[libvirt-users] virt-viewer via ssh to a remote host

Michal Privoznik mprivozn at redhat.com
Wed Jan 2 10:06:34 UTC 2013 

On 31.12.2012 19:25, Marc Haber wrote:
> Hi,
> 
> I have a virtualization host running KVM and libvirt 0.9.12 (on Debian
> unstable). I would like to connect with virt-viewer 0.5.4 from a
> different host to a domain that has Display Spice configured as
> graphics interface.
> 
> I can connect to the KVM host using
> virsh --connect=qemu+ssh://mh@fan.local/system
> and start m KVM domain from there, so I guess that authentication is
> just fine.
> 
> However,
> virt-viewer --connect=qemu+ssh://mh@fan.local/system <domain>
> does not work. The easy issue was that virt viewer issues a "nc
> fan.local 5900" on the remote host, while the Display Spice agent
> listens on 127.0.0.1 only. I could fix that by checking the "listen on
> all IP addresses" box in the Display Spice configuration in
> virt-manager. After that, I could see the TCP connection to the Spice
> agent on the remote host succeed when tcpdumping on the KVM host's lo
> interface.
> 
> When I invoke virt-viewer when the domain is not running, it says
> "Waiting for the guest domain to start", and changes to "Connecting to
> graphic server" when I start the domain. When I invoke virt-viewer
> when the domain is already running, it immediately says "Connecting to
> graphic server", but the domain's console does never show up.
> 
> When I invoke
> virt-viewer --connect=qemu:///system <domain>
> directly on the KVM host, the console shows up alright.
> On the KVM host,
> virt-viewer --connect=qemu+ssh:///system <domain>
> gives the same behavior as the remote invocation, while
> virt-viewer --direct --connect=qemu+ssh:///system <domain>
> does. So I guess there is something wrong with the tunneling of the
> Spice session through ssh.
> 
> Am I doing something wrong? I would appreciate any hints.
> 
> Greetings
> Marc
> 

The Spice session isn't tunneled over libvirt's connection whereas
libvirt's APIs are tunneled. virt-viewer finds the desired domain, then
asks for XML and cut 'listen' attribute
(/domain/devices/graphics/@listen). Same goes for 'port'. Obtained
values are used to establish a new TCP connection to Spice session. If
you want the connection to inherit usage of ssh from libvirt connection,
don't use '--direct' then. Or if you want to connect directly, without
any tunnel magic, use '--direct'.

There were some attempts to tunnel Spice/VNC over libvirt connection,
but the patches aren't pushed yet:

https://www.redhat.com/archives/libvir-list/2012-December/msg00399.html

Michal

More information about the libvirt-users mailing list