<?xml version="1.0" encoding="UTF-8"?>
<?oxygen RNGSchema="http://www.oasis-open.org/docbook/xml/5.0/rng/docbookxi.rng" type="xml"?>
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="basics">
<title>Spice basics</title>
<section xml:id="definitions">
<title>Basic Definitions</title>
<section xml:id="host">
<title>Host</title>
<para>The host is a machine running an instance of qemu-kvm.</para>
</section>
<section xml:id="guest">
<title>Guest</title>
<para>The guest is a virtual machine hosted on the <link linkend="host">host</link>, which will be accessed using a spice client.</para>
</section>
<section xml:id="client">
<title>Client</title>
<para>The client is a system running a spice client (e.g. spicec or spicy).</para>
</section>
</section>
<section xml:id="qemu_basics">
<title>Launching qemu</title>
<para>I'll use qemu-kvm as the name of the executable. If you're using a manually built qemu or
qemu without kvm, just replace qemu-kvm with your own binary. I'll use the host#, client# and
guest# shell prompt notation to show where each command should be executed. See
section <link xlink:href="definitions">Basic Definitions</link> to be sure that you know the
difference between the host, client and guest. You can ignore this notation if the guest, client
and host are on the same machine.</para>
<para>
<emphasis role="bold">The first important thing to do is to create a guest
image.</emphasis> You can use any raw device, such as a clean logical volume or an iSCSI
LUN. You may also use a file as the image for the guest. I'll use a file created by qemu-img as a demonstration.
</para>
<para>
The following command will allocate a 10GB file. See the qemu-img manpage for further information.
</para>
<screen>host# qemu-img create /path/to/your.img 10G</screen>
<para>
Now that the image is created, we can start populating it. I assume that you have a
locally stored ISO of your favourite operating system that you can use for installation.
</para>
<screen>host# sudo qemu-kvm -boot order=dc -vga qxl \
-spice port=3001,disable-ticketing -soundhw ac97 \
-device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
-device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
-cdrom /path/to/your.iso /path/to/your.img</screen>
<para>
Let's briefly look through the qemu options used. The option -boot order=dc specifies that the guest system
should try to boot from the first cdrom and then fall back to the first disk; -vga qxl specifies that qemu should
emulate the qxl device adapter.
</para>
<para> The spice port option defines which port will be used for communication with the client. The spice
option disable-ticketing means that ticketing <emphasis role="italic">(a simple
authentication method)</emphasis> is not used, so clients connect without a password. The virtio and chardev devices are
required by the <link xlink:href="SpiceUserManual-Introduction.xml#vdagent">guest
agent</link>.
</para>
</section>
<section xml:id="spicec_basics">
<title>Connecting to guest</title>
<para>
The following section shows basic usage of the spice client. The example connection refers to the qemu
instance started in the <link xlink:href="#qemu_basics">previous section</link>.
</para>
<para>
Be aware that the port used for spice communication <emphasis role="italic">(port 3001 in our case)</emphasis> must not be blocked by a firewall.
<emphasis role="bold">The host myhost refers to the machine which is running our qemu instance.</emphasis>
</para>
<screen>client# spicec -h myhost -p 3001</screen>
<figure>
<title>Established connection to Windows 2008 guest</title>
<mediaobject>
<imageobject>
<imagedata fileref="resources/spicec01.png"/>
</imageobject>
</mediaobject>
</figure>
<para>
Spice does not currently support multiple connections to one qemu instance,
so anybody who connects to the same host and port can simply take over your session.
<emphasis role="bold">You can eliminate this problem by using <link xlink:href="#ticketing">ticketing</link> or SSL.</emphasis>
</para>
<para xml:id="ticketing">
Ticketing is a simple authentication system which lets you set a simple ticket for a VM.
The client has to authenticate before a connection can be established. See the spice option password in
the following example.
</para>
<screen>host# sudo qemu-kvm -boot order=dc -vga qxl \
-spice port=3001,password=mysecretpassword -soundhw ac97 \
-device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
-device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
-cdrom /path/to/your.iso /path/to/your.img</screen>
<screen>client# spicec -h myhost -p 3001 -w mysecretpassword</screen>
<para>The spice session won't be established unless the correct ticket is passed to the client.</para>
<para>
You might have figured out that passing the ticket as a command-line option isn't very safe.
<emphasis role="bold">It's not safe, as everybody with access to the host can read it from the output of ps(1).</emphasis>
To prevent this, the ticket can also be set using the qemu-console command spice._set_ticket.
</para>
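<para>
The following audit script is an added example, not part of the original manual or of qemu or spice. It checks argument vectors for the two exposures described in this section: a spice port started with disable-ticketing, and a ticket passed in argv where ps(1) can show it. The function names and the sample argument vectors are constructed for this example; it assumes a Linux host where /proc/PID/cmdline is readable.
</para>
<programlisting language="python"><![CDATA[
```python
import os

# Constructed sample argument vectors modelled on the commands in this section.
SAMPLES = {
    "open": ["qemu-kvm", "-vga", "qxl", "-spice", "port=3001,disable-ticketing"],
    "argv": ["qemu-kvm", "-vga", "qxl", "-spice", "port=3001,password=mysecretpassword"],
    "comma": ["qemu-kvm", "-spice", "port=3001,password=a,,b"],
}

def parse_spice(value):
    """Split one -spice option string into a dict; qemu escapes ',' as ',,'."""
    opts = {}
    for item in value.replace(",,", "\0").split(","):
        key, _, val = item.replace("\0", ",").partition("=")
        opts[key] = val
    return opts

def audit(argv):
    """Return (finding, detail) tuples for every -spice option in argv."""
    findings = []
    for flag, value in zip(argv, argv[1:]):
        if flag != "-spice":
            continue
        opts = parse_spice(value)
        port = opts.get("port", "?")
        if opts.get("disable-ticketing", "off") != "off":
            findings.append(("no-ticket", "port " + port + " accepts any client"))
        if "password" in opts:
            # Report the exposure only; never echo the ticket into audit output.
            findings.append(("ticket-in-argv", "port " + port + " ticket visible in ps(1)"))
    return findings

def running_argvs(proc="/proc"):
    """Yield (pid, argv) per process from the same source ps(1) reads."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable
        if raw:
            yield int(pid), raw.rstrip(b"\0").decode(errors="replace").split("\0")

if __name__ == "__main__":
    for name, argv in SAMPLES.items():
        print(name, audit(argv))
    for pid, argv in (running_argvs() if os.path.isdir("/proc") else ()):
        for finding in audit(argv):
            print(pid, *finding)
```
]]></programlisting>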
</section>
</chapter>