
Re: [Xen-users] stubdom fails with tls enabled



On 24/11/09 18:02, Dan Hickox wrote:
John,
Thanks for the response. I did see that much :) Correct me if I'm wrong; but, it appears that xm create pulls the configuration and formats it (among other things) and passes the configuration to qemu-dm or in this case stubdom-dm. It also seems that qemu-dm expects 'tls' as an argument and not 'tls=whatever'. The 'tls' argument was being auto generated in '/etc/xen/stubdom' (I think by the updated stubdom-dm script) and not something I had manually appended to the configuration of the VM; and occurs when (vnc-tls 1) is uncommented.

I was able to patch image.py and create.py to pass the information to stubdom-dm. Which leaves me with:

INFO (image:394) spawning device models: /usr/lib64/xen/bin/stubdom-dm ['/usr/lib64/xen/bin/stubdom-dm', '-d', '23', '-domain-name', 'windowsxp', '-videoram', '4', '-vnc', '127.0.0.1:1,tls,x509=/etc/xen/vnc', '-vcpus', '1', '-boot', 'd', '-acpi', '-usbdevice', 'tablet', '-net', 'nic,vlan=1,macaddr=00:16:3e:0a:12:15,model=rtl8139', '-net', 'tap,vlan=1,ifname=tap23.0,bridge=xenbr0', '-M', 'xenfv']

That looks OK.

But, after all this it still appears that tls is either not enabled or there is some incompatibility between client/server. You wouldn't happen to know a compatible client? I did double check that vnc tls was enabled during build...

Check the qemu log files; also check the qemu-dm documentation, which describes the setup in some detail.

There are two clients that I know work: VenCrypt (http://sourceforge.net/projects/vencrypt/) and gtk-vnc (http://live.gnome.org/gtk-vnc). The example python script in gtk-vnc works as does vinagre (http://projects.gnome.org/vinagre/) which uses gtk-vnc.

You'll need to be careful with your certificates: if you stick to using the fqdn of the various machines involved _everywhere_ then you'll avoid most of the pitfalls.

You can also use wireshark to check on the progress of the TLS negotiation (to a certain extent) but I know when I was doing this I resorted to stepping through the gtk-vnc code with a debugger to find out where I was going wrong.

Well... Seems that there is more work to do...

Any suggestions would be appreciated.



I should have something publicly visible before too long -- I'll let you know when it's published.

jch
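
Added example (not part of the original message, nor code from Xen, QEMU or gtk-vnc): a small decoder for the server-to-client bytes of the RFB handshake, as copied out of a Wireshark capture, that reports whether the server offers VeNCrypt and which x509/TLS subtypes. The function names and sample byte strings are constructed for illustration; it assumes an RFB 3.7/3.8 server and a client that selected VeNCrypt.

```python
import struct

# Security types and VeNCrypt subtypes, numbered as in the RFB and VeNCrypt specs.
SEC_TYPES = {1: "None", 2: "VncAuth", 18: "TLS", 19: "VeNCrypt"}
VENCRYPT_SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
                     260: "X509None", 261: "X509Vnc", 262: "X509Plain"}

def parse_server_handshake(data: bytes) -> dict:
    """Decode the server-to-client half of an RFB 3.7/3.8 handshake."""
    if len(data) < 13 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion banner")
    version = data[4:11].decode("ascii")
    if version not in ("003.007", "003.008"):
        raise ValueError("unsupported RFB version " + version)
    count = data[12]
    if count == 0:
        raise ValueError("server refused the connection (zero security types)")
    types = data[13:13 + count]
    if len(types) < count:
        raise ValueError("truncated security-type list")
    info = {"version": version, "subtypes": [],
            "types": [SEC_TYPES.get(t, "unknown(%d)" % t) for t in types]}
    rest = data[13 + count:]
    # After the client picks VeNCrypt (19) the server sends: its VeNCrypt
    # version (2 bytes), a version ack (1 byte, 0 = accepted), a subtype
    # count (1 byte) and that many big-endian 32-bit subtype codes.
    if 19 in types and len(rest) >= 4:
        major, minor, ack, nsub = rest[:4]
        if ack != 0:
            raise ValueError("server rejected the client's VeNCrypt version")
        if len(rest) < 4 + 4 * nsub:
            raise ValueError("truncated VeNCrypt subtype list")
        subs = struct.unpack(">%dI" % nsub, rest[4:4 + 4 * nsub])
        info["vencrypt_version"] = "%d.%d" % (major, minor)
        info["subtypes"] = [VENCRYPT_SUBTYPES.get(s, "unknown(%d)" % s) for s in subs]
    return info

def x509_offered(info: dict) -> bool:
    """True if the server offered at least one certificate-based subtype."""
    return any(s.startswith("X509") for s in info["subtypes"])

# Constructed sample streams (not taken from a real capture).
SAMPLE_TLS = b"RFB 003.008\n" + bytes([1, 19]) + bytes([0, 2, 0, 1]) + struct.pack(">I", 260)
SAMPLE_PLAIN = b"RFB 003.008\n" + bytes([1, 1])

if __name__ == "__main__":
    for name, stream in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        info = parse_server_handshake(stream)
        print(name, info["types"], info["subtypes"], "x509:", x509_offered(info))
```

If the security-type list shows only None or VncAuth, the device model was started without TLS; if X509 subtypes appear and the session still fails, the problem is in the TLS handshake that follows (certificates, names).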