Remote Spice access *without* using web manager

blackpaw

Renowned Member
Nov 1, 2013
295
19
83
Is it possible to access the Spice Console for a specific VM without going through the web manager?

We're interested in using proxmox as a windows desktop server and being able to settup a short cut that launched remote-viewer to directly open a vm console would be exceedingly useful.

Thanks.
 
The option of get access to the Spice Console for a specific VM without going through the web manager would be great, i am waiting that this option is enabled.

Can PVE team add this option?. because for common users of the LAN will be more easy for get access and use it (for example enabling by IP/segment/subred or in any way)

In any case the PVE team make a excelent work with Proxmox

Best regards
Cesar
 
Last edited:
I see from other threads thats its possible with a little scripting.

here a small bash script (for linux client)

the main idea is to generate the spiceproxy ticket through proxmox api.

Code:
#!/bin/bash


USERNAME=root@pam
PASSWORD=yourpassword
VMID=198
NODE=proxmoxhost1
PROXY=proxmoxhost1.test.com


TICKET=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g' | grep -w ticket |  awk -F "|" '{print $2}'`
echo $TICKET
curl -k -b "PVEAuthCookie=$TICKET" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY > spiceproxy
remote-viewer spiceproxy
 
  • Like
Reactions: bleakczar
here a small bash script (for linux client)

the main idea is to generate the spiceproxy ticket through proxmox api.
@ spirit. Could you please help me to diagnose this NO working script ?
Code:
#    cat Spice5214.sh 
#!/bin/bash

USERNAME=root@pam
PASSWORD=mipasswordhere
VMID=5214
NODE=proxmox179
PROXY=proxmox179

TICKET=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g' | grep -w ticket |  awk -F "|" '{print $2}'`
echo $TICKET
echo "-end of ticket-"
curl -k -b "PVEAuthCookie=$TICKET" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY > spiceproxy
remote-viewer spiceproxy
Result is :
Code:
# ./Spice5214.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1117  100  1080  100    37  13540    463 --:--:-- --:--:-- --:--:-- 13670
PVE:root@pam:52776014::AQom+k6U4pGcgswUTqLpFX6WJurK8y2/9v52L7TUOUN0ZwPSlHgc6YzwIDn9zIsrTD0sVQKjpIk8bxiMdnjE7ytIxrmJdGSMTnrp3Ij9wyyWPu3BP7GNnpCQ7OG4YTTVgXisCiVdCiTu+QjZ1tmufZIriRvYLQon2COA2Yi18+Q5CSjyjpDuDBqFSoHS6h9RuR7PoprUnoY385vcy1LlZXiKGQ4wvDUJ9EmOzpE772Ov8bPkmUKiDwVr09miTN+742afr6uTS2vxVluY8aKjNMzVbQMXyeFJhRgaVu6p7tZcbOTscnZEt0J4RTLitUfCqWBwF+yUWdELUlS8xy0oDg==
-end of ticket-
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
No protocol specified

** (remote-viewer:12596): WARNING **: Could not open X display
No protocol specified
No se puede abrir el visor:  Corriendo ‘remote-viewer –help’ para ver una lista completa de las opciones disponibles de línea de comando
#
At the end spiceproxy is empty (0 bytes), so remote-viewer does not work..

https://proxmox179:8006 is correctly resolved...

I'm on pve-nosubscription (does it mind ?)

Workstation is Fedora 19 xfce.

Regards
 
  • Like
Reactions: bleakczar
Calling curl with the result of TICKET :
Code:
# curl -k -b "PVEAuthCookie=PVE:root@pam:52776210::m9mzplw8uRRPHC3zn16avOrRb61aky8vub4L9XLXpGTBwdwBJyS/aKrsQ9p37ni9o3W/WcQqUkMt5UqSAx3JbTbkv1jfaaTO1kqWrJBFcJ+JTFaczhSU21A4uIN+NltXCKYbNCLOCo6zSBSQr2Kva9KNPevE91t5hzpwujsxCCfwh8FQz3BKQvn3hj4AJ3pklkbW2vvkHDrRl6mdR5dVhzockV9nbRwitjMkIoerHCRdEZG4srGQ1+7td4VFeaLqOPLEyHTNhpZjnNwwERKtMe3xlvaMztlS0Wjg/Of9v041wDlXhgPwn0tdLIfRVq+gEgbmZW1umAexRfXJOb2+xA==" https://proxmox179:8006/api2/spiceconfig/nodes/5214/qemu/5214/spiceproxy?proxy=proxmox179
produces NO output
 
