SELinux status:                 disabled

[root@ovirt2 test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice|grep -v 2016|tail
total 84
-rw-r--r-- 1 root kvm 1379 Feb 19 17:09 ca-cert.pem
-rw-r--r-- 1 root kvm 1570 Mar  7 09:44 server-cert.pem
-r--r----- 1 vdsm kvm 1675 Mar  7 09:44 server-key.pem

Now I modify them to get spice to work:

[root@ovirt2 dmz.test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice
total 12
-rw-r--r-- 1 root kvm 1379 Mar 22 13:09 ca-cert.pem
-rw-r--r-- 1 root kvm 1570 Mar 22 13:09 server-cert.pem
-r--r--r-- 1 vdsm kvm 1675 Mar 22 13:09 server-key.pem


The only thing I do now out of basic install is adding 'user = "root"' to /etc/libvirt/qemu.conf and then reboot the box.
This is for import-to-ovirt.pl to work.

I have tried host redeploy, remove/install. The only thing I found that worked, other than changing file perms, is to re-kickstart the server.

Not sure what user other than vdsm or root would be accessing the file.



On 4/1/16 1:48 AM, Michal Skrivanek wrote:
On 26 Mar 2016, at 01:19, Bill James <bill.ja...@j2.com> wrote:

I'm very interested in this too as I have same problem with spice private keys.
Can you please paste permissions and selinux status, security context of that 
qemu&libvirt process and the inaccessible key file (ps -Z, ls -lZ)?

I wonder if host redeploy would help..did you try to reinstall the host? It 
should go through the certificate enrollment again and shouldn’t mess with 
anything else.

Thanks,
michal



On 3/24/16 2:02 AM, Fabrice Bacchella wrote:
I'm running on a brand new CentOS 7.2 an up to date oVirt 3.6.3.4.

The host is new too and dedicated to ovirt.

When I try to launch a vm, I get:

Thread-9407::ERROR::2016-03-24 09:16:18,301::vm::759::virt.vm::(_startUnderlyingVm) vmId=`a32e1043-a5a5-4e4c-8436-f7b7a4ff644c`::The vm start process failed
Traceback (most recent call last):
   File "/usr/share/vdsm/virt/vm.py", line 703, in _startUnderlyingVm
     self._run()
   File "/usr/share/vdsm/virt/vm.py", line 1941, in _run
     self._connection.createXML(domxml, flags),
   File "/usr/lib/python2.7/site-packages/vdsm/libvirtconnection.py", line 124, in wrapper
     ret = f(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/vdsm/utils.py", line 1313, in wrapper
     return func(inst, *args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3611, in createXML
     if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirtError: internal error: process exited while connecting to monitor: 
((null):23672): Spice-Warning **: reds.c:3311:reds_init_ssl: Could not use 
private key file
2016-03-24T08:16:18.005359Z qemu-kvm: failed to initialize spice server


/var/log/libvirt/qemu/test.log says

2016-03-24 08:55:48.214+0000: starting up libvirt version: 1.2.17, package: 
13.el7_2.3 (CentOS BuildSystem <http://bugs.centos.org>, 2016-02-16-17:06:00, 
worker1.bsys.centos.org), qemu version: 2.3.0 (qemu-kvm-ev-2.3.0-31.el7_2.7.1)
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin 
QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -name test -S -machine 
pc-i440fx-rhel7.2.0,accel=kvm,usb=off -cpu Haswell-noTSX -m 
size=2097152k,slots=16,maxmem=4294967296k -realtime mlock=off -smp 
2,maxcpus=16,sockets=16,cores=1,threads=1 -numa node,nodeid=0,cpus=0-1,mem=2048 
-uuid a32e1043-a5a5-4e4c-8436-f7b7a4ff644c -smbios 
type=1,manufacturer=oVirt,product=oVirt 
Node,version=7-2.1511.el7.centos.2.10,serial=30373237-3132-5A43-3235-343233333937,uuid=a32e1043-a5a5-4e4c-8436-f7b7a4ff644c
 -no-user-config -nodefaults -chardev 
socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-test/monitor.sock,server,nowait
 -mon chardev=charmonitor,id=monitor,mode=control -rtc 
base=2016-03-24T08:55:46,driftfix=slew -global kvm-pit.lost_tick_policy=discard 
-no-hpet -no-shutdown -boot menu=on,strict=on -device 
piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device 
virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x4 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive 
if=none,id=drive-ide0-1-0,readonly=on,format=raw,serial= -device 
ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -drive 
file=/rhev/data-center/00000001-0001-0001-0001-00000000022a/85d19e93-ee08-41bb-94c9-56adf17287b4/images/da6f49dd-8662-418b-a859-3523b4360c0e/930bbe74-7470-4b22-b096-fdb03276262d,if=none,id=drive-scsi0-0-0-0,format=raw,serial=da6f49dd-8662-418b-a859-3523b4360c0e,cache=none,werror=stop,rerror=stop,aio=native,iops=300
 -device 
scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1
 -netdev tap,fd=27,id=hostnet0,vhost=on,vhostfd=28 -device 
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:16:01:51,bus=pci.0,addr=0x3,bootindex=2
 -chardev 
socket,id=charserial0,path=/var/run/ovirt-vmconsole-console/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.sock,server,nowait
 -device isa-serial,chardev=charserial0,id=serial0 -chardev 
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channels/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.com.redhat.rhevm.vdsm,server,nowait
 -device 
virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm
 -chardev 
socket,id=charchannel1,path=/var/lib/libvirt/qemu/channels/a32e1043-a5a5-4e4c-8436-f7b7a4ff644c.org.qemu.guest_agent.0,server,nowait
 -device 
virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0
 -chardev spicevmc,id=charchannel2,name=vdagent -device 
virtserialport,bus=virtio-serial0.0,nr=3,chardev=charchannel2,id=channel2,name=com.redhat.spice.0
 -spice 
port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/vdsm/libvirt-spice,seamless-migration=on
 -device 
qxl-vga,id=video0,ram_size=67108864,vram_size=8388608,vgamem_mb=16,bus=pci.0,addr=0x2
 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
((null):29166): Spice-Warning **: reds.c:3311:reds_init_ssl: Could not use 
private key file
2016-03-24T08:55:48.329252Z qemu-kvm: failed to initialize spice server
2016-03-24 08:55:48.479+0000: shutting down

and indeed, when I try to strace libvirt:
  open("/etc/pki/vdsm/libvirt-spice/server-key.pem", O_RDONLY) = -1 EACCES (Permission denied)

chmod a+r /etc/pki/vdsm/libvirt-spice/server-key.pem solved the problem, but 
it's obviously not a solution.




_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
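
The mode and ownership shown in the two `ls -l` listings in this thread determine which account can open server-key.pem. As an added example (not part of the original messages), this POSIX sh function applies the kernel's owner/group/other selection to one `ls -l` line and flags a world-readable key. The account names and group memberships passed in are assumptions, and it assumes the process has no CAP_DAC_OVERRIDE, no ACLs apply, and SELinux is disabled as reported above.

```shell
#!/bin/sh
# Added example: who can read a key file, judged from one `ls -l` line.
# Assumes plain DAC checks only (no CAP_DAC_OVERRIDE, no ACLs, SELinux off).

# key_read_verdict "<ls -l line>" <user> "<space-separated groups of user>"
# Prints the class that grants read ("owner", "group", "other") or "denied",
# with "+world-readable" appended when the 'other' read bit is set.
key_read_verdict() (
    line=$1 user=$2 ugroups=" $3 "
    # Split the ls -l line into fields: mode, link count, owner, group, ...
    set -f; set -- $line
    mode=$1 owner=$3 group=$4
    case $mode in
        -[r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]*) ;;
        *) echo unparsed; exit 2 ;;
    esac
    u_r=$(printf %s "$mode" | cut -c2)
    g_r=$(printf %s "$mode" | cut -c5)
    o_r=$(printf %s "$mode" | cut -c8)
    # Exactly one class applies: owner, else group member, else other.
    # An owner without the read bit is denied even if 'group' would allow it.
    if [ "$user" = "$owner" ]; then
        class=owner bit=$u_r
    else
        case $ugroups in
            *" $group "*) class=group bit=$g_r ;;
            *)            class=other bit=$o_r ;;
        esac
    fi
    [ "$bit" = r ] && verdict=$class || verdict=denied
    [ "$o_r" = r ] && verdict="$verdict+world-readable"
    echo "$verdict"
)

# Constructed input: the two server-key.pem lines from the listings above.
before='-r--r----- 1 vdsm kvm 1675 Mar  7 09:44 server-key.pem'
after='-r--r--r-- 1 vdsm kvm 1675 Mar 22 13:09 server-key.pem'
# Assumed identities: qemu in groups "qemu kvm"; root with only group "root".
for l in "$before" "$after"; do
    echo "qemu: $(key_read_verdict "$l" qemu 'qemu kvm')" \
         " root: $(key_read_verdict "$l" root root)"
done
```

Under these assumptions the 0440 vdsm:kvm key is readable through the kvm group but not by an account outside it, and the 0444 mode grants read only by exposing the private key to every local user.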
