KVM – How to Create KVM Guest with SPICE Graphics and TLS Disabled Using Virt-Install


I am using virt-install (see below) to create a guest. All seems fine up to the point where it complains about auto-allocation of the SPICE TLS port.

Here's what I am running and the full output:

# sudo virt-install --name vmname --ram 1024 --os-type=linux --os-variant=ubuntutrusty --disk path=/data/vm/vmname_sda.qcow2,bus=virtio,size=10,sparse=false --noautoconsole --console pty,target_type=virtio --accelerate --hvm --network=network:default --graphics spice,port=20001,listen=127.0.0.1

Starting install...
Retrieving file MANIFEST...                                                                                  | 2.1 kB     00:00 ...
Retrieving file MANIFEST...                                                                                  | 2.1 kB     00:00 ...
Retrieving file linux...                                                                                     |  11 MB     00:00 ...
Retrieving file initrd.gz...                                                                                 |  41 MB     00:00 ...
ERROR    unsupported configuration: Auto allocation of spice TLS port requested but spice TLS is disabled in qemu.conf
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start vmname
otherwise, please restart your installation.

The error is:

ERROR unsupported configuration: Auto allocation of spice TLS port requested but spice TLS is disabled in qemu.conf

and indeed in my /etc/libvirt/qemu.conf I have:

spice_tls = 0

(and intentionally so).

So how can I create a KVM guest using the SPICE protocol for graphics, but with TLS disabled?

I doubt it is of relevance, but the reason I want to disable TLS is because I am tunneling the connection to SPICE via SSH already. No need for an extra layer of encryption.


The host system is Ubuntu 14.04.1. Package versions are:

  • virtinst: 0.600.4-3ubuntu2
  • qemu-kvm: 2.0.0+dfsg-2ubuntu1.2

(all up to date as far as apt-get is concerned)

Best Answer

Okay, I worked around it on my own. In the option:

--graphics spice,port=20001,listen=127.0.0.1

remove the port parameter such that it becomes:

--graphics spice,listen=127.0.0.1

You need to configure the <graphics /> element in the libvirt XML configuration file then. My invocation of virt-install gave me this:

<graphics type='spice' autoport='yes' listen='127.0.0.1'>
  <listen type='address' address='127.0.0.1'/>
</graphics>

There is one caveat. I finished the installation while SPICE was still connected to the default auto-connected port (5900 in my case). If you shut down the guest prior to finishing the installation the whole process initiated by virt-install will be interrupted.

In order to change it, one should shut down the guest and then edit the XML to something like the following, using virsh edit vmname (where vmname should be replaced with your name):

<graphics type='spice' autoport='no' port='20001' listen='127.0.0.1'>
  <listen type='address' address='127.0.0.1'/>
</graphics>

Possible workaround for "port in use" conflicts: use any of the local net addresses other than 127.0.0.1 from 127.0.0.0/24, e.g. 127.0.0.2, to listen on.

NOTE: If someone can come up with a better (i.e. actual) solution, I'll accept that other answer. This writeup is mostly for others that may run into the same issue.
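Added example (not part of the original answer): since TLS is off and the SSH tunnel is the only protection, this Python check reads domain XML as printed by virsh dumpxml vmname and reports any SPICE <graphics> element that listens outside loopback or still uses autoport. The function names, finding codes and the EXPOSED/AUTO samples are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: the pinned element from the answer, and two variants
# (not from the page): one listening on every interface, one with autoport.
PINNED = """<domain type='kvm'><devices>
<graphics type='spice' autoport='no' port='20001' listen='127.0.0.1'>
  <listen type='address' address='127.0.0.1'/>
</graphics></devices></domain>"""
EXPOSED = PINNED.replace("127.0.0.1", "0.0.0.0")
AUTO = PINNED.replace("autoport='no' port='20001'", "autoport='yes'")


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback  # all of 127.0.0.0/8, ::1
    except ValueError:  # hostname or junk: cannot prove it stays on the host
        return False


def audit_spice(domain_xml):
    """Return (code, detail) findings for each SPICE <graphics> element."""
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") != "spice":
            continue
        addrs = {g.get("listen")} if g.get("listen") else set()
        for child in g.findall("listen"):
            if child.get("type") == "address" and child.get("address"):
                addrs.add(child.get("address"))
        if not addrs:
            findings.append(("NO_LISTEN", "no explicit listen address"))
        plaintext = g.get("tlsPort") is None  # no TLS port in this element
        for addr in sorted(addrs):
            if not is_loopback(addr):
                code = "PLAINTEXT_EXPOSED" if plaintext else "NON_LOOPBACK"
                findings.append((code, addr))
        if g.get("autoport") == "yes":
            findings.append(("AUTOPORT", "port is picked at guest start"))
    return findings


if __name__ == "__main__":
    for name, xml in (("pinned", PINNED), ("exposed", EXPOSED), ("auto", AUTO)):
        print(name, audit_spice(xml) or "ok")
```

An empty result means the element matches the pinned, loopback-only form shown in the answer; 127.0.0.2 and the other 127.x addresses also pass the loopback test.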
