Access a KVM VM's console when all hope is lost
It's pretty simple for the Linux gurus I'm sure...but I ran into the following scenario with one of my clients.
Longtime Linux admin leaves - he built all the systems - and a temp admin takes over (part of a takeover). New management decrees security policies, so he resets all of the old ssh account passwords - the changes are not documented. The takeover falls apart, the temp admin is no longer an employee, and control is handed back to the original company. They are left with no admin, and no passwords.
The original admin did a great (maybe slightly paranoid) job of setting up and hardening the servers, so of course root has no ssh. This can be overcome by logging on to the console, no problem.
One of the other projects the original admin set up was a couple of KVM clusters - they worked great, but one cluster had weird issues (probably hardware/networking, but the original admin left before it could be resolved), and since the temp Linux admin couldn't figure them out, the original management team said forget it...move all the VMs over to our VMware clusters.
With the temp admin gone, I was contracted on to help out. Going back to the KVM issue...the problem is that there was no console method to access the KVM VMs. No console, no ssh...no access. Bad news bears, right?
Well, there is of course a way to get console access, but you have to be a Linux admin/power user to get that. (I am neither, really) SSH forwarding! You forward the X11 session back to your computer, run virt-manager, and bam! Access! Unfortunately, this is super easy if you're using Linux as your workstation OS...and of course super not-easy if you're using Windows.
Google (lots...and lots...of google) to the rescue!
- Configure PuTTY to use X11 forwarding
- Install Xming on your Windows workstation (without this you get connection rejected errors in your PuTTY log - CTRL + right-click on your session window!!!)
- Ensure the KVM hosts themselves have functional X11 forwarding (sshd_config, ssh_config) - without this you get authentication/authorization errors
- When you connect with PuTTY, if things are good you should get a 'localhost' line if you run this: echo $DISPLAY (if you're not running Xming on your workstation, you'll get a blank line, among other errors)
- Run virt-manager (you'll need the root password, too)
- It'll pop up - job done!
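A pre-flight check for the host-side steps above, added here as an example and not part of the original post: it reads the effective global X11Forwarding value from an sshd_config file and checks that DISPLAY looks like an SSH-forwarded display. The function names are hypothetical; it assumes unquoted values and reads only the global section (everything before the first Match line).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line apply only conditionally.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }            # drop leading indentation
        /^#/ { next }                     # skip comments
        tolower($1) == "match" { exit }   # end of the global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 when the host side looks ready for running virt-manager over SSH.
x11_forward_ready() {  # usage: x11_forward_ready SSHD_CONFIG DISPLAY_VALUE
    rc=0
    if [ "$(sshd_effective "$1" X11Forwarding no)" != "yes" ]; then
        echo "FAIL: X11Forwarding is not enabled globally in $1"
        rc=1
    fi
    case "$2" in
        localhost:*) echo "OK: DISPLAY=$2" ;;
        "") echo "FAIL: DISPLAY is empty, no forwarded display in this session"
            rc=1 ;;
        *)  echo "WARN: DISPLAY=$2 is not a forwarded localhost display" ;;
    esac
    return $rc
}

# Check the live host when the standard config file is readable.
if [ -r /etc/ssh/sshd_config ]; then
    x11_forward_ready /etc/ssh/sshd_config "${DISPLAY:-}" || true
fi
```

If X11 forwarding was disabled on the host before this work started, `sshd_effective /etc/ssh/sshd_config X11Forwarding no` should print `no` again once the original setting is restored.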
Of course, this only worked because we had console access to the KVM hosts.
Side note: Some would say, oh, but there is a console access method for KVM VMs! You set up a serial TTY port and whatnot, you can directly connect from the KVM host console! Very much so...but you have to first configure something inside the VM (via ssh, of course), and if you don't have SSH access or console access...well...ya.
Another side note: I had to bypass a lot of security stuff to get this far, so don't forget to turn all that back on once you're done!
- This has some good troubleshooting/overview: http://www.cyberciti.biz/faq/x11-connection-rejected-because-of-wrong-authentication/
- And here: http://superuser.com/questions/292506/enable-putty-users-to-have-x11-forwarding-redhat-5-server
- And here: http://froebe.net/blog/2008/11/14/getting-xlib-putty-x11-proxy-wrong-authentication-protocol-attempted-i-have-the-answer/
- Relevant info here, too: https://www.centos.org/forums/viewtopic.php?t=21812