Remote-access Guide

qemu-kvm remote access

by Adaline Trantow Published 1 year ago Updated 1 year ago
image

How to run remote-viewer on KVM/QEMU?

Note that a combination of SSH and remote-viewer is also possible; but then you would open a „SSH -X“ connection first and run remote-viewer on the KVM/Qemu host and not on the network client system. I will present such a solution in a later article, too. The Spice console of KVM/Qemu offers access to a graphical desktop of a virtual machine guest.

What is KVM/QEMU Spice?

The Spice console of KVM/Qemu offers access to a graphical desktop of a virtual machine guest. Spice clients as „remote-viewer“, „virt-viewer“ and „virt-manager“ can be used locally and remotely. The first two clients offer multiple screens – but all clients provide a one seat solution, only.

How do I connect to a VNC server via QEMU?

You need to attach your vncserver with the guest operating system console. This can be done using any one of the following method: Normally, QEMU (/usr/libexec/qemu-kvm) uses SDL to display the VGA output. With the -vnc option option, you can have QEMU listen on VNC display display and redirect the VGA display over the VNC session.

How do I run QEMU from another computer?

Show activity on this post. To run QEMU remotely, your best option is to use its VNC support; this will disable its SDL window display, and allow you to connect to the graphical display remotely. Use the -vnc option with a target display ( e.g. -vnc :0 to listen on port 5900 and allow connections from anywhere).

image

How do I access KVM remotely?

Use Virtual Network Computing (VNC) to access your Linux Kernel-based Virtual Machine (KVM) host remotely....Accessing your KVM host remotelyFrom the Home page, click the Plug-ins tab.From the Plug-ins tab, under Remote Access, click Setup Remote Control.Change the VNC port to 5900.

How do I access virt-manager remotely?

Start virt-manager. Open the File->Add Connection menu. Input values for the hypervisor type, the connection, Connection->Remote tunnel over SSH, and enter the desired hostname, then click connection.

How do I access KVM GUI?

Issue the virt-manager command on the KVM host to launch the virtual machine manager GUI. The Virtual Machine Manager application user interface gets launched....Click Browse Local. The Locate existing storage window is displayed. ... Select "RuckusNetworkDirector2. qcow2" image from the RND2. ... Click Choose Volume.

Is there a GUI for KVM?

While KVM works in kernel-space, we use QEMU as the machine emulator for user-space. This QEMU KVM combination gives the users lightweight virtualization and good performance (but with no GUI).

How do I log into VM with Virsh?

Open a shell prompt or login using ssh. Login to a host server called server1. Use the virsh console command to log in to a running VM called 'centos7' type: virsh console centos7. To exit a virsh console session, type CTRL + Shift followed by ] .

How do I convert KVM to server?

Using KVM to remotely access your serverStep 1: Log in to KVM.Step 2: Open the KVM page.Step 3: Launch the console.Step 4: Run the file.Step 5: Launch console for Dell Server.Conclusion.

How do you get qemu GUI?

How to install Qemu/KVM and Virt-Manager GUI on Ubuntu 20.04 LTSOpen a command terminal.Install QEMU/KVM on Ubuntu 20.04 Server.Install Virt-Manager GUI for KVM on Linux.Create a New Virtual Machine.Browse the ISO file.Choose Memory and CPU settings.Create a disk image for the KVM virtual machine.Select Network.More items...•

What are the KVM management tool?

Management Tools - KVM. Abiquo is a technology-agnostic solution for enterprises and service providers who want to quickly and simply build, manage and develop public and private clouds based on their existing heterogeneous environments.

Is virt a KVM manager?

The virt-manager application is a desktop user interface for managing virtual machines through libvirt. It primarily targets KVM VMs, but also manages Xen and LXC (linux containers). It presents a summary view of running domains, their live performance & resource utilization statistics.

Is QEMU better than VirtualBox?

VirtualBox is faster and has a better UI than QEMU. It's also a good choice only for x86 and x64 architectures.

Is KVM better than VirtualBox?

KVM, a type 1 hypervisor, is smaller and faster than VirtualBox, but VirtualBox is more scalable. KVM is better integrated with Linux, and while it will work with other guests, it works best with Linux. In short, if you want to install a binary Linux distribution as a guest, it's better to use KVM.

Is there a GUI for QEMU?

JavaQemu, a GUI for QEMU written in Java.

Is there a GUI for QEMU?

JavaQemu, a GUI for QEMU written in Java.

How do you use QEMU GUI?

