Using Spice in a KVM virtual machine, part 2 (USB mapping, SSL, password, multi-client support)

Source: Internet
Author: User
Tags: openssl rsa, openssl x509

1 Spice USB redirection

1.1 Introduction

With USB redirection, a USB device plugged into the client is redirected to the virtual machine. There are two modes: automatic redirection (every USB device plugged into the client is redirected) or manual selection of the USB device that should be redirected.

USB redirection requires adding a USB2 EHCI controller to the virtual machine. The number of Spice channels (usbredir chardevs) determines how many USB devices a client can redirect to the guest at the same time.

For more information:

http://people.freedesktop.org/~teuf/spice-doc/html/ch02s06.html

http://www.spice-space.org/page/UsbRedir

http://fedoraproject.org/wiki/Features/UsbNetworkRedirection

1.2 Installing software on the server
Packages required on the server (the source shows them as the output of grep usb over the installed package list; the libusb version number is truncated there):

usbredir-0.5.1-1.el6.x86_64
libusb-0.1. el6.x86_64
usbutils-003-4.el6.x86_64
libusb1-1.0.9-0.6.rc1.el6.x86_64
1.3 Adding USB redirection drivers to the virtual machine XML file
# First shut down the virtual machine, then edit its XML file and add the following tags

<!-- remove the other USB controllers from the XML file, then add the following section -->
<controller type='usb' index='0' model='ich9-ehci1'/>
<controller type='usb' index='0' model='ich9-uhci1'>
  <master startport='0'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci2'>
  <master startport='2'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci3'>
  <master startport='4'/>
</controller>
<redirdev bus='usb' type='spicevmc'/>
<redirdev bus='usb' type='spicevmc'/>
<redirdev bus='usb' type='spicevmc'/>
<redirdev bus='usb' type='spicevmc'/>

Section 1.3 adds the USB controllers through the XML file; the equivalent command-line parameters (when the virtual machine is started directly with the qemu-kvm command line) are:

-device ich9-usb-ehci1,id=usb \
-device ich9-usb-uhci1,masterbus=usb.0,firstport=0,multifunction=on \
-device ich9-usb-uhci2,masterbus=usb.0,firstport=2 \
-device ich9-usb-uhci3,masterbus=usb.0,firstport=4 \
-chardev spicevmc,name=usbredir,id=usbredirchardev1 \
-device usb-redir,chardev=usbredirchardev1,id=usbredirdev1 \
-chardev spicevmc,name=usbredir,id=usbredirchardev2 \
-device usb-redir,chardev=usbredirchardev2,id=usbredirdev2 \
-chardev spicevmc,name=usbredir,id=usbredirchardev3 \
-device usb-redir,chardev=usbredirchardev3,id=usbredirdev3
1.4 Client Configuration

The client connection tool is virt-viewer.

The Windows 7 build of virt-viewer does not support USB redirection by default and has to be recompiled manually; on Linux, build virt-viewer from source to get USB redirection support.

virt-viewer source: http://virt-manager.org/download/sources/virt-viewer/virt-viewer-1.0.tar.gz

virt-viewer Windows client: http://virt-manager.org/download/sources/virt-viewer/virt-viewer-x64-1.0.msi

2 Spice dual protection with TLS and a password

By default, data between the client and the virtual machine is transmitted unencrypted. The following steps encrypt the connection between the client and the virtual machine with TLS.

2.1 Generate the CA certificate and the server certificate

2.1.1 Create the certificate store directory

cd /etc/pki
mkdir libvirt-spice
cd libvirt-spice
2.1.2 Create a certificate using the following script

Note: the script generates the ca-cert.pem file, and the value of the "SUBJECT" variable printed at the end must be copied to the client.

#!/bin/bash
SERVER_KEY=server-key.pem

# creating a key for our CA (1024-bit keys as in the original script; 2048 bits or more is current practice)
if [ ! -e ca-key.pem ]; then
    openssl genrsa -des3 -out ca-key.pem 1024
fi
# creating a CA
if [ ! -e ca-cert.pem ]; then
    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
fi
# create server key
if [ ! -e $SERVER_KEY ]; then
    openssl genrsa -out $SERVER_KEY 1024
fi
# create a certificate signing request (CSR)
if [ ! -e server-key.csr ]; then
    openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
fi
# signing our server certificate with this CA
if [ ! -e server-cert.pem ]; then
    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
fi
# now create a key that doesn't require a passphrase
openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
mv $SERVER_KEY $SERVER_KEY.secure
mv $SERVER_KEY.insecure $SERVER_KEY

# show the results (no other effect)
openssl rsa -noout -text -in $SERVER_KEY
openssl rsa -noout -text -in ca-key.pem
openssl req -noout -text -in server-key.csr
openssl x509 -noout -text -in server-cert.pem
openssl x509 -noout -text -in ca-cert.pem

# copy *.pem files to /etc/pki/libvirt-spice
if [[ -d "/etc/pki/libvirt-spice" ]]; then
    cp ./*.pem /etc/pki/libvirt-spice
else
    mkdir /etc/pki/libvirt-spice
    cp ./*.pem /etc/pki/libvirt-spice
fi

# echo SUBJECT (the value the client must pass as --spice-host-subject)
echo "SUBJECT is:" \"`openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "`\"
2.2 Loading the certificate on the host

# By default both VNC and Spice listen on 127.0.0.1, so they cannot be reached from the network.

# The settings below make every virtual machine open two ports by default, a plain port and a secure port using SSL encryption, listening on all addresses.

# vim /etc/libvirt/qemu.conf
spice_listen = "0.0.0.0"
spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
spice_password = "123456"

# restart libvirtd to load the certificate
/etc/init.d/libvirtd restart
2.3 Setting the password and secure port in the virtual machine XML file

The secure port can be configured in the XML file in several ways:

A: <graphics type='spice' autoport='yes' listen='0.0.0.0' passwd='123456'>
B: <graphics type='spice' port='5901' autoport='no' listen='0.0.0.0' passwd='123456'>
C: <graphics type='spice' tlsPort='-1' autoport='no' listen='0.0.0.0' passwd='123456'>

A: Each virtual machine is automatically configured with two ports, a plain port and a secure port, and the port numbers are assigned automatically (5900+n).

B: No automatic port configuration; a plain port is specified manually and the secure port is not opened.

C: No automatic port configuration; only the secure port is opened, and its number is assigned automatically (5900+n).

passwd='123456' enables password authentication: when a client connects to the virtual machine, a password prompt is shown.

2.4 Using Spice encrypted connections from a Windows client

2.4.1 Copy the ca-cert.pem certificate

Copy the ca-cert.pem file generated by the script from the server to a directory on Windows, for example F:\files\ca\

2.4.2 Adding an environment variable in Windows

Variable name: SUBJECT
Variable value: C=IL, L=Raanana, O=Red Hat, CN=my server

# (The variable value is the final output of the script.) Adding the environment variable is not required; it only lets you refer to the value as %SUBJECT% in the command.
2.4.3 Testing the connection from cmd

Open cmd and change to the directory containing remote-viewer.exe, by default C:\Program Files\VirtViewer\bin

# Run the command:
remote-viewer.exe --spice-ca-file F:\ca\ca-cert.pem spice://192.168.11.166?tls-port=5905 --spice-host-subject="%SUBJECT%"

2.5 Using Spice encrypted connections from a Linux client

First install the virt-viewer client, then connect (ca-cert.pem is the CA certificate copied from the server; the source does not show its path):

yum install virt-viewer
remote-viewer --spice-ca-file ca-cert.pem --spice-host-subject 'C=IL,L=Raanana,O=Red Hat,CN=my server' spice://192.168.11.166/?tls-port=5903

# The 'C=IL,L=Raanana,O=Red Hat,CN=my server' part can also be put in a global environment variable SUBJECT to simplify the command
3 Spice multi-client support

3.1 Multi-monitor support

Spice allows a client to use multiple monitors with the same virtual machine. To achieve this, the virtual machine must be configured with several QXL devices (Windows virtual machines) or with one QXL device configured for multiple heads (Linux virtual machines).

To support multiple monitors you must configure the QXL driver for the virtual machine and install QXL driver support (xorg-x11-drv-qxl) inside the guest; see the guest section at http://www.spice-space.org/download.html

3.1.1 Linux virtual machine configuration

For Linux virtual machines, multi-monitor support is enabled by default once the QXL driver is configured. If the Linux distribution is too old, see http://hansdegoede.livejournal.com/12969.html

3.1.2 Windows virtual machine configuration

Edit the XML file, add several video tags, and then restart the virtual machine:

<video>
  <model type='qxl'/>
</video>
<video>
  <model type='qxl'/>
</video>
3.2 Multi-Client Support

Multi-client support allows several users to connect to the same virtual machine at once; see http://www.spice-space.org/page/Features/MultipleClients

3.2.1 Using the QEMU-KVM command line

For virtual machines started from the qemu-kvm command line, you only need to set the following environment variable on the host:

export SPICE_DEBUG_ALLOW_MC=1

Once it is set, start a virtual machine with the qemu-kvm command; a line in the output indicates that Spice has enabled multi-client support.

3.2.2 Using Libvirt
For virtual machines managed by libvirt, setting the environment variable above has no effect; the virtual machine XML file has to be modified instead.
Pass the value of the "SPICE_DEBUG_ALLOW_MC" variable to the virtual machine with the qemu:commandline tag:

<!-- change the first line to the following -->
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
<!-- add the following at a similar location -->
<domain>
  <devices>
  ...
  </devices>
  <qemu:commandline>
    <qemu:env name='SPICE_DEBUG_ALLOW_MC' value='1'/>
  </qemu:commandline>
</domain>

After adding the above, restart the virtual machine for the change to take effect.

To verify that the added parameter is in effect, watch the virtual machine's log output while it starts (the virtual machine here is cos_v1):

tail -f /var/log/libvirt/qemu/cos_v1.log
# below is the output
[date and time garbled in source]:10.763+0000: starting up
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin HOME=/root USER=root LOGNAME=root QEMU_AUDIO_DRV=spice SPICE_DEBUG_ALLOW_MC=1 /usr/libexec/qemu-kvm -name cos_v1 -S -M rhel6.5.0 ......
char device redirected to /dev/pts/7
((null):29858): Spice-Warning **: reds.c:4010:do_spice_init: spice: allowing multiple client connections (crashy)
# the last line shows that the variable was added successfully
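The XML settings from sections 1.3, 2.3 and 3.2.2 decide what a Spice VM exposes on the network. The audit below is an added example (not code from the original post or from libvirt); it parses a constructed domain definition and reports the listener mode (the A/B/C cases), listen address, password, number of USB redirection channels and whether multi-client mode is switched on.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "{http://libvirt.org/schemas/domain/qemu/1.0}"

# Constructed sample (not from the page): 2.3 case A plus the 1.3 usbredir channels and the 3.2.2 flag.
SAMPLE_XML = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <devices>
    <graphics type='spice' autoport='yes' listen='0.0.0.0' passwd='123456'/>
    <redirdev bus='usb' type='spicevmc'/>
    <redirdev bus='usb' type='spicevmc'/>
    <redirdev bus='usb' type='spicevmc'/>
    <redirdev bus='usb' type='spicevmc'/>
  </devices>
  <qemu:commandline>
    <qemu:env name='SPICE_DEBUG_ALLOW_MC' value='1'/>
  </qemu:commandline>
</domain>"""

def audit_spice(xml_text):
    """Summarise how a libvirt domain exposes Spice (ports, listen address, password, USB channels, multi-client)."""
    root = ET.fromstring(xml_text)
    g = root.find("./devices/graphics[@type='spice']")
    if g is None:
        return {"spice": False, "warnings": []}
    autoport = g.get("autoport") == "yes"
    # libvirt treats port/tlsPort -1 as "auto-assign", so the presence of the attribute
    # (cases B and C in 2.3) opens that listener; autoport='yes' (case A) opens both.
    plain_port = autoport or g.get("port") is not None
    tls_port = autoport or g.get("tlsPort") is not None
    listen = g.get("listen")  # None: inherits spice_listen from qemu.conf (section 2.2)
    has_password = bool(g.get("passwd"))
    usb_channels = len(root.findall("./devices/redirdev[@bus='usb'][@type='spicevmc']"))
    multiclient = any(e.get("name") == "SPICE_DEBUG_ALLOW_MC" and e.get("value") == "1"
                      for e in root.findall(f"./{QEMU_NS}commandline/{QEMU_NS}env"))
    warnings = []
    if plain_port:
        warnings.append("plain (unencrypted) Spice port is enabled")
    if listen == "0.0.0.0":
        warnings.append("Spice listens on all interfaces")
    if not has_password:
        warnings.append("no passwd attribute: connections are unauthenticated")
    if multiclient:
        warnings.append("multi-client mode on (upstream marks it 'crashy')")
    return {"spice": True, "plain_port": plain_port, "tls_port": tls_port, "listen": listen,
            "has_password": has_password, "usb_channels": usb_channels,
            "multiclient": multiclient, "warnings": warnings}

if __name__ == "__main__":
    for key, value in audit_spice(SAMPLE_XML).items():
        print(f"{key}: {value}")
```

Run it against `virsh dumpxml <vm>` output to see which of the three listener modes a VM ended up with before exposing it on the network.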
