Itamar Heim wrote on Tue 07. 08. 2012 at 23:18 +0300:
> On 08/07/2012 10:04 PM, Artem wrote:
> > Hello again,
> > I figured out, this resolves my question
> >
> > # curl -X POST -H "Accept: application/xml" \
> >     -H "Content-type: application/xml" \
> >     -u admin@internal:pass --cacert ca.crt \
> >     -d "<action><ticket><expiry>120</expiry></ticket></action>" \
> >     https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <action>
> >     <ticket>
> >         <value>+e/OUQvquJx4</value>
> >         <expiry>120</expiry>
> >     </ticket>
> >     <status>
> >         <state>complete</state>
> >     </status>
> > </action>
>
> indeed.
> artem/david - between all the inputs in this thread - please try to
> capture it in a wiki as david suggested.

Just writing it right now (offline).

David

>
> thanks,
> Itamar
>
> >
> > Artem
> >
> > 2012/8/7 Artem <ar...@e-inet.ru>:
> >> Hi all, thanks a lot, it works
> >>
> >> 1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
> >> 2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}" on kvm host
> >> 3) and connect to console using this line "spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
> >>
> >> but how to install "setVmTicket" without login as root on kvm host,
> >> how to make it through the post request?
> >>
> >>
> >> 2012/8/6 David Jaša <dj...@redhat.com>:
> >>> @Itamar - this is recurring problem, what about creating a wiki page for
> >>> it?
> >>>
> >>> @Artem:
> >>>
> >>> Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
> >>>> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
> >>>>
> >>>> i change host-subject but..
> >>>>
> >>>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL, CN=vm-srv" --secure-channels=all
> >>>
> >>> 1) your command line is missing '--ca-file $CA_FILE' altogether
> >>>
> >>> 2) you don't mention password
> >>>
> >>> 3) you shouldn't need to specify host subject at all because your host
> >>> (-h) matches name of server in CN field of host subject.
> >>> If you override
> >>> it anyway, strip white spaces after commas in it:
> >>> --host-subject='C=US,O=ICL,CN=vm-srv'
> >>>
> >>> 4) you could omit -p and --secure-channels altogether in order to
> >>> achieve tls-only connection, but you can hit
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
> >>>
> >>> So you should do (out of my head, may contain typos):
> >>> get CA:
> >>>   * on engine, it is found here:
> >>>     CA_FILE=/etc/pki/ovirt-engine/ca.pem
> >>>   * on host, it's here:
> >>>     CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
> >>>   * on any other host, get it from engine web interface:
> >>>     wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
> >>>
> >>> on the host, get UUID of the VM:
> >>> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/')"
> >>>
> >>> as root on the host, set ticket (password and its period of validity):
> >>> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
> >>> (doing it via REST API is cleaner but more cumbersome for me)
> >>>
> >>> if the hostname you're connecting does not match what is in CN field of
> >>> Subject of the server cert, get the subject without spaces after commas
> >>> on the host:
> >>> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'
> >>>
> >>> connect to the spice-server:
> >>> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
> >>> OR, with newer, shinier and overall better client :)
> >>> # yum install virt-viewer
> >>> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
> >>> (you'll have to provide the password through the pop-up dialog)
> >>>
> >>> if you need to provide host subject (host name/IP not matching the one
> >>> from server cert Subject):
> >>> $ spicec --host-subject ${HOST_SUBJECT} [...]
> >>> OR
> >>> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
> >>>
> >>> David
> >>>
> >>>
> >>>> Error: subject mismatch: #entries cert=2, input=3
> >>>> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
> >>>> 3079539240:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> >>>> Warning: SSL Error:
> >>>>
> >>>>
> >>>> 2012/8/6 Itamar Heim <ih...@redhat.com>:
> >>>>> On 08/06/2012 12:07 AM, Artem wrote:
> >>>>>>
> >>>>>> hmm... not sure if understood correctly...
> >>>>>>
> >>>>>> vm-srv this KVM host.. (server) and I connect from another machine to
> >>>>>> vm on kvm.
> >>>>>
> >>>>>
> >>>>> did you install the engine and kvm host on same machine?
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> this subject name i get in .spicec/spice_truststore.pem
> >>>>>
> >>>>>
> >>>>> yes, spice trusts the CA, but client needs to validate the target host
> >>>>> certificate.
> >>>>> (if you run engine and host on same machine, try:
> >>>>> "C=US, O=ICL, CN=vm-srv"
> >>>>> (assuming you added the host with hostname of vm-srv to engine. if you
> >>>>> added it with fqdn or ip, use them under last CN)
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> //////////////////////////////////
> >>>>>> # cat .spicec/spice_truststore.pem
> >>>>>> Certificate:
> >>>>>>     Data:
> >>>>>>         Version: 3 (0x2)
> >>>>>>         Serial Number: 1 (0x1)
> >>>>>>         Signature Algorithm: sha1WithRSAEncryption
> >>>>>>         Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
> >>>>>>         Validity
> >>>>>>             Not Before: Jul 28 03:42:06 2012
> >>>>>>             Not After : Jul 26 23:42:07 2022 GMT
> >>>>>>         Subject: C=US, O=ICL, CN=CA-vm-srv.15064
> >>>>>>         Subject Public Key Info:
> >>>>>>             Public Key Algorithm: rsaEncryption
> >>>>>>             Public-Key: (2048 bit)
> >>>>>>             Modulus:
> >>>>>> ///////////////////////////////////////////
> >>>>>>
> >>>>>> 2012/8/6 Itamar Heim <ih...@redhat.com>:
> >>>>>>>
> >>>>>>> this looks like the subject name of the CA, not the host running the
> >>>>>>> virtual machine?
> >>>>>
> >>>>>
> >>>>>
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users@ovirt.org
> >>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>
> >>> --
> >>>
> >>> David Jaša, RHCE
> >>>
> >>> SPICE QE based in Brno
> >>> GPG Key: 22C33E24
> >>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> >>>
> >>>
> >>>
> >

--

David Jaša, RHCE

SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
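
Added example, not part of the original thread and not oVirt or SPICE project code: shell helpers for two steps discussed above, reading the ticket out of the REST reply and checking a host subject against the server certificate's Subject line before connecting, which is the comparison behind the "subject mismatch" error. The function names are hypothetical, the XML is the reply quoted in the thread, and the certificate Subject line is constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of any oVirt tool.

# Turn a certificate "Subject:" line (as printed by `openssl x509 -text`)
# into the form --host-subject expects: no whitespace after commas.
normalize_host_subject() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*Subject:[[:space:]]*//' \
        -e 's/,[[:space:]]*/,/g' -e 's/[[:space:]]*$//'
}

# Pre-flight check for "subject mismatch": compare the server certificate's
# Subject with the value you intend to pass, after normalizing both.
subject_matches() {   # $1 = Subject line from server cert, $2 = intended value
    [ "$(normalize_host_subject "$1")" = "$(normalize_host_subject "$2")" ]
}

# Pull one element's text out of the REST API ticket reply. Handles the flat
# elements seen in the thread; it is not a general XML parser.
ticket_field() {      # $1 = XML reply, $2 = element name (value | expiry)
    printf '%s\n' "$1" | sed -n "s:.*<$2>\\(.*\\)</$2>.*:\\1:p" | head -n 1
}

# Reply body as quoted in the thread.
SAMPLE_REPLY='<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <ticket>
        <value>+e/OUQvquJx4</value>
        <expiry>120</expiry>
    </ticket>
    <status><state>complete</state></status>
</action>'
# Constructed Subject line with two entries, to show a mismatch being caught.
CERT_SUBJECT_LINE='        Subject: O=ICL, CN=vm-srv'
INTENDED='C=US, O=ICL, CN=vm-srv'

echo "ticket=$(ticket_field "$SAMPLE_REPLY" value)" \
     "valid_for=$(ticket_field "$SAMPLE_REPLY" expiry)s"
if subject_matches "$CERT_SUBJECT_LINE" "$INTENDED"; then
    echo "host subject OK: $(normalize_host_subject "$INTENDED")"
else
    echo "host subject differs from certificate:" \
         "$(normalize_host_subject "$CERT_SUBJECT_LINE")"
fi
```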