Remote Spice access without using web manager

blackpaw · Nov 2, 2013

Is it possible to access the Spice Console for a specific VM without going through the web manager?

We're interested in using proxmox as a windows desktop server and being able to settup a short cut that launched remote-viewer to directly open a vm console would be exceedingly useful.

Thanks.

cesarpk · Nov 4, 2013

The option of get access to the Spice Console for a specific VM without going through the web manager would be great, i am waiting that this option is enabled.

Can PVE team add this option?. because for common users of the LAN will be more easy for get access and use it (for example enabling by IP/segment/subred or in any way)

In any case the PVE team make a excelent work with Proxmox

Best regards
Cesar

blackpaw · Nov 4, 2013

I see from other threads thats its possible with a little scripting.

spirit · Nov 4, 2013

blackpaw said:
I see from other threads thats its possible with a little scripting.

here a small bash script (for linux client)

the main idea is to generate the spiceproxy ticket through proxmox api.

Code:

#!/bin/bash


USERNAME=root@pam
PASSWORD=yourpassword
VMID=198
NODE=proxmoxhost1
PROXY=proxmoxhost1.test.com


TICKET=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g' | grep -w ticket |  awk -F "|" '{print $2}'`
echo $TICKET
curl -k -b "PVEAuthCookie=$TICKET" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY > spiceproxy
remote-viewer spiceproxy

vcp_ai · Nov 4, 2013

spirit said:
here a small bash script (for linux client)

the main idea is to generate the spiceproxy ticket through proxmox api.

@ spirit. Could you please help me to diagnose this NO working script ?

Code:

#    cat Spice5214.sh 
#!/bin/bash

USERNAME=root@pam
PASSWORD=mipasswordhere
VMID=5214
NODE=proxmox179
PROXY=proxmox179

TICKET=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g' | grep -w ticket |  awk -F "|" '{print $2}'`
echo $TICKET
echo "-end of ticket-"
curl -k -b "PVEAuthCookie=$TICKET" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY > spiceproxy
remote-viewer spiceproxy

Result is :

Code:

# ./Spice5214.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1117  100  1080  100    37  13540    463 --:--:-- --:--:-- --:--:-- 13670
PVE:root@pam:52776014::AQom+k6U4pGcgswUTqLpFX6WJurK8y2/9v52L7TUOUN0ZwPSlHgc6YzwIDn9zIsrTD0sVQKjpIk8bxiMdnjE7ytIxrmJdGSMTnrp3Ij9wyyWPu3BP7GNnpCQ7OG4YTTVgXisCiVdCiTu+QjZ1tmufZIriRvYLQon2COA2Yi18+Q5CSjyjpDuDBqFSoHS6h9RuR7PoprUnoY385vcy1LlZXiKGQ4wvDUJ9EmOzpE772Ov8bPkmUKiDwVr09miTN+742afr6uTS2vxVluY8aKjNMzVbQMXyeFJhRgaVu6p7tZcbOTscnZEt0J4RTLitUfCqWBwF+yUWdELUlS8xy0oDg==
-end of ticket-
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
No protocol specified

** (remote-viewer:12596): WARNING **: Could not open X display
No protocol specified
No se puede abrir el visor:  Corriendo ‘remote-viewer –help’ para ver una lista completa de las opciones disponibles de línea de comando
#

At the end spiceproxy is empty (0 bytes), so remote-viewer does not work..

https://proxmox179:8006 is correctly resolved...

I'm on pve-nosubscription (does it mind ?)

Workstation is Fedora 19 xfce.

Regards

spirit · Nov 4, 2013

What's the output of curl ?

