Re: libvirt tools and keyfiles

2022-04-03 Thread Celejar
On Sun, 03 Apr 2022 10:45:06 +0200
didier gaumet  wrote:

> 
> 
> Hello,
> 
> - Yes, I was suggesting both running VMs as an ordinary user instead of
> root and running VMs as session instead of system
> - But myself not running any VM as a server, I was not aware of the
> limitations inherent to the use of "session" compared to "system"

Got it. Some of my VMs are servers and some are not, so I suppose I
could run some as "session," but right now I'm just running everything
under a single "system" libvirt.

> - SSH tunnel: I was just saying it is possible to use an SSH tunnel or a
> direct SSH connection ("--direct")

Got it. I haven't really looked into the distinction, although I did
notice it in the documentation, but I'll keep it in mind for the future.

> Glad your problem is solved :-)

Thanks for providing me with the solution!

-- 
Celejar



Re: libvirt tools and keyfiles

2022-04-03 Thread didier gaumet



Hello,

- Yes, I was suggesting both running VMs as an ordinary user instead of
root and running VMs as session instead of system
- But myself not running any VM as a server, I was not aware of the
limitations inherent to the use of "session" compared to "system"
- SSH tunnel: I was just saying it is possible to use an SSH tunnel or a
direct SSH connection ("--direct")

Glad your problem is solved :-)




Re: libvirt tools and keyfiles

2022-04-02 Thread Celejar
On Sat, 02 Apr 2022 09:53:18 +0200
didier gaumet  wrote:

...

> - double authentication: "When using a SSH tunnel to connect to a SPICE
> console, it's recommended to have ssh-agent running to avoid getting
> multiple authentication prompts."
> 
> (take a look at virsh, virt-manager, virt-viewer manpages)

Thank you - this works! Specifically, starting an agent on the client
machine, and then running virt-manager under the agent avoids the
second prompt.

I still think that the failure of virt-manager to use the provided
keyfile for the console access should count as a bug: after all, if
I've provided a keyfile, the location of which virt-manager has stored
in its configuration, then why isn't it using it for console access? I
understand that I can get around this by using an agent, but why should
I have to?

Celejar
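
The fix described in the message above, as an added shell example that is not part of the thread: it starts a dedicated ssh-agent, loads the key, checks that the agent really holds it, runs the given command under it, and kills the agent afterwards. `agent_ready` and `run_under_agent` are hypothetical helper names; the key path and host are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. agent_ready and run_under_agent are
# hypothetical helper names; path_to_private_key and remote_system are the
# thread's own placeholders.

# agent_ready: return 0 only if an ssh-agent is reachable and holds a key.
#   1 = SSH_AUTH_SOCK unset, 2 = socket missing or agent unreachable,
#   3 = agent reachable but empty (ssh-add -l exits 1 in that case).
agent_ready() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is unset: child ssh processes have no agent" >&2
        return 1
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "$SSH_AUTH_SOCK is not a socket" >&2
        return 2
    fi
    st=0
    ssh-add -l >/dev/null 2>&1 || st=$?
    case $st in
        0) return 0 ;;
        1) echo "agent is running but holds no keys" >&2; return 3 ;;
        *) echo "cannot talk to the agent" >&2; return 2 ;;
    esac
}

# run_under_agent KEY CMD [ARGS...]: runs in a subshell so the agent's
# environment does not leak into the caller. The agent is killed when CMD
# exits, so the decrypted key does not stay in memory afterwards.
run_under_agent() (
    key=$1
    shift
    eval "$(ssh-agent -s)" >/dev/null || exit 1
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    ssh-add "$key" || exit 1      # prompts once for the key's passphrase
    agent_ready || exit 1
    "$@"
)

# Usage (URI as in the original post, on one line). --no-fork keeps
# virt-manager in the foreground so the agent outlives the console tunnels:
#   run_under_agent path_to_private_key virt-manager --no-fork \
#       -c 'qemu+ssh://root@remote_system/system?keyfile=path_to_private_key'
```
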



Re: libvirt tools and keyfiles

2022-04-02 Thread Celejar
On Sat, 02 Apr 2022 22:40:30 +0200
Linux-Fan  wrote:

> Celejar writes:
> 
> > Hi,
> >
> > I'm trying to use virt-manager / virt-viewer to access the console of
> > some qemu / kvm virtual machines on a remote system over ssh. I have
> > public key access to root@remote_system. When I do:
> >
> > virt-manager -c 'qemu+ssh://root@remote_system/system?keyfile=path_to_private_key'
> >
> > the connection to libvirt on the remote system comes up fine, and I can
> > see the various VMs running there, but when I try to access a VM
> > console (via the "Open" button or "Edit / Virtual Machine Details"), I
> > get prompted for the password for "root@remote_system" (which doesn't
> > even work, since password access is disabled in the ssh server
> > configuration).
> 
> What do you insert for `remote_system`? A hostname or an IP?

A hostname (resolved via /etc/hosts on the client machine).

> IIRC I once tried to use an IP address directly
> (qemu+ssh://u...@192.168.yyy.yyy), and while it would perform the initial
> connection successfully, subsequent actions would query me for
> the password of (user@masysma-...) i.e. change from IP-address-based (which
> was configured to use a key in .config/ssh) to hostname based (for which the
> key was not specified in the config). I solved this by adding the hostname to
> /etc/hosts and configuring SSH and my virt-manager connection to use the
> hostnames rather than IP addresses.
>
> I also remember that I had to add the connection to my GUI user's .ssh/config
> AND my root user's .ssh/config. In my case, I am not specifying the keyfile
> as part of the connection, though.

Thanks.

Celejar



Re: libvirt tools and keyfiles

2022-04-02 Thread Celejar
On Sun, 3 Apr 2022 03:43:10 +1200
Richard Hector  wrote:

> 
> > On 2022-04-01, Celejar  wrote:
> >>
> >>
> >> What is going on here? Since I'm specifying a keyfile on the command
> >> line, and it's being used - otherwise I wouldn't even get the list of
> >> VMs - why am I being prompted for the password?
> >>
> >> Celejar
> 
> Apologies for replying to the wrong message - I've deleted the original.
> 
> Are you really getting prompted for the password for the host system? 
> You're not talking about the login prompt on the console of the VM?

Yes - I'm not getting into the console of the VM at all, and the prompt
is for "root@remote_system", not the VM hostname / IP.

> Also, by adding my normal user on the host system to the libvirt group, 
> it's not necessary to ssh as root - I can just use my normal user. In 
> fact I don't allow root logins, so I can't directly test your commands.

Good to know. I was following the examples from the documentation, such
as:

virsh --connect qemu+ssh://r...@example.com/system

from https://wiki.libvirt.org/page/FAQ

virt-viewer --direct --connect qemu+ssh://r...@example.org/ guest-name

from

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/chap-graphic_user_interface_tools_for_guest_virtual_machine_management

But I'll have to look into just adding a user to the libvirt group on
the host and logging in as that user.

> Oh, and I assume the doubled '-c' is a typo :-)

Yes, sorry.

> Cheers,
> Richard

Celejar



Re: libvirt tools and keyfiles

2022-04-02 Thread Celejar
On Sat, 2 Apr 2022 08:05:52 - (UTC)
Curt  wrote:

> On 2022-04-01, Celejar  wrote:
> >
> >
> > What is going on here? Since I'm specifying a keyfile on the command
> > line, and it's being used - otherwise I wouldn't even get the list of
> > VMs - why am I being prompted for the password?
> >
> > Celejar
> >
> >
> 
> Aren't you required to copy the key over to the remote machine
> ('ssh-copy-id')?

The key in question is already present in the authorized_keys file on
the remote machine - that's why the initial login works. Perhaps I'm
missing something, but what would ssh-copy-id accomplish?

Celejar



Re: libvirt tools and keyfiles

2022-04-02 Thread Celejar
On Sat, 02 Apr 2022 09:53:18 +0200
didier gaumet  wrote:

> 
> 
> Hello,
> 
> Disclaimer: I do not use ssh, nor remote virtual machines, so this is
> far from an expert answer :-)

Thanks for the suggestions!

> You could be confronted with several possible problems:
> - root access: you could try using an ordinary user instead

I'm not sure if I understand what you're saying, but I am using an
ordinary user on the client side. The VMs are running on the remote
machine using qemu:///system.

> - "system" problem: virt-manager/virt-viewer propose "system" and
> "session" options and in this case, trying an ordinary user "session"
> instead of a root "system" could be beneficial

Not sure if I understand what you're saying - as above, the VMs are
running on the remote machine using qemu:///system - are you
suggesting that I try reconfiguring them to run as qemu:///session?
According to the documentation:

> You will definitely want to use qemu:///system if your VMs are acting
> as servers. VM autostart on host boot only works for 'system', and the
> root libvirtd instance has necessary permissions to use proper
> networkings via bridges or virtual networks. qemu:///system is
> generally what tools like virt-manager default to.
> 
> qemu:///session has a serious drawback: since the libvirtd instance
> does not have sufficient privileges, the only out of the box network
> option is qemu's usermode networking, which has nonobvious limitations,
> so its usage is discouraged. More info on qemu networking options:
> http://people.gnome.org/~markmc/qemu-networking.html 

https://wiki.libvirt.org/page/FAQ#What_is_the_difference_between_qemu:.2F.2F.2Fsystem_and_qemu:.2F.2F.2Fsession.3F_Which_one_should_I_use.3F

> - ssh tunnel or not (virt-manager/virt-viewer have different options
> for that)

I don't understand this point.

> - double authentication: "When using a SSH tunnel to connect to a SPICE
> console, it's recommended to have ssh-agent running to avoid getting
> multiple authentication prompts."

Thanks - this might be the solution. I'll have to look into this
further.

> (take a look at virsh, virt-manager, virt-viewer manpages)

-- 
Celejar



Re: libvirt tools and keyfiles

2022-04-02 Thread Linux-Fan

Celejar writes:


> Hi,
>
> I'm trying to use virt-manager / virt-viewer to access the console of
> some qemu / kvm virtual machines on a remote system over ssh. I have
> public key access to root@remote_system. When I do:
>
> virt-manager -c 'qemu+ssh://root@remote_system/system?keyfile=path_to_private_key'
>
> the connection to libvirt on the remote system comes up fine, and I can
> see the various VMs running there, but when I try to access a VM
> console (via the "Open" button or "Edit / Virtual Machine Details"), I
> get prompted for the password for "root@remote_system" (which doesn't
> even work, since password access is disabled in the ssh server
> configuration).


What do you insert for `remote_system`? A hostname or an IP?

IIRC I once tried to use an IP address directly
(qemu+ssh://u...@192.168.yyy.yyy), and while it would perform the initial
connection successfully, subsequent actions would query me for
the password of (user@masysma-...) i.e. change from IP-address-based (which
was configured to use a key in .config/ssh) to hostname based (for which the
key was not specified in the config). I solved this by adding the hostname to
/etc/hosts and configuring SSH and my virt-manager connection to use the
hostnames rather than IP addresses.

I also remember that I had to add the connection to my GUI user's .ssh/config
AND my root user's .ssh/config. In my case, I am not specifying the keyfile
as part of the connection, though.


HTH
Linux-Fan



Re: libvirt tools and keyfiles

2022-04-02 Thread Richard Hector




On 2022-04-01, Celejar wrote:

> What is going on here? Since I'm specifying a keyfile on the command
> line, and it's being used - otherwise I wouldn't even get the list of
> VMs - why am I being prompted for the password?
>
> Celejar


Apologies for replying to the wrong message - I've deleted the original.

Are you really getting prompted for the password for the host system? 
You're not talking about the login prompt on the console of the VM?


Also, by adding my normal user on the host system to the libvirt group, 
it's not necessary to ssh as root - I can just use my normal user. In 
fact I don't allow root logins, so I can't directly test your commands.


Oh, and I assume the doubled '-c' is a typo :-)

Cheers,
Richard



Re: libvirt tools and keyfiles

2022-04-02 Thread Curt
On 2022-04-01, Celejar  wrote:
>
>
> What is going on here? Since I'm specifying a keyfile on the command
> line, and it's being used - otherwise I wouldn't even get the list of
> VMs - why am I being prompted for the password?
>
> Celejar
>
>

Aren't you required to copy the key over to the remote machine
('ssh-copy-id')?

 



Re: libvirt tools and keyfiles

2022-04-02 Thread didier gaumet



Hello,

Disclaimer: I do not use ssh, nor remote virtual machines, so this is
far from an expert answer :-)

You could be confronted with several possible problems:
- root access: you could try using an ordinary user instead
- "system" problem: virt-manager/virt-viewer propose "system" and
"session" options and in this case, trying an ordinary user "session"
instead of a root "system" could be beneficial
- ssh tunnel or not (virt-manager/virt-viewer have different options
for that)
- double authentication: "When using a SSH tunnel to connect to a SPICE
console, it's recommended to have ssh-agent running to avoid getting
multiple authentication prompts."

(take a look at virsh, virt-manager, virt-viewer manpages)





libvirt tools and keyfiles

2022-04-01 Thread Celejar
Hi,

I'm trying to use virt-manager / virt-viewer to access the console of
some qemu / kvm virtual machines on a remote system over ssh. I have
public key access to root@remote_system. When I do:

virt-manager -c 'qemu+ssh://root@remote_system/system?keyfile=path_to_private_key'

the connection to libvirt on the remote system comes up fine, and I can
see the various VMs running there, but when I try to access a VM
console (via the "Open" button or "Edit / Virtual Machine Details"), I
get prompted for the password for "root@remote_system" (which doesn't
even work, since password access is disabled in the ssh server
configuration).

The same thing happens when I run:

virt-viewer -c -c 'qemu+ssh://root@remote_system/system?keyfile=path_to_private_key'

a list of VMs on the remote system pops up, but when I select one, I
get the password prompt.

What is going on here? Since I'm specifying a keyfile on the command
line, and it's being used - otherwise I wouldn't even get the list of
VMs - why am I being prompted for the password?

Celejar