virsh ok with TLS but virt-viewer not

Fernando Lozano fernando at lozano.eti.br
Fri May 3 17:53:14 UTC 2013


Hi there,

>> I followed instructions on:
>> http://wiki.libvirt.org/page/TLSSetup
>>
>> To set up TLS connections to a qemu+kvm host, for remote administration. I
>> guess I did everything right, because
>> sudo virsh -c qemu+tls://myhost/system
>>
>> But I cannot open any guest console, be it from virt-manager or from
>> virt-viewer.
>> sudo virt-viewer -c qemu+tls://myhost/system 1
>>
>> I get an error pop-up telling "Unable to connect to graphics server
>> myhost:5900"
>
> Use the virsh command to get to one of the machines and then do a
>
>     netstat -lpnt
>
> and verify you have something listening on port 5900. If you don't,
> then the virt console won't work (probably that the vnc server didn't
> start on the guest machine).

All qemu-kvm processes were listening on ports 590x, but on loopback 
only. Now it makes sense: virsh / virt-manager connect to libvirtd, but 
virt-viewer connects to qemu-kvm. That's why one can work while the other 
can't.

I found there's "another" virt-manager web site. Followed the 
instructions on

http://virt-manager.et.redhat.com/page/RemoteTLS

And now I can get remote console access from either virt-viewer or 
virt-manager.

But also got another serious problem: now each active VM listens on two 
ports (For example, 5900 and 5902 for guest 1). One accepts plain text 
vnc or spice connections. The other accepts TLS connections, as seen on 
virt-manager guest details. My wish is to enable only TLS connections. 
Can't do that using iptables rules because port assignment is dynamic.

Worse yet, I found using netstat that virt-viewer and virt-manager 
connect to the non-secure port. :-(

I found no way of connecting using remote-viewer to the TLS port, only 
to the non-secure port. So I don't really know if my vnc/spice TLS setup 
is working.

On the Windows side, I got virsh working with TLS. But not virt-viewer. 
The Windows port of virt-viewer seems unable to recognize "qemu+tls" 
URLs, as I did on Linux. :-( And as I don't know how to make TLS 
connections using remote-viewer, I haven't got secure guest console 
access from Windows clients.


[]s, Fernando Lozano
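
Added example, not part of the original message or of libvirt: a small audit of the guest definition that reports, per graphics device, whether a plaintext console port is reachable off loopback alongside the TLS port, as described above for ports 5900 and 5902. The sample XML is constructed, and the function names and status labels are this example's own; it assumes input from `virsh dumpxml` on a running guest.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of `virsh dumpxml guest1` output, trimmed to the graphics devices.
SAMPLE_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <graphics type='spice' port='5900' tlsPort='5902' autoport='yes' listen='0.0.0.0'/>
    <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1'/>
  </devices>
</domain>"""


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unset or a hostname: assume it is reachable remotely


def audit_graphics(domain_xml):
    """Classify every <graphics> device of one libvirt domain XML document."""
    findings = []
    for g in ET.fromstring(domain_xml).iterfind("./devices/graphics"):
        child = g.find("listen")
        listen = g.get("listen") or (child.get("address", "") if child is not None else "")
        kind = g.get("type")
        plain = int(g.get("port", "-1"))
        tls = int(g.get("tlsPort", "-1"))
        if is_loopback(listen):
            status = "loopback-only"        # console not reachable from other hosts
        elif kind == "spice" and (g.get("defaultMode") == "secure" or plain <= 0):
            status = "tls-required"         # libvirt's defaultMode='secure', or no plain port
        elif kind == "spice":
            status = "plaintext-exposed"    # plain port open next to the TLS port
        else:
            status = "check-qemu-conf"      # VNC TLS is host-wide (qemu.conf), not in this XML
        findings.append({"type": kind, "listen": listen, "port": plain,
                         "tlsPort": tls, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_graphics(SAMPLE_XML):
        print(f)
```

Because the check reads the port numbers from the guest definition rather than assuming them, it still works when port assignment is dynamic.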