(proxmox session ticket seem to be ok, so something is wrong in curl)

vcp_ai · Nov 4, 2013

Calling curl with the result of TICKET :

Code:

# curl -k -b "PVEAuthCookie=PVE:root@pam:52776210::m9mzplw8uRRPHC3zn16avOrRb61aky8vub4L9XLXpGTBwdwBJyS/aKrsQ9p37ni9o3W/WcQqUkMt5UqSAx3JbTbkv1jfaaTO1kqWrJBFcJ+JTFaczhSU21A4uIN+NltXCKYbNCLOCo6zSBSQr2Kva9KNPevE91t5hzpwujsxCCfwh8FQz3BKQvn3hj4AJ3pklkbW2vvkHDrRl6mdR5dVhzockV9nbRwitjMkIoerHCRdEZG4srGQ1+7td4VFeaLqOPLEyHTNhpZjnNwwERKtMe3xlvaMztlS0Wjg/Of9v041wDlXhgPwn0tdLIfRVq+gEgbmZW1umAexRfXJOb2+xA==" https://proxmox179:8006/api2/spiceconfig/nodes/5214/qemu/5214/spiceproxy?proxy=proxmox179

produces NO output

spirit · Nov 4, 2013

url seem to be wrong:

https://proxmox179:8006/api2/spiceconfig/nodes/5214/qemu/5214/spiceproxy?proxy=proxmox179

should be

https://proxmox179:8006/api2/spiceconfig/nodes/proxmox179/qemu/5214/spiceproxy?proxy=proxmox179

vcp_ai · Nov 4, 2013

Same result, no output of curl. Created a new script, just to test:

Code:

$ more test
TICKET=`curl -k -d "username=root@pam&password=*********"  https://proxmox179:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g' | grep -w ticket |  awk -F "|" '{print $2}'`
echo "======================"
OUTP=`curl -k -b "PVEAuthCookie=$TICKET" https://proxmox179:8006/api2/spiceconfig/nodes/proxmox179/qemu/5214/spiceproxy?proxy=proxmox179`

echo "-----"
echo $TICKET
echo "-----"
echo $OUTP
echo "....."
$

And output of 'second' curl is again NULL:

Code:

$../test
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1117  100  1080  100    37  13140    450 --:--:-- --:--:-- --:--:-- 13170
======================
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
-----
PVE:root@pam:5277896A::Q0KqViRAk3zEJIxbR7hieE+rDcauOQ7VG3iY5BgyrtvIB2WaknSOK5vJh+MX9TtHOSZ8GFpfVOrN727IDxD4rB0OVPwVgGgzuue1/RXYhLrCGOnmJTurderrSEKiXRRj9mVpgcSnsE29s2XBbUdbrJaa33/J+OMFIs6bXeyhdvJvt7dP/LVRF8FOP3Nsi4sxAj0ErW8NyOmhd0qtVtZWlfPvfI980TwBLlf7S33XT+ZAvXwaBlZBupHs8G7Gp4tlhdCtUEkkkoG2HpQoK1cphiiLatUTanCS8r779KTR7thb+XaEvMeQ6K5okoQ7iJrk3m3Smchpz84/dyWjfyIH2w==
-----

.....
$

vcp_ai · Nov 4, 2013

I found the problem !!

I was using a wrong node name. I edited manually /etc/hosts with the wrong hostname used in the second curl, hence it was resolved, and I could obtain a TICKET...

Thanks for your help...

m.ardito · Feb 25, 2014

Hi, I don't know if you could help me? (perhaps other users too)

I'm trying to use php & wget to do the same thing as bash & curl (much more practical on windows, to me)

with this
passthru("wget --no-check-certificate --post-data=\"username=$USERNAME&password=$PASSWORD\" -O ticket.txt https://$PROXY:8006/api2/json/access/ticket")

then I edit ticket.txt to get the ticket string, then

I get the PVEAuthCookie and it seems correct to me, if I compare to cookies stored in web browser when I access web gui:
it's 367 bytes, starts with "PVE:root@pam:" and ends with "==", apart from different content in between, both seem identically made
i save the cookie, prefixed with "PVEAuthCookie=" (as is done in your script, I think) in a "spicecookie" file

then I try
passthru("wget --no-check-certificate --load-cookies spicecookie -O spiceproxy https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY")

but I always get (output a bit anonymized)

"Resolving pve2.myserver.com... 192.168.99.123
Connecting to pve2.myserver.com|192.168.99.123|:8006... connected.
WARNING: cannot verify pve2.myserver.com's certificate, issued by `/CN=Proxmox Virtual Environment/OU=<bunch of numbers>/O=PVE Cluster Manager CA
':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 401 No ticket
Authorization failed."

