Remote vhost access

Every virtual host running on KVM can have a vnc or a spice graphical interface.
The spice interface has been neither used nor tested so far and is therefore not described further here.
There are two ways to access the vnc interface of a vhost remotely:

virt-viewer

The program 'virt-viewer' has to be installed on the client host. Once installed, it can be used to access the vhost GUIs remotely.

ssh access

For ssh access to the KVM server the command line is:

virt-viewer -c qemu+ssh://kvm55/system <vhostname>

The big advantage of ssh access: the command above tunnels the vnc access to the localhost address of the KVM server. The vnc interfaces of the vhosts therefore only need to be bound to localhost, which is the default, so they are not directly accessible over the network. As ssh access can also be kerberized, neither ssh authorized keys nor ssh passwords are necessary for this access.

tcp access

For tcp access to the KVM server the command line is:

virt-viewer -c qemu+tcp://kvm55/system <vhostname>

Prerequisite for tcp access is the kerberization of 'qemu' in addition to the kerberization of 'libvirt' on the KVM host, which is also described here. This was not implemented for the following reasons:

vnc client

When ssh access is possible from a client with a GUI (Linux or Windows) to a KVM host, it is rather simple to access the vnc interface of a virtual host.

When vhosts are defined, a distinct vnc port is assigned to every vhost. The vnc port therefore has to be determined before accessing it:

root@kvm55:~# virsh vncdisplay <vhostname>
127.0.0.1:1

The display number shown after '127.0.0.1:' ('1') has to be added to the vnc base port (5900) to get the vnc port of the desired vhost. Afterwards an arbitrary local port (e.g. port 5910) is tunneled via ssh to that vnc port. Tunneling is necessary because, for security reasons, the vnc interface is by default only bound to localhost on the KVM host:

root@client:~# ssh -L 5910:localhost:5901 root@kvm55

Afterwards vnc access is possible on an additional console:

root@client:~# vnc localhost:5910
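
The steps above as a small POSIX shell helper, added here as an example and not part of the original page: it converts the output of 'virsh vncdisplay' into the vnc port, warns when the listen address shown is not a loopback address, and prints the matching 'ssh -L' command. The function names are hypothetical; the sample value, local port 5910 and root@kvm55 are the ones used in the text above.

```sh
#!/bin/sh
# Added example (not from the original page): derive the ssh tunnel for a
# vhost's vnc console from the output of `virsh vncdisplay`.
VNC_BASE_PORT=5900

# vnc_port DISPLAY: print the TCP port for output such as "127.0.0.1:1".
vnc_port() {
    display=${1##*:}    # text after the last ':' is the display number
    case $display in
        ''|*[!0-9]*) echo "unexpected vncdisplay output: $1" >&2; return 1 ;;
    esac
    echo $((VNC_BASE_PORT + $display))
}

# vnc_listen_is_local DISPLAY: succeed only if a loopback address is shown.
# An empty or wildcard address is treated as not confirmed local.
vnc_listen_is_local() {
    addr=${1%:*}        # text before the last ':' is the listen address
    case $addr in
        127.*|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# tunnel_cmd DISPLAY LOCAL_PORT SSH_TARGET: print the ssh command to run.
tunnel_cmd() {
    port=$(vnc_port "$1") || return 1
    if ! vnc_listen_is_local "$1"; then
        echo "warning: vnc listen address is not confirmed as localhost: $1" >&2
    fi
    echo "ssh -L $2:localhost:$port $3"
}

# Constructed sample: the value shown on this page. On a real client use
#   sample=$(ssh root@kvm55 virsh vncdisplay "$vhostname")
sample='127.0.0.1:1'
tunnel_cmd "$sample" 5910 root@kvm55
```

A warning from this helper means the vhost's vnc interface may be reachable over the network without the tunnel, which is worth checking in the vhost definition before connecting.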

