[libvirt-users] virt-viewer via ssh to a remote host

Hi,

I have a virtualization host running KVM and libvirt 0.9.12 (on Debian unstable). I would like to connect with virt-viewer 0.5.4 from a different host to a domain that has Display Spice configured as graphics interface.

I can connect to the KVM host using virsh --connect=qemu+ssh://mh@fan.local/system and start my KVM domain from there, so I guess that authentication is just fine.

However, virt-viewer --connect=qemu+ssh://mh@fan.local/system <domain> does not work. The easy issue was that virt-viewer issues a "nc fan.local 5900" on the remote host, while the Display Spice agent listens on 127.0.0.1 only. I could fix that by checking the "listen on all IP addresses" box in the Display Spice configuration in virt-manager. After that, I could see the TCP connection to the Spice agent on the remote host succeed when tcpdumping on the KVM host's lo interface.

When I invoke virt-viewer when the domain is not running, it says "Waiting for the guest domain to start", and changes to "Connecting to graphic server" when I start the domain. When I invoke virt-viewer when the domain is already running, it immediately says "Connecting to graphic server", but the domain's console never shows up.

When I invoke virt-viewer --connect=qemu:///system <domain> directly on the KVM host, the console shows up alright. On the KVM host, virt-viewer --connect=qemu+ssh:///system <domain> gives the same behavior as the remote invocation, while virt-viewer --direct --connect=qemu+ssh:///system <domain> does. So I guess there is something wrong with the tunneling of the Spice session through ssh.

Am I doing something wrong? I would appreciate any hints.

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062

On 31.12.2012 19:25, Marc Haber wrote:
> Hi,
>
> I have a virtualization host running KVM and libvirt 0.9.12 (on Debian unstable). I would like to connect with virt-viewer 0.5.4 from a different host to a domain that has Display Spice configured as graphics interface.
>
> I can connect to the KVM host using virsh --connect=qemu+ssh://mh@fan.local/system and start my KVM domain from there, so I guess that authentication is just fine.
>
> However, virt-viewer --connect=qemu+ssh://mh@fan.local/system <domain> does not work. The easy issue was that virt-viewer issues a "nc fan.local 5900" on the remote host, while the Display Spice agent listens on 127.0.0.1 only. I could fix that by checking the "listen on all IP addresses" box in the Display Spice configuration in virt-manager. After that, I could see the TCP connection to the Spice agent on the remote host succeed when tcpdumping on the KVM host's lo interface.
>
> When I invoke virt-viewer when the domain is not running, it says "Waiting for the guest domain to start", and changes to "Connecting to graphic server" when I start the domain. When I invoke virt-viewer when the domain is already running, it immediately says "Connecting to graphic server", but the domain's console never shows up.
>
> When I invoke virt-viewer --connect=qemu:///system <domain> directly on the KVM host, the console shows up alright. On the KVM host, virt-viewer --connect=qemu+ssh:///system <domain> gives the same behavior as the remote invocation, while virt-viewer --direct --connect=qemu+ssh:///system <domain> does. So I guess there is something wrong with the tunneling of the Spice session through ssh.
>
> Am I doing something wrong? I would appreciate any hints.
>
> Greetings
> Marc

The Spice session isn't tunneled over libvirt's connection whereas libvirt's APIs are tunneled. virt-viewer finds the desired domain, then asks for the XML and cuts out the 'listen' attribute (/domain/devices/graphics/@listen). Same goes for 'port'. The obtained values are used to establish a new TCP connection to the Spice session.

If you want the connection to inherit usage of ssh from the libvirt connection, don't use '--direct' then. Or if you want to connect directly, without any tunnel magic, use '--direct'.

There were some attempts to tunnel Spice/VNC over the libvirt connection, but the patches aren't pushed yet:

https://www.redhat.com/archives/libvir-list/2012-December/msg00399.html

Michal
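
As an added example (not part of the original thread, and not virt-viewer's own code): a Python check that reads the same two values named above, /domain/devices/graphics/@listen and @port, from a domain's XML and flags displays that listen beyond loopback, which is the state the "listen on all IP addresses" setting produces. The sample XML, the function names and the tlsPort check are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, shaped like `virsh dumpxml` output for a domain whose
# Spice display was switched to "listen on all IP addresses".
SAMPLE_XML = """
<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='spice' port='5900' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <graphics type='vnc' port='5901' listen='127.0.0.1'/>
  </devices>
</domain>
"""

def is_loopback(addr):
    """True only for literal loopback addresses; hostnames count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def graphics_endpoints(domain_xml):
    """Return one dict per <graphics> device with its listen address and port."""
    root = ET.fromstring(domain_xml)
    found = []
    for g in root.findall("./devices/graphics"):
        listen = g.get("listen")
        if listen is None:  # some XML carries only the <listen> child element
            child = g.find("listen[@type='address']")
            listen = child.get("address") if child is not None else None
        found.append({
            "type": g.get("type"),
            "listen": listen,
            "port": int(g.get("port", "-1")),  # -1: port not allocated yet
            "tls_port": g.get("tlsPort"),
            "exposed": listen is not None and not is_loopback(listen),
        })
    return found

def exposed_without_tls(domain_xml):
    """Endpoints reachable beyond loopback that offer no TLS port."""
    return [e for e in graphics_endpoints(domain_xml)
            if e["exposed"] and e["tls_port"] is None]

if __name__ == "__main__":
    for endpoint in graphics_endpoints(SAMPLE_XML):
        print(endpoint)
```
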

On Wed, Jan 02, 2013 at 11:06:34AM +0100, Michal Privoznik wrote:
> The Spice session isn't tunneled over libvirt's connection whereas libvirt's APIs are tunneled. virt-viewer finds the desired domain, then asks for XML and cut 'listen' attribute (/domain/devices/graphics/@listen). Same goes for 'port'. Obtained values are used to establish a new TCP connection to Spice session.

But that TCP connection is obviously tunnelled over ssh. On the host executing virt-viewer, virt-viewer spawns two ssh processes:

    bash,29341
      `-virt-viewer,29462 --connect=qemu+ssh://mh@fan.zugschlus.de/system <domain>
          |-ssh,29463 -l mh fan.zugschlus.de sh -c 'if 'nc' -q 2>&1 | grep "requires an argument" >/dev/null 2>&1; then ARG=-q0;else ARG=;fi;'nc' $ARG -U /var/run/libvirt/libvirt-sock-ro'
          `-ssh,29465 -l mh fan.zugschlus.de nc fan.zugschlus.de 5900

The first is obviously the connection to libvirt, the second is the session carrying SPICE. Aside from the ssh connections, tcpdump does not show any communication between the host running virt-viewer and the host running the VM.

On the host running the VM, two ssh receiving processes can be seen:

    |-sshd,12739
    |   `-sshd,12744
    |       `-sh,12745 -c...
    |           `-nc,12748 -q0 -U /var/run/libvirt/libvirt-sock-ro
    `-sshd,12749
        `-sshd,12751
            `-nc,12752 fan.zugschlus.de 5900

> If you want the connection to inherit usage of ssh from libvirt connection, don't use '--direct' then.

That doesn't work without tweaking, see my original e-mail. This is my original problem.

> Or if you want to connect directly, without any tunnel magic, use '--direct'.

I don't, since I want authentication and encryption. I would like virt-viewer --connect=qemu+ssh://mh@fan.zugschlus.de/system <domain> to work as advertised without tweaks.

I think I'm getting something wrong here. What am I doing wrong?

Greetings
Marc