Hi,

I have a virtualization host running KVM and libvirt 0.9.12 (on Debian unstable). I would like to connect with virt-viewer 0.5.4 from a different host to a domain that has Display Spice configured as graphics interface.

I can connect to the KVM host using
virsh --connect=qemu+ssh://mh@fan.local/system
and start my KVM domain from there, so I guess that authentication is just fine.

However,
virt-viewer --connect=qemu+ssh://mh@fan.local/system <domain>
does not work. The easy issue was that virt viewer issues a "nc fan.local 5900" on the remote host, while the Display Spice agent listens on 127.0.0.1 only. I could fix that by checking the "listen on all IP addresses" box in the Display Spice configuration in virt-manager. After that, I could see the TCP connection to the Spice agent on the remote host succeed when tcpdumping on the KVM host's lo interface.

When I invoke virt-viewer when the domain is not running, it says "Waiting for the guest domain to start", and changes to "Connecting to graphic server" when I start the domain. When I invoke virt-viewer when the domain is already running, it immediately says "Connecting to graphic server", but the domain's console does never show up.

When I invoke
virt-viewer --connect=qemu:///system <domain>
directly on the KVM host, the console shows up alright.
On the KVM host,
virt-viewer --connect=qemu+ssh:///system <domain>
gives the same behavior as the remote invocation, while
virt-viewer --direct --connect=qemu+ssh:///system <domain>
does. So I guess there is something wrong with the tunneling of the Spice session through ssh.

Am I doing something wrong? I would appreciate any hints.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062

Michal Privoznik
2013-Jan-02 10:06 UTC
[libvirt-users] virt-viewer via ssh to a remote host
On 31.12.2012 19:25, Marc Haber wrote:
> Hi,
>
> I have a virtualization host running KVM and libvirt 0.9.12 (on Debian
> unstable). I would like to connect with virt-viewer 0.5.4 from a
> different host to a domain that has Display Spice configured as
> graphics interface.
>
> I can connect to the KVM host using
> virsh --connect=qemu+ssh://mh@fan.local/system
> and start my KVM domain from there, so I guess that authentication is
> just fine.
>
> However,
> virt-viewer --connect=qemu+ssh://mh@fan.local/system <domain>
> does not work. The easy issue was that virt viewer issues a "nc
> fan.local 5900" on the remote host, while the Display Spice agent
> listens on 127.0.0.1 only. I could fix that by checking the "listen on
> all IP addresses" box in the Display Spice configuration in
> virt-manager. After that, I could see the TCP connection to the Spice
> agent on the remote host succeed when tcpdumping on the KVM host's lo
> interface.
>
> When I invoke virt-viewer when the domain is not running, it says
> "Waiting for the guest domain to start", and changes to "Connecting to
> graphic server" when I start the domain. When I invoke virt-viewer
> when the domain is already running, it immediately says "Connecting to
> graphic server", but the domain's console does never show up.
>
> When I invoke
> virt-viewer --connect=qemu:///system <domain>
> directly on the KVM host, the console shows up alright.
> On the KVM host,
> virt-viewer --connect=qemu+ssh:///system <domain>
> gives the same behavior as the remote invocation, while
> virt-viewer --direct --connect=qemu+ssh:///system <domain>
> does. So I guess there is something wrong with the tunneling of the
> Spice session through ssh.
>
> Am I doing something wrong? I would appreciate any hints.
>
> Greetings
> Marc
>

The Spice session isn't tunneled over libvirt's connection whereas libvirt's APIs are tunneled.
virt-viewer finds the desired domain, then asks for the XML and cuts the 'listen' attribute (/domain/devices/graphics/@listen). Same goes for 'port'. The obtained values are used to establish a new TCP connection to the Spice session.

If you want the connection to inherit usage of ssh from the libvirt connection, don't use '--direct' then. Or if you want to connect directly, without any tunnel magic, use '--direct'.

There were some attempts to tunnel Spice/VNC over the libvirt connection, but the patches aren't pushed yet:

https://www.redhat.com/archives/libvir-list/2012-December/msg00399.html

Michal
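
An added example, not part of the original thread: a Python audit of the same domain XML fields virt-viewer reads (/domain/devices/graphics/@listen and @port), flagging graphics listeners that are reachable off-host, as happens after ticking "listen on all IP addresses". The sample XML is constructed, and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a domain after ticking "listen on all IP addresses".
SAMPLE_XML = """
<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='spice' port='5900' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <graphics type='vnc' port='5901' listen='127.0.0.1'/>
  </devices>
</domain>
"""

def listen_addresses(graphics):
    """Collect the @listen attribute and any <listen address=...> children."""
    addrs = {graphics.get("listen")}
    addrs |= {child.get("address") for child in graphics.findall("listen")}
    return sorted(a for a in addrs if a)

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Assumption: any hostname other than "localhost" counts as exposed.
        return addr == "localhost"

def audit_graphics(domain_xml):
    """Return one finding per graphics device under /domain/devices."""
    root = ET.fromstring(domain_xml)
    findings = []
    for g in root.findall("./devices/graphics"):
        addrs = listen_addresses(g)
        exposed = any(not is_loopback(a) for a in addrs)
        findings.append({
            "type": g.get("type"),
            "port": g.get("port"),
            "listen": addrs,
            "exposed": exposed,
            # Off-host listener with neither a password nor a TLS port set.
            "unprotected": exposed and not g.get("passwd") and not g.get("tlsPort"),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_graphics(SAMPLE_XML):
        print(finding)
```

The passwd attribute only appears in XML dumped with `virsh dumpxml --security-info`, so run the audit on that output to avoid false "unprotected" findings.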