
(Created page with '{{QA/Test_Case |description= |setup=Make sure you have a guest , which could be started successfully |actions= # force off the running guest # go the guest detail pannel , remove...')
 
(Corrected ordering)
Line 3: Line 3:
|setup=Make sure you have a guest , which could be started successfully
|setup=Make sure you have a guest , which could be started successfully
|actions=
|actions=
# force off the running guest
<ol>
# go the guest detail pannel , remove the ''Display VNC '' device
<li> force off the running guest
# click the ''Add Hardware'' button at the left bottom
<li> go the guest detail pannel , remove the ''Display VNC '' device
# Add ''Graphics'' -> Type ''SPICE server ''
<li> click the ''Add Hardware'' button at the left bottom
# Check OFF the ''Automatically allocation''
<li> Add ''Graphics'' -> Type ''SPICE server ''
Specify the Port to 5901 TLS port to 5902
<li> Check OFF the ''Automatically allocation''
# Click Finish , and back to guest detail overview pannel , click Apply button
<li> Specify the Port to 5901 TLS port to 5902
# modify the followings in /etc/libvirt/qemu.conf
<li> Click Finish , and back to guest detail overview pannel , click Apply button
#: <pre>
<li> modify the followings in /etc/libvirt/qemu.conf
#: -# spice_tls = 1
<pre>
#: + spice_tls = 1
-# spice_tls = 1
#:
+ spice_tls = 1
#: -# spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
 
#: + spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
-# spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
#: </pre>
+ spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
# perform the following script, to generate the cert files for ssl , and then copy *.pem file info /etc/pkil/libvirt-spice directory
</pre>
#: <pre>
<li> perform the following script, to generate the cert files for ssl , and then copy *.pem file info {{filename|/etc/pkil/libvirt-spice}} directory
#: #!/bin/bash
<pre>
#:
#!/bin/bash
#: SERVER_KEY=server-key.pem
 
#:
SERVER_KEY=server-key.pem
#: # creating a key for our ca
 
#: if [ ! -e ca-key.pem ]; then
# creating a key for our ca
#:    openssl genrsa -des3 -out ca-key.pem 1024
if [ ! -e ca-key.pem ]; then
#: fi
openssl genrsa -des3 -out ca-key.pem 1024
#: # creating a ca
fi
#: if [ ! -e ca-cert.pem ]; then
# creating a ca
#:    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem  -subj ''/C=IL/L=Raanana/O=Red Hat/CN=my CA''
if [ ! -e ca-cert.pem ]; then
#: fi
openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem  -subj ''/C=IL/L=Raanana/O=Red Hat/CN=my CA''
#: # create server key
fi
#: if [ ! -e $SERVER_KEY ]; then
# create server key
#:    openssl genrsa -out $SERVER_KEY 1024
if [ ! -e $SERVER_KEY ]; then
#: fi
openssl genrsa -out $SERVER_KEY 1024
#: # create a certificate signing request (csr)
fi
#: if [ ! -e server-key.csr ]; then
# create a certificate signing request (csr)
#:    openssl req -new -key $SERVER_KEY -out server-key.csr -subj ''/C=IL/L=Raanana/O=Red Hat/CN=my server''
if [ ! -e server-key.csr ]; then
#: fi
openssl req -new -key $SERVER_KEY -out server-key.csr -subj ''/C=IL/L=Raanana/O=Red Hat/CN=my server''
#: # signing our server certificate with this ca
fi
#: if [ ! -e server-cert.pem ]; then
# signing our server certificate with this ca
#:    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
if [ ! -e server-cert.pem ]; then
#: fi
openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
#:
fi
#: # now create a key that doesn't require a passphrase
 
#: openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
# now create a key that doesn't require a passphrase
#: mv $SERVER_KEY $SERVER_KEY.secure
openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
#: mv $SERVER_KEY.insecure $SERVER_KEY
mv $SERVER_KEY $SERVER_KEY.secure
#:
mv $SERVER_KEY.insecure $SERVER_KEY
#: # show the results (no other effect)
 
#: openssl rsa -noout -text -in $SERVER_KEY
# show the results (no other effect)
#: openssl rsa -noout -text -in ca-key.pem
openssl rsa -noout -text -in $SERVER_KEY
#: openssl req -noout -text -in server-key.csr
openssl rsa -noout -text -in ca-key.pem
#: openssl x509 -noout -text -in server-cert.pem
openssl req -noout -text -in server-key.csr
#: openssl x509 -noout -text -in ca-cert.pem
openssl x509 -noout -text -in server-cert.pem
#:
openssl x509 -noout -text -in ca-cert.pem
#: # copy *.pem file to /etc/pki/libvirt-spice
 
#: if [[ -d ''/etc/pki/libvirt-spice'' ]]  
# copy *.pem file to /etc/pki/libvirt-spice
#: then
if [[ -d ''/etc/pki/libvirt-spice'' ]]  
#:    cp ./*.pem /etc/pki/libvirt-spice
then
#: else
cp ./*.pem /etc/pki/libvirt-spice
#:    mkdir /etc/pki/libvirt-spice
else
#:        cp ./*.pem /etc/pki/libvirt-spice
mkdir /etc/pki/libvirt-spice
#: fi
    cp ./*.pem /etc/pki/libvirt-spice
#:
fi
#: # echo --host-subject
 
#: echo ''your --host-subject is'' \'' `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d '' ''` \''
# echo --host-subject
#: </pre>
echo ''your --host-subject is'' \'' `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d '' ''` \''
# restart libvirtd to rescan the configuration
</pre>
#: <pre>
<li> restart libvirtd to rescan the configuration: {{command|service libvirtd restart}}
#:    # service libvirtd restart
<li> Start the guest: {{command|virsh start <guest>}}
#: </pre>
<li> Access the guest via following command line
# Start the guest
<pre>spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject ''C=IL,L=Raanana,O=Red Hat,CN=my CA''</pre>
#: <pre>
</ol>
#:    # virsh start guest
#: </pre>
# Access the guest via following command line
#: <pre>
#:  # spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject ''C=IL,L=Raanana,O=Red Hat,CN=my CA''
#: </pre>
|results=
|results=
# Make sure you CAN access the spice interface via private 127.0.0.1 with TLS port set  
# Make sure you CAN access the spice interface via private 127.0.0.1 with TLS port set  

Revision as of 18:57, 14 April 2011

Description

Setup

Make sure you have a guest that can be started successfully

How to test

  1. force off the running guest
  2. go to the guest detail panel and remove the Display VNC device
  3. click the Add Hardware button at the bottom left
  4. Add Graphics -> Type SPICE server
  5. Turn OFF automatic port allocation
  6. Set the Port to 5901 and the TLS port to 5902
  7. Click Finish, go back to the guest detail overview panel, and click the Apply button
  8. modify the following settings in /etc/libvirt/qemu.conf
    -# spice_tls = 1
    + spice_tls = 1
    
    -# spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
    + spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
    
  9. run the following script to generate the cert files for SSL and copy the generated .pem files into the /etc/pki/libvirt-spice directory
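    #!/bin/bash
    #
    # Create a private test CA and a SPICE server certificate signed by it, then
    # install the files into the directory named by spice_tls_x509_cert_dir.
    # Files that already exist in the current directory are reused, not rebuilt.
    #
    # Run as a user that may write to /etc/pki/libvirt-spice. The CA key step
    # prompts for a passphrase (-des3).
    set -eu

    SERVER_KEY=server-key.pem
    CERT_DIR=/etc/pki/libvirt-spice
    # 1024-bit RSA is below current minimum key sizes; use 2048 bits.
    KEY_BITS=2048

    # creating a key for our ca (passphrase-protected)
    if [ ! -e ca-key.pem ]; then
      openssl genrsa -des3 -out ca-key.pem "$KEY_BITS"
    fi

    # creating a ca
    # The subject must be quoted: it contains spaces ("Red Hat", "my CA").
    if [ ! -e ca-cert.pem ]; then
      openssl req -new -x509 -sha256 -days 1095 -key ca-key.pem \
        -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
    fi

    # create server key
    if [ ! -e "$SERVER_KEY" ]; then
      openssl genrsa -out "$SERVER_KEY" "$KEY_BITS"
    fi

    # create a certificate signing request (csr)
    if [ ! -e server-key.csr ]; then
      openssl req -new -key "$SERVER_KEY" -out server-key.csr \
        -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
    fi

    # signing our server certificate with this ca
    if [ ! -e server-cert.pem ]; then
      openssl x509 -req -sha256 -days 1095 -in server-key.csr \
        -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    fi

    # now create a key that doesn't require a passphrase
    # The key generated above is already unencrypted, so this only changes
    # anything when an existing passphrase-protected server-key.pem was reused.
    # The previous file is kept next to it as $SERVER_KEY.secure.
    openssl rsa -in "$SERVER_KEY" -out "$SERVER_KEY.insecure"
    mv -- "$SERVER_KEY" "$SERVER_KEY.secure"
    mv -- "$SERVER_KEY.insecure" "$SERVER_KEY"

    # show the results (no other effect)
    # The two "rsa -text" calls print private key material to the terminal;
    # do not capture this output in shared logs.
    openssl rsa -noout -text -in "$SERVER_KEY"
    openssl rsa -noout -text -in ca-key.pem
    openssl req -noout -text -in server-key.csr
    openssl x509 -noout -text -in server-cert.pem
    openssl x509 -noout -text -in ca-cert.pem

    # copy the server-side files to /etc/pki/libvirt-spice
    # Only the CA certificate, server certificate and server key are installed.
    # ca-key.pem (the CA private key) is deliberately left out: the server does
    # not need it, and anyone holding it can issue certificates this CA vouches for.
    mkdir -p -- "$CERT_DIR"
    cp -- ca-cert.pem server-cert.pem "$SERVER_KEY" "$CERT_DIR"/
    # NOTE(review): the QEMU process has to be able to read the copied
    # server-key.pem, and nobody else should; confirm ownership and mode.

    # echo --host-subject
    # Field 10 onwards of the "Subject:" line is the text after the label, given
    # the indentation "openssl x509 -text" uses for that line.
    subject=$(openssl x509 -noout -text -in server-cert.pem \
      | grep Subject: | cut -f 10- -d " ")
    printf 'your --host-subject is " %s "\n' "$subject"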
     
  10. restart libvirtd to rescan the configuration: service libvirtd restart
  11. Start the guest: virsh start <guest>
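  12. Access the guest with the following command line. The --host-subject value should be the subject of server-cert.pem, which the script in step 9 prints; the example below shows CN=my CA, so check it against that output.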
    spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject ''C=IL,L=Raanana,O=Red Hat,CN=my CA''

Expected Results

  1. Make sure you CAN access the spice interface via private 127.0.0.1 with TLS port set