Contents showStep 1: Download Qemu for Windows.Step 2: Install Qemu.Step 3: Install GUI for QEMU on Windows 10.Step 4: Setup QEMU manager Qtemu GUI.Step 5: Create a Virtual machine.Step 6: Set bootable medium CD/DVD.Step 7: Insert ISO file in QEMU via Qtemu GUI.Step 8: Boot Qemu Virtual Machine via GUI.

How do I start QEMU?

The command to start QEMU To emulate a legacy PC system, use qemu-system-i386 . To emulate a more modern system, use qemu-system-x86_64 .

What is QEMU and KVM?

Qemu is a machine emulator that can run operating systems and programs for one machine on a different machine. Mostly it is not used as emulator but as virtualizer in collaboration with KVM kernel components. In that case it utilizes the virtualization technology of the hardware to virtualize guests.

What is a real remote configuration?

"Real" refers to the fact that both remote-viewer and virt-viewer are parts of a client/server architecture for the Spice protocol: This time we are going to run remote-viewer on the remote system.

What port does UVMa open?

We open local and router based firewalls in our (segmented) LAN for the communication of the client-system with the virtualization server over port 20001. On the KVM-server "MySRV" a privileged user "uvma" starts our already familiar test-VM "debianx" (in my case with a Kali OS on it) via virt-manager. Just for control purposes user "uvma" opens the Spice console on the server with a local remote-viewer instance (with 2 screens), logs in into the VM and starts a VM desktop session:

What port is used for test VM?

We define a specific TCP port ( 20001) to be used for our test-VM. (Another additional VM on the KVM host would require the definition of another port). The " defaultMode ", by which we control whether TLS security measures are required to start the VM, is set to "insecure"; i.e. we neglect TLS encryption for the time being. Note also that I use a "virtio" video device. We made good experiences with it during our last experiments. If the virtio device should not work on your systems replace it by some reasonable QXL configuration.

How to access Spice console?

Method A: We access the Spice console of a VM by using remote-viewer on a remote client-system and interact with the VM via an unencrypted TCP connection to a specific network port on the KVM/Qemu-server.

Does remote viewer offer any advantage over ssh?

So far the client/server approach with remote-viewer does not offer us any advantage over our primitive "ssh -X" scenario for the transfer of graphical data from a local Spice client on the KVM-server to the X11-server on a remote system.

Can you use HW acceleration on a virtual machine?

The HW graphics "acceleration" can be set to "yes" for the "virtio" device. HW acceleration will, however, not be used as long as Spice has the setting "<gl enable=no>". [You may try change this - good luck then with Nvidia cards and their proprietary drivers (it won't work). I will not cover HW acceleration of the virtual graphics in this series.]

Does Qemu support TLS?

So far Qemu is prepared to support TLS on the KVM-server - if and when the use of TLS is requested. We, therefore, still have to define that TLS should be used for connections to the Spice console of our specific test-VM "debianx".

Does TLS encryption to the VM work locally, too?

An interesting question is whether we can have encryption locally on the KVM/Qemu-server, too. The answer is: Yes, but you still have to provide the FQDN of the server; the network request will nevertheless be handled over the "lo"-device. This at least enables you to test your VM settings locally. But local encryption could also be interesting in some multi-user scenarios.

How to run QEMU remotely?

To run QEMU remotely, your best option is to use its VNC support; this will disable its SDL window display, and allow you to connect to the graphical display remotely. Use the -vnc option with a target display ( e.g. -vnc :0 to listen on port 5900 and allow connections from anywhere). If you’re not using a US English keyboard, you’ll also need to specify the keyboard layout with the -k option.

Does Xen support VNC?

This also works with KVM if you’d rather use that. (KVM uses QEMU for its I/O.) Xen supports VNC too.

How would we specify an URI, which points to a Unix-socket, for remote-viewer?

To force remote-viewer to use a Unix socket we first have to find out how we specify an URI pointing to such a socket. Well, the first of the named articles above together with the man-pages for remote-viewer gives us an idea. The right form for a local access is:

What is remote viewer?

I discussed " remote-viewer " - a tool to access the graphical Spice console of a virtual machine [VM] on a KVM/Qemu host. Although remote-viewer is thought to be used over network connections, you can also use it locally on the virtualization host itself, e.g. in a desktop virtualization scenario.

How does remote viewer work?

Remote-viewer works very well with a local Unix socket instead of a TCP socket as the interface to the Qemu-emulator process of the VM. A socket based local access scenario to a Spice console can easily be configured via respective settings in the XML-definition file of a VM. However, to improve security you should avoid adding a standard user who wants to use remote-viewer to the "qemu" group. Involving ACL rights will help you to confine users to access the Spice console of specific VMs via placing a socket into a specific directory and controlling access to it and its contents.

