Hi there,
I followed instructions on:
http://wiki.libvirt.org/page/TLSSetup
To set up TLS connections to a qemu+kvm host, for remote administration. I guess I did everything right, because
sudo virsh -c qemu+tls://myhost/system
Works fine. So far every command I tried is ok. Giving the same URL to virt-manager also works.
But I cannot open any guest console, be it from virt-manager or from virt-viewer.
If I try:
sudo virt-viewer -c qemu+tls://myhost/system 1
I get an error pop-up telling "Unable to connect to graphics server myhost:5900"
And from virt-manager, the guest console shows "Connecting to graphical console for guest" and nothing happens. No error message, not even timeout. :-( But I can inspect and even change the guest details.
On the guest details, it shows "Display Spice" at address 127.0.0.1 and port 5900 with auto TLS port, and no password. Should I change those settings to get remote access to a guest console? If so, how, as I cannot find info at either libvirt.org or virt-manager.org.
If I use a qemu+ssh URL it works for virsh and virt-manager, including guest consoles, but using virt-viewer won't work even using ssh. So I suppose something is missing, but I have no idea what.
The end goal is being able to use both virsh and virt-viewer under Windows, and their README states that ssh connections won't work yet.
[]s, Fernando Lozano
On 05/03/2013 08:34 AM, Fernando Lozano issued this missive:
> Hi there,
> I followed instructions on:
> http://wiki.libvirt.org/page/TLSSetup
> To set up TLS connections to a qemu+kvm host, for remote administration. I guess I did everything right, because
> sudo virsh -c qemu+tls://myhost/system
> Works fine. So far every command I tried is ok. Giving the same URL to virt-manager also works.
> But I cannot open any guest console, be it from virt-manager or from virt-viewer.
> If I try:
> sudo virt-viewer -c qemu+tls://myhost/system 1
> I get an error pop-up telling "Unable to connect to graphics server myhost:5900"
Use the virsh command to get to one of the machines and then do a
netstat -lpnt
and verify you have something listening on port 5900. If you don't, then the virt console won't work (probably that the vnc server didn't start on the guest machine).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- I'm telling you that the kernel is stable not because it's a       -
- kernel, but because I refuse to listen to arguments like this.     -
-                                      -- Linus Torvalds             -
----------------------------------------------------------------------
> > Hi there,
> > I followed instructions on: http://wiki.libvirt.org/page/TLSSetup
> > To set up TLS connections to a qemu+kvm host, for remote administration. I guess I did everything right, because
> > sudo virsh -c qemu+tls://myhost/system
> > But I cannot open any guest console, be it from virt-manager or from virt-viewer.
> > sudo virt-viewer -c qemu+tls://myhost/system 1
> > I get an error pop-up telling "Unable to connect to graphics server myhost:5900"
> Use the virsh command to get to one of the machines and then do a
> netstat -lpnt
> and verify you have something listening on port 5900. If you don't, then the virt console won't work (probably that the vnc server didn't start on the guest machine).
All qemu-kvm processes were listening on ports 590x, but on loopback only. Now it makes sense: virsh / virt-manager connect to libvirtd, but virt-viewer connects to qemu-kvm. That's why one can work while the other can't.
I found there's "another" virt-manager web site. Followed the instructions on
http://virt-manager.et.redhat.com/page/RemoteTLS
And now I can get remote console access from either virt-viewer or virt-manager.
But also got another serious problem: now each active VM listens on two ports (For example, 5900 and 5902 for guest 1). One accepts plain text vnc or spice connections. The other accepts TLS connections, as seen on virt-manager guest details. My wish is to enable only TLS connections. Can't do that using iptables rules because port assignment is dynamic.
Worse yet, I found using netstat that virt-viewer and virt-manager connect to the non-secure port. :-(
I found no way of connecting using remote-viewer to the TLS port, only to the non-secure port. So I don't really know if my vnc/spice TLS setup is working.
On the Windows side, I got virsh working with TLS. But not virt-viewer. The Windows port of virt-viewer seems unable to recognize "qemu+tls" URLs, as I did on Linux. :-( And as I don't know how to make TLS connections using remote-viewer, I haven't got secure guest console access from Windows clients.
[]s, Fernando Lozano
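
The `netstat -lpnt` check discussed in this thread can be scripted to show which qemu graphics listeners are bound to loopback only and which guests expose more than one port off-loopback (the plaintext plus TLS pair described in the last message). This is an added example, not code from any poster in the thread; the function names are hypothetical, the sample lines are constructed, and it assumes the usual `netstat -lpnt` column layout.

```shell
#!/bin/sh
# Constructed sample of `netstat -lpnt` output (not captured from the thread's host).
sample_netstat() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      2101/qemu-kvm
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      2177/qemu-kvm
tcp        0      0 0.0.0.0:5902            0.0.0.0:*               LISTEN      2177/qemu-kvm
tcp        0      0 0.0.0.0:16514           0.0.0.0:*               LISTEN      1450/libvirtd
tcp6       0      0 :::22                   :::*                    LISTEN      1203/sshd
EOF
}

# Reads netstat -lpnt output on stdin; prints "PID PORT ADDR SCOPE" per qemu listener.
# SCOPE is "loopback" (unreachable for a remote viewer) or "exposed".
classify_qemu_listeners() {
  awk '
    $6 == "LISTEN" && $7 ~ /qemu/ {
      n = split($4, parts, ":")          # the port is the last colon-separated piece
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      split($7, prog, "/")               # "PID/Program name" -> PID
      scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "exposed"
      print prog[1], port, addr, scope
    }'
}

# Prints "PID: PORT PORT ..." for each qemu process with two or more exposed ports.
# Assumption: such a pair is the plaintext port plus the TLS port of one guest;
# netstat alone cannot tell which of the two speaks TLS.
multi_exposed_pids() {
  classify_qemu_listeners | awk '
    $4 == "exposed" { count[$1]++; ports[$1] = ports[$1] " " $2 }
    END { for (pid in count) if (count[pid] > 1) print pid ":" ports[pid] }' | sort
}

sample_netstat | classify_qemu_listeners
sample_netstat | multi_exposed_pids
```

On a live host, run `netstat -lpnt | classify_qemu_listeners` as root so the PID/Program name column is populated, then compare the exposed ports against the TLS port shown in the guest details.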