Wiki

User Tools

Site Tools

You are here: start » public » kvm » access » remote_vhost
public:kvm:access:remote_vhost

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
public:kvm:access:remote_vhost [2018/06/08 17:43] – adapted chapter links wiki.tkpublic:kvm:access:remote_vhost [2018/06/08 19:53] (current) – strongly extended content wiki.tk
Line 1: Line 1:
 +==== Remote vhost access ====
 +Every virtual host running on KVM can have a [[wp>Virtual_Network_Computing|vnc]] or a [[wp>Simple_Protocol_for_Independent_Computing_Environments|spice]] graphical interface.\\ 
 +The spice interface was neither used nor tested so far and thus is not further described here.\\ 
 +There are two opportunities to access the vnc interface of a vhost remotely:
 +  * the program 'virt-viewer'
 +  * any other vnc client
 +=== virt-viewer ===
 +The program 'virt-viewer' has to be installed on the client host. Once this is done, it can be used to access the vhost GUIs via remote access.
 +== ssh access ==
 +For ssh access to the KVM server the command line is:
 +  virt-viewer -c qemu+ssh://kvm55/system <vhostname>
 +The big advantage of ssh access: The command above tunnels the vnc access to the localhost address of the KVM server. The vnc interfaces of the vhosts need only to be bound to localhost which is the default. Thus the interfaces are not directly accessible over the network. As the ssh access can be also kerberized, neither ssh authorized keys or ssh passwords are necessary for this access.
 +== tcp access ==
 +For tcp access to the KVM server the command line is:
 +  virt-viewer -c qemu+tcp://kvm55/system <vhostname>
 +Prerequisite for tcp access is the kerberization of 'qemu' additionally to to the kerberization of 'libvirt' on the KVM host which is also [[http://stuff.iain.cx/2011/05/08/libvirtd-kerberos/|described here]]. This was not implemented for the following reasons:
 +  * vnc interfaces of the vhosts have to be bound to a public IP address to be accessible via TCP
 +    * using public IP addresses for vnc access is a security risk
 +    * while migrating vhosts among KVM servers the IP address for vnc is not properly adapted
 +    * thus migration renders the vnc interface inaccessible
 +  * on Debian 9 (squeeze) virt-viewer access to public IP addresses generates a segmentation fault
 +=== vnc client ===
 +When ssh access is possible from a client with GUI (Linux or Windows) to a KVM host, it is rather simple to access the vnc interface of a virtual host.\\
 +
 +While vhosts are defined, a distinct vnc port is assigned to every vhost. Therefore the vnc port has to be found out before accessing it:
 +  root@kvm55:~# virsh vncdisplay <vhostname>
 +  root@kvm55:~# 127.0.0.1:1
 +The port displayed behind '127.0.0.1' ('1') has to be added to the vnc base port (5900) to get the intended vnc port of the desired vhost. Afterwards an arbitrary local port (e.g. port 5910) is tunneled via ssh to the intended vnc port. Tunneling is necessary, because the vnc interface is only bound by default to KVM localhost for security reasons:
 +  root@client:~# ssh –L 5910:localhost:5901 root@kvm55
 +Afterwards vnc access is possible on an additional console:  
 +  root@client:~# vnc localhost:5910
 +\\ 
 +[[public:kvm:access:remote_libvirt|previous chapter]] | [[public:kvm:access|contents]] | [[public:kvm:backup|next chapter]]