[virt-tools-list] virt-manager remote connection woes
Malte Starostik
m-starostik at versanet.de
Sun Feb 20 14:38:00 UTC 2011
Hi,
I've been using virt-manager (with KVM) for some time, using SSH connections.
For several reasons, I wanted to try the other alternatives, but nothing
really worked out. Now I'd really love to get things running nicely, but I'm
at a loss as to where to start looking. I'll list the problems I'm
experiencing in the hope I'm not alone and/or could get some clues about what
might be wrong. I've tried the whole thing with multiple libvirtd servers and
virt-manager clients. FWIW, the problems are the same no matter if client and
server are on the same machine or really remote. I gather some or even all of
these issues might be in either virt-manager or libvirt, but I really don't
know. The lowest common denominator is that all machines are running Gentoo
Linux, so maybe it's even just a packaging fault?
SSH
As stated above, it's been my choice for a while. It's easy to set up,
although I'm not too happy about pubkey auth for root on the target.
PolicyKit might come to help though (?). Anyway, when using SSH, the ssh child
processes are never terminated unless and until manually killed. 100%
reproducible. Even after killing them, the corresponding nc process on the
server keeps running. This results in a DoS situation once libvirtd's client
connection slots are exhausted. This happens regardless of how the connection
is (supposedly) closed: manual disconnect from virt-manager, regular or
forceful termination of virt-manager, same outcome. This has happened ever
since I've started using the tool, maybe around 0.8.3 (?). Still happens with
0.8.6, guess I should've reported this as a bug by now.
SASL
Given that there is a Kerberos setup at my disposal, I figured single sign on
might be nice, so I tried. Works great at first glance! But after varying
amounts of time, virt-manager deadlocks. Sometimes it works for some hours,
sometimes it locks up right after connecting. Creating a new virtual machine
is almost impossible, but does work after trying a few times - lockups happen
at unpredictable stages of the wizard. Just keeping virt-manager's main
window open with an established connection will freeze it sooner or later.
FWIW, same applies to digest-md5 authentication.
TLS
Tried this just to make sure. If you already have a PKI, this looks like a
good choice, although I really don't like the hardcoded paths for the client
stuff. There was no /etc/pki dir on my machines, but if there was, file names
like cacert.pem and client{cert,key}.pem sound rather ambiguous in a
system-wide location. It doesn't allow for per-user auth this way. Anyway, assuming
configurability on this part is going to come - the same deadlocks I've seen
with SASL also happen with TLS :(
One more note on SASL/GSSAPI: once it's turned on for QEMU, virt-manager can
only connect to it when using SASL or TLS for the libvirtd connection. For
local connections it tries to get a service ticket for vnc/localhost instead of
using the FQDN, with SSH it wants to tunnel VNC over SSH, breaking Kerberos as
well.
I'd be glad to get some hints for debugging especially the deadlock problem.
Kind regards,
Malte