10.9. Connecting to Virtual Machines and Containers via VNC

You can use your favorite VNC clients to connect to and manage containers and virtual machines. To do this, you need to complete these steps:

  1. (Recommended) Secure VNC connections on the node with SSL.

  2. Enable VNC access in the desired virtual machine or container.

  3. Connect to the virtual machine or container with a VNC client.

The sections below describe these steps in detail.

10.9.1. Securing VNC Connections with SSL

To set up SSL for all VNC connections on the node, do the following:

  1. Acquire an SSL certificate and key from a trusted certificate authority.

    Note

    The key for an SSL certificate should not be protected by a passphrase.

  2. Configure the VNC server to use the certificate and key:

    # prlsrvctl set --vnc-ssl-certificate <path_to_crt_file> --vnc-ssl-key <path_to_key_file>
    

The certificate will protect VNC connections to virtual machines started after executing this command.

If you are replacing an expired certificate, you can apply the new one to running VMs by restarting the dispatcher service:

# systemctl restart prl-disp

To disable VNC encryption, specify empty arguments. For example:

# prlsrvctl set --vnc-ssl-certificate '' --vnc-ssl-key ''

10.9.1.1. Using a Certificate Chain to Encrypt VNC Connections

If you acquire an SSL certificate from an intermediate certificate authority (CA), you will get an end-user certificate along with a CA bundle that contains the root and intermediate certificates. To be able to use these certificates for VNC encryption, you need to merge them into a chain first. A certificate chain includes the end-user certificate, the certificates of intermediate CAs, and the certificate of a trusted root CA. In this case, an SSL certificate can only be trusted if every certificate in the chain is properly issued and valid.

For example, if you have an end-user certificate, two intermediate CA certificates, and a root CA certificate, you can encrypt all VNC connections on the node as follows:

  1. Create a new certificate file and include all certificates in it in the following order:

    # End-user certificate issued by the intermediate CA 1
    -----BEGIN CERTIFICATE-----
    MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1X<...>
    -----END CERTIFICATE-----
    # Intermediate CA 1 certificate issued by the intermediate CA 2
    -----BEGIN CERTIFICATE-----
    MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9ON9<...>
    -----END CERTIFICATE-----
    # Intermediate CA 2 certificate issued by the root CA
    -----BEGIN CERTIFICATE-----
    MIIC8jCCAdqgAwIBAgICZngwDQYJKoZIhvcN<...>
    -----END CERTIFICATE-----
    # Root CA certificate
    -----BEGIN CERTIFICATE-----
    MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqG<...>
    -----END CERTIFICATE-----
    
  2. Specify the full paths to the newly created certificate file and the private key for the end-user certificate in the following command:

    # prlsrvctl set --vnc-ssl-certificate <path_to_crt_chain> --vnc-ssl-key <path_to_key_file>
    

10.9.1.2. Securing Previously Enabled VNC Connections

If you enable VNC in a virtual environment and then install an SSL certificate, that VE will not use encryption until you do the following:

  1. Stop the virtual environment:

    # prlctl stop MyVE
    
  2. Disable VNC in the virtual environment:

    # prlctl set MyVE --vnc-mode off
    
  3. Re-enable VNC in the virtual environment as described in the next two sections.

  4. Start the virtual environment:

    # prlctl start MyVE
    

Now SSL encryption is applied to the VNC traffic to and from the virtual environment.

10.9.2. Enabling VNC Access to Virtual Machines and Containers

To enable VNC access to a virtual machine or container, do the following:

  • Select a VNC mode: auto or manual.

  • Set a password to secure your VNC connection or choose to disable it.

  • Specify a TCP port number on the host that will be used to listen to VNC connections.

The port number must be unique. In the auto mode, unique port numbers are assigned automatically. In the manual mode, you need to make sure that port numbers are unique.

A VNC port can be set for both running and stopped virtual machines and containers. The VNC mode and password can only be set for stopped virtual environments.

You can perform all these operations with a single command. For example:

# prlctl set MyVM --vnc-mode manual --vnc-passwd XXXXXXXX --vnc-port 5901

Or

# prlctl set MyVM --vnc-mode auto --vnc-passwd XXXXXXXX

10.9.3. Connecting with a VNC Client

After you have enabled VNC access to the virtual machine or container, you can connect to it with your favorite VNC client. To do this, you need to pass the following parameters to the VNC client:

  • IP address of the server where the virtual machine or container is hosted.

  • Port number and password you specified when enabling VNC access.

  • Valid user account in the virtual machine or container.

You can set the VNC address that newly created VMs will use:

# prlsrvctl set --vnc-default-address <ip>

You can also set a VNC address for an existing VM:

# prlctl set MyVM --vnc-address <address>

You can copy and paste text into your virtual environment. To enable or disable copying to the clipboard, use the following command:

# prlsrvctl set --vnc-clipboard <on|off>

To be able to copy and paste text into a virtual environment, do the following:

  1. Stop the dispatcher on the node:

    # systemctl stop prl-disp.service

    Note

    While the dispatcher is stopped, you cannot manage VMs and containers or collect their statistics. Running VMs and containers are not stopped.

  2. In /etc/vz/dispatcher.xml, set EnableClipboard to 1.

  3. Start the dispatcher:

    # systemctl start prl-disp.service

  4. Install the SPICE agent into the virtual environment.

    On Linux, you can install the spice-vdagent package. On Windows, you can install the corresponding SPICE agent binary.

    If you deploy virtual environments from ready images, consider adding the SPICE agent to them to have this functionality out of the box.

Note

After the dispatcher configuration is edited, the change applies only to newly created VMs. If you already have a VM that requires VNC copy-and-paste functionality, do the following:

  1. Open the VM configuration for editing with virsh edit.

  2. For a Windows or Linux VM, add the following at the end of the file, before the closing </domain> tag:

    <qemu:commandline>
      <qemu:arg value='-chardev'/>
      <qemu:arg value='qemu-vdagent,id=vdagent,clipboard=on'/>
      <qemu:arg value='-device'/>
      <qemu:arg value='virtserialport,chardev=vdagent,name=com.redhat.spice.0'/>
    </qemu:commandline>

Note the following:

  • With copying and pasting enabled, virtual environments cannot be migrated live to older versions of Virtuozzo Hybrid Server.

  • The SPICE agent requires a graphical user interface (GUI), e.g., X Window System on Linux.

  • Not all VNC clients fully support copy and paste functionality.