Continuing on this foolish path to manage some virtual machines on a remote host with TLS and peer authentication, here I'm going to configure VNC.
The trick here is we're really configuring
itself provides the VNC server. On my Debian system the default configuration
/etc/libvirt/qemu.conf. By default, TLS for VNC is not
vnc_listen = "0.0.0.0" vnc_tls = 1 vnc_tls_x509_verify = 1
The default certificates directories are either the default
/etc/pki/qemu/ca-cert.pem /etc/pki/qemu/server-cert.pem /etc/pki/qemu/server-key.pem
qemu VNC certificate directory.
/etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
I chose to copy them to the latter.
VNC ports are allocated by
qemu starting a port 5900 by default. I'm going to
assume these are reused when either a domain is destroyed or deleted and
allowed the port range 5900:5910 through the firewall.
I could only find limited documentation about where
virt-viewer expects the certificates to be installed for
making VNC connections. I ended up using
strace to see where it was trying to
read them from.
I was a bit surprised to find they actually expect the client certificates in
different paths. Here is where
virt-manager reads certificates.
~/.pki/CA/cacert.pem ~/.pki/libvirt-vnc/clientcert.pem ~/.pki/libvirt-vnc/private/clientkey.pem
virt-viewer here, which partially overlaps where libvirt reads its
~/.pki/CA/cacert.pem ~/.pki/libvirt/clientcert.pem ~/.pki/libvirt/private/clientkey.pem
After copying the missing certificates we should be ready to go.
To create a new virtual machines with a graphical installer, which is what I wanted to do, I still need to download the installer ISO disk image on the server.
$ wget https://channels.nixos.org/nixos-23.05/latest-nixos-gnome-x86_64-linux.iso -P /var/kvm/installers/
I can also script the virtual machine creation with
virt-install which will
virt-viewer VNC client. A list of possible
can be found run running
virt-install --osinfo list.
$ virt-install \ --connect 'qemu+tls://hypervisor.tarnbarford.net:16514/system' \ --name demo \ --memory 2048 \ --vcpus 2 \ --disk size=20 \ --cdrom /var/kvm/installers/latest-nixos-gnome-x86_64-linux.iso \ --boot cdrom,hd \ --os-variant nixos-22.05 \ --graphics vnc Starting install... Allocating 'demo.qcow2' | 3.1 MB 00:00:03 ... Creating domain... | 0 B 00:00:00 Running graphical console command: virt-viewer --connect qemu+tls://hypervisor.tarnbarford.net:16514/system --wait demo
virt-viewer window appears displying the install media boot screen.
This is pretty great, I can now quickly and easily create new virtual machines on the server and immediately connect to their display and input devices using VPN client.
I'm still not fully satisfied, when I create virtual machines on my laptop I always prefer SPICE over VPN. The main reason is that SPICE has a feature "Redirect USB device" which works really well for many of my workflows that rely on my USB security key. The reason I didn't setup SPICE initially is that it doesn't support TLS peer authentication (!). I have an idea how I could make this work which I'd like to try, but I'll leave that for another time.