Same result, no output of curl. Created a new script, just to test:
Code:
$ more test
TICKET=`curl -k -d "username=root@pam&password=*********"  https://proxmox179:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g' | grep -w ticket |  awk -F "|" '{print $2}'`
echo "======================"
OUTP=`curl -k -b "PVEAuthCookie=$TICKET" https://proxmox179:8006/api2/spiceconfig/nodes/proxmox179/qemu/5214/spiceproxy?proxy=proxmox179`

echo "-----"
echo $TICKET
echo "-----"
echo $OUTP
echo "....."
$
And output of 'second' curl is again NULL:
Code:
$../test
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1117  100  1080  100    37  13140    450 --:--:-- --:--:-- --:--:-- 13170
======================
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
-----
PVE:root@pam:5277896A::Q0KqViRAk3zEJIxbR7hieE+rDcauOQ7VG3iY5BgyrtvIB2WaknSOK5vJh+MX9TtHOSZ8GFpfVOrN727IDxD4rB0OVPwVgGgzuue1/RXYhLrCGOnmJTurderrSEKiXRRj9mVpgcSnsE29s2XBbUdbrJaa33/J+OMFIs6bXeyhdvJvt7dP/LVRF8FOP3Nsi4sxAj0ErW8NyOmhd0qtVtZWlfPvfI980TwBLlf7S33XT+ZAvXwaBlZBupHs8G7Gp4tlhdCtUEkkkoG2HpQoK1cphiiLatUTanCS8r779KTR7thb+XaEvMeQ6K5okoQ7iJrk3m3Smchpz84/dyWjfyIH2w==
-----

.....
$
 
I found the problem !!

I was using a wrong node name. I edited manually /etc/hosts with the wrong hostname used in the second curl, hence it was resolved, and I could obtain a TICKET...


Thanks for your help...
 
Hi, I don't know if you could help me? (perhaps other users too)

I'm trying to use php & wget to do the same thing as bash & curl (much more practical on windows, to me)

with this
passthru("wget --no-check-certificate --post-data=\"username=$USERNAME&password=$PASSWORD\" -O ticket.txt https://$PROXY:8006/api2/json/access/ticket")

then I edit ticket.txt to get the ticket string, then

I get the PVEAuthCookie and it seems correct to me, if I compare to cookies stored in web browser when I access web gui:
it's 367 bytes, starts with "PVE:root@pam:" and ends with "==", apart from different content in between, both seem identically made
i save the cookie, prefixed with "PVEAuthCookie=" (as is done in your script, I think) in a "spicecookie" file

then I try
passthru("wget --no-check-certificate --load-cookies spicecookie -O spiceproxy https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY")

but I always get (output a bit anonymized)

"Resolving pve2.myserver.com... 192.168.99.123
Connecting to pve2.myserver.com|192.168.99.123|:8006... connected.
WARNING: cannot verify pve2.myserver.com's certificate, issued by `/CN=Proxmox Virtual Environment/OU=<bunch of numbers>/O=PVE Cluster Manager CA
':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 401 No ticket
Authorization failed
."

Do you have any clue of what's not working? how can I debug what is not working?

Thanks,
Marco
 
Last edited:

link points to this advice
"Error is showing up because your OS doesn’t trust someone who signed the certificate that the website is signed with.You can add –no-check-certificate but this is not necessarily what you wan’t to do as this is just cheating on your OS.Verify who signed your website and if you really trust it or not."

I'm not sure, I'll try tomorrow, but I can get the ticked using the same method
Code:
wget --no-check-certificate
"--no-check-certificate’Don't check the server certificate against the available certificate authorities. Also don't require the URL host name to match the common name presented by the certificate. As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails. Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates. This option forces an “insecure” mode of operation that turns the certificate verification errors into warnings and allows you to proceed.
If you encounter “certificate verification” errors or ones saying that “common name doesn't match requested host name”, you can use this option to bypass the verification and proceed with the download. Only use this option if you are otherwise convinced of the site's authenticity, or if you really don't care about the validity of its certificate. It is almost always a bad idea not to check the certificates when transmitting confidential or important data. "

which I guess is like this curl option (I may be wrong) in spirit's script.

Code:
curl -k
"-k, --insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used. "


perhaps should I add some "Set-Cookie" string at cookie start? I never did stuff like this...

I'll try more tomorrow...

Marco
 
Last edited:
I downloaded the certificate from pve server, and passed it to wget with
--ca-certificate pve2.myserver.com.crt

ie:
wget --ca-certificate pve2.myserver.com.crt --keep-session-cookies --load-cookies spicecookie -O spiceproxy https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY

but in this way I get:
"Connecting to pve2.myserver.com|192.168.99.123|:8006... connected.
ERROR: cannot verify pve2.myserver.com's certificate, issued by `/CN=Proxmox Virtual Environment/OU=<bunch of numbers>/O=PVE Cluster Manager CA':
Unable to locally verify the issuer's authority.
To connect to pve2.myserver.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection."

I can't guess how to solve this...

Marco
 
Adding...

