From Fedora Project Wiki
Latest revision as of 19:00, 28 September 2011
Description
Setup
Make sure you have a guest that can be started successfully
How to test
- Force off the running guest
- Go to the guest detail panel and remove the "Display VNC" device
- Click the "Add Hardware" button at the bottom left
- Add "Graphics" -> Type "SPICE server"
- Uncheck "Automatically allocation"
- Set the Port to 5901 and the TLS port to 5902
- Click Finish, go back to the guest detail overview panel, and click the Apply button
- Modify the following in /etc/libvirt/qemu.conf:
-# spice_tls = 1 + spice_tls = 1 -# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" + spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
- Run the following script to generate the certificate files for SSL and copy the *.pem files into the /etc/pki/libvirt-spice directory:
    #!/bin/bash
    SERVER_KEY=server-key.pem
    # creating a key for our ca
    if [ ! -e ca-key.pem ]; then
        openssl genrsa -des3 -out ca-key.pem 1024
    fi
    # creating a ca
    if [ ! -e ca-cert.pem ]; then
        openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
    fi
    # create server key
    if [ ! -e $SERVER_KEY ]; then
        openssl genrsa -out $SERVER_KEY 1024
    fi
    # create a certificate signing request (csr)
    if [ ! -e server-key.csr ]; then
        openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
    fi
    # signing our server certificate with this ca
    if [ ! -e server-cert.pem ]; then
        openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    fi
    # now create a key that doesn't require a passphrase
    openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
    mv $SERVER_KEY $SERVER_KEY.secure
    mv $SERVER_KEY.insecure $SERVER_KEY
    # show the results (no other effect)
    openssl rsa -noout -text -in $SERVER_KEY
    openssl rsa -noout -text -in ca-key.pem
    openssl req -noout -text -in server-key.csr
    openssl x509 -noout -text -in server-cert.pem
    openssl x509 -noout -text -in ca-cert.pem
    # copy *.pem file to /etc/pki/libvirt-spice
    if [[ -d "/etc/pki/libvirt-spice" ]]
    then
        cp ./*.pem /etc/pki/libvirt-spice
    else
        mkdir /etc/pki/libvirt-spice
        cp ./*.pem /etc/pki/libvirt-spice
    fi
    # echo --host-subject
    echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
- Restart libvirtd to rescan the configuration:
    service libvirtd restart
- Start the guest:
    virsh start <guest>
- Access the guest with the following command line:
    spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my CA"
Expected Results
- Make sure you CAN access the SPICE interface via the private address 127.0.0.1 with the TLS port set
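The checks below are an added example, not part of the wiki page or of libvirt: run after the certificate script and before restarting libvirtd, they confirm the two qemu.conf edits, the files in the certificate directory, and (when openssl is installed) that server-cert.pem verifies against ca-cert.pem and belongs to server-key.pem. The function names are hypothetical, and the findings about ca-key.pem and the key file mode are hygiene checks added here, not requirements stated on the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-flight checks for the SPICE TLS
# setup above. File names and qemu.conf keys are the ones used on the page.

# Print the active (uncommented) value of key $1 in qemu.conf-style file $2.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Check the qemu.conf edits and the certificate directory contents.
# Prints one finding per line; returns 0 only when there are none.
spice_tls_preflight() {
    conf=$1; rc=0
    [ "$(conf_value spice_tls "$conf")" = "1" ] ||
        { echo "spice_tls is not set to 1 in $conf"; rc=1; }
    dir=$(conf_value spice_tls_x509_cert_dir "$conf")
    [ -n "$dir" ] ||
        { echo "spice_tls_x509_cert_dir is not set in $conf"; return 1; }
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f"; rc=1; }
    done
    # "cp ./*.pem" in the page's script also copies the CA private key.
    [ ! -e "$dir/ca-key.pem" ] ||
        { echo "CA private key present: $dir/ca-key.pem"; rc=1; }
    [ -z "$(find "$dir/server-key.pem" -perm -004 2>/dev/null)" ] ||
        { echo "world-readable: $dir/server-key.pem"; rc=1; }
    return $rc
}

# Needs openssl. Verify the chain and that key and certificate belong
# together, then print the server certificate subject in the comma-separated
# form of the page's --host-subject argument.
spice_cert_check() {
    dir=$1
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null ||
        { echo "server-cert.pem does not verify against ca-cert.pem"; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server-cert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server-key.pem" 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "server-key.pem does not match server-cert.pem"; return 1
    fi
    openssl x509 -noout -subject -nameopt sep_comma_plus \
        -in "$dir/server-cert.pem" | sed 's/^subject= *//'
}
```

On the page's layout the calls are `spice_tls_preflight /etc/libvirt/qemu.conf` followed by `spice_cert_check /etc/pki/libvirt-spice`; any error text from `openssl verify` (for example about key size) is left visible on stderr.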