PVECert parameter in VNC

tincboy

I have my own code that connects to the VNC of each VM from inside my web application. This feature worked fine with Proxmox 1.9, but it seems Proxmox 2 has added a PVECert parameter.
My question about this parameter is whether it's unique for each VNC session, for each VM, or for each Proxmox server?
And what about the PASSWORD parameter? Which kind of encryption does it use?
 
New VNC is encrypted using TLS with VEncrytAuthPlain, so you need a client which supports that (tigervnc).

You get all needed parameters when you create the vncproxy with the API (/nodes/<node>/qemu/<VMID>/vncproxy).

Try:

# pvesh create /nodes/localhost/qemu/10000/vncproxy

to get an idea
 
Thanks dietmar,
I've run the command below, but it gives me connection timeout errors. Also, how can I specify which port I want VNC to listen on?
Code:
pvesh create /nodes/c43/qemu/4333/vncproxy
no connection : Connection timed out
command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 4333 2>/dev/null'' failed: exit code 1
 
Thanks dietmar,
I've run the command below, but it gives me connection timeout errors,

Do you use the latest version? And do you run that on the same node the VM is on?

also how can I specify which port I want VNC to listen on?

There is currently no way to specify the port.
 
I guess it's the final version, because I've installed it last week,
Code:
pveversion -v
pve-manager: 2.0-38 (pve-manager/2.0/af81df02)
running kernel: 2.6.32-7-pve
proxmox-ve-2.6.32: 2.0-60
pve-kernel-2.6.32-7-pve: 2.6.32-60
lvm2: 2.02.88-2pve1
clvm: 2.02.88-2pve1
corosync-pve: 1.4.1-1
openais-pve: 1.1.4-2
libqb: 0.10.1-2
redhat-cluster-pve: 3.1.8-3
resource-agents-pve: 3.9.2-3
fence-agents-pve: 3.1.7-1
pve-cluster: 1.0-23
qemu-server: 2.0-25
pve-firmware: 1.0-15
libpve-common-perl: 1.0-17
libpve-access-control: 1.0-17
libpve-storage-perl: 2.0-12
vncterm: 1.0-2
vzctl: 3.0.30-2pve1
vzprocps: 2.0.11-2
vzquota: 3.0.12-3
pve-qemu-kvm: 1.0-5
ksm-control-daemon: 1.1-1
 
And do you run that on the same node the VM is on
Yes, it's on the same server
 
Output for a non-existent vmid:
Code:
pvesh create /nodes/localhost/qemu/8888/vncproxy
no connection : Connection timed out
command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 8888 2>/dev/null'' failed: exit code 1
200 OK
{
   "cert" : "-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJAICXJAdaqrphMA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgYWI2ZDgx\nYjhlZWJhNDNiZjE2ODk4ZDIwYWMyYmFlNWQxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTIwMzE3MTMyNjAxWhcNMjIwMzE1MTMyNjAxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIGFi\nNmQ4MWI4ZWViYTQzYmYxNjg5OGQyMGFjMmJhZTVkMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n5Jrpsbam/nknztPDyzsJtiVy32GROvxmSbxgQOyhF6k1xFa9Z33xXl25CxSHkOei\nH4fLKTGhtwC7XoVCaPmBq9Wnyu0DiguPY7tPs5R+YJAWNzK9/vaAakYpcA43deBl\nd/KOdvZNlqiOqzG3QLL/M84+yZt961QTTFBOErjGW6BEMnJqzxk7LSeujsrNZRZ5\noaCUUHDFpMbw/A8Hijy7tFK8LKTnq1bssV3tAZHxU/RHo4IvDMhbWuiDN2RZtEov\nf8Mpy2+7JYBrWkIyp3rix5EMeMPcixkP9KIQb+btn3myNKMcSTvQxteGXoCoTPd4\nWZFAS3vtoje/tBgZW7HrSQIDAQABo4HXMIHUMB0GA1UdDgQWBBR8znH2R1ktEXBq\nqwlPHFZg96XESDCBpAYDVR0jBIGcMIGZgBR8znH2R1ktEXBqqwlPHFZg96XESKF2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyBhYjZkODFiOGVlYmE0M2JmMTY4OThkMjBhYzJiYWU1ZDEfMB0GA1UEChMW\nUFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJAICXJAdaqrphMAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBAMZ4hXMWYtJSNq79PhiDnzrJp8LQjQvBs6Q0dZMg\nOT6ZfN6GhMYiEwKN0hHJlxe1GyqQMPG7Kod0UR8RjzGEM6U+QYi9otqNlJlVzNyS\ndn/7qmqvGr9+U6l++SOZkiexUnlaa52ZBiCwCs46B9MjkyCRwEUk7daIhBxFgrAw\nBrQTbkm4TwADXABozQFQPAFt69yokEvLBHdOUidWxmh5fQdO0QUJauLeyF28KTX3\nTqUtZzdpPzE39KRCOwPjeeA79QoTb1Bk7b33gIXmxUTbdPgGGOVJZA4DGRFiELX5\nCckZHgAZqNNZhN/dMzqTpvU1ZNpSZqViwm37SZyfOmtAOwE=\n-----END CERTIFICATE-----\n",
   "port" : 5900,
   "ticket" : "PVEVNC:4F7481E8::OHjcIAAY99aIN6kRKkwv7RO30Quox9XfeTfM1Ae2DsLaMfhkXI2jFzjgA+b6eIKN65ylLXhJc1Hw4ugLoA3lNO34zeHZDYk3FazPLymb5ZGodL3QB0R0KE9if3sjWGR2BmVDiwzUj4ZHknafl9qZxJBy0xQvQ8UAQkFM32S9AAFhpWVTRqPccgf0Dhb3fE4b8XPT5eyJQ3SLT1rP8x7KHa6VayXSOCBa58B0MxlRKbx6SKoK2ulkLgRf+Xu9KBxxxpssAkV7M3W4Xen3Uluby2eDtv7tosKIT/YB3l547kRffCYKPHovWzqMvfYnQcX9EnbJD3a9zqUADco+cTfQkw==",
   "upid" : "UPID:c43:00084C2E:05558C53:4F7481E8:vncproxy:8888:root@pam:",
   "user" : "root@pam"
}

Output for an existing vmid:
Code:
pvesh create /nodes/localhost/qemu/4333/vncproxy
no connection : Connection timed out
command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 4333 2>/dev/null'' failed: exit code 1
200 OK
{
   "cert" : "-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJAICXJAdaqrphMA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgYWI2ZDgx\nYjhlZWJhNDNiZjE2ODk4ZDIwYWMyYmFlNWQxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTIwMzE3MTMyNjAxWhcNMjIwMzE1MTMyNjAxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIGFi\nNmQ4MWI4ZWViYTQzYmYxNjg5OGQyMGFjMmJhZTVkMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n5Jrpsbam/nknztPDyzsJtiVy32GROvxmSbxgQOyhF6k1xFa9Z33xXl25CxSHkOei\nH4fLKTGhtwC7XoVCaPmBq9Wnyu0DiguPY7tPs5R+YJAWNzK9/vaAakYpcA43deBl\nd/KOdvZNlqiOqzG3QLL/M84+yZt961QTTFBOErjGW6BEMnJqzxk7LSeujsrNZRZ5\noaCUUHDFpMbw/A8Hijy7tFK8LKTnq1bssV3tAZHxU/RHo4IvDMhbWuiDN2RZtEov\nf8Mpy2+7JYBrWkIyp3rix5EMeMPcixkP9KIQb+btn3myNKMcSTvQxteGXoCoTPd4\nWZFAS3vtoje/tBgZW7HrSQIDAQABo4HXMIHUMB0GA1UdDgQWBBR8znH2R1ktEXBq\nqwlPHFZg96XESDCBpAYDVR0jBIGcMIGZgBR8znH2R1ktEXBqqwlPHFZg96XESKF2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyBhYjZkODFiOGVlYmE0M2JmMTY4OThkMjBhYzJiYWU1ZDEfMB0GA1UEChMW\nUFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJAICXJAdaqrphMAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBAMZ4hXMWYtJSNq79PhiDnzrJp8LQjQvBs6Q0dZMg\nOT6ZfN6GhMYiEwKN0hHJlxe1GyqQMPG7Kod0UR8RjzGEM6U+QYi9otqNlJlVzNyS\ndn/7qmqvGr9+U6l++SOZkiexUnlaa52ZBiCwCs46B9MjkyCRwEUk7daIhBxFgrAw\nBrQTbkm4TwADXABozQFQPAFt69yokEvLBHdOUidWxmh5fQdO0QUJauLeyF28KTX3\nTqUtZzdpPzE39KRCOwPjeeA79QoTb1Bk7b33gIXmxUTbdPgGGOVJZA4DGRFiELX5\nCckZHgAZqNNZhN/dMzqTpvU1ZNpSZqViwm37SZyfOmtAOwE=\n-----END CERTIFICATE-----\n",
   "port" : 5900,
   "ticket" : "PVEVNC:4F74825B::RSl8dc71OVwwQqc3n7PooT0vq7H2gP7CZ3QRvNC0yq7E+pDVsdbEn1sJj8FFRAQMnnM6fWfPCU6wUUf66Dh1b48NkHCsrViss0FZ600Jq8kRfsbt6mhGWgHhoRN62XSmk9AL/sOtlDKDmY2g4uoIKhRZHQAikT7yTAd8ltov5omaMak9JJnr1g67uS+DYGvRXJ+OTieAKoxezYP6T4dsvd6GA6pEIxeDjHizzNm9njzBi40TyLnt/nTC3truFftIzZfdYTqiutwvGNzBz5tJMXI2/oZB4PaX3h+OQyf2CKcsU7NnrGcFWfZ3K6/+C7dUg9O7gZlErpQiS8fupJUAHQ==",
   "upid" : "UPID:c43:00084D02:0555B91B:4F74825B:vncproxy:4333:root@pam:",
   "user" : "root@pam"
}

Thanks for your attention
 
So it works as expected - You can use the returned parameters for VNC (use ticket as password).
 
I'm using the data, but would you please let me know if the name of the HOST parameter has changed? The VNC shows me nothing, not even an error, just a white screen.
 
But the issue is not gone; I didn't find out how to pass the HOST IP to the applet, and a white screen is still what I get from the applet.

You can only connect to the host where you started the proxy. Sorry, but I do not really know what you are trying to do.
 
I'm a VPS provider. On my website I have a section where my clients can reboot/shut down/VNC to their servers.
This was simply done with Proxmox 1.9, but with Proxmox 2 I haven't had any success showing the VNC console on my website to my clients.
It is important for me to let my clients control their servers from inside their client area without going to a different address.
 
Any help on this?
Do you think running the qm vncproxy manually by myself will help me in this situation?
 
Do you think running the qm vncproxy manually by myself will help me in this situation?

Again, I do not know your setup in detail, and you did not write any details about the problem. In general, you need a VNC server, and connect that to the VNC client. You have the complete source code, so it should be easy to debug.
 
As it seems the source code of the VNC applet is not available, would you please let me know if the applet supports connecting to a remote server?

The VNC applet is part of the 'vncterm' package. That package includes the whole tigervnc sources.
 
Security question,
As I want to show the applet to my clients on my own website, I have to pass the username & password to the applet. So does the ticket value contain critical data, and can it be abused by anyone who knows it?
 
So does the ticket value contain critical data, and can it be abused by anyone who knows it?

I guess you are talking about the ticket returned by the create vncproxy API? That is a special ticket only valid for a very limited time (1 min). That ticket allows access to that VNC console for that time, so you should not make it public.
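
Added example (not part of the thread and not Proxmox code): one way a web application sitting in front of the vncproxy API could treat the returned ticket as the short-lived credential described above, checking that it belongs to the customer's VM, that it is still inside the 1-minute window, and keeping it out of logs. The function names are hypothetical, and two things are assumptions drawn from the output shown in this thread: that the hex field after `PVEVNC:` is the Unix issue time (it matches the fifth field of `upid`), and the UPID field layout.

```python
import time

TICKET_LIFETIME_S = 60  # "very limited time (1 min)", as stated in the reply above

# Constructed sample shaped like the vncproxy output in this thread; the
# signature part of the ticket is a placeholder, not a real value.
SAMPLE = {
    "port": 5900,
    "ticket": "PVEVNC:4F7481E8::CONSTRUCTED-SIGNATURE-PLACEHOLDER",
    "upid": "UPID:c43:00084C2E:05558C53:4F7481E8:vncproxy:8888:root@pam:",
    "user": "root@pam",
}


def parse_vnc_ticket(ticket):
    """Split 'PVEVNC:<hex time>::<signature>' into (issued_epoch, signature)."""
    prefix, hex_time, rest = ticket.split(":", 2)
    if prefix != "PVEVNC" or not rest.startswith(":"):
        raise ValueError("not a PVEVNC ticket")
    return int(hex_time, 16), rest[1:]  # assumption: hex field is Unix issue time


def parse_upid(upid):
    """Assumed layout: UPID:node:pid:pstart:starttime:type:id:user:"""
    parts = upid.split(":")
    if len(parts) != 9 or parts[0] != "UPID":
        raise ValueError("unexpected UPID layout")
    return {"node": parts[1], "type": parts[5], "vmid": parts[6], "user": parts[7]}


def release_ticket(resp, customer_vmid, now=None):
    """Return seconds of validity left, or raise instead of releasing the ticket."""
    now = time.time() if now is None else now
    issued, _sig = parse_vnc_ticket(resp["ticket"])
    task = parse_upid(resp["upid"])
    # Bind the ticket to the VM the logged-in customer actually owns.
    if task["type"] != "vncproxy" or task["vmid"] != str(customer_vmid):
        raise PermissionError("ticket was issued for a different VM")
    remaining = issued + TICKET_LIFETIME_S - now
    if remaining <= 0:
        raise TimeoutError("ticket already expired; request a new vncproxy")
    return remaining


def redact(ticket):
    """Log-safe form: keeps the issue time, drops the signature that grants access."""
    issued, sig = parse_vnc_ticket(ticket)
    return "PVEVNC:%08X::<%d chars redacted>" % (issued, len(sig))
```

The expiry check compares the node's issue time with the web server's clock, so the two hosts need synchronized time for the remaining-lifetime figure to be meaningful.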
 