I tried to get the spiceproxy on pve server itself, edited spirit's script to use the same ticket both for curl and wget:

Code:
#!/bin/bash

USERNAME=root@pam
PASSWORD=yourpassword
VMID=198
NODE=proxmoxhost1
PROXY=proxmoxhost1.test.com

echo "1) getting ticket from server"
echo "-------------------------------------------"
TICKET=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket | sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split$

echo ""
echo "2) writing ticket to spicecookie "
echo "-------------------------------------------"
echo "PVEAuthCookie=$TICKET" > spicecookie
echo "# cut -b -30 spicecookie:"
cut -b -30 spicecookie

echo ""
echo "3) getting spiceproxy with curl"
echo "-------------------------------------------"
curl -k -b "PVEAuthCookie=$TICKET" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY > spiceproxy
echo ""

echo ""
echo "4) getting spiceproxy with wget (loading spicecookie)"
echo "-------------------------------------------"
wget --no-check-certificate -O spiceproxy2 --load-cookies ./spicecookie https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy?proxy=$PROXY
echo ""

and what I get is

Code:
# ./testspice2.sh
1) getting ticket from server
-------------------------------------------
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1114  100  1080  100    34  20255    637 --:--:-- --:--:-- --:--:-- 20769

2) writing ticket to spicecookie
-------------------------------------------
# cut -b -30 spicecookie:
PVEAuthCookie=PVE:root@pam:530

3) getting spiceproxy with curl
-------------------------------------------
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1885  100  1885    0     0  34743      0 --:--:-- --:--:-- --:--:-- 35566


4) getting spiceproxy with wget (loading spicecookie)
-------------------------------------------
--2014-02-26 10:37:55--  https://proxmoxhost1.test.com:8006/api2/spiceconfig/nodes/pve2/qemu/198/spiceproxy?proxy=proxmoxhost1.test.com
Resolving proxmoxhost1.test.com (proxmoxhost1.test.com)... 192.168.99.123
Connecting to proxmoxhost1.test.com (proxmoxhost1.test.com)|192.168.99.123|:8006... connected.
WARNING: The certificate of `proxmoxhost1.test.com' is not trusted.
WARNING: The certificate of `proxmoxhost1.test.com' hasn't got a known issuer.
HTTP request sent, awaiting response... 401 No ticket
Authorization failed.


So, its not matter of how cookie text is done, but what it is? certificate should be ignored both by curl and wget (so no authentication, only encryption), or not?

what am I missing here?

Marco
 
Last edited:
Good to know! Thanks.
In the end, I was able to do that on windows, with php/curl
I'm using (stable repository), pve 3.1-24.
Could not guess why wget version is not working, and why it says "401 no ticket" error...

Marco
 
That script does not work at all with current code from pve-no-subscription repository, because of an API change.
I am working on a fix.

I can not find any reference to say if this is now fixed in the pve-no-subscription repository.

Could you please provide an update?

Thanks for a great product.

Serge
 
Code:
#!/bin/bash

# needs pve-manager >= 3.1-44

USERNAME=user@pve or @pam
PASSWORD=pass
# select VM
VMID=id of vm

NODE=node name
PROXY=node ip

DATA=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket` 

TICKET=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w ticket|  awk -F "|" '{print $2}'`

CSRF=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w CSRFPreventionToken| awk -F "|" '{print $2}'`

curl -k -b "PVEAuthCookie=$TICKET" -H "CSRFPreventionToken: $CSRF" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy -d "proxy=$PROXY" > /tmp/spiceproxy

remote-viewer /tmp/spiceproxy
 
Code:
#!/bin/bash

# needs pve-manager >= 3.1-44

USERNAME=user@pve or @pam
PASSWORD=pass
# select VM
VMID=id of vm

NODE=node name
PROXY=node ip

DATA=`curl -k -d "username=$USERNAME&password=$PASSWORD"  https://$PROXY:8006/api2/json/access/ticket` 

TICKET=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w ticket|  awk -F "|" '{print $2}'`

CSRF=`echo $DATA|sed 's/\\\\\//\//g' | sed 's/[{}]//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | sed 's/\"\:\"/\|/g' | sed 's/[\,]/ /g' | sed 's/\"// g'|grep -w CSRFPreventionToken| awk -F "|" '{print $2}'`

curl -k -b "PVEAuthCookie=$TICKET" -H "CSRFPreventionToken: $CSRF" https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy -d "proxy=$PROXY" > /tmp/spiceproxy

remote-viewer /tmp/spiceproxy

I am getting DATA, TICKET and CSRF from the script above.

spiceproxy looks OK although it gets deleted after the call to virt-viewer.

Screenshot from 2014-05-17 10:10:33.pngScreenshot from 2014-05-17 10:10:12.pngScreenshot from 2014-05-17 10:10:33.pngScreenshot from 2014-05-17 10:10:12.png
I get the two dialogs attached as errors and then back to command prompt. (Sorry, I can seem to be able to delete multiples...)

Linux MINT with virt-viewer version 0.5.6
PVE 3.2 latest.

Do you have any other ideas?

SergeScreenshot from 2014-05-17 10:10:33.pngScreenshot from 2014-05-17 10:10:12.png
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!