Why does UVMA fail?

fails due to insufficient access rights. Obviously, the user "uvma" needs write rights on the specified "stream" socket.

Can you use a Unix socket on a VM?

Yes, we can - by working with a Unix socket on the VM host. This is the subject of this article. While we prepare a Spice socket configuration for remote-viewer we also answer the question which sockets the libvirtd daemon offers for its client.

Does libvirt work with Qemu?

In the drawing I also indicated that libvirt-based tools (as virt-manager, virt-viewer), which do not directly interact with the qemu-emulator, use a specific socket which is automatically created at a standard location on Opensuse Leap 15.x systems.

Does Remote Viewer support multi screen?

We verified that remote-viewer supports a multi-screen presentation of any major graphical Linux desktop started on the VM. Present versions of KDE and Gnome on a Kali/Debian/Opensuse guest automatically adapt to changes of the user's Spice client windows (on the host's desktop). XFCE, however, requires a manual configuration of the virtual screens with tools of the guest OS.

What is a virt manager in KVM?

KVM: virt-manager to connect to a remote console using qemu+ssh. If you are running KVM on a console-only server, you still have the option to use the graphical virt-manager. You just need to specify the method of communication (ssh, tls, tcp, etc).

Does libvirtd need to listen to TCP?

Using the ssh tunneling solution described in this article, the libvirtd service on the server side does *not* need to enable listening on TCP in “/etc/libvirt/libvirtd.conf”.

Can you open a remote console to a VM without being prompted for the password multiple times?

If you want to open a remote console to a VM without being prompted for the password multiple times, then make sure the display (either Spice or VNC is fine) uses all interfaces for its address as shown below.

Does virt manager require passphrase?

virt-manager should immediately prompt you for the passphrase protecting the private key (this is not the user password!), and once you enter it, you will be looking at virt-manager just like you were sitting at the KVM host locally.

Where is the VM config file?

You need to edit your VM config file which is in XML format. The config file is located at /etc/libvirt/qemu directory. In this example, edit centos1.xml as follows:#N## vi /etc/libvirt/qemu/centos1.xml#N#Append the following line before final </devices>:

How Do I Password Protect My VNC Session?

The passwd attribute provides a VNC password in clear text (so make sure your xml config file is only readable by root user). Edit centos1.xml file as follows:

What is type=vnc?

type=’vnc’: The graphics element has a mandatory type attribute which takes the value “sdl”, “vnc”, “rdp” or “desktop”. In this case it is set to VNC for remote access.

Limitations

Unfortunately, I have to reduce expectations of readers who are out for " multi-user remote desktop solutions". This is not what the present Spice solutions with the named clients will offer you. See below.

Spice with multiple screens requires a non default configuration of the VM's QXL device

For a basic Spice setup there is not too much to do; " just " choose Spice for the display-settings of your VM and configure the VM's QXL graphics device. Such a device corresponds to something like a virtual graphics card. Well, it sounds easy, but when I tried it myself, I had to experiment.

Conclusion

The Spice console of KVM/Qemu offers access to a graphical desktop of a virtual machine guest. Spice clients as "remote-viewer", "virt-viewer" and "virt-manager" can be used locally and remotely. The first two clients offer multiple screens - but all clients provide a one seat solution, only. This may, however, be sufficient for many use cases.

Links

Spice console and Spice protocol https://linuxhint.com/configure_spice_server_debian_10/ https://www.spice-space.org/spice-user-manual.html https://www.spice-space.org/spice-for-newbies.html

Further articles in this series

Dieser Eintrag wurde veröffentlicht in Leap 15.2, Virtualisierung, KVM, Xen und verschlagwortet mit graphical access to VMs, KVM, multi-screen console, one seat solution, Opensuse Leap 15.2, qemu, QXL, remote connections, Spice, Spice console, Spice-Clients, SSH, TLS, virtual machines von eremo. Permanenter Link zum Eintrag .

image

Documentation? Not Really …

Spice Access Via A Socket

Off Topic: What Sockets Are Used by virt-manager and Virt-Viewer?

How Would We Specify An Uri, Which Points to A Unix-Socket, For Remote-Viewer?

You Cannot Use The Libvirtd-Sockets with Remote-Viewer!

remote-viewer with A Local Unix Socket

Security Considerations

Conclusion

  • Remote-viewer works very well with a local Unix socket instead of a TCP socket as the interface to the Qemu-emulator process of the VM. A socket based local access scenario to a Spice console can easily be configured via respective settings in the XML-definition file of a VM. However, to improve security you should avoid adding a standard user who ...
See more on linux-blog.anracom.com

Links

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9