Remote Spice access *without* using web manager

Jonas S.

Member
Sep 21, 2016
15
7
23
38
[...]

Hi Jonas,

I'm trying to use your script, but there is no information how to create the necessary TOKEN and corresponding secret for pvespiceconnect.sh
Can you elaborate on how to get this information?

Cheers and thanks
Christoph.
You are correct, I tried to google for an easy explanation on how to create API Tokens, I gave up after a short while, but I am pretty sure the info is somewhere. I invested the time to write down the GUI way.

Here you go:

First go to Datacenter -> Permissions -> API Tokens and click on Add

APIToken01.jpg

In the following UI you have to choose a user that is connected to the API token and a name for that token. I think a nice comment for the token would be wise, but it is optional. Click on Add.

APIToken02.jpg
Next you are shown some important stuff, note it down, this is what you will use in the script.

APIToken03.jpg

You should see your token now.

APIToken04.jpg

Unfortunately the token is useless as it is now, the next step is to configure the permissions for the token.
Go to Datacenter -> Permissions and click on Add -> Api Token Permission

APIToken05.jpg

In the next UI Element you have to choose the accessible API Path, the API Token you have just created and a Role.
If you choose those as shown in the next picture it should definitely work to connect to a VM via Spice.
You may want to harden security by only allowing a certain Path. In the example I have choosen the root / Path which will allow I think at least read Access to anything in it. I am not entirely sure which minimal Path is needed for the script to work, as the script is using an API call which I didn´t find any documentation on. Link to Api Documentation

APIToken06.jpg

Click on Add and your Token including Permissions should be shown.

APIToken07.jpg

To see more go back to Datacenter -> Permissions -> API Tokens select a Token and click on Show Permissions.

Hope I could help you figure it out.

Best Regards,
Jonas Stunkat
 

Docop2

Member
Nov 20, 2021
60
3
8
43
View attachment 33075

Click on Add and your Token including Permissions should be shown.

View attachment 33076

To see more go back to Datacenter -> Permissions -> API Tokens select a Token and click on Show Permissions.

Hope I could help you figure it out.

Best Regards,
Jonas Stunkat
Small precision, how did you get Spice as permission ? I only get listing of the vm# if set to... Mostly in Role, from all available list it's only: Pvevmuser, pvevmadmin, administrator... there is no Spice listed, as you show. Did you create a specific role ?

And if i set path to only : / i don't get allowed perm. only if i do direct on /vms/105. But perhaps related to role as well..
 

Jonas S.

Member
Sep 21, 2016
15
7
23
38
Small precision, how did you get Spice as permission ? I only get listing of the vm# if set to... Mostly in Role, from all available list it's only: Pvevmuser, pvevmadmin, administrator... there is no Spice listed, as you show. Did you create a specific role ?

And if i set path to only : / i don't get allowed perm. only if i do direct on /vms/105. But perhaps related to role as well..
Ups, now that you mention it, I did create that role ;).
but its pretty simple, I just took the needed permissions from the API documentation. And did read up on Permissions in the wiki.
Link to wiki about Permissions
In effect all the Spice role grants is VM.audit and VM.Console.
Some screenshots:
createSpiceRole1.png

createSpiceRole2.png

Best Regards
Jonas Stunkat
 
  • Like
Reactions: tw9mini and Docop2

tw9mini

New Member
Sep 22, 2021
4
0
1
44
Ups, now that you mention it, I did create that role ;).
but its pretty simple, I just took the needed permissions from the API documentation. And did read up on Permissions in the wiki.
Link to wiki about Permissions
In effect all the Spice role grants is VM.audit and VM.Console.
Some screenshots:


Best Regards
Jonas Stunkat
Hi Jonas,

thanks for your help, however, I'm having still trouble running your powershell script without an error.
I tried PS version 5.1 and also 7.2.
In 5.1 the error is:

Invoke-RestMethod : A parameter cannot be found that matches parameter name 'StatusCodeVariable'. At line:44 char:31

So I'm guessing Invoke-RestMethod in 5.1 doesn't support this parameter?

In 7.2 the error is:

Invoke-RestMethod: The remote certificate is invalid because of errors in the certificate chain: PartialChain

Any help appreciated.
 

Docop2

Member
Nov 20, 2021
60
3
8
43
Just to confirm something about using remmina.. is just installing spice-plugin is enought or we need to install spice-viewer as well ? i see the script from 2018.. but not sure on how to run it.. Or if the need of installing spice.. does it mean using remmina is actually not usefull ?
thanks
 
  • Like
Reactions: jebbam

pawlakm

New Member
May 24, 2022
3
2
3
Hi,

I just created a gitlab repository where I put an updated version of the `pvespiceconnect.sh` script some other contributors posted here on this thread. I externalized the configuration in order to easily connect to various VMs, added some features, streamlined other ones, added a documentation page explaining how to use the script, and how to configure PVE as well in order to be able to use this script.

https://gitlab.com/pawlakm/pve-spice-connect

I hope this will be usefull to others and that it will be easier for people to find this script and use it.

Your comments are welcome,

M.
 
  • Like
Reactions: tw9mini and UdoB

tbh

Member
Jun 10, 2020
3
0
6
36
Hi,

I just created a gitlab repository where I put an updated version of the `pvespiceconnect.sh` script some other contributors posted here on this thread. I externalized the configuration in order to easily connect to various VMs, added some features, streamlined other ones, added a documentation page explaining how to use the script, and how to configure PVE as well in order to be able to use this script.

https://gitlab.com/pawlakm/pve-spice-connect

I hope this will be usefull to others and that it will be easier for people to find this script and use it.

Your comments are welcome,

M.
Awesome work with this!! I am having an issue though. I keep getting the error:

[d] Searching for VMID '100' in LXC containers of node 'pve'
[d] LXC_RESPONSE: {"data":[]}
[e] Error: VMTYPE could not be detected!
[e] Exiting!

I have tried with different containers and vms and keep getting this same error.
What am I missing??


I also tried with cv4pve-pepper and when virt-viewer starts it presents the error:
Failed to connect: No running virtual machine found

If I download the .vv file from proxmox web interface and run it directly with virt-viewer I get the same error:
Failed to connect: No running virtual machine found
 
Last edited:

pawlakm

New Member
May 24, 2022
3
2
3
Hi,

I just read you question. Sorry if you have an issue with the script. It's difficult to answer without having more information. So I asked you some questions in a private conversation.

Meantime I had a look at the code and there was an error in the part that builds URLs for lxc containers. I fixed it and now it works both LXC containers and QEMU VMs. You can "git pull" and try this new version, however, given the error message you shared, I don't think your issue is related to this bug.

Let's try to fix it in private and once we find the error reason share the answer with everybody (and in a FAQ in the project repository)

M.

P.S. This type of error message may be logged if a non-existing VM or CT ID is provided OR if no token/role has been set in the VM's permissions. I also improved the logs to suggest it.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!