_type, const char *collection_name, GType resource_type, const char *resource_name, GError **error); int main(int argc, char **argv) { OvirtCollection *collection; OvirtResource *vm; RestXmlParser *parser; RestXmlNode *root_node; gchar *xml; gsize xml_len; if (argc != 2) { g_print(Usage: %s filename\n, argv[0]); return 1; } if (!g_file_get_contents(argv[1], xml, xml_len, NULL)) { g_warning(failed to load %s, argv[1]); return 2; } parser = rest_xml_parser_new(); root_node = rest_xml_parser_parse_from_data(parser, xml, xml_len); if (root_node == NULL) { g_warning(failed to parse %s, argv[1]); return 3; } collection = ovirt_collection_new_from_xml(root_node, OVIRT_TYPE_COLLECTION, vms, OVIRT_TYPE_VM, vm, NULL); rest_xml_node_unref(root_node); g_object_unref(parser); if (collection == NULL) { g_warning(failed to parse collection); return 4; } vm = ovirt_collection_lookup_resource(collection, win); if (vm == NULL) { g_warning(could not find 'win'); return 5; } else { char *guid; g_object_get(G_OBJECT(vm), guid, guid, NULL); g_print(win: %s\n, guid); g_free(guid); } vm = ovirt_collection_lookup_resource(collection, winbak); if (vm == NULL) { g_warning(could not find 'winbak'); return 6; } else { char *guid; g_object_get(G_OBJECT(vm), guid, guid, NULL); g_print(winbak: %s\n, guid); g_free(guid); } g_object_unref(collection); return 0; } pgp7unN2BAL78.pgp Description: PGP signature ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Hi Christophe, This one may turn out to not be an actual issue. I had gotten used to the functionality offered by oVirt Live 0.8 (I think it bundles oVirt 3.0) where I was able to attach as user admin@internal to virtual machines created in the Administrative Console (rather than in the User Console). It appears that oVirt 3.2 and 3.3 either do not allow this anymore or something else is amiss. One may not attach to such machines despite them being reported at /api/vms. To make a long story short, I made one of these machines a Template and created a VM based on it in the User Console of admin@internal. After that, I was able to connect! Do you think there is still anything wrong? Should we be able to attach to those vms (e.g. win and winbak)? Cheers, iordan On Wed, Nov 6, 2013 at 4:22 AM, Christophe Fergeau cferg...@redhat.com wrote: On Tue, Nov 05, 2013 at 06:03:21PM -0600, i iordanov wrote: What I have done is manually navigated to https://FQDN/api/vms in order to attach the output I get there for you to see if you can spot why libgovirt fails to look up the VMs. The call failed with name set to both win and winbak. This code is happily parsed by the attached test program, so I'm not sure parsing is at fault. You can look at the REST calls by setting the REST_DEBUG env variable to 'proxy' Christophe -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Hi Christophe, I am now using the libgovirt 0.30 release. As a preliminary test with self-signed certificates, I re-enabled fetching the ssl cert with ovirt_proxy_fetch_ca_certificate(). However, at the point ovirt_proxy_set_tmp_ca_file() tries to set the ssl-ca-file property, I get the following error: GLib-GObject-WARNING **: g_object_set_valist: object class `OvirtProxy' has no property named `ssl-ca-file' Afterward, predictably the SSL handshake fails. Can you tell me what I'm doing wrong? Thanks! iordan On Tue, Oct 29, 2013 at 3:23 PM, i iordanov iiorda...@gmail.com wrote: Thanks Christophe! Iordan On Tue, Oct 29, 2013 at 1:29 PM, Christophe Fergeau cferg...@redhat.com wrote: On Fri, Oct 25, 2013 at 11:45:53AM -0400, i iordanov wrote: Are you getting close to a 0.30 release? I can't wait to see the final version of the upgraded SSL handling! I've finally released this: http://ftp.acc.umu.se/pub/GNOME/sources/libgovirt/0.3/libgovirt-0.3.0.tar.xz What happens when a self-signed certificate is encountered for which no valid CA is specified? Is it just a silent failure or (better) can one connect some signals so a callback is triggered (like the authentication callback) where the self-signed certificate is available for displaying to the user for verification? It's reported as a failure to do the call, some work will likely be needed if you want something more sophisticated. Christophe -- The conscious mind has only one thread of execution. -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Just as an additional clarification, I am using rest-0.7.90 from: http://ftp.acc.umu.se/pub/GNOME/sources/rest/0.7/ Thanks! iordan On Tue, Nov 5, 2013 at 12:27 PM, i iordanov iiorda...@gmail.com wrote: Hi Christophe, I am now using the libgovirt 0.30 release. As a preliminary test with self-signed certificates, I re-enabled fetching the ssl cert with ovirt_proxy_fetch_ca_certificate(). However, at the point ovirt_proxy_set_tmp_ca_file() tries to set the ssl-ca-file property, I get the following error: GLib-GObject-WARNING **: g_object_set_valist: object class `OvirtProxy' has no property named `ssl-ca-file' Afterward, predictably the SSL handshake fails. Can you tell me what I'm doing wrong? Thanks! iordan On Tue, Oct 29, 2013 at 3:23 PM, i iordanov iiorda...@gmail.com wrote: Thanks Christophe! Iordan On Tue, Oct 29, 2013 at 1:29 PM, Christophe Fergeau cferg...