VNC Failed to connect to server

Hi,

I have set-up a private on OpenNebula with xen hypervisor. I have created a VM with CentOS image available on the market and the VM is running fine but I am not able to see the VNC console. Below are the screen shots of my template configuration and the error I am getting.

I have also tried creating another VM with ubuntu image and it does not show any error but a blank screen.

Kindly suggest how can I get it working.

Regards,
Arshad

anything in the logfiles?

cheers
t.

Hi,
I usually use KVM and VMWARE as hypervisor so I’ve no experience with Xen and VNC but maybe you can check this post (https://forum.opennebula.io/t/vnc-novnc-ready-native-websockets-canvas-rendering-error/3022). In that post I try to explain some things you can check just to be sure that basic VNC settings are there (VNC proxy is running, port is listening, firewall is not blocking connections… so on).

Try to read it and if you need any help we’ll try to help, and as Thomas says maybe logs in /var/log/one can give you more info.

Cheers!

in your first screenshot, the listen address is set to 127.0.0.1, can you try if you do see any VNC if you set the listen address to 0.0.0.0 ?

It shows the same error. No change.

Regards,
Arshad

Hi!,
though I can’t see it in your screenshots, are you using an AdBlocker extension?

In this post (https://forum.opennebula.io/t/vnc-novnc-ready-native-websockets-canvas-rendering-error/30221) I try to explain some things you can check just to be sure that basic VNC settings are there (VNC proxy is running, port is listening, firewall is not blocking connections… so on).

Could you provide us more info so we know what you’ve tried and what else we could check together?

Cheers!

Hi Miguel,

No there is no Adblocker extension. I am getting the following when I run the command: ss -ntap | grep 29876

Regards,
Arshad

Hi Arshad.
Ok! then let’s do more tests!

  1. In the Xen nodes are you running a firewall (iptables, ufw, firewall-cmd) that may be blocking connections from the frontend to the nodes where the VMs are running? Ports 5900 TCP onwards should be alllowed from the frontend so the proxy can establish connections.
  2. Are you using SSL with Sunstone? In that case maybe the problem is that you must enable secure websockets in Sunstone. I’d suggest you reading this old post (http://opennebula.org/opennebula-securing-sunstones-novnc-connections-with-secure-websocket-and-your-own-certificate-authority/)
  3. In your browser you can enable the Developer Tools (Ctrl + Shift + I) so you can check in Console possible errors that are preventing VNC to work as expected.

From your feedback we’ll check more things.

Cheers!

Also when I run nmap on my frontend since it is also one of the hosts, I get the following result.

One more thing in my template for my vm the vnc port that I have specified is 5905 should I change it to 5900? Does VNC by default run on 5900 port?

Regards,
Arshad

Hi Arshad,
in OpenNebula VNC ports are assigned like this (hope I explain it well :blush: :

  • If no VNC port is set in your template, by default the following port will be used 5900 + VMID. Example if you have a VM with ID 5, the port will be 5905 and if VM ID is 15, the VNC port would be 5915. That’s why you should open ports 5900 TCP onwards in your nodes firewall for traffic with Frontend as source. I usually don’t specify any VNC port as OpenNebula provides one for each VM but that’s a personal choice!
  • Each VM has its own VNC port so no, 5900 is not the port for every VM. A VNC proxy runs in the frontend in port 29876 and redirects VNC traffic to each node and port (5905, 5915, 59whatever…)

In your case you have set port 5905 so if you use nmap -p 5905 X.X.X.X (where X.X.X.X is the IP address of the node where your VM is running) and the port is closed, you should have to open it in your firewall.

Cheers!

Hi Miguel,

  1. In the Xen nodes are you running a firewall (iptables, ufw, firewall-cmd) that may be blocking connections from the frontend to the nodes where the VMs are running? Ports 5900 TCP onwards should be alllowed from the frontend so the proxy can establish connections.
    I dont think so theres any firewall or iptables running. Also How can I confirm that the nodes allow frontend to establish proxy connection on these ports.

  2. Are you using SSL with Sunstone?
    No I am not

  3. In your browser you can enable the Developer Tools (Ctrl + Shift + I) so you can check in Console possible errors that are preventing VNC to work as expected.
    I am getting the following output

Hi!
from the frontend you can run nmap and try with -p port_number if that port is open or closed. What OS and version are you running in your nodes, so I can help you to check if you have a firewall running.

In your node you can run ss -ntap | grep 5905 and check if your VM is listening on 5905 port it that was the port you set in the VM template as you’ve mentioned.

Cheers!

Hey Miguel,

I am going to update my templates and open the ports on the nodes so one final stupid question, in the template what should be the listen ip of vnc? Should I specify frontend’s IP or 0.0.0.0?

Hi Arshad,
no stupid question!

I’d use default 0.0.0.0, that only means that the VNC will listen on any IP address from the nodes, so that would work fine.

If you have any problems with VNC later we’re here to help you.

Cheers

Looking at the screenshot with the 29876 port, it seems it’s listening on 127.0.0.1:29876.
EDIT: nevermind, my bad, it shows as *:29876
If I understand correctly, VNC traffic from port 59XX on a hypervisor is directed to the websocket on port 29876.

[qemu proces with VNC] --> [socket on sunstone 29876] --> [sunstone webinterface]

can you try from one of your hypervisors if you can reach port 29876 on opennebula master ?

Another option to get more info is starting novnc from commandline, as described here:
http://lists.opennebula.org/pipermail/users-opennebula.org/2014-October/046355.html

command: python /usr/share/one/websockify/websocketproxy.py --target-config=/var/lib/one/sunstone_vnc_tokens 29876

This should show more info in the terminal about the novnc socket / traffic.

Hey Miguel,

Is there any best way to open those tcp ports on ubuntu nodes?
I am thinking of using: iptables -A INPUT -p tcp --match multiport --dports 5900:6000 -j ACCEPT

But I have read that there are sometimes problems with this one.

Regards,
Arshad

Hi,
what Ubuntu version are you running? I’m a CentOS/RedHat guy but I’ll try to help

Cheers!

Ubuntu 14.05 LTS.

Regards,
Arshad

Ok!
if iptables is ready I’d try this:

iptables -I INPUT -p tcp -s X.X.X.X/32 --dport 5900:65535 -m state --state NEW,ESTABLISHED -j ACCEPT where X.X.X.X should be your frontend’s IP addres

Check if that works for you, and if does remember that you’ll have to make that rule persistent!

This is a superb tutorial by Digital Ocean on how to work with iptables: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04

Tell me how it goes!