Unfortunately VNC is insecure and anyway QEMU only binds VNC on 127.0.0.1. It would be easy to create an SSH tunnel, but this is administratively prohibited here and it is cumbersome to temporarily modify sshd_config(5) each time. So I tried a Netfilter DNAT rule as a workaround, but the Linux network stack contains a very annoying check that packets destined for 127.0.0.1 also come from 127.0.0.1. If you see logs like this, you have probably been bitten by it too:

Jun 2 18:14:20 srv kernel: martian destination 127.0.0.1 from 10.1.2.2, dev br0
So I gave up VNC and configured the KVM domain to use the serial port like any other headless server.
Assuming your VM is already running, we will make the changes there first. Three things have to be told to use the serial console, in boot order:
- the bootloader (GRUB here);
- the kernel;
- init(8) for the login prompt.
On Debian, the first two can be done easily through /etc/default/grub:

# Bootloader part.
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"
# Kernel command line ("quiet" does not matter here):
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8 quiet"
Then regenerate grub.cfg (the Debian command is update-grub):

# update-grub
If you do not use Debian, here is the relevant part of the generated /boot/grub/grub.cfg:

serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1
if terminal_input serial ; then true ; else
  # For backward compatibility with versions of terminal.mod that don't
  # understand terminal_input
  terminal serial
fi
if terminal_output serial ; then true ; else
  # For backward compatibility with versions of terminal.mod that don't
  # understand terminal_output
  terminal serial
fi
menuentry "Linux 2.6.32-trunk-amd64" {
  insmod ext2
  set root='(hd0,1)'
  search --no-floppy --fs-uuid --set 9245a9e3-8ea5-4170-a19b-17d10051c107
  echo Loading Linux 2.6.32-trunk-amd64 ...
  linux /vmlinuz-2.6.32-trunk-amd64 root=/dev/mapper/vg0-root ro console=tty0 console=ttyS0,9600n8 quiet
  echo Loading initial ramdisk ...
  initrd /initrd.img-2.6.32-trunk-amd64
}
Regarding the login prompt on the serial console, edit /etc/inittab:

T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
Now your VM is configured; let's configure your KVM domain. Dump the configuration of your VM and change the <serial> and <console> parts to use a PTY (you can choose an arbitrary PTY, /dev/pts/24 here, as it seems to be redefined each time the VM is started). Other interfaces are possible, like TCP, pipe, stdio... (see the libvirt domain XML format) but I chose PTY because it can be easily attached using screen(1) and cannot be easily snooped:

# virsh dumpxml mykvm > mykvm.xml
# vi mykvm.xml
<serial type='pty'>
  <source path='/dev/pts/24'/>
  <target port='0'/>
</serial>
<console type='pty' tty='/dev/pts/24'>
  <source path='/dev/pts/24'/>
  <target port='0'/>
</console>
Then stop your VM, redefine your KVM domain and restart it:
# virsh shutdown mykvm # or run shutdown(8) inside the VM
# virsh undefine mykvm
# virsh define mykvm.xml
# virsh start mykvm
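Editing the dumped XML by hand is fine for one domain; for several, the same change is easier to apply with a small script. The following is an added example, not code from the original post or from libvirt: it takes the output of virsh dumpxml, replaces the port-0 <serial> and <console> devices with the PTY configuration shown above, and returns XML ready for virsh define. The domain below is a constructed sample and the PTY path is the post's arbitrary /dev/pts/24.

```python
"""Rewrite a libvirt domain's port-0 serial and console devices to a PTY.

Added example, not part of the original post or of libvirt. The domain XML
is a constructed sample; feed real 'virsh dumpxml' output in its place.
"""
import xml.etree.ElementTree as ET

# Constructed sample domain whose serial/console devices are not yet a PTY.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>mykvm</name>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <serial type='null'>
      <target port='0'/>
    </serial>
    <console type='null'>
      <target port='0'/>
    </console>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'/>
  </devices>
</domain>
"""


def set_serial_console_pty(domain_xml, pts_path="/dev/pts/24"):
    """Return domain XML whose serial and console port 0 use a PTY.

    The <source path> is only a placeholder: libvirt allocates a fresh PTY
    each time the domain starts, which is why the post calls it arbitrary.
    """
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    if devices is None:
        devices = ET.SubElement(root, "devices")

    for tag in ("serial", "console"):
        # Drop any existing port-0 device of this kind and re-create it as a PTY.
        for old in devices.findall(tag):
            target = old.find("target")
            if target is None or target.get("port", "0") == "0":
                devices.remove(old)
        new = ET.SubElement(devices, tag, {"type": "pty"})
        if tag == "console":
            new.set("tty", pts_path)
        ET.SubElement(new, "source", {"path": pts_path})
        ET.SubElement(new, "target", {"port": "0"})
    return ET.tostring(root, encoding="unicode")


def console_devices(domain_xml):
    """Summarise the serial/console devices as (tag, type, source path) tuples."""
    root = ET.fromstring(domain_xml)
    summary = []
    for dev in root.iter():
        if dev.tag in ("serial", "console"):
            src = dev.find("source")
            summary.append((dev.tag, dev.get("type"),
                            src.get("path") if src is not None else None))
    return summary


if __name__ == "__main__":
    print(set_serial_console_pty(SAMPLE_DOMAIN))
```

Write the returned XML to mykvm.xml and continue with virsh undefine / virsh define / virsh start exactly as above; running the function twice on the same domain is harmless, since it removes the port-0 devices it created before adding them again.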
You can attach the console using:
# virsh console mykvm
To detach, use Ctrl + $ (virsh's escape sequence is ^], i.e. Ctrl + ] on a US keyboard layout). If you attach quickly enough after starting the VM, you will even see the GRUB menu!