@redhat.com wrote: On Fri, Oct 25, 2013 at 11:45:53AM -0400, i iordanov wrote: Are you getting close to a 0.30 release? I can't wait to see the final version of the upgraded SSL handling! I've finally released this: http://ftp.acc.umu.se/pub/GNOME/sources/libgovirt/0.3/libgovirt-0.3.0.tar.xz What happens when a self-signed certificate is encountered for which no valid CA is specified? Is it just a silent failure or (better) can one connect some signals so a callback is triggered (like the authentication callback) where the self-signed certificate is available for displaying to the user for verification? It's reported as a failure to do the call, some work will likely be needed if you want something more sophisticated. Christophe -- The conscious mind has only one thread of execution. -- The conscious mind has only one thread of execution. -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Thanks Christophe! Iordan On Tue, Oct 29, 2013 at 1:29 PM, Christophe Fergeau cferg...@redhat.com wrote: On Fri, Oct 25, 2013 at 11:45:53AM -0400, i iordanov wrote: Are you getting close to a 0.30 release? I can't wait to see the final version of the upgraded SSL handling! I've finally released this: http://ftp.acc.umu.se/pub/GNOME/sources/libgovirt/0.3/libgovirt-0.3.0.tar.xz What happens when a self-signed certificate is encountered for which no valid CA is specified? Is it just a silent failure or (better) can one connect some signals so a callback is triggered (like the authentication callback) where the self-signed certificate is available for displaying to the user for verification? It's reported as a failure to do the call, some work will likely be needed if you want something more sophisticated. Christophe -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
On Fri, Oct 25, 2013 at 11:45:53AM -0400, i iordanov wrote: Are you getting close to a 0.30 release? I can't wait to see the final version of the upgraded SSL handling! I've finally released this: http://ftp.acc.umu.se/pub/GNOME/sources/libgovirt/0.3/libgovirt-0.3.0.tar.xz What happens when a self-signed certificate is encountered for which no valid CA is specified? Is it just a silent failure or (better) can one connect some signals so a callback is triggered (like the authentication callback) where the self-signed certificate is available for displaying to the user for verification? It's reported as a failure to do the call, some work will likely be needed if you want something more sophisticated. Christophe pgpMCOTOA7X4u.pgp Description: PGP signature ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Hi Christophe, Are you getting close to a 0.30 release? I can't wait to see the final version of the upgraded SSL handling! What happens when a self-signed certificate is encountered for which no valid CA is specified? Is it just a silent failure or (better) can one connect some signals so a callback is triggered (like the authentication callback) where the self-signed certificate is available for displaying to the user for verification? Thanks! iordan On Mon, Oct 7, 2013 at 1:43 PM, i iordanov iiorda...@gmail.com wrote: Hi Christophe, Thank you! iordan On Mon, Oct 7, 2013 at 5:11 AM, Christophe Fergeau cferg...@redhat.com wrote: Hey, On Thu, Oct 03, 2013 at 04:03:22PM -0400, i iordanov wrote: When do you plan to release govirt 0.30 with the SSL fixes and the new API for getting available VMs, powering on the VM at login time, etc.? Ah thanks for the ping, after some bug fixing in the last weeks in the new features, it's starting to be in a good shape, I should try to get a release out this week. Do you plan to include something like the function that I submitted to spice-devel earlier for reading the cert from a local file? You had some suggestion for changes to the code, would you like me to make those changes? The OvirtProxy::ssl-ca-file property should do the trick for that. Christophe -- The conscious mind has only one thread of execution. -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Hey, On Thu, Oct 03, 2013 at 04:03:22PM -0400, i iordanov wrote: When do you plan to release govirt 0.30 with the SSL fixes and the new API for getting available VMs, powering on the VM at login time, etc.? Ah thanks for the ping, after some bug fixing in the last weeks in the new features, it's starting to be in a good shape, I should try to get a release out this week. Do you plan to include something like the function that I submitted to spice-devel earlier for reading the cert from a local file? You had some suggestion for changes to the code, would you like me to make those changes? The OvirtProxy::ssl-ca-file property should do the trick for that. Christophe pgpUPvzbEDbGb.pgp Description: PGP signature ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] govirt 0.30 plans
Hi Christophe, Thank you! iordan On Mon, Oct 7, 2013 at 5:11 AM, Christophe Fergeau cferg...@redhat.com wrote: Hey, On Thu, Oct 03, 2013 at 04:03:22PM -0400, i iordanov wrote: When do you plan to release govirt 0.30 with the SSL fixes and the new API for getting available VMs, powering on the VM at login time, etc.? Ah thanks for the ping, after some bug fixing in the last weeks in the new features, it's starting to be in a good shape, I should try to get a release out this week. Do you plan to include something like the function that I submitted to spice-devel earlier for reading the cert from a local file? You had some suggestion for changes to the code, would you like me to make those changes? The OvirtProxy::ssl-ca-file property should do the trick for that. Christophe -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
[Spice-devel] govirt 0.30 plans
Hi Christophe, When do you plan to release govirt 0.30 with the SSL fixes and the new API for getting available VMs, powering on the VM at login time, etc.? Do you plan to include something like the function that I submitted to spice-devel earlier for reading the cert from a local file? You had some suggestion for changes to the code, would you like me to make those changes? Thanks! iordan -- The conscious mind has only one thread of execution. ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel