PVECert parameter in VNC

tincboy

Active Member
Apr 13, 2010
453
2
38
I've my own code which will connect to VNC of each VM from inside my web application, this feature was fine with Proxmox 1.9 but it seems Proxmox 2 have add a PVECert parameter
My question about this parameter is if it's unique for each VNC session or it's unique for each VM or each Proxmox serve?
And what about PASSWORD parameter? which kind of encryption does it use?
 
Last edited:

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com
New VNC is encrypted using TLS with VEncrytAuthPlain, so you need a client which supports that (tigervnc).

You get all needed parameters when you create the vncproxy with the API (/nodes/<node>/qemu<VMID>/vncproxy).

Try:

# pvesh create /nodes/localhost/qemu/10000/vncproxy

to get an idea
 

tincboy

Active Member
Apr 13, 2010
453
2
38
Thanks dietmar,
I've run the command below, but it gots me connection timeout errors, also how can I specify which port I want VNC to listen on?
Code:
pvesh create /nodes/c43/qemu/4333/vncproxy
no connection : Connection timed out
command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 4333 2>/dev/null'' failed: exit code 1
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com
Thanks dietmar,
I've run the command below, but it gots me connection timeout errors,
Do you use the latest version? And do you run that on the same node the VM is on?

also how can I specify which port I want VNC to listen on?
There is currently no way to specify the port.
 

tincboy

Active Member
Apr 13, 2010
453
2
38
I guess it's final version, because I've isntalled it last week,
Code:
pveversion -v
pve-manager: 2.0-38 (pve-manager/2.0/af81df02)
running kernel: 2.6.32-7-pve
proxmox-ve-2.6.32: 2.0-60
pve-kernel-2.6.32-7-pve: 2.6.32-60
lvm2: 2.02.88-2pve1
clvm: 2.02.88-2pve1
corosync-pve: 1.4.1-1
openais-pve: 1.1.4-2
libqb: 0.10.1-2
redhat-cluster-pve: 3.1.8-3
resource-agents-pve: 3.9.2-3
fence-agents-pve: 3.1.7-1
pve-cluster: 1.0-23
qemu-server: 2.0-25
pve-firmware: 1.0-15
libpve-common-perl: 1.0-17
libpve-access-control: 1.0-17
libpve-storage-perl: 2.0-12
vncterm: 1.0-2
vzctl: 3.0.30-2pve1
vzprocps: 2.0.11-2
vzquota: 3.0.12-3
pve-qemu-kvm: 1.0-5
ksm-control-daemon: 1.1-1
 

tincboy

Active Member
Apr 13, 2010
453
2
38
And do you run that on the same node the VM is on
Yes, it on the same server
I guess it's final version, because I've isntalled it last week,
Code:
pveversion -v
pve-manager: 2.0-38 (pve-manager/2.0/af81df02)
running kernel: 2.6.32-7-pve
proxmox-ve-2.6.32: 2.0-60
pve-kernel-2.6.32-7-pve: 2.6.32-60
lvm2: 2.02.88-2pve1
clvm: 2.02.88-2pve1
corosync-pve: 1.4.1-1
openais-pve: 1.1.4-2
libqb: 0.10.1-2
redhat-cluster-pve: 3.1.8-3
resource-agents-pve: 3.9.2-3
fence-agents-pve: 3.1.7-1
pve-cluster: 1.0-23
qemu-server: 2.0-25
pve-firmware: 1.0-15
libpve-common-perl: 1.0-17
libpve-access-control: 1.0-17
libpve-storage-perl: 2.0-12
vncterm: 1.0-2
vzctl: 3.0.30-2pve1
vzprocps: 2.0.11-2
vzquota: 3.0.12-3
pve-qemu-kvm: 1.0-5
ksm-control-daemon: 1.1-1
 

tincboy

Active Member
Apr 13, 2010
453
2
38
output for not existing vmid:
Code:
pvesh create /nodes/localhost/qemu/8888/vncproxy
no connection : Connection timed out
command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 8888 2>/dev/null'' failed: exit code 1
200 OK
{
   "cert" : "-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJAICXJAdaqrphMA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgYWI2ZDgx\nYjhlZWJhNDNiZjE2ODk4ZDIwYWMyYmFlNWQxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTIwMzE3MTMyNjAxWhcNMjIwMzE1MTMyNjAxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIGFi\nNmQ4MWI4ZWViYTQzYmYxNjg5OGQyMGFjMmJhZTVkMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n5Jrpsbam/nknztPDyzsJtiVy32GROvxmSbxgQOyhF6k1xFa9Z33xXl25CxSHkOei\nH4fLKTGhtwC7XoVCaPmBq9Wnyu0DiguPY7tPs5R+YJAWNzK9/vaAakYpcA43deBl\nd/KOdvZNlqiOqzG3QLL/M84+yZt961QTTFBOErjGW6BEMnJqzxk7LSeujsrNZRZ5\noaCUUHDFpMbw/A8Hijy7tFK8LKTnq1bssV3tAZHxU/RHo4IvDMhbWuiDN2RZtEov\nf8Mpy2+7JYBrWkIyp3rix5EMeMPcixkP9KIQb+btn3myNKMcSTvQxteGXoCoTPd4\nWZFAS3vtoje/tBgZW7HrSQIDAQABo4HXMIHUMB0GA1UdDgQWBBR8znH2R1ktEXBq\nqwlPHFZg96XESDCBpAYDVR0jBIGcMIGZgBR8znH2R1ktEXBqqwlPHFZg96XESKF2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyBhYjZkODFiOGVlYmE0M2JmMTY4OThkMjBhYzJiYWU1ZDEfMB0GA1UEChMW\nUFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJAICXJAdaqrphMAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBAMZ4hXMWYtJSNq79PhiDnzrJp8LQjQvBs6Q0dZMg\nOT6ZfN6GhMYiEwKN0hHJlxe1GyqQMPG7Kod0UR8RjzGEM6U+QYi9otqNlJlVzNyS\ndn/7qmqvGr9+U6l++SOZkiexUnlaa52ZBiCwCs46B9MjkyCRwEUk7daIhBxFgrAw\nBrQTbkm4TwADXABozQFQPAFt69yokEvLBHdOUidWxmh5fQdO0QUJauLeyF28KTX3\nTqUtZzdpPzE39KRCOwPjeeA79QoTb1Bk7b33gIXmxUTbdPgGGOVJZA4DGRFiELX5\nCckZHgAZqNNZhN/dMzqTpvU1ZNpSZqViwm37SZyfOmtAOwE=\n-----END CERTIFICATE-----\n",
   "port" : 5900,
   "ticket" : "PVEVNC:4F7481E8::OHjcIAAY99aIN6kRKkwv7RO30Quox9XfeTfM1Ae2DsLaMfhkXI2jFzjgA+b6eIKN65ylLXhJc1Hw4ugLoA3lNO34zeHZDYk3FazPLymb5ZGodL3QB0R0KE9if3sjWGR2BmVDiwzUj4ZHknafl9qZxJBy0xQvQ8UAQkFM32S9AAFhpWVTRqPccgf0Dhb3fE4b8XPT5eyJQ3SLT1rP8x7KHa6VayXSOCBa58B0MxlRKbx6SKoK2ulkLgRf+Xu9KBxxxpssAkV7M3W4Xen3Uluby2eDtv7tosKIT/YB3l547kRffCYKPHovWzqMvfYnQcX9EnbJD3a9zqUADco+cTfQkw==",
   "upid" : "UPID:c43:00084C2E:05558C53:4F7481E8:vncproxy:8888:root@pam:",
   "user" : "[EMAIL="root@pam"]root@pam[/EMAIL]"
}
output for existing vmid:
Code:
pvesh create /nodes/localhost/qemu/4333/vncproxy
no connection : Connection timed out
command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 4333 2>/dev/null'' failed: exit code 1
200 OK
{
   "cert" : "-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJAICXJAdaqrphMA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgYWI2ZDgx\nYjhlZWJhNDNiZjE2ODk4ZDIwYWMyYmFlNWQxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTIwMzE3MTMyNjAxWhcNMjIwMzE1MTMyNjAxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIGFi\nNmQ4MWI4ZWViYTQzYmYxNjg5OGQyMGFjMmJhZTVkMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n5Jrpsbam/nknztPDyzsJtiVy32GROvxmSbxgQOyhF6k1xFa9Z33xXl25CxSHkOei\nH4fLKTGhtwC7XoVCaPmBq9Wnyu0DiguPY7tPs5R+YJAWNzK9/vaAakYpcA43deBl\nd/KOdvZNlqiOqzG3QLL/M84+yZt961QTTFBOErjGW6BEMnJqzxk7LSeujsrNZRZ5\noaCUUHDFpMbw/A8Hijy7tFK8LKTnq1bssV3tAZHxU/RHo4IvDMhbWuiDN2RZtEov\nf8Mpy2+7JYBrWkIyp3rix5EMeMPcixkP9KIQb+btn3myNKMcSTvQxteGXoCoTPd4\nWZFAS3vtoje/tBgZW7HrSQIDAQABo4HXMIHUMB0GA1UdDgQWBBR8znH2R1ktEXBq\nqwlPHFZg96XESDCBpAYDVR0jBIGcMIGZgBR8znH2R1ktEXBqqwlPHFZg96XESKF2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyBhYjZkODFiOGVlYmE0M2JmMTY4OThkMjBhYzJiYWU1ZDEfMB0GA1UEChMW\nUFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJAICXJAdaqrphMAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBAMZ4hXMWYtJSNq79PhiDnzrJp8LQjQvBs6Q0dZMg\nOT6ZfN6GhMYiEwKN0hHJlxe1GyqQMPG7Kod0UR8RjzGEM6U+QYi9otqNlJlVzNyS\ndn/7qmqvGr9+U6l++SOZkiexUnlaa52ZBiCwCs46B9MjkyCRwEUk7daIhBxFgrAw\nBrQTbkm4TwADXABozQFQPAFt69yokEvLBHdOUidWxmh5fQdO0QUJauLeyF28KTX3\nTqUtZzdpPzE39KRCOwPjeeA79QoTb1Bk7b33gIXmxUTbdPgGGOVJZA4DGRFiELX5\nCckZHgAZqNNZhN/dMzqTpvU1ZNpSZqViwm37SZyfOmtAOwE=\n-----END CERTIFICATE-----\n",
   "port" : 5900,
   "ticket" : "PVEVNC:4F74825B::RSl8dc71OVwwQqc3n7PooT0vq7H2gP7CZ3QRvNC0yq7E+pDVsdbEn1sJj8FFRAQMnnM6fWfPCU6wUUf66Dh1b48NkHCsrViss0FZ600Jq8kRfsbt6mhGWgHhoRN62XSmk9AL/sOtlDKDmY2g4uoIKhRZHQAikT7yTAd8ltov5omaMak9JJnr1g67uS+DYGvRXJ+OTieAKoxezYP6T4dsvd6GA6pEIxeDjHizzNm9njzBi40TyLnt/nTC3truFftIzZfdYTqiutwvGNzBz5tJMXI2/oZB4PaX3h+OQyf2CKcsU7NnrGcFWfZ3K6/+C7dUg9O7gZlErpQiS8fupJUAHQ==",
   "upid" : "UPID:c43:00084D02:0555B91B:4F74825B:vncproxy:4333:root@pam:",
   "user" : "[EMAIL="root@pam"]root@pam[/EMAIL]"
}
Thanks for your attention
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com
So it works as expected - You can use the returned parameters for VNC (use ticket as password).
 

tincboy

Active Member
Apr 13, 2010
453
2
38
I'm using the data, but would you please let me know if the name of HOST parameter is changed? because the VNC shows me nothing not even any error just a white screen.
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com

tincboy

Active Member
Apr 13, 2010
453
2
38
Thank you dietmar,
I've implement my code just like what you did in start_vnc_viewer,
But the issue is not gone, I didn't find out how to pass the HOST ip to the applet, and white screen is still what I got from the applet.
Would you please let me know if there's any thing else I should consider?
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com
But the issue is not gone, I didn't find out how to pass the HOST ip to the applet, and white screen is still what I got from the applet.
You can only connect to the host where you started the proxy. Sorry, but I do not really know what you are trying to do.
 

tincboy

Active Member
Apr 13, 2010
453
2
38
I'm a VPS provider, in my website I've a section which my clients can reboot/shut down/vnc to their servers,
This was simply done with Proxmox 1.9 but in Proxmox 2 I didn't get any success to show VNC console in my web site to my clients,
It is important for me to let my clients control their servers via inside of their client area and not going to different address,
 

tincboy

Active Member
Apr 13, 2010
453
2
38
Any help on this?
Do you think running the qm vncproxy manually by myself will help me in this situation?
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com
Do you think running the qm vncproxy manually by myself will help me in this situation?
Again, I do not know your setup in detail, and you did not wrote any details about the problem. In general, you need a VNC server, and connect that to the VNC client. You have the complete source code, so it should be easy to debug.
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com
As it seems the source code of VNC appelet is not available would you please let me know if the applete supports remote server to connect to?
The VNC applet is part of the 'vncterm' package. That package include the whole tigervnc sources.
 

tincboy

Active Member
Apr 13, 2010
453
2
38
Security question,
As I want to show the applet to my clients on my own website, I've to pass the username & password to the applet, So does the ticket value contains critical data? and can be abused be who knows it?
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,529
328
103
Austria
www.proxmox.com
So does the ticket value contains critical data? and can be abused be who knows it?
I guess you talk about the ticket returned by the create vncproxy API? That is a special ticket only valid for a very limited time (1 min). That ticket allows access to that VNC console for that time, so you should not make it public.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!