07 February 2019

KVM Virtualization, VMM, and Spice on Ubuntu

Topics: Linux, Debian and Ubuntu
Tags: kvm, spice
Linux Kernel Virtualization (KVM) is a great, free tool for running a virtual environment for a home lab or small business. Linode and DigitalOcean, two of the most popular independent virtual hosting providers, both use KVM (with a lot of custom in-house tooling). While it is powerful and free, it isn't always as slick and polished as VMware Workstation on Windows.

The first issue you’re going to encounter is that the networking setup is a little complex and manual. My first recommendation is that on your host you’ll want to install ifupdown and resolvconf to switch away from NetPlan if your host is on NetPlan. There are plenty of other guides and articles that will help you install and configure Bridged Networking.

Another issue you’ll encounter is that video performance is pretty poor if you’re trying to create a Virtual Desktop environment. The current workaround is to install extra video cards to give each virtual desktop a dedicated video card. I’ve read that improvements are in the works, but I’m still running Windows on hardware, not KVM (I rarely need Windows anyway).

KVM supports two virtual display drivers: VNC and Spice. The newer Spice driver offers better performance than legacy VNC. However, Virtual Machine Manager (VMM) does not work well with Spice on Debian-based distros. I’ve gotten it to work occasionally, and hunted the internet for fixes when it doesn’t; by occasionally I mean it literally worked at random some of the time, not that I got it working and some update broke it. Meanwhile, the popular remote desktop viewers, Gnome’s Vinaigre, KDE’s Remote Viewer, and Remmina, all support Spice.

To use another viewer, open a virtual machine in VMM; the tab will open with the connection error. Click the information icon and scroll down to Display Spice to see what port it is on. Then you can open your preferred viewer to make the connection.

By default, Spice uses unencrypted communications. If you have the host listen on all interfaces, anyone who can reach the host will be able to connect to your Spice console and, if you left a session logged in, have immediate access to that session. When you create a new virtual machine, you’ll want to confirm that it is listening only for local connections. I always review a newly created VM before starting it.

The first time you try this you might want to let your vm listen for spice on all interfaces (if your workstation and virtualization host are different machines). After that, you’ll want to use an ssh tunnel to the virtualization host to connect to the spice session, and make sure all of your guests are only listening for spice locally.

If you want to secure Spice without using ssh tunnels, you’ll need to install a certificate and configure the Spice server to use it; optionally, you can also add client certificates. You can add a password to your virtual machines by specifying passwd="****" in the <graphics ….> tag that assigns the port.

Another issue is that your hosts will be randomly assigned ports for the Spice viewer, beginning with the VNC port of 5900. To see what ports are in use, you can have virsh pass commands through to qemu-monitor, which is a useful trick to remember any time you are trying to get information not directly available through documented virsh commands.

virsh qemu-monitor-command $host --hmp info spice

Assigning the Spice Port

While you can do this through VMM, I prefer to edit the config file directly. On the virtualization host, run ‘virsh edit hostname’.

Find the section:

<graphics type='spice' autoport='yes'>
  <listen type='address'/>
</graphics>

and replace it:

<graphics type='spice' port='6001' autoport='no' listen='127.0.0.1'>
  <listen type='address' address='127.0.0.1'/>
</graphics>

I start my manually numbered ports at 6000 to stay far away from the auto-assigned ports which begin at 5900.

After saving the change you should be able to see the changed XML file in /etc/libvirt/qemu (qemu is an older emulator which still provides a lot of functionality to kvm; the two have become entwined, though it is still possible to use qemu without kvm).
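
To check the listen settings discussed above across guests, the following added example (not part of the original post, and not the lsspice script) parses domain XML and reports whether each Spice listener is bound to loopback. The function names and the three sample domains are hypothetical and constructed for illustration, modelled on the graphics sections shown in this post.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample domains (hypothetical names), modelled on the XML in this post.
SAMPLE_DEFAULT = """<domain type='kvm'><name>demo-default</name><devices>
  <graphics type='spice' autoport='yes'><listen type='address'/></graphics>
</devices></domain>"""
SAMPLE_EXPOSED = """<domain type='kvm'><name>demo-exposed</name><devices>
  <graphics type='spice' autoport='yes' listen='0.0.0.0'>
    <listen type='address' address='0.0.0.0'/></graphics>
</devices></domain>"""
SAMPLE_LOCAL = """<domain type='kvm'><name>demo-local</name><devices>
  <graphics type='spice' port='6001' autoport='no' listen='127.0.0.1'>
    <listen type='address' address='127.0.0.1'/></graphics>
</devices></domain>"""


def classify(addr):
    """LOCAL for loopback, EXPOSED otherwise, UNSET when the XML gives no address."""
    if not addr:
        return "UNSET"  # the host-wide libvirt default applies; check it separately
    try:
        return "LOCAL" if ipaddress.ip_address(addr).is_loopback else "EXPOSED"
    except ValueError:
        return "EXPOSED"  # a hostname cannot be proven local here, so flag it


def audit_spice(domain_xml):
    """Return one finding per listen address of every spice <graphics> element."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="(unnamed)")
    findings = []
    for gfx in root.iterfind("./devices/graphics[@type='spice']"):
        # Prefer nested <listen type='address'>; fall back to the listen attribute.
        addrs = [el.get("address") for el in gfx.findall("listen")
                 if el.get("type") == "address" and el.get("address")]
        for addr in addrs or [gfx.get("listen")]:
            findings.append({"vm": name, "listen": addr, "status": classify(addr),
                             "port": gfx.get("port"),
                             "autoport": gfx.get("autoport") == "yes"})
    return findings


if __name__ == "__main__":
    for xml_text in (SAMPLE_DEFAULT, SAMPLE_EXPOSED, SAMPLE_LOCAL):
        for f in audit_spice(xml_text):
            print(f"{f['vm']:14} {f['status']:8} listen={f['listen']} "
                  f"port={f['port']} autoport={f['autoport']}")
```

On a real host, pass audit_spice() the output of virsh dumpxml for each guest; anything reported as EXPOSED, or still on autoport, is a candidate for the edit described above.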

I’ve also written a short script to list the VMs and their spice listening ports from a shell on the hosting server. Save this in your path as lsspice.

lsspice source at https://gist.github.com/brainbuz/3fb0139a2116ede60e687bf372379592