Do you have any clue of what's not working? how can I debug what is not working?

Thanks,
Marco

thheo · Feb 25, 2014

http://mbicz.wordpress.com/2012/07/03/wget-ssl-error-unable-to-locally-verify-the-issuers-authority/

m.ardito · Feb 25, 2014

thheo said:
http://mbicz.wordpress.com/2012/07/03/wget-ssl-error-unable-to-locally-verify-the-issuers-authority/

link points to this advice
"Error is showing up because your OS doesn’t trust someone who signed the certificate that the website is signed with.You can add –no-check-certificate but this is not necessarily what you wan’t to do as this is just cheating on your OS.Verify who signed your website and if you really trust it or not."

I'm not sure, I'll try tomorrow, but I can get the ticked using the same method

Code:

wget --no-check-certificate

"--no-check-certificate’Don't check the server certificate against the available certificate authorities. Also don't require the URL host name to match the common name presented by the certificate. As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails. Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates. This option forces an “insecure” mode of operation that turns the certificate verification errors into warnings and allows you to proceed.
If you encounter “certificate verification” errors or ones saying that “common name doesn't match requested host name”, you can use this option to bypass the verification and proceed with the download. Only use this option if you are otherwise convinced of the site's authenticity, or if you really don't care about the validity of its certificate. It is almost always a bad idea not to check the certificates when transmitting confidential or important data. "

which I guess is like this curl option (I may be wrong) in spirit's script.

Code:

curl -k

"-k, --insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used. "

perhaps should I add some "Set-Cookie" string at cookie start? I never did stuff like this...

I'll try more tomorrow...

Marco

m.ardito · Feb 26, 2014

I downloaded the certificate from pve server, and passed it to wget with
--ca-certificate pve2.myserver.com.crt

ie:
wget --ca-certificate pve2.myserver.com.crt --keep-session-cookies --load-cookies spicecookie -O spiceproxy https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY

but in this way I get:
"Connecting to pve2.myserver.com|192.168.99.123|:8006... connected.
ERROR: cannot verify pve2.myserver.com's certificate, issued by `/CN=Proxmox Virtual Environment/OU=<bunch of numbers>/O=PVE Cluster Manager CA':
Unable to locally verify the issuer's authority.
To connect to pve2.myserver.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection."

I can't guess how to solve this...

Marco

m.ardito · Feb 26, 2014

Adding...

I tried to get the spiceproxy on pve server itself, edited spirit's script to use the same ticket both for curl and wget:

Code:

#!/bin/bash

USERNAME=root@pam
PASSWORD=yourpassword
VMID=198
NODE=proxmoxhost1
PROXY=proxmoxhost1.test.com

echo "1) getting ticket from server"
echo "-------------------------------------------"
TICKET=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split$

echo ""
echo "2) writing ticket to spicecookie "
echo "-------------------------------------------"
echo "PVEAuthCookie=$TICKET" > spicecookie
echo "# cut -b -30 spicecookie:"
cut -b -30 spicecookie

echo ""
echo "3) getting spiceproxy with curl"
echo "-------------------------------------------"
curl -k -b "PVEAuthCookie=$TICKET" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY > spiceproxy
echo ""

echo ""
echo "4) getting spiceproxy with wget (loading spicecookie)"
echo "-------------------------------------------"
wget --no-check-certificate -O spiceproxy2 --load-cookies ./spicecookie https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY
echo ""

and what I get is

Code:

# ./testspice2.sh
1) getting ticket from server
-------------------------------------------
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1114  100  1080  100    34  20255    637 --:--:-- --:--:-- --:--:-- 20769

