
(Created page with '{{QA/Test_Case |description= |setup=Make sure you have a guest , which could be started successfully |actions= # force off the running guest # go the guest detail pannel , remove...')
 
m (fixed double-quotes that had been copied in as 2 single-quotes each)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
{{QA/Test_Case
{{QA/Test_Case
|description=
|description=
|setup=Make sure you have a guest , which could be started successfully
|setup=Make sure you have a guest, which could be started successfully
|actions=
|actions=
# force off the running guest
<ol>
# go the guest detail pannel , remove the ''Display VNC '' device
<li> force off the running guest
# click the ''Add Hardware'' button at the left bottom
<li> go the guest detail pannel, remove the "Display VNC" device
# Add ''Graphics'' -> Type ''SPICE server ''
<li> click the "Add Hardware" button at the left bottom
# Check OFF the ''Automatically allocation''
<li> Add "Graphics" -> Type "SPICE server"
Specify the Port to 5901 TLS port to 5902
<li> Check OFF the "Automatically allocation"
# Click Finish , and back to guest detail overview pannel , click Apply button
<li> Specify the Port to 5901 TLS port to 5902
# modify the followings in /etc/libvirt/qemu.conf
<li> Click Finish , and back to guest detail overview panel, click Apply button
#: <pre>
<li> modify the followings in /etc/libvirt/qemu.conf
#: -# spice_tls = 1
<pre>
#: + spice_tls = 1
-# spice_tls = 1
#:
+ spice_tls = 1
#: -# spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
 
#: + spice_tls_x509_cert_dir = ''/etc/pki/libvirt-spice''
-# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
#: </pre>
+ spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
# perform the following script, to generate the cert files for ssl , and then copy *.pem file info /etc/pkil/libvirt-spice directory
</pre>
#: <pre>
<li> perform the following script, to generate the cert files for ssl , and then copy *.pem file info {{filename|/etc/pkil/libvirt-spice}} directory
#: #!/bin/bash
<pre>
#:
#!/bin/bash
#: SERVER_KEY=server-key.pem
 
#:
SERVER_KEY=server-key.pem
#: # creating a key for our ca
 
#: if [ ! -e ca-key.pem ]; then
# creating a key for our ca
#:    openssl genrsa -des3 -out ca-key.pem 1024
if [ ! -e ca-key.pem ]; then
#: fi
openssl genrsa -des3 -out ca-key.pem 1024
#: # creating a ca
fi
#: if [ ! -e ca-cert.pem ]; then
# creating a ca
#:    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem  -subj ''/C=IL/L=Raanana/O=Red Hat/CN=my CA''
if [ ! -e ca-cert.pem ]; then
#: fi
openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem  -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
#: # create server key
fi
#: if [ ! -e $SERVER_KEY ]; then
# create server key
#:    openssl genrsa -out $SERVER_KEY 1024
if [ ! -e $SERVER_KEY ]; then
#: fi
openssl genrsa -out $SERVER_KEY 1024
#: # create a certificate signing request (csr)
fi
#: if [ ! -e server-key.csr ]; then
# create a certificate signing request (csr)
#:    openssl req -new -key $SERVER_KEY -out server-key.csr -subj ''/C=IL/L=Raanana/O=Red Hat/CN=my server''
if [ ! -e server-key.csr ]; then
#: fi
openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
#: # signing our server certificate with this ca
fi
#: if [ ! -e server-cert.pem ]; then
# signing our server certificate with this ca
#:    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
if [ ! -e server-cert.pem ]; then
#: fi
openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
#:
fi
#: # now create a key that doesn't require a passphrase
 
#: openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
# now create a key that doesn't require a passphrase
#: mv $SERVER_KEY $SERVER_KEY.secure
openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
#: mv $SERVER_KEY.insecure $SERVER_KEY
mv $SERVER_KEY $SERVER_KEY.secure
#:
mv $SERVER_KEY.insecure $SERVER_KEY
#: # show the results (no other effect)
 
#: openssl rsa -noout -text -in $SERVER_KEY
# show the results (no other effect)
#: openssl rsa -noout -text -in ca-key.pem
openssl rsa -noout -text -in $SERVER_KEY
#: openssl req -noout -text -in server-key.csr
openssl rsa -noout -text -in ca-key.pem
#: openssl x509 -noout -text -in server-cert.pem
openssl req -noout -text -in server-key.csr
#: openssl x509 -noout -text -in ca-cert.pem
openssl x509 -noout -text -in server-cert.pem
#:
openssl x509 -noout -text -in ca-cert.pem
#: # copy *.pem file to /etc/pki/libvirt-spice
 
#: if [[ -d ''/etc/pki/libvirt-spice'' ]]  
# copy *.pem file to /etc/pki/libvirt-spice
#: then
if [[ -d "/etc/pki/libvirt-spice" ]]  
#:    cp ./*.pem /etc/pki/libvirt-spice
then
#: else
cp ./*.pem /etc/pki/libvirt-spice
#:    mkdir /etc/pki/libvirt-spice
else
#:        cp ./*.pem /etc/pki/libvirt-spice
mkdir /etc/pki/libvirt-spice
#: fi
    cp ./*.pem /etc/pki/libvirt-spice
#:
fi
#: # echo --host-subject
 
#: echo ''your --host-subject is'' \'' `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d '' ''` \''
# echo --host-subject
#: </pre>
echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
# restart libvirtd to rescan the configuration
</pre>
#: <pre>
<li> restart libvirtd to rescan the configuration: {{command|service libvirtd restart}}
#:    # service libvirtd restart
<li> Start the guest: {{command|virsh start <guest>}}
#: </pre>
<li> Access the guest via following command line
# Start the guest
<pre>spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my CA"</pre>
#: <pre>
</ol>
#:    # virsh start guest
#: </pre>
# Access the guest via following command line
#: <pre>
#:  # spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject ''C=IL,L=Raanana,O=Red Hat,CN=my CA''
#: </pre>
|results=
|results=
# Make sure you CAN access the spice interface via private 127.0.0.1 with TLS port set  
# Make sure you CAN access the spice interface via private 127.0.0.1 with TLS port set  

Latest revision as of 19:00, 28 September 2011

Description

Setup

Make sure you have a guest, which could be started successfully

How to test

  1. force off the running guest
  2. go to the guest detail panel, remove the "Display VNC" device
  3. click the "Add Hardware" button at the left bottom
  4. Add "Graphics" -> Type "SPICE server"
  5. Check OFF the "Automatically allocation"
  6. Set the Port to 5901 and the TLS port to 5902
  7. Click Finish, go back to the guest detail overview panel, and click the Apply button
  8. make the following changes in /etc/libvirt/qemu.conf
    -# spice_tls = 1
    + spice_tls = 1
    
    -# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
    + spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
    
  9. run the following script to generate the cert files for ssl and copy the *.pem files into the /etc/pki/libvirt-spice directory
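    #!/bin/bash
    # Generate a throw-away CA and a CA-signed server certificate for the SPICE
    # TLS test case, then install the files into the SPICE x509 directory that
    # qemu.conf points at. Existing files in the working directory are reused.
    # The CA key is passphrase-protected, so openssl prompts interactively.
    set -euo pipefail
    
    SERVER_KEY=server-key.pem
    SPICE_PKI_DIR=/etc/pki/libvirt-spice
    # 1024-bit RSA is below current minimum recommendations and may be refused
    # by newer TLS stacks; 2048 is the default, override via the environment.
    KEY_BITS=${KEY_BITS:-2048}
    
    # creating a key for our ca (encrypted at rest with a passphrase)
    if [ ! -e ca-key.pem ]; then
      openssl genrsa -aes256 -out ca-key.pem "$KEY_BITS"
    fi
    # creating a ca (self-signed, valid for 1095 days)
    if [ ! -e ca-cert.pem ]; then
      openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
    fi
    # create server key (unencrypted: no cipher option is given)
    if [ ! -e "$SERVER_KEY" ]; then
      openssl genrsa -out "$SERVER_KEY" "$KEY_BITS"
    fi
    # create a certificate signing request (csr)
    if [ ! -e server-key.csr ]; then
      openssl req -new -key "$SERVER_KEY" -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
    fi
    # signing our server certificate with this ca
    if [ ! -e server-cert.pem ]; then
      openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    fi
    
    # now create a key that doesn't require a passphrase.
    # A key generated above is already unencrypted, so this only matters when a
    # passphrase-protected server-key.pem was present before the run; the
    # previous file is kept as server-key.pem.secure.
    openssl rsa -in "$SERVER_KEY" -out "$SERVER_KEY.insecure"
    mv -- "$SERVER_KEY" "$SERVER_KEY.secure"
    mv -- "$SERVER_KEY.insecure" "$SERVER_KEY"
    
    # show the results (no other effect).
    # Private keys are only consistency-checked: dumping them with -text would
    # put key material on the terminal and into any captured test log.
    openssl rsa -noout -check -in "$SERVER_KEY"
    openssl rsa -noout -check -in ca-key.pem
    openssl req -noout -text -in server-key.csr
    openssl x509 -noout -text -in server-cert.pem
    openssl x509 -noout -text -in ca-cert.pem
    
    # copy the files the SPICE server reads to /etc/pki/libvirt-spice.
    # Only ca-cert.pem, server-cert.pem and server-key.pem are needed there; the
    # CA private key stays in the working directory instead of being copied into
    # a system directory.
    # NOTE(review): the copied server key gets default-umask permissions;
    # restrict it to the account QEMU runs as on your host.
    mkdir -p -- "$SPICE_PKI_DIR"
    cp -- ca-cert.pem server-cert.pem "$SERVER_KEY" "$SPICE_PKI_DIR"/
    
    # echo --host-subject (taken from the server certificate's Subject line;
    # the cut offset depends on the layout of openssl's text output)
    echo "your --host-subject is" \" "$(openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " ")" \"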
     
  10. restart libvirtd to rescan the configuration: service libvirtd restart
  11. Start the guest: virsh start <guest>
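  12. Access the guest via the following command line. The --host-subject value must match the subject of server-cert.pem; the script prints it as its last line, so use that value if it differs from the one shown here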
    spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my CA"

Expected Results

  1. Make sure you CAN access the spice interface via private 127.0.0.1 with TLS port set