10.5. Connecting to Virtual Machines and Containers via VNC
You can use your favorite VNC clients to connect to and manage containers and virtual machines. To do this, you need to complete these steps:
- (Recommended) Secure VNC connections on the node with SSL.
- Enable VNC access in the desired virtual machine or container.
- Connect to the virtual machine or container with a VNC client.
The sections below describe these steps in detail.
10.5.1. Securing VNC Connections with SSL
To set up SSL for all VNC connections on the node, do the following:
- Acquire an SSL certificate and key from a trusted certificate authority. The key for the SSL certificate should not be protected by a passphrase.
- Configure the VNC server to use the certificate and key:
# prlsrvctl set --vnc-ssl-certificate <path_to_crt_file> --vnc-ssl-key <path_to_key_file>
The certificate will protect VNC connections to virtual machines started after executing this command.
If you are replacing an expired certificate, you can apply the new one to running VMs by restarting the dispatcher service:
# systemctl restart prl-disp
To disable VNC encryption, specify empty arguments. For example:
# prlsrvctl set --vnc-ssl-certificate '' --vnc-ssl-key ''
10.5.1.1. Using a Certificate Chain to Encrypt VNC Connections
If you acquire an SSL certificate from an intermediate certificate authority (CA), you will get an end-user certificate along with a CA bundle that contains the root and intermediate certificates. To be able to use these certificates for VNC encryption, you need to merge them into a chain first. A certificate chain includes the end-user certificate, the certificates of intermediate CAs, and the certificate of a trusted root CA. In this case, an SSL certificate can only be trusted if every certificate in the chain is properly issued and valid.
For example, if you have an end-user certificate, two intermediate CA certificates, and a root CA certificate, you can encrypt all VNC connections on the node as follows:
- Create a new certificate file and include all certificates in it in the following order:
# End-user certificate issued by the intermediate CA 1
-----BEGIN CERTIFICATE-----
MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1X<...>
-----END CERTIFICATE-----
# Intermediate CA 1 certificate issued by the intermediate CA 2
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9ON9<...>
-----END CERTIFICATE-----
# Intermediate CA 2 certificate issued by the root CA
-----BEGIN CERTIFICATE-----
MIIC8jCCAdqgAwIBAgICZngwDQYJKoZIhvcN<...>
-----END CERTIFICATE-----
# Root CA certificate
-----BEGIN CERTIFICATE-----
MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqG<...>
-----END CERTIFICATE-----
- Specify the full paths to the newly created certificate file and the private key for the end-user certificate in the following command:
# prlsrvctl set --vnc-ssl-certificate <path_to_crt_chain> --vnc-ssl-key <path_to_key_file>
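The script below is an added example and is not part of the Virtuozzo documentation or the prlsrvctl tool. It assembles the chain file in the order shown above (end-user certificate, intermediates in issuing order, root last), refuses a passphrase-protected key, verifies the chain and the key match with openssl when it is installed, and only then runs the prlsrvctl command from this section. The function names, the assumption that each input file holds exactly one PEM certificate, and the paths in the usage comment are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Virtuozzo documentation): assemble the chain
# file in the order the dispatcher expects and sanity-check the key before
# handing both to prlsrvctl. Assumption: each input file holds one PEM cert.
set -u

PEM_BEGIN='-----BEGIN CERTIFICATE-----'

# count_pem_certs FILE: print how many PEM certificate blocks FILE contains.
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- "$PEM_BEGIN" "$1" || true
}

# build_vnc_chain OUT LEAF [INTERMEDIATE...] ROOT
# Concatenate the certificates in chain order: the end-user (leaf) certificate
# first, then each intermediate CA in issuing order, and the root CA last.
build_vnc_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if [ "$(count_pem_certs "$f")" != 1 ]; then
            echo "build_vnc_chain: $f must contain exactly one PEM certificate" >&2
            return 1
        fi
        cat -- "$f" >> "$out"
        # Keep the next block on its own line even if $f lacks a trailing newline.
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# check_vnc_key KEY: prlsrvctl cannot prompt for a passphrase, so reject an
# encrypted key (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
check_vnc_key() {
    [ -f "$1" ] || { echo "check_vnc_key: $1: no such file" >&2; return 1; }
    if grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' -- "$1"; then
        echo "check_vnc_key: $1 is passphrase-protected; decrypt it first" >&2
        return 1
    fi
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# verify_vnc_chain CHAIN KEY: offline check with openssl (skipped if openssl is
# absent). The first certificate must validate up to the last one in CHAIN,
# and KEY must carry the same public key as the first certificate.
verify_vnc_chain() {
    chain=$1; key=$2
    if ! command -v openssl >/dev/null 2>&1; then
        echo "verify_vnc_chain: openssl not found, skipping" >&2
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    # First PEM block is the leaf; the last one is the root we treat as trusted.
    openssl x509 -in "$chain" -out "$tmp/leaf.pem" || { rm -rf "$tmp"; return 1; }
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' \
        "$chain" > "$tmp/root.pem"
    openssl verify -CAfile "$tmp/root.pem" -untrusted "$chain" "$tmp/leaf.pem" >/dev/null
    rc=$?
    if [ "$rc" -eq 0 ]; then
        leaf_pub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
        key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
        if [ "$leaf_pub" != "$key_pub" ]; then
            echo "verify_vnc_chain: $key does not match the end-user certificate" >&2
            rc=1
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}

# apply_vnc_ssl CHAIN KEY: run the checks, then the prlsrvctl command from this
# section. VMs started afterwards use SSL; restart prl-disp for running ones.
apply_vnc_ssl() {
    check_vnc_key "$2" && verify_vnc_chain "$1" "$2" || return 1
    prlsrvctl set --vnc-ssl-certificate "$1" --vnc-ssl-key "$2"
}

# Usage on the node (hypothetical paths):
#   build_vnc_chain /etc/vz/vnc/chain.pem leaf.pem inter1.pem inter2.pem root.pem
#   apply_vnc_ssl /etc/vz/vnc/chain.pem /etc/vz/vnc/server.key
```

The chain check trusts only the last certificate in the file, so a bundle that was pasted in the wrong order, or that omits the root, fails before prlsrvctl ever sees it; the public-key comparison catches the common mistake of pairing the new certificate with the previous key.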
10.5.1.2. Securing Previously Enabled VNC Connections
If you enable VNC in a virtual environment (VE) and then install an SSL certificate, that VE will not use encryption until you do the following:
- Stop the virtual environment:
# prlctl stop MyVE
- Disable VNC in the virtual environment:
# prlctl set MyVE --vnc-mode off
- Re-enable VNC in the virtual environment as described in the next two sections.
- Start the virtual environment:
# prlctl start MyVE
SSL encryption is now applied to the VNC traffic to and from the virtual environment.
10.5.2. Enabling VNC Access to Virtual Machines
To enable VNC access to a virtual machine, you need to do the following:
- Enable VNC support in the virtual machine.
- Specify the TCP port number on the physical server that will be used to listen for VNC connections to the virtual machine. A unique port number must be specified for each virtual machine you plan to connect to via VNC.
- Set a password to secure your VNC connection.
You can perform all these operations with a single command. For example:
# prlctl set MyVM --vnc-mode manual --vnc-port 5901 --vnc-passwd XXXXXXXX
The changes will come into effect on the next virtual machine start.
10.5.3. Enabling VNC Access to Containers
To enable VNC access to a container, you need to do the following:
- Make sure you have a valid user account in the container to be able to log into it.
- Make sure the container is running.
- Set the VNC mode and password for the container, as well as the TCP port number on the physical server that will be used to listen for VNC connections to the container. For example:
# prlctl set MyCT --vnc-mode manual --vnc-port 6501 --vnc-passwd XXXXXXXX
The port number must be unique for each container you open VNC access to. In auto mode, correct port numbers are assigned automatically; in manual mode, you need to make sure the port numbers are unique yourself.
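The script below is an added example, not part of the Virtuozzo documentation or of prlctl. It wraps the `prlctl set ... --vnc-mode manual` command from sections 10.5.2 and 10.5.3 with the port-uniqueness check that manual mode leaves to the administrator, and it chains the stop / VNC off / re-enable / start sequence from section 10.5.1.2 into one function. The port registry file, its "NAME PORT" line format, the 1024..65535 port range and all function names are the example's own assumptions; prlctl maintains no such file.

```shell
#!/bin/sh
# Added example (not part of the Virtuozzo documentation): manual-mode VNC
# enabling with a uniqueness check, plus the re-securing sequence from
# section 10.5.1.2. Assumption: manual-mode assignments are tracked in a
# plain-text registry of "NAME PORT" lines at $VNC_PORT_REGISTRY (this
# example's convention, not prlctl's).
set -u
: "${VNC_PORT_REGISTRY:=/var/lib/vnc-ports.txt}"   # hypothetical default path

# valid_port PORT: 0 if PORT is an integer in 1024..65535 (assumed usable range).
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# port_taken NAME PORT: 0 if the registry already assigns PORT to another VE.
port_taken() {
    [ -f "$VNC_PORT_REGISTRY" ] || return 1
    awk -v n="$1" -v p="$2" '$1 != n && $2 == p { found = 1 } END { exit !found }' "$VNC_PORT_REGISTRY"
}

# port_listening PORT: 0 if a socket on this host already listens on TCP PORT.
# This also catches ports held by running VEs or unrelated services that the
# registry cannot see. Reports "not listening" when neither ss nor netstat exists.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    else
        return 1
    fi
}

# enable_vnc NAME PORT PASSWORD: the prlctl command from sections 10.5.2/10.5.3
# with the checks in front of it; records the assignment on success.
enable_vnc() {
    name=$1; port=$2; passwd=$3
    valid_port "$port" || { echo "enable_vnc: '$port' is not a usable TCP port" >&2; return 1; }
    [ -n "$passwd" ] || { echo "enable_vnc: refusing an empty VNC password" >&2; return 1; }
    if port_taken "$name" "$port"; then
        echo "enable_vnc: port $port is already assigned to another VE" >&2
        return 1
    fi
    if port_listening "$port"; then
        echo "enable_vnc: port $port is already in use on this host" >&2
        return 1
    fi
    prlctl set "$name" --vnc-mode manual --vnc-port "$port" --vnc-passwd "$passwd" || return 1
    # Drop any previous entry for this VE, then append the new assignment.
    { [ ! -f "$VNC_PORT_REGISTRY" ] || awk -v n="$name" '$1 != n' "$VNC_PORT_REGISTRY"
      echo "$name $port"; } > "$VNC_PORT_REGISTRY.tmp" && mv "$VNC_PORT_REGISTRY.tmp" "$VNC_PORT_REGISTRY"
}

# resecure_vnc NAME PORT PASSWORD: apply a newly installed certificate to a VE
# whose VNC access predates it (stop, switch VNC off, enable it again, start).
resecure_vnc() {
    prlctl stop "$1" || return 1
    prlctl set "$1" --vnc-mode off || return 1
    enable_vnc "$1" "$2" "$3" || return 1
    prlctl start "$1"
}

# Usage on the node as root, e.g.:
#   enable_vnc MyCT 6501 "$VNC_PASSWORD"
#   resecure_vnc MyVE 5901 "$VNC_PASSWORD"
```

Two points worth noting: the registry only knows about ports this wrapper handed out, so the listening-socket check is what catches a port already bound by a running VE that was configured by hand; and, exactly as with the page's own command, the password passes through the prlctl command line, so prefer reading it from a variable or file rather than typing it into a shell whose history is kept.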
10.5.4. Connecting with a VNC Client
After you have enabled VNC access to the virtual machine or container, you can connect to it with your favorite VNC client. To do this, you need to pass the following parameters to the VNC client:
- IP address of the server where the virtual machine or container is hosted.
- Port number and password you specified when enabling VNC access.
- Valid user account in the virtual machine or container.