[Spice-devel] qemu-kvm tls vs non-tls spice ports
Fernando Lozano
fernando at lozano.eti.br
Mon May 6 10:02:54 PDT 2013
Hi there,
Sorry if I am off-topic, but I got no useful replies on the fedora users
list and found no spice users list.
I'm trying to configure secure remote access to guest VM consoles. Some
hosts are RHEL6 machines, others are Fedora 18 ones. Ideally, I'd like
to be able to get direct remote access to the guests from windows
workstations.
I made a lot of progress but have not reached my goal. Any help will be
appreciated.
If I use ssh -X (or putty + Xming) I can run virt-manager on the host
and access the guest consoles. So far no surprises, but this
remote-graphics-inside-other-remote-graphics is not very efficient.
If I use qemu+ssh URLs for virt-manager and virt-viewer from Linux
clients I cannot get any console at all on the default setups for Fedora
and RHEL. I'm disappointed that those tools cannot use the ssh tunnel for
the consoles, only for libvirtd.
I managed to get virsh and virt-viewer (with both vnc and spice) working
on windows if I create an ssh tunnel using putty. No surprises here, but
not very user-friendly. Besides, this needs remote root logins, which I
want to disable. Same from Linux clients (ssh -L and virt-viewer or
remote-viewer from another shell).
Then I configured TLS certificates for libvirtd and qemu. Virsh works fine
from both windows and linux using qemu+tls URLs, and virt-manager /
virt-viewer from linux works fine, but when I open a guest console,
netstat shows it's using non-secure ports. I can't find how to force
virt-manager and virt-viewer on Linux to use only the TLS port for VNC
and Spice. So I don't know if the qemu side is really ok. Virt-manager
shows all guests have both secure and non-secure ports enabled, both auto.
On both windows and linux, remote-viewer can connect only to the
non-secure ports. I cannot find how to make it use tls for guest console
access. TLS setup seems to be configured ok on the clients (both windows
and linux) but I don't know how to troubleshoot them.
On Windows, I cannot make the bundled virsh and virt-viewer work,
tried many builds on windows. I have also another build with virsh only
and this works but of course cannot open guest consoles. I didn't build
anything myself, downloaded prebuilt windows binaries from spice.org and
libvirt.org. On Fedora and RHEL, I'm using distro packages.
How do I force remote-viewer to use tls? It won't accept spice+tls or
vnc+tls URLs.
And as I said, if I try qemu+tls from virt-viewer and virt-manager I get
a spice or vnc connection using the non-secure port. :-( How to force
them to use the tls port?
It's very strange: while virt-manager tells me my guests are listening on
127.0.0.1, netstat tells me they are listening on 0.0.0.0.
[]s, Fernando Lozano