VNC Details for ConVirt
This page describes details about how VNC works in a typical ConVirt 2.0 environment.
Terminology
CMS Server : Physical host running the CMS Server
Managed Server : Server that runs a virtualization platform and one or more virtual machines
VNC Proxy Host : By default, this is the CMS server. (We will assume this simple setup.)
vm-vnc-port : VNC port on which the virtual machine exposes its frame buffer
VNC Details
The connection path for a VNC connection from the browser is as follows.
- Browser/Applet ---tcp/ip--> CMS Server:socat listen:6900-6999 --ssh--> Managed Server:socat --> Managed Server:vm-vnc-port
- On receiving a request to view the console, CMS starts a socat that listens on one of the available ports in the range 6900:6999.
- The browser/applet connects to the port set up by socat on the CMS server.
- On receiving the connection from the applet, socat executes ssh to the managed server using ssh keys and runs another socat there.
- This socat on the managed server, in turn, connects to the vm-vnc-port over the local interface, 127.0.0.1:vm-vnc-port.
This is set up using the following command.
socat -d -d -d -d TCP-LISTEN:6900 EXEC:'/usr/bin/ssh root@srv-001 socat - TCP\:127.0.0.1\:5902' > /tmp/6900_5902_qKhAFc.log 2>&1 &
where 6900 is the port chosen on the CMS server to listen on, srv-001 is the managed server and 5902 is the vm-vnc-port.
You can try this as the CMS Linux user on the CMS server and then start a VNC client as
vncviewer cms_server:6900
Troubleshooting
- If you have not deployed patch bundle #1, please do so. Visit patches for details. [ NOTE : This is only for OSS users. These fixes are folded into the Enterprise Release. ]
- Log in to the CMS server as the Linux user that starts CMS.
- Make sure that ~/.ssh/cms_id_rsa is present. If it does not exist, either something went wrong at the time of CMS installation, or CMS was installed as one user and is being started as another.
- To generate the CMS id,
ssh-keygen -t rsa -f ~/.ssh/cms_id_rsa
chmod 0600 ~/.ssh/cms_id_rsa*
- Run the following command to start ssh-agent and load the key.
eval `ssh-agent -s`
ssh-add ~/.ssh/cms_id_rsa
- Now log in to the managed server from the same shell window.
ssh root@managed-server
- This should NOT prompt for any password. If it does, then there is something wrong with the ssh key setup. There are two ways to fix this. Select one of the two.
a. Edit the server using the ConVirt application. Steps:
   - Log in to the ConVirt application via the browser.
   - Select the managed server from the navigator.
   - Select the 'Edit Server' menu item.
   - Enter the root password for the server and make sure that use_ssh keys is checked.
b. Copy ~/.ssh/cms_id_rsa.pub to the managed server and append it to the ~/.ssh/authorized_keys file.
   scp ~/.ssh/cms_id_rsa.pub root@managed-server:/root/.ssh/vnc_proxy_id_rsa.pub
   ssh root@managed-server (You will be prompted for the password.)
   cat ~/.ssh/vnc_proxy_id_rsa.pub >> ~/.ssh/authorized_keys
- Validate that you can now connect to the managed server without being prompted for a password.
a. If it still does not work, consider disabling SELinux. Here is a relevant HowTo
- Make sure socat is available on the managed server. This is part of "Preparing Managed Server", but if you have not done so, please install it now.
- On the CMS host, open the firewall for ports 6900:6999
iptables -I INPUT -m state --state NEW -p tcp --dport 6900:6999 -j ACCEPT
Use platform-specific instructions to make it survive a reboot.
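
The troubleshooting steps above can be collected into one preflight script. This is an added example, not ConVirt code: the function names and the script name are hypothetical, and it assumes the key is already loaded into ssh-agent as in the steps above.

```shell
#!/bin/sh
# Added example (not ConVirt code): preflight for the VNC tunnel described above.
KEY="${KEY:-$HOME/.ssh/cms_id_rsa}"   # key path used on this page

# The key must exist and have no group/other permission bits (0600 or stricter).
check_key() {
    [ -f "$1" ] || { echo "missing key: $1"; return 1; }
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;
        *) echo "key permissions too open: $1"; return 2 ;;
    esac
}

# The CMS listen port must be numeric and inside 6900-6999.
check_listen_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 6900 ] && [ "$1" -le 6999 ]
}

# BatchMode=yes makes ssh fail instead of prompting for a password.
check_ssh() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" true
}

# socat has to be installed on the managed server as well.
check_remote_socat() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" 'command -v socat' >/dev/null
}

# Print the page's tunnel command for: listen-port managed-server vm-vnc-port.
# The host name is limited to [A-Za-z0-9.-] because it is pasted into EXEC:.
tunnel_cmd() {
    check_listen_port "$1" || return 1
    case "$2" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "socat TCP-LISTEN:$1 EXEC:'/usr/bin/ssh root@$2 socat - TCP\:127.0.0.1\:$3'"
}

# Run every check in order; on success print the command to try by hand.
preflight() {
    check_key "$KEY" || return 1
    check_ssh "$2" || { echo "ssh root@$2 failed or asked for a password"; return 1; }
    check_remote_socat "$2" || { echo "socat not installed on $2"; return 1; }
    tunnel_cmd "$1" "$2" "$3" || { echo "invalid port or host name"; return 1; }
}

# Usage: sh preflight.sh 6900 srv-001 5902
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as the Linux user that starts CMS; each failed check names the troubleshooting step to revisit.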