Deploying a Test Windows Environment in a KVM Infrastructure
I was recently playing with KVM and needed to set up a domain controller for testing reasons. A great introduction to KVM can be seen in William’s post. It has all the steps on how to deploy and configure it. All of the below instructions assume that you already have a KVM server up and running.
Connect to the KVM Server with Virtual Machine Manager (virt-manager)
If you don’t have Virtual Machine Manager installed, go ahead and install it:
sudo yum install virt-manager
Depending on where your ISOs are stored you have a couple of options. If the ISOs are stored on the KVM server then you will have to use SSH X-Forwarding to do the initial setup, and after the initial install you can manage the VMs with virt-manager via the qemu+ssh protocol instead of SSH X-Forwarding. The reason is that you can’t browse local directories from virt-manager remotely. From ‘Chapter 12. Managing Storage’:
Using the file browser by clicking on Browse is not possible when operating from remote.
It’s possible but all the ISOs would have to be in one big directory without sub-directories, from the same page:
CD/DVD ISO images
In order to be able to access CD/DVD iso images on the VM Host Server from remote, they also need to be placed in a storage pool.
There was an NFS export shared to the KVM server and the ISOs were organized by folders, so adding that directory/export as a storage pool didn’t help out since all the ISOs need to be in one big directory. We could add each subdirectory as a storage pool but that would be a lot of work. This was discussed in this forum. If the ISOs were local to your machine, then you can just launch virt-manager locally and connect to the KVM server using SSH and then point to the local ISO.
So let’s log in to our KVM server over SSH with X-Forwarding enabled:
[elatov@klaptop ~]$ ssh -X virtuser@kvm
Then from the remote machine let’s launch virt-manager:
[virtuser@kvm ~]$ virt-manager
At this point you should see the following:
As you can see it will auto connect to the local instance (if properly configured). You will see a list of the VMs that are currently running and small performance graphs on the right as well. You can go to “Edit” -> “Connection Details”:
After selecting that you will see the following window:
From here you can see: connection details, configured Storage Pools, and Configured Networks.
Create a New VM with Virt-Manager
From the main virt-manager window click on the “New” button:
And that will start the “Create New VM” Wizard:
At the first step: name the VM as you desire, select “Local install media” (since we are going to use the ISO that is locally stored on the KVM server), and then click “Forward”:
Then you will see the 2nd step of the wizard:
Select “Use ISO image”, click on “Browse”, and then you will see the available Storage Pools:
This will show you the img files for already running VMs. If we had a storage pool with one big directory of ISOs then you could just select the ISO from that Storage pool (but this wasn’t the case for us). Next click on “Browse Local” which is only available if we are connecting locally or with SSH with X-Forwarding. Then we will see the “Browse for ISO” dialogue:
At this point just browse to the location of the ISOs and select your Win2k8 ISO. After that is done, here is how step 2 of the wizard will look:
Then click “Forward” and then we will get to step 3 of the wizard:
We have to choose CPU and RAM settings. Looking over this Microsoft page, we can see their minimum requirements:
I just kept 1CPU and 1GB of RAM and clicked “Forward”, at which point I saw step 4 of the wizard:
I did other installs of the Win2K8R2 and after all the Windows updates it ended up using about 20GB, so that is what I set up. Here is how my final step 4 looked:
I then clicked “Forward” and it took me to the 5th step (the last step):
Here you can select the networking setup for the VM. We were using “bridged”, so I left the defaults and clicked “Finish”. At that point the console to the VM started up:
Keep going through the install as you would usually do. Here is a screenshot of the install process going:
Connect to the KVM Server Remotely with virt-manager
After the initial install of the OS is finished you don’t need to use SSH X-Forwarding to connect to the KVM server. Install virt-manager locally and fire it up. When it starts it will try to automatically connect to a hypervisor:
Since we are not running one locally you will get an error like this:
You can just close that and then you will see your virt-manager in a disconnected state:
At this point go to “File” -> “Add Connection”:
Then go ahead and fill out the necessary information:
If you hit connect it will ask you for the virtuser password:
It will actually keep asking for the password when you launch VMs. The best thing to do is use SSH keys so you don’t have to keep typing in the password. First generate your own pair of SSH keys:
[elatov@klaptop ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/elatov/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/elatov/.ssh/id_rsa.
