I have set up a private cloud on OpenNebula with the Xen hypervisor. I have created a VM with a CentOS image available on the market and the VM is running fine, but I am not able to see the VNC console. Below are the screenshots of my template configuration and the error I am getting.
Hi,
I usually use KVM and VMware as hypervisors so I’ve no experience with Xen and VNC, but maybe you can check this post (https://forum.opennebula.io/t/vnc-novnc-ready-native-websockets-canvas-rendering-error/3022). In that post I try to explain some things you can check just to be sure that the basic VNC settings are there (VNC proxy is running, port is listening, firewall is not blocking connections… and so on).
Try to read it and if you need any help we’ll try to help, and, as Thomas says, maybe the logs in /var/log/one can give you more info.
In the Xen nodes are you running a firewall (iptables, ufw, firewall-cmd) that may be blocking connections from the frontend to the nodes where the VMs are running? Ports 5900 TCP onwards should be allowed from the frontend so the proxy can establish connections.
In your browser you can enable the Developer Tools (Ctrl + Shift + I) so you can check in the Console for possible errors that are preventing VNC from working as expected.
Hi Arshad,
In OpenNebula, VNC ports are assigned like this (hope I explain it well):
If no VNC port is set in your template, by default the following port will be used: 5900 + VMID. For example, if you have a VM with ID 5, the port will be 5905 and if the VM ID is 15, the VNC port would be 5915. That’s why you should open ports 5900 TCP onwards in your nodes’ firewall for traffic with the Frontend as source. I usually don’t specify any VNC port as OpenNebula provides one for each VM, but that’s a personal choice!
Each VM has its own VNC port so no, 5900 is not the port for every VM. A VNC proxy runs in the frontend on port 29876 and redirects VNC traffic to each node and port (5905, 5915, 59whatever…)
In your case you have set port 5905, so if you use nmap -p 5905 X.X.X.X (where X.X.X.X is the IP address of the node where your VM is running) and the port is closed, you will have to open it in your firewall.
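The check described in the reply above, as an added example that is not part of the original thread: it derives the VNC port from the VM ID (5900 + VMID, or the port set in the template) and probes it from the frontend. It goes one step beyond the nmap test by reading the 12-byte RFB version banner a VNC server sends on connect; the function names and the script name are assumptions made for this example.

```python
import socket
import sys

VNC_BASE_PORT = 5900  # default base described in the reply above

def vnc_port(vmid, template_port=None):
    """Port set in the VM template if given, otherwise 5900 + VMID."""
    if template_port is not None:
        return int(template_port)
    if vmid < 0:
        raise ValueError("VM ID must be non-negative")
    return VNC_BASE_PORT + vmid

def probe_vnc(host, port, timeout=3.0):
    """Connect as the frontend proxy would and classify the result.

    Returns (state, banner) where state is one of:
      'vnc'          - port open and the server sent an RFB version banner
      'open-not-vnc' - port open but something else (or nothing) answered
      'refused'      - host reachable, nothing listening on that port/address
      'filtered'     - no connection (timeout or unreachable), often a firewall
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    except OSError:  # timeouts, unreachable host, name resolution failures
        return "filtered", ""
    with sock:
        banner = b""
        try:
            while len(banner) < 12:  # RFB ProtocolVersion is exactly 12 bytes
                chunk = sock.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
        except OSError:
            pass  # open port that stayed silent or reset the connection
    text = banner.decode("ascii", "replace").strip()
    return ("vnc" if text.startswith("RFB ") else "open-not-vnc"), text

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: vnc_check.py NODE_IP VMID [TEMPLATE_PORT]")
    node, vmid = sys.argv[1], int(sys.argv[2])
    port = vnc_port(vmid, sys.argv[3] if len(sys.argv) > 3 else None)
    print(node, port, *probe_vnc(node, port))
```

Run it on the frontend against the node hosting the VM: `refused` points at the listener on the node (wrong port, or VNC bound to an address the frontend cannot reach), while `filtered` points at a firewall between frontend and node.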
In the Xen nodes are you running a firewall (iptables, ufw, firewall-cmd) that may be blocking connections from the frontend to the nodes where the VMs are running? Ports 5900 TCP onwards should be allowed from the frontend so the proxy can establish connections.
I don't think there's any firewall or iptables running. Also, how can I confirm that the nodes allow the frontend to establish proxy connections on these ports?
Are you using SSL with Sunstone?
No, I am not.
In your browser you can enable the Developer Tools (Ctrl + Shift + I) so you can check in the Console for possible errors that are preventing VNC from working as expected.
I am getting the following output
Hi!
From the frontend you can run nmap with -p port_number to check whether that port is open or closed. What OS and version are you running on your nodes, so I can help you check if you have a firewall running?
On your node you can run ss -ntap | grep 5905 and check if your VM is listening on port 5905, if that was the port you set in the VM template as you’ve mentioned.
I am going to update my templates and open the ports on the nodes, so one final stupid question: in the template, what should be the listen IP of VNC? Should I specify the frontend’s IP or 0.0.0.0?
Looking at the screenshot with the 29876 port, it seems it’s listening on 127.0.0.1:29876.
EDIT: never mind, my bad, it shows as *:29876
If I understand correctly, VNC traffic from port 59XX on a hypervisor is directed to the websocket on port 29876.
[qemu process with VNC] --> [socket on sunstone 29876] --> [sunstone webinterface]
Can you try from one of your hypervisors if you can reach port 29876 on the OpenNebula master?
Is there any best way to open those TCP ports on Ubuntu nodes?
I am thinking of using: iptables -A INPUT -p tcp --match multiport --dports 5900:6000 -j ACCEPT
But I have read that there are sometimes problems with this one.