On Sat, 2022-11-12 at 23:17 -0500, Ranbir wrote:
Yes, I tried that, but it errors when starting the KVM. I have to
remove the password before it'll start.
I'm not 100% sure which change fixed my problems with using SPICE on
Fedora 36, but one or a combo of them fixed it. Even better is that
everything else is working, too. I can:
- use the SPICE display without being prompted in virt-manager to
enter a password
- tcp and tls connections to the host are both working with
virt-manager, virt-viewer and virsh
- GSSAPI is working with virtproxyd
- polkit is used for local connections and qemu+ssh URI in
virt-manager, virt-viewer and virsh, but only if I add my IPA user
to the local "libvirt" group
- managing the KVM from cockpit is working again
- Remote Viewer link from cockpit _finally_ works (it never has before)
I ended up removing most of my changes to the virtqemud.conf and
virtproxyd.conf files and went with the defaults. Where I did make
changes was to change from polkit to SASL based authentication in
virtproxyd.conf and the removal of client side verification: I don't
need the client side verify to be enabled since I'm using GSSAPI. I
also added a couple of IPA users to the allowed users list in both
files.
I've rebooted the host a few times, restarted the KVM, and cleared my
Kerberos cache to see if it would break, but all of it stayed working.
I think the move to the modular libvirt and my first time setup of TLS
usage with libvirt has been a success.
I wish I knew why the SPICE display wasn't working yesterday. I also
don't know why TLS and TCP connections were giving me GSSAPI errors
yesterday and today, stopped. I successfully connected with both after
I added my IPA user to the local libvirt group. But, I also tried again
without being in the libvirt group and that also worked. That's
annoying since it's not clear what was wrong.
If SPICE development slows or worse stops, I'm guessing the other
distros will drop it, too.
I guess I can't point fingers at IBM since SPICE _is_ still working in
F36. I'm hoping it stays that way. Also, dropping it in RHEL just
doesn't make a whole lot of sense. I'm still concerned about RH not
working on the development of SPICE in the future and I don't know how
many people outside of RH are involved with the project.
Anyway, at least for the meantime the F36 desktop running the KVM is
working smoothly. I don't know what I'll do with my home "production"
kvm host since it's on AlmaLinux 8. When I migrate it to AlmaLinux 9
(and move to modular libvirt), I'm going to lose the SPICE support. :/
Thanks for the help! :)
--
Ranbir
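
The virtproxyd.conf setup described in the message above (SASL authentication, client certificate verification turned off, an allowed-users list) is only safe when those settings agree with each other. The check below is an added example, not part of the original message: the key names are libvirt's, mapping "client side verification" to `tls_no_verify_certificate` is an assumption, and the sample file contents and principals are constructed.

```python
import ast
import re

# Values libvirt uses when a key is absent or commented out in the stock file.
DEFAULTS = {"auth_tls": "none", "auth_tcp": "sasl", "tls_no_verify_certificate": 0}

def parse_conf(text):
    """Parse 'key = value' lines; values are quoted strings, ints or one-line lists."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$', line)
        if not m:
            continue  # blank line or '#' comment
        try:
            conf[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            conf[m.group(1)] = m.group(2)  # keep unparsed text for inspection
    return conf

def audit(conf):
    """Return findings for combinations that leave remote sockets open."""
    findings = []
    sasl_tls = conf["auth_tls"] == "sasl"
    if conf["tls_no_verify_certificate"] and not sasl_tls:
        findings.append("tls: client certificates are not verified and auth_tls "
                        "is not sasl, so TLS clients are unauthenticated")
    if conf["auth_tcp"] != "sasl":
        findings.append("tcp: auth_tcp is not sasl, so TCP clients are unauthenticated")
    uses_sasl = sasl_tls or conf["auth_tcp"] == "sasl"
    if uses_sasl and not conf.get("sasl_allowed_username_list"):
        findings.append("sasl: no sasl_allowed_username_list, so every principal "
                        "that SASL authenticates may connect")
    return findings

# Constructed sample: the combination the message describes.
CONSISTENT = '''
auth_tls = "sasl"
auth_tcp = "sasl"
tls_no_verify_certificate = 1
sasl_allowed_username_list = ["alice@EXAMPLE.TEST", "bob@EXAMPLE.TEST"]
'''
# Constructed sample: verification removed, but auth_tls left at its default.
INCONSISTENT = '''
#auth_tls = "sasl"
tls_no_verify_certificate = 1
'''

if __name__ == "__main__":
    for name, text in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, audit(parse_conf(text)) or "ok")
```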