Your public key has been saved in /home/elatov/.ssh/id_rsa.pub.
The key fingerprint is:
a8:42:e5:7e:fd:99:ab:24:94:96:15:e4:da:21:2e:05 elatov@klaptop
The key's randomart image is:
+--[ RSA 2048]----+
| E .o |
| . . . |
| . o + |
| o o O . |
| . o O S |
| . . = . |
| . o o o |
| . . o . o |
| ..=. |
+-----------------+
If you have ssh-agent running then you will just have to type in the key’s passphrase once and you will be set. Now go ahead and add your SSH public key to the KVM server:
[elatov@klaptop ~]$ ssh-copy-id virtuser@kvm
virtuser@kvm's password:
Now try logging into the machine, with "ssh 'virtuser@kvm'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Now if you try to connect to the KVM server with virt-manager via qemu+ssh you won’t have to enter the virtuser password every time. When you use virt-manager remotely you will only see CPU usage like so:
Setup a Windows Active Directory Server
Most of the instructions are laid out here. After Windows 2008 R2 is installed, launch the Server Manager by entering:
servermanager.msc
in the Run dialog and you will see the following:
Then go to “Roles” and click on “Add Roles”:
From the list select “Active Directory Domain Services”:
Then click “Next” a couple of times, followed by a “Finish”. After the install is done you will see the following:
Now let’s actually configure it. To do that run:
dcpromo.exe
from the Run dialog and you will see the following:
Click “Next” a couple of times and you see the “Choose Deployment Configuration” window:
I didn’t have an existing domain, so I selected “Create a New Domain in a new forest” and clicked next:
For my domain I chose “elatov.local”:
After clicking “Next” I was presented with the following screen:
I wasn’t planning on using anything below Server 2003, so I left the default option and clicked “Next”. At this point I saw the following:
Same thing here, I left the default and clicked “Next”. I was then asked to set up a DNS server:
I didn’t have a local DNS server in the environment so I decided to set one up. I left the “DNS server” selected and clicked “Next” and saw the following:
I left the defaults here as well and clicked “Next”, at this point I was asked to enter the “Restore Domain Administrator” Password:
After that I was presented with the “Summary” page:
After clicking “Next” the install process started, after the install was finished I saw the following:
Selecting “Finish” from the above window prompted for a restart. After the restart I saw the following at the login screen:
Indicating that I was part of the “elatov” domain :) After I logged in I checked the IP settings and I saw the following:
C:\Users\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc
Primary Dns Suffix . . . . . . . : elatov.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : elatov.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139C+ Fast Ethernet NIC
Physical Address. . . . . . . . . : 52-54-00-07-BA-A3
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.250.47(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.250.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Setup an IIS Server
Now let’s install an IIS Server. From the Run Dialogue, enter
servermanager.msc
You will then start up the Server Manager:
Click on “Roles”:
Then click on “Add Roles”, and you will see the “Add Roles Wizard”:
Select “Web Server (IIS)”:
Then click “Next” until you get to the “Select Role Services”:
From here you can select the necessary components of IIS that you need. After you have selected the necessary components, click “Next” and then finally click “Install” to start the install:
After the install is finished, open Internet Explorer and point it to http://localhost; you should see the following:
Now let’s go ahead and enable SSL on our IIS Server. From the Run Dialog enter
inetmgr
and you will see the following:
Then click on IIS Instance and on the right side you will see a lot of options. Among those options you will see “Server Certificates”:
Then double click on “Server Certificates” and you will see the following:
Then from the “Right Pane” select “Create Self-Signed Certificate” and the Wizard will start up. Enter the name of the site:
