KVM on Debian question

[fyfelka]

Hey all, newbee here.
So I've got a couple servers on my hands for work, and all of them have debian installed on them, with KVM on top, and several virtual machines in KVMs (most of VMs are Windows).
So, initial setup was done by another person, and now I have a question.
I can ssh to every debian server, but if try to run a vncserver on them, I'll get a vnc to one of the VM on this server, not the debian.
This is my first post, so idk what info I should post here, as well as how to efficiently administrate KVMs, so if you need smth - please ask for it, and I'll try to provide any info possible.
Thank you in advance.

[Chrisdb]

We need some extra info:
- Do you have an X server running on the host?
- which commands/tools do you use to connect?
- post contents of '/etc/libvirt/qemu.conf'
- there's probably some port forwarding going on, show us your ssh commands

[CwF]

?
The debian host likely doesn't, and shouldn't have a vncserver. The VM's likely have a host vnc/spice provided "vncserver". Debian VM's could have, additionally, a ssh server that it may not need. A windows guest (VM) may have a vnc server installed, in addtion to the virtual channel supplied by the host.

So from an external connection;
Connect to the host with ssh.
Connect to a windows vm through the host provided virtual vncserver(spice) if configured.
-OR connect to the windows VM through the guest installed vncserver.
--No need to have, but useful for local control in vfio setups.
Connect to a debian VM through the host provided virtual vncserver(spice) if configured.
-OR in a similar way to a windows vm, guest installed vnc or ssh server.
--For local control of a vfio enabled debian, X2X through SSH would be the ticket.

Any VM does NOT need a configured network interface as configured within the vm in order to use the host provided vnc/spice channel.

Any VM can have a configured nic and run any software configured within the VM. This is in addition to the host provided channel.

Generally there is no need to have any guest with any such software since the host can provide it. You can ssh into the debian host and use a local virt-manager on your local computer to view and configure the remote host's VM's.

So many possibilities...

[fyfelka]

So, first thing first.
1. how do I check if X-server is running?
2. I use ssh to connect to debian, and remmina to connect to VNC sessions of VMs, and there is an RDP option as well.
3. qemu.conf is full default
4. ssh host -l login

to CwF
Can you explain more about using virt-manager on local machine through ssh?

[CwF]

Can you explain more about using virt-manager on local machine through ssh?

Yes, I don't do that much, but have. As I remember if a ssh connection is otherwise working then simply add the connection. In "Virtual Machine Manager" on your local machine from "File>Add Connection" you get the dialog. Select the check box "Connect to remote host" and fill in the details, uncheck the "Autoconnect", and if you have no dns resolution of host names use the ip. When everything is happy it works just like local, but slower. You have full access to the domain editor and the domain viewer. Another view option is "virt-viewer -c qemu:///system" with the correct remote ip for 'system' and the command trapped in the correct ssh cli, can't remember that one off hand.

[fyfelka]

Hmm, so I have an working ssh to a server, but if I try to setup a connection in virt-manager - I get an error:Unable to connect to libvirt qemu+ssh://-login@host/system. configure SSH key access for remote host or install an SSH askpass package locally.
EDIT: I have an openssh-askpass installed

[CwF]

I used it a few versions ago. I believe root access has changed, and a user can be used now (?), but I don't know for sure the setup. Look into /etc/polkit-1/rules.d/80-libvirt-manage.rules or something on the remote computer.
Do you get a password dialog?
Can you ssh into "root"?

I'm sure the current version is tighter and you will likley need to edit on the remote computer. I believe you need to setup polkit on the remote computer to respond. This would be a local user with rights, and a policy file to allow remote access. I have no details for you. Hope I didn't point to a broken solution!

Hope my rambling helps some, post back what you find. I may stumble around some more.

[CwF]

Okidoki!
I fired up some stuff and it's now working for me.
On the remote host make sure there is user (not root) to connect to in the libvirt group, and that netcat-openbsd is installed, it doesn't have to be before maybe. You should verify, have verified, that that user is funtional locally.
I'm not sure it is referenced, but for good measure create /etc/polkit-1/rules.d/52-libvirt-manage.rules or something similar

Code: Select all

polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.isInGroup("libvirt") && subject.user == "USER") {
      return polkit.Result.YES;
  }
});

[fyfelka]

Nope, that doesn't work, same error as before, sadly. how hard is to manage VMs with virsh? cause I guess it will be easier to learn to manage VMs from command line, then to setup this properly.

[fyfelka]

Okay, last question, back to the first one.
this the /root/.vnc/xstartup file

Code: Select all

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresourses ] && xrdb $HOME/.Xresourses
xsetroot -solid grey
vncconfig -iconic &
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
awesome &

why does it launch VM vnc session, if I start vncserver from debian?

[Chrisdb]

why does it launch VM vnc session, if I start vncserver from debian?

It would be easier for us to help you if you provided us with more detailed steps.

From what I can tell, you connect from your local pc to the Debian host through ssh with the command 'ssh someuser@host', correct?
Inside this ssh session, you start vnc with the command 'vncserver', right? What is the output here? Any errors, warnings?
What makes you think that the VM vnc session is launched? Do you see a windows login screen?

Another question, is the awesome WM on the host installed/configured correctly?

[fyfelka]

Yes, steps are right.
1 ssh host -l login // to connect to debian server
2 su // go to root
3 vncserver // start a vnc, standard message, vnc server started on display 2
4 now there is an open vnc port, and I can connect to vnc session, but it's from one of VMs, and yeah, I see a windows login screen


about awesome WM - I can't really help you, since I didn't install it, and never saw it running on this machine, cause I can't connect to it xD
EDIT: WM should be configured correctly, since I recall that previous guy used virt-manager on host machine, so it's probably alright
EDIT_2: I can't connect directly to root through ssh for obv security reasons

[Chrisdb]

Yes, steps are right.
1 ssh host -l login // to connect to debian server
2 su // go to root
3 vncserver // start a vnc, standard message, vnc server started on display 2
4 now there is an open vnc port, and I can connect to vnc session, but it's from one of VMs, and yeah, I see a windows login screen


about awesome WM - I can't really help you, since I didn't install it, and never saw it running on this machine, cause I can't connect to it xD
EDIT: WM should be configured correctly, since I recall that previous guy used virt-manager on host machine, so it's probably alright
EDIT_2: I can't connect directly to root through ssh for obv security reasons

hmm, seems ok...

What settings are you using for 'remmina'? do you connect through an ssh tunnel? Are you using the correct ip/port?

[fyfelka]

I use default settings for remmina, I do not use ssh tunnel, ip/ports are correct.
Also, what does stale mean in vncserver -list output?

Code: Select all

X DISPLAY #      RFB PORT #       PROCESS ID
:1               5901             2200 (stale)

[Chrisdb]

I use default settings for remmina, I do not use ssh tunnel, ip/ports are correct.
Also, what does stale mean in vncserver -list output?

Code: Select all

X DISPLAY #      RFB PORT #       PROCESS ID
:1               5901             2200 (stale)

From the info I can find, 'stale' basically means the process hasn't been (correctly) terminated for a while.
Just to be sure, try to kill the process and restart it again.

Can you try to connect with remmina through an ssh tunnel and let us know how it turns out? FWIW, using an SSH tunnel is more secure anyway.

[CwF]

Seems like lots of variables here?

Keep in mind, the VMM usage I've tried to convey does not require any prior or separate steps to work, ie. no external terminal to log in through. It operates independent of other connections, and doesn't even require VMM to be running on the remote computer. The connection info is saved in the local VMM, click the connection, askpass dialog, and bam connected!

There entire time I was setting it up I was connected to the remote computer with SSH-X2X, looking at the actual monitor. I disconnected the X2X, reconnected, and ran a separate terminal doing a multi-gig scp to and fro. Local VMM stayed stable and connected. I didn't say, but my examples are debian 9 controlling and debian 10 remote, both on XFCE. On the debian 10 I needed to export a key, import into local 9. I got some wonderful errors telling me 10's security is better. The 10 has a fully functional root desktop I can locally log into through lightdm, so password is good, and with the actual password I still couldn't touch anything coming in through ssh from 9, so good.

I also found a bug. the local VMM can leave a process orphaned if the remote nc call fails without an entered password, found it still lingering hours after my testing...5.2MB!

Also keep in mind you could have many connections at the same time. If you are connecting 'somehow' to a vncserver from a windows vm, that means you are calling out the vm ip address and not the address of the remote host itself. There is no mechanism I know of that will feed a vm connection automagically if you call out the host ip. So it sounds like you are not using the correct ip addresses for the action you expect.

Virsh through SSH should also work independently and concurrently with VMM and any other connections. Likewise, multiple virt-viewer sessions could be called. The 'remmina' variable I can't speak to, personally I'd remove it, same for any vnc software. I'd only use an 'extra' vnc type service on a vm with a physical vfio nic to offer up to non-VMM viewers. IE, from another winders machine using vnc, call the vm's ip. For VMM or virt-viewer use the host ip and the "-d vm_name' switch.

Also be aware that it is possible to configure storage on the remote for which there is no possible management access remotely, only access as served from the vm. That's a pickle.

The more I think about it I think you are using a vm ip and not the host ip..

Excessive...</rambleoff>

[fyfelka]

CwF, I love you.
Also, I'm dumb, so sorry for this long and stupid adventure.
I got it running, because I had openssh-askpass pkg installed, and I needed x11-ssh-askpass pkg. After installation of latter - all working, all nice and cool, thank you very much!

[CwF]

Wohoo! Thanks for the trip, happy to ride along.