Serial Port Xenserver

But according to netstat there is no port 7001.

root@xen # netstat -an | grep 7001
root@xen #

Has anyone a clue why? I also noted the -sandbox on,obsolete=deny,elevateprivileges=allow,spawn=deny,resourcecontrol=deny options. I have a feeling that qemu runs in a sort of sandbox or enclosed environment and cannot open the port.

May 25, 2021

Forwarding serial to VMware, Hyper-V or any other environment makes serial port hardware usage more efficient. If you or any applications on the virtual machine you are working on have to have access to a serial port on the host OS, Serial to Ethernet Connector is one of the easiest ways to connect a COM port in a virtual machine. Serial tunneling between two serial devices: serial tunneling enables users to establish a link across Ethernet to a serial port on another terminal server. Back to back: this application is designed to solve a wiring problem. For example, a user needs to replace RS-232, RS-422 or RS-485 wire and run their data over Ethernet without making any.

I have XenServer with a few VMs. Unlike VMware, I can't find how to attach a serial port to a VM. I was hoping to use that for a connection to a Cisco 3560 switch.

Is there any way to forward (pass through) a physical serial port to a XenGuest PV system? I need to be able to configure a serial device with a virtual server on XenServer 6.2. I'm looking for a solution for serial port forwarding. EDIT: It was more reasonable to buy an RS-232 to Ethernet converter.

OpenStack provides a number of different methods to interact with your guests: VNC, SPICE, Serial, RDP or MKS. If configured, these can be accessed by users through the OpenStack dashboard or the command line. This document outlines how these different technologies can be configured.

Overview

It is considered best practice to deploy only one of the console types, and not all console types are supported by all compute drivers. Regardless of what option is chosen, a console proxy service is required. These proxy services are responsible for the following:

  • Provide a bridge between the public network where the clients live and the private network where the servers with consoles live.

  • Mediate token authentication.

  • Transparently handle hypervisor-specific connection details to provide a uniform client experience.

For some combinations of compute driver and console driver, these proxy services are provided by the hypervisor or another service. For all others, nova provides services to handle this proxying. Consider a noVNC-based VNC console connection for example:

  1. A user connects to the API and gets an access_url such as http://ip:port/?path=%3Ftoken%3Dxyz.

  2. The user pastes the URL in a browser or uses it as a client parameter.

  3. The browser or client connects to the proxy.

  4. The proxy authorizes the token for the user, and maps the token to the private host and port of the VNC server for an instance.

    The compute host specifies the address that the proxy should use to connect through the vnc.server_proxyclient_address option. In this way, the VNC proxy works as a bridge between the public network and the private host network.

  5. The proxy initiates the connection to the VNC server and continues to proxy until the session ends.
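The token step in the flow above (steps 1, 4 and 5), as a constructed Python walk-through. This is an added example and not nova's own code: the token store, the ConsoleToken type, the token values, the addresses and the fixed clock NOW are all assumptions; the double-encoded access_url shape is the one shown in step 1.

```python
"""Constructed walk-through of the token step in the console-proxy flow.
Added example, not nova's code: the token store, addresses, token values
and the ConsoleToken type are assumptions. It shows why the private
host:port never appears in the public access_url: the proxy only learns it
by resolving a valid, unexpired token."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class ConsoleToken:
    """What the proxy needs to know about one issued console token."""
    host: str          # private address the compute node published for proxying
    port: int          # VNC port of the instance on that compute node
    instance: str      # instance the token was issued for
    expires_at: float  # absolute expiry (epoch seconds)


# Constructed epoch used as "now" so the example is deterministic.
NOW = 1_700_000_000.0

# Constructed stand-in for the token storage (a database since nova 18.0.0).
TOKEN_STORE = {
    "xyz": ConsoleToken("192.168.50.104", 5900, "instance-a", NOW + 600),
    "expired": ConsoleToken("192.168.50.105", 5901, "instance-b", NOW - 1),
}


def extract_token(access_url: str) -> Optional[str]:
    """Pull the token from an access_url of the form
    http://ip:port/?path=%3Ftoken%3Dxyz.

    The token sits in a query string that is itself percent-encoded inside
    the outer 'path' parameter, so two rounds of parsing are needed. Exactly
    one token value is accepted; anything else is treated as malformed."""
    outer = parse_qs(urlparse(access_url).query)
    path_values = outer.get("path", [])
    if len(path_values) != 1:
        return None
    inner = parse_qs(path_values[0].lstrip("?"))
    tokens = inner.get("token", [])
    return tokens[0] if len(tokens) == 1 else None


def authorize(access_url: str, now: float = NOW) -> Tuple[Optional[Tuple[str, int]], str]:
    """Resolve an access_url to the private (host, port) the proxy should
    connect to. Returns (endpoint, reason); endpoint is None on any failure
    and the reason is what a proxy would log for monitoring purposes."""
    token = extract_token(access_url)
    if token is None:
        return None, "malformed access_url"
    record = TOKEN_STORE.get(token)
    if record is None:
        return None, "unknown token"
    if now >= record.expires_at:
        return None, "expired token"
    return (record.host, record.port), "ok"


if __name__ == "__main__":
    for url in ("http://203.0.113.10:6080/?path=%3Ftoken%3Dxyz",
                "http://203.0.113.10:6080/?path=%3Ftoken%3Dexpired",
                "http://203.0.113.10:6080/?token=xyz"):
        print(url, "->", authorize(url))
```

Two properties of the flow are visible here: the private host and port are never present in the public URL and are only reachable through a valid token, and every refusal carries a reason a proxy would log, which is what makes unknown or expired tokens visible to monitoring.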

This means a typical deployment with noVNC-based VNC consoles will have the following components:

  • One or more nova-novncproxy services. Supports browser-based noVNC clients. For simple deployments, this service typically runs on the same machine as nova-api because it operates as a proxy between the public network and the private compute host network.

  • One or more nova-compute services. Hosts the instances for which consoles are provided.

Todo

The diagram below references nova-consoleauth and needs to be updated.

This particular example is illustrated below.

noVNC-based VNC console

VNC is a graphical console with wide support among many hypervisors and clients. noVNC provides VNC support through a web browser.

Note

It has been reported that versions of noVNC older than 0.6 do not work with the nova-novncproxy service.

If using non-US key mappings, you need at least noVNC 1.0.0 for a fix.

If using VMware ESX/ESXi hypervisors, you need at least noVNC 1.1.0 for a fix.

Configuration

To enable the noVNC VNC console service, you must configure both the nova-novncproxy service and the nova-compute service. Most options are defined in the vnc group.

The nova-novncproxy service accepts the following options:

If using the libvirt compute driver and enabling VNC proxy security, the following additional options are supported:

For example, to configure this via a nova-novncproxy.conf file:


Note

This doesn’t show configuration with security. For information on how to configure this, refer to VNC proxy security below.

The nova-compute service requires the following options to configure noVNC-based VNC console support:

If using the VMware compute driver, the following additional options are supported:

For example, to configure this via a nova.conf file:

Replace IP_ADDRESS with the IP address from which the proxy is accessible by the outside world. For example, this may be the management interface IP address of the controller or the VIP.

VNC proxy security

Deploy the public-facing interface of the VNC proxy with HTTPS to prevent attacks from malicious parties on the network between the tenant user and proxy server. When using HTTPS, the TLS encryption only applies to data between the tenant user and proxy server. The data between the proxy server and Compute node instance will still be unencrypted. To provide protection for the latter, it is necessary to enable the VeNCrypt authentication scheme for VNC in both the Compute nodes and noVNC proxy server hosts.

QEMU/KVM Compute node configuration

Ensure each Compute node running QEMU/KVM with libvirt has a set of certificates issued to it. The following is a list of the required certificates:

  • /etc/pki/libvirt-vnc/server-cert.pem

    An x509 certificate to be presented by the VNC server. The CommonName should match the primary hostname of the compute node. Use of subjectAltName is also permitted if there is a need to use multiple hostnames or IP addresses to access the same Compute node.

  • /etc/pki/libvirt-vnc/server-key.pem

    The private key used to generate the server-cert.pem file.

  • /etc/pki/libvirt-vnc/ca-cert.pem

    The authority certificate used to sign server-cert.pem and sign the VNC proxy server certificates.

The certificates must have v3 basic constraints [2] present to indicate the permitted key use and purpose data.

We recommend using a dedicated certificate authority solely for the VNC service. This authority may be a child of the master certificate authority used for the OpenStack deployment. This is because libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server.

For further details on certificate creation, consult the QEMU manual page documentation on VNC server certificate setup [1].

Configure libvirt to enable the VeNCrypt authentication scheme for the VNC server. In /etc/libvirt/qemu.conf, uncomment the following settings:

  • vnc_tls=1

    This instructs libvirt to enable the VeNCrypt authentication scheme when launching QEMU, passing it the certificates shown above.

  • vnc_tls_x509_verify=1

    This instructs QEMU to require that all VNC clients present a valid x509 certificate. Assuming a dedicated certificate authority is used for the VNC service, this ensures that only approved VNC proxy servers can connect to the Compute nodes.

After editing qemu.conf, the libvirtd service must be restarted:

Changes will not apply to any existing running guests on the Compute node, so this configuration should be done before launching any instances.


noVNC proxy server configuration

The noVNC proxy server initially only supports the none authentication scheme, which does no checking. Therefore, it is necessary to enable the vencrypt authentication scheme by editing the nova.conf file to set.

The vnc.auth_schemes values should be listed in order of preference. If enabling VeNCrypt on an existing deployment which already has instances running, the noVNC proxy server must initially be allowed to use vencrypt and none. Once it is confirmed that all Compute nodes have VeNCrypt enabled for VNC, it is possible to remove the none option from the list of the vnc.auth_schemes values.

At that point, the noVNC proxy will refuse to connect to any Compute node that does not offer VeNCrypt.


As well as enabling the authentication scheme, it is necessary to provide certificates to the noVNC proxy.

  • /etc/pki/nova-novncproxy/client-cert.pem

    An x509 certificate to be presented to the VNC server. While libvirt/QEMU will not currently do any validation of the CommonName field, future versions will allow for setting up access controls based on the CommonName. The CommonName field should match the primary hostname of the controller node. If using a HA deployment, the Organization field can also be configured to a value that is common across all console proxy instances in the deployment. This avoids the need to modify each compute node’s whitelist every time a console proxy instance is added or removed.

  • /etc/pki/nova-novncproxy/client-key.pem

    The private key used to generate the client-cert.pem file.

  • /etc/pki/nova-novncproxy/ca-cert.pem

    The certificate authority cert used to sign client-cert.pem and sign the compute node VNC server certificates.

The certificates must have v3 basic constraints [2] present to indicate the permitted key use and purpose data.

Once the certificates have been created, the noVNC console proxy service must be told where to find them. This requires editing nova.conf to set.

SPICE console

The VNC protocol is fairly limited, lacking support for multiple monitors, bi-directional audio, reliable cut-and-paste, video streaming and more. SPICE is a new protocol that aims to address the limitations in VNC and provide good remote desktop support.

SPICE support in OpenStack Compute shares a similar architecture to the VNC implementation. The OpenStack dashboard uses a SPICE-HTML5 widget in its console tab that communicates with the nova-spicehtml5proxy service by using SPICE-over-websockets. The nova-spicehtml5proxy service communicates directly with the hypervisor process by using SPICE.

Configuration

Important

VNC must be explicitly disabled to get access to the SPICE console. Set the vnc.enabled option to False to disable the VNC console.

To enable the SPICE console service, you must configure both the nova-spicehtml5proxy service and the nova-compute service. Most options are defined in the spice group.

The nova-spicehtml5proxy service accepts the following options.

For example, to configure this via a nova-spicehtml5proxy.conf file:

The nova-compute service requires the following options to configure SPICE console support.

For example, to configure this via a nova.conf file:

Replace IP_ADDRESS with the IP address from which the proxy is accessible by the outside world. For example, this may be the management interface IP address of the controller or the VIP.

Serial

Serial consoles provide an alternative to graphical consoles like VNC or SPICE. They work a little differently to graphical consoles, so an example is beneficial. The example below uses these nodes:

  • controller node with IP 192.168.50.100

  • compute node 1 with IP 192.168.50.104

  • compute node 2 with IP 192.168.50.105

Here’s the general flow of actions:

  1. The user requests a serial console connection string for an instance from the REST API.

  2. The nova-api service asks the nova-compute service, which manages that instance, to fulfill that request.

  3. That connection string gets used by the user to connect to the nova-serialproxy service.

  4. The nova-serialproxy service then proxies the console interaction to the port of the compute node where the instance is running. That port gets forwarded by the hypervisor (or ironic conductor, for ironic) to the guest.

Configuration

To enable the serial console service, you must configure both the nova-serialproxy service and the nova-compute service. Most options are defined in the serial_console group.

The nova-serialproxy service accepts the following options.

For example, to configure this via a nova-serialproxy.conf file:

The nova-compute service requires the following options to configure serial console support.

For example, to configure this via a nova.conf file:

Replace IP_ADDRESS with the IP address from which the proxy is accessible by the outside world. For example, this may be the management interface IP address of the controller or the VIP.

There are some things to keep in mind when configuring these options:

  • serial_console.serialproxy_host is the address the nova-serialproxy service listens to for incoming connections.

  • serial_console.serialproxy_port must be the same value as the port in the URI of serial_console.base_url.

  • The URL defined in serial_console.base_url will form part of the response the user will get when asking for a serial console connection string. This means it needs to be a URL the user can connect to.

  • serial_console.proxyclient_address will be used by the nova-serialproxy service to determine where to connect to for proxying the console interaction.
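These constraints can be checked mechanically. The following Python is an added example, not nova's or libvirt's own tooling: it lints a constructed /etc/libvirt/qemu.conf excerpt for the two VeNCrypt settings from the QEMU/KVM Compute node configuration section, applies the vnc.auth_schemes ordering rule from the noVNC proxy server configuration section, and checks the serial_console rules just listed. The sample configuration texts, the function names and the message wording are assumptions; the option names are the ones discussed in this document.

```python
"""Added example (not nova's or libvirt's own tooling): checks over the
compute-node qemu.conf VeNCrypt settings, the [vnc] auth_schemes ordering
and the [serial_console] options. Sample texts below are constructed."""
import configparser
import re
from typing import List
from urllib.parse import urlparse

# Constructed /etc/libvirt/qemu.conf excerpt: vnc_tls is uncommented but
# vnc_tls_x509_verify is still commented out, so VNC clients are not
# required to present a certificate.
SAMPLE_QEMU_CONF = """
# VNC TLS settings
vnc_tls = 1
#vnc_tls_x509_verify = 1
"""

# Constructed nova.conf excerpt: 'none' is still allowed alongside vencrypt,
# and the serial proxy port does not match the port in base_url.
SAMPLE_NOVA_CONF = """
[vnc]
enabled = true
auth_schemes = vencrypt,none

[serial_console]
enabled = true
base_url = ws://192.168.50.100:6083/
serialproxy_host = 0.0.0.0
serialproxy_port = 6084
proxyclient_address = 192.168.50.104
"""

_QEMU_SETTING = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\S+)")


def check_qemu_conf(text: str) -> List[str]:
    """Return problems with the VeNCrypt settings in a qemu.conf text.
    Commented lines are skipped, so '#vnc_tls = 1' counts as unset."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _QEMU_SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    problems = []
    if settings.get("vnc_tls") != "1":
        problems.append("qemu.conf: vnc_tls is not 1; VeNCrypt is not enabled for new guests")
    if settings.get("vnc_tls_x509_verify") != "1":
        problems.append("qemu.conf: vnc_tls_x509_verify is not 1; clients need not present a certificate")
    return problems


def check_nova_conf(text: str) -> List[str]:
    """Return problems with [vnc] auth_schemes and [serial_console] options."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    problems = []

    if cp.has_section("vnc"):
        # auth_schemes is an ordered preference list; 'none' does no checking.
        raw = cp.get("vnc", "auth_schemes", fallback="none")
        schemes = [s.strip() for s in raw.split(",") if s.strip()]
        if "vencrypt" not in schemes:
            problems.append("vnc.auth_schemes: vencrypt is not enabled; proxy-to-compute traffic is unencrypted")
        elif "none" in schemes:
            if schemes.index("none") < schemes.index("vencrypt"):
                problems.append("vnc.auth_schemes: 'none' is preferred over 'vencrypt'")
            else:
                problems.append("vnc.auth_schemes: 'none' still allowed; drop it once every compute node offers VeNCrypt")

    if cp.has_section("serial_console"):
        base_url = cp.get("serial_console", "base_url", fallback="")
        parsed = urlparse(base_url)
        if parsed.scheme not in ("ws", "wss"):
            problems.append("serial_console.base_url: expected a ws:// or wss:// URL")
        # base_url is handed to users, so it must name a host they can reach.
        if parsed.hostname in (None, "0.0.0.0", "127.0.0.1", "localhost"):
            problems.append("serial_console.base_url: host must be one users can reach, not a wildcard or loopback address")
        port = cp.getint("serial_console", "serialproxy_port", fallback=None)
        if parsed.port != port:
            problems.append(f"serial_console.serialproxy_port ({port}) differs from the port in base_url ({parsed.port})")
    return problems


if __name__ == "__main__":
    for problem in check_qemu_conf(SAMPLE_QEMU_CONF) + check_nova_conf(SAMPLE_NOVA_CONF):
        print(problem)
```

Run against the samples it reports the commented-out vnc_tls_x509_verify, the 'none' scheme that should be dropped once every compute node offers VeNCrypt, and the 6084/6083 port mismatch; a deployment that passes all three checks satisfies the rules this document states, though it still has to be verified against the real files on the controller and compute nodes.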

RDP

RDP is a graphical console primarily used with Hyper-V. Nova does not provide a console proxy service for RDP - instead, an external proxy service, such as the wsgate application provided by FreeRDP-WebConnect, should be used.

Configuration

To enable the RDP console service, you must configure both a console proxy service like wsgate and the nova-compute service. All options for the latter service are defined in the rdp group.

Information on configuring an RDP console proxy service, such as wsgate, is not provided here. However, more information can be found at cloudbase.it.

The nova-compute service requires the following options to configure RDP console support.

For example, to configure this via a nova.conf file:

Replace IP_ADDRESS with the IP address from which the proxy is accessible by the outside world. For example, this may be the management interface IP address of the controller or the VIP.

MKS

MKS is the protocol used for accessing the console of a virtual machine running on VMware vSphere. It is very similar to VNC. Due to the architecture of the VMware vSphere hypervisor, it is not necessary to run a console proxy service.

Configuration

To enable the MKS console service, only the nova-compute service must be configured. All options are defined in the mks group.

The nova-compute service requires the following options to configure MKS console support.

For example, to configure this via a nova.conf file:

XVP-based VNC console

VNC is a graphical console with wide support among many hypervisors and clients. Xen VNC Proxy (XVP) provides VNC support via a simple Java client.

Deprecated since version 19.0.0: nova-xvpvncproxy is deprecated since 19.0.0 (Stein) and will be removed in an upcoming release.

Configuration

To enable the XVP VNC console service, you must configure both the nova-xvpvncproxy service and the nova-compute service. Most options are defined in the vnc group.

The nova-xvpvncproxy service accepts the following options.

For example, to configure this via a nova-xvpvncproxy.conf file:

The nova-compute service requires the following options to configure XVP-based VNC support.

For example, to configure this via a nova.conf file:

Replace IP_ADDRESS with the IP address from which the proxy is accessible by the outside world. For example, this may be the management interface IP address of the controller or the VIP.

About nova-consoleauth

The now-removed nova-consoleauth service was previously used to provide a shared service to manage token authentication that the client proxies outlined above could leverage. Token authentication was moved to the database in 18.0.0 (Rocky) and the service was removed in 20.0.0 (Train).

Frequently Asked Questions

  • Q: What is the difference between nova-xvpvncproxy and nova-novncproxy?

    A: nova-xvpvncproxy, which ships with OpenStack Compute, is a proxy that supports a simple Java client. nova-novncproxy uses noVNC to provide VNC support through a web browser.

  • Q: I want VNC support in the OpenStack dashboard. What services do I need?

    A: You need nova-novncproxy and correctly configured compute hosts.

  • Q: My VNC proxy worked fine during my all-in-one test, but now it doesn’t work on multi host. Why?

    A: The default options work for an all-in-one install, but changes must be made on your compute hosts once you start to build a cluster. As an example, suppose you have two servers:

    Your nova-compute configuration file must set the following values:

    Note

    novncproxy_base_url and xvpvncproxy_base_url use a public IP; this is the URL that is ultimately returned to clients, which generally do not have access to your private network. Your PROXYSERVER must be able to reach server_proxyclient_address, because that is the address over which the VNC connection is proxied.

  • Q: My noVNC does not work with recent versions of web browsers. Why?

    A: Make sure you have installed python-numpy, which is required to support a newer version of the WebSocket protocol (HyBi-07+).

  • Q: How do I adjust the dimensions of the VNC window image in the OpenStack dashboard?

    A: These values are hard-coded in a Django HTML template. To alter them, edit the _detail_vnc.html template file. The location of this file varies based on Linux distribution. On Ubuntu 14.04, the file is at /usr/share/pyshared/horizon/dashboards/nova/instances/templates/instances/_detail_vnc.html.

    Modify the width and height options, as follows:

  • Q: My noVNC connections failed with ValidationError: Origin header protocol does not match. Why?

    A: Make sure the base_url matches your TLS setting. If you are using https console connections, make sure that the value of novncproxy_base_url is set explicitly where the nova-novncproxy service is running.


References


[1]

[2]