Remote Spice access *without* using web manager

[...]

Hi Jonas,

I'm trying to use your script, but there is no information on how to create the necessary TOKEN and corresponding secret for pvespiceconnect.sh.
Can you elaborate on how to get this information?

Cheers and thanks
Christoph.
You are correct, I tried to google for an easy explanation on how to create API Tokens, I gave up after a short while, but I am pretty sure the info is somewhere. I invested the time to write down the GUI way.

Here you go:

First go to Datacenter -> Permissions -> API Tokens and click on Add

APIToken01.jpg

In the following UI you have to choose a user that is connected to the API token and a name for that token. I think a nice comment for the token would be wise, but it is optional. Click on Add.

APIToken02.jpg
Next you are shown some important stuff, note it down, this is what you will use in the script.

APIToken03.jpg

You should see your token now.

APIToken04.jpg

Unfortunately the token is useless as it is now, the next step is to configure the permissions for the token.
Go to Datacenter -> Permissions and click on Add -> Api Token Permission

APIToken05.jpg

In the next UI Element you have to choose the accessible API Path, the API Token you have just created and a Role.
If you choose those as shown in the next picture it should definitely work to connect to a VM via Spice.
You may want to harden security by only allowing a certain Path. In the example I have chosen the root / Path which will allow I think at least read Access to anything in it. I am not entirely sure which minimal Path is needed for the script to work, as the script is using an API call which I didn't find any documentation on. Link to API Documentation

APIToken06.jpg

Click on Add and your Token including Permissions should be shown.

APIToken07.jpg

To see more go back to Datacenter -> Permissions -> API Tokens select a Token and click on Show Permissions.

Hope I could help you figure it out.

Best Regards,
Jonas Stunkat
 
Small precision, how did you get Spice as permission? I only get listing of the vm# if set to... Mostly in Role, from all available list it's only: PVEVMUser, PVEVMAdmin, Administrator... there is no Spice listed, as you show. Did you create a specific role?

And if I set path to only: / I don't get allowed perm., only if I do it directly on /vms/105. But perhaps related to role as well.
 
Oops, now that you mention it, I did create that role ;).
But it's pretty simple, I just took the needed permissions from the API documentation. And did read up on Permissions in the wiki.
Link to wiki about Permissions
In effect all the Spice role grants is VM.audit and VM.Console.
Some screenshots:
createSpiceRole1.png

createSpiceRole2.png

Best Regards
Jonas Stunkat
 
Hi Jonas,

thanks for your help, however, I'm still having trouble running your PowerShell script without an error.
I tried PS version 5.1 and also 7.2.
In 5.1 the error is:

Invoke-RestMethod : A parameter cannot be found that matches parameter name 'StatusCodeVariable'. At line:44 char:31

So I'm guessing Invoke-RestMethod in 5.1 doesn't support this parameter?

In 7.2 the error is:

Invoke-RestMethod: The remote certificate is invalid because of errors in the certificate chain: PartialChain

Any help appreciated.
 
Just to confirm something about using remmina: is just installing spice-plugin enough, or do we need to install spice-viewer as well? I see the script from 2018, but I'm not sure how to run it. Or, if spice needs to be installed, does it mean using remmina is actually not useful?
thanks
 
Hi,

I just created a gitlab repository where I put an updated version of the `pvespiceconnect.sh` script some other contributors posted here on this thread. I externalized the configuration in order to easily connect to various VMs, added some features, streamlined other ones, added a documentation page explaining how to use the script, and how to configure PVE as well in order to be able to use this script.

https://gitlab.com/pawlakm/pve-spice-connect

I hope this will be useful to others and that it will be easier for people to find this script and use it.

Your comments are welcome,

M.
 
Awesome work with this!! I am having an issue though. I keep getting the error:

[d] Searching for VMID '100' in LXC containers of node 'pve'
[d] LXC_RESPONSE: {"data":[]}
[e] Error: VMTYPE could not be detected!
[e] Exiting!

I have tried with different containers and vms and keep getting this same error.
What am I missing??


I also tried with cv4pve-pepper and when virt-viewer starts it presents the error:
Failed to connect: No running virtual machine found

If I download the .vv file from proxmox web interface and run it directly with virt-viewer I get the same error:
Failed to connect: No running virtual machine found
 
Hi,

I just read your question. Sorry if you have an issue with the script. It's difficult to answer without having more information. So I asked you some questions in a private conversation.

Meantime I had a look at the code and there was an error in the part that builds URLs for LXC containers. I fixed it and now it works for both LXC containers and QEMU VMs. You can "git pull" and try this new version, however, given the error message you shared, I don't think your issue is related to this bug.

Let's try to fix it in private and once we find the error reason share the answer with everybody (and in a FAQ in the project repository)

M.

P.S. This type of error message may be logged if a non-existing VM or CT ID is provided OR if no token/role has been set in the VM's permissions. I also improved the logs to suggest it.
 
On the datacenter permissions I had to add another permission for the spice user to access the vm which was additional to the api permission

Thanks a lot @pawlakm for your script. I followed your gitlab instructions and would like to echo @tbh's comment that one step is missing as the permissions section seems to require both the API Token AND the User Permission to be added under the VM permission.
After adding the latter, I got access directly, so thanks a lot for sharing your script and the very detailed instructions for secure API access
 
Hi, happy to read that the script is useful, but sorry to read that something is still missing in the documentation. Could you please send me a message with exactly what you had to add to make it work? Thanks in advance!

Note: I only have the API token with the predefined role in the VM's permissions, with VM.audit and VM.console privileges.
 
Similar to @tbh , I had to add the user to the VM in addition to the token.

In the section of your doc, I have modified it to reflect on what worked for me:

Verify that the token has been correctly set​

  1. In the dropdown menu on the left, select Server View
  2. Click on Datacenter, in the right pane a sub-menu should appear.
  3. In the sub-menu, click on the Permissions item, in the right pane a table with two buttons above it should appear
  4. In the table, if you used the values above, you should have:
    1. a line whose Path is /vms/100, User/Group/API Token is spiceuser@pve!spice and Role is Spice.
    2. a line whose Path is /vm/100, User/Group/API Token is spiceuser@pve and Role is Spice
Without 4.2, it does not work for me.

I might be doing something wrong but it works perfectly with 4.2 applied.
 
Hi, thank you very much for the script. Is there any way to specify from the command line how many displays to start? I have 3 monitors at the office, but only 1 at home. Need to use checkboxes at the virt-viewer menu. I'm using virt-viewer to specify how many displays are connected to my VM, but later working from nomachine, because it's faster. There is no way to specify how many displays are connected to the VM from nomachine, so I need to start virt-viewer first and specify how many displays I have now. At the VM config file I have vga: qxl3,memory=64
 
Hello,

I like your implementation of this request (as well as its documentation) so I prepped a quick package for Arch Linux users to grab it: https://aur.archlinux.org/packages/pve-spice-connect.git

Also, permissions-wise I found it made sense to give the Spice role to the Spice group over /vms and then assign access to particular VMs per API token. e.g.:

Code:
path       user/group/token     role
/vms       @spice_api           SPICE
/vms/100   spice@pve!server01   SPICE
/vms/105   spice@pve!server05   SPICE

For anyone using Ansible (with this role) to manage their Proxmox configuration, the following role variables will get you most of the way there with ACLs as well. It doesn't (yet?) support configuring API tokens though so that would still require manual configuration.

YAML:
pve_groups:
  - name: spice_api
pve_users:
  - name: spice@pve
    groups:
      - spice_api
pve_roles:
  - name: SPICE
    privileges:
      - "VM.Audit"
      - "VM.Console"
pve_acls:
  - path: /vms
    roles: ["SPICE"]
    groups: ["spice_api"]
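
Added example, not part of any post in this thread and not code from Proxmox or the pve-spice-connect project: Proxmox VE computes the effective permissions of a privilege-separated API token as the intersection of the owning user's permissions and the token's own, which is why a token-only ACL entry can be refused while the layouts above with an additional user or group entry work. The sketch below is a simplified model of that rule (it assumes every ACL entry propagates and that the script needs both privileges of the thread's Spice role); the ACL tables are constructed from the values quoted in the thread.

```python
# Simplified model of Proxmox VE ACL evaluation; illustration only, not PVE code.
# Assumption: every ACL entry propagates to child paths.
ROLES = {"SPICE": {"VM.Audit", "VM.Console"}}   # role as defined in the thread
NEEDED = {"VM.Audit", "VM.Console"}             # assumed needs of the script

def parents(path):
    """Yield path, then each ancestor up to '/', most specific first."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])

def privs(acl, path, tiers):
    """Privileges from the most specific path with an entry for the principal.

    tiers is ordered by precedence: on the same path a user entry replaces
    group entries; a more specific path replaces an inherited one.
    """
    for p in parents(path):
        for tier in tiers:
            roles = [r for (ap, who, r) in acl if ap == p and who in tier]
            if roles:
                return set().union(*(ROLES[r] for r in roles))
    return set()

def token_privs(acl, path, token, groups=(), privsep=True):
    """Effective privileges of API token 'user@realm!tokenid' on path."""
    user = token.split("!", 1)[0]
    user_p = privs(acl, path, [[user], ["@" + g for g in groups]])
    if not privsep:              # token simply inherits the user's privileges
        return user_p
    return user_p & privs(acl, path, [[token]])   # intersection of both

def can_spice(acl, path, token, **kw):
    """True if the token holds every privilege in NEEDED on path."""
    return NEEDED <= token_privs(acl, path, token, **kw)

# Constructed ACL tables (path, user/group/token, role), modelled on the thread.
TOKEN_ONLY = [("/vms/100", "spiceuser@pve!spice", "SPICE")]
TOKEN_AND_USER = TOKEN_ONLY + [("/vms/100", "spiceuser@pve", "SPICE")]
GROUP_LAYOUT = [("/vms", "@spice_api", "SPICE"),
                ("/vms/100", "spice@pve!server01", "SPICE"),
                ("/vms/105", "spice@pve!server05", "SPICE")]

if __name__ == "__main__":
    print(can_spice(TOKEN_ONLY, "/vms/100", "spiceuser@pve!spice"))
    print(can_spice(TOKEN_AND_USER, "/vms/100", "spiceuser@pve!spice"))
    print(can_spice(GROUP_LAYOUT, "/vms/105", "spice@pve!server01",
                    groups=["spice_api"]))
```

In the group layout the user holds the role on every VM, but each token is still confined to the one VM named in its own ACL entry.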
 