2) writing ticket to spicecookie
-------------------------------------------
# cut -b -30 spicecookie:
PVEAuthCookie=PVE:root@pam:530

3) getting spiceproxy with curl
-------------------------------------------
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1885  100  1885    0     0  34743      0 --:--:-- --:--:-- --:--:-- 35566


4) getting spiceproxy with wget (loading spicecookie)
-------------------------------------------
--2014-02-26 10:37:55--  https://proxmoxhost1.test.com:8006/api2/spiceconfig/nodes/pve2/qemu/198/spiceproxy?proxy=proxmoxhost1.test.com
Resolving proxmoxhost1.test.com (proxmoxhost1.test.com)... 192.168.99.123
Connecting to proxmoxhost1.test.com (proxmoxhost1.test.com)|192.168.99.123|:8006... connected.
WARNING: The certificate of `proxmoxhost1.test.com' is not trusted.
WARNING: The certificate of `proxmoxhost1.test.com' hasn't got a known issuer.
HTTP request sent, awaiting response... 401 No ticket
Authorization failed.

So, its not matter of how cookie text is done, but what it is? certificate should be ignored both by curl and wget (so no authentication, only encryption), or not?

what am I missing here?

Marco

dietmar · Feb 26, 2014

m.ardito said:
what am I missing here?

That script does not work at all with current code from pve-no-subscription repository, because of an API change.
I am working on a fix.

m.ardito · Feb 26, 2014

Good to know! Thanks.
In the end, I was able to do that on windows, with php/curl
I'm using (stable repository), pve 3.1-24.
Could not guess why wget version is not working, and why it says "401 no ticket" error...

Marco

sdutremble · May 10, 2014

dietmar said:
That script does not work at all with current code from pve-no-subscription repository, because of an API change.
I am working on a fix.

I can not find any reference to say if this is now fixed in the pve-no-subscription repository.

Could you please provide an update?

Thanks for a great product.

Serge

snowman66 · May 10, 2014

Code:

#!/bin/bash

# needs pve-manager >= 3.1-44

USERNAME=user@pve or @pam
PASSWORD=pass
# select VM
VMID=id of vm

NODE=node name
PROXY=node ip

DATA=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket` 

TICKET=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w ticket|  awk -F "|" '{print $2}'`

CSRF=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w CSRFPreventionToken| awk -F "|" '{print $2}'`

curl -k -b "PVEAuthCookie=$TICKET" -H "CSRFPreventionToken: $CSRF" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy -d "proxy=$PROXY" > /tmp/spiceproxy

remote-viewer /tmp/spiceproxy

sdutremble · May 17, 2014

snowman66 said:

Code:

#!/bin/bash

# needs pve-manager >= 3.1-44

USERNAME=user@pve or @pam
PASSWORD=pass
# select VM
VMID=id of vm

NODE=node name
PROXY=node ip

DATA=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket` 

TICKET=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w ticket|  awk -F "|" '{print $2}'`

CSRF=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w CSRFPreventionToken| awk -F "|" '{print $2}'`

curl -k -b "PVEAuthCookie=$TICKET" -H "CSRFPreventionToken: $CSRF" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy -d "proxy=$PROXY" > /tmp/spiceproxy

remote-viewer /tmp/spiceproxy

I am getting DATA, TICKET and CSRF from the script above.

spiceproxy looks OK although it gets deleted after the call to virt-viewer.

I get the two dialogs attached as errors and then back to command prompt. (Sorry, I can seem to be able to delete multiples...)

Linux MINT with virt-viewer version 0.5.6
PVE 3.2 latest.

Do you have any other ideas?

Serge

Remote Spice access *without* using web manager

Renowned Member

Well-Known Member

Renowned Member

Distinguished Member

Renowned Member

Distinguished Member

Renowned Member

Distinguished Member

Renowned Member

Renowned Member

Famous Member

Renowned Member

Famous Member

Famous Member

Famous Member

Proxmox Staff Member

Famous Member

Renowned Member

Active Member

Renowned Member

Remote Spice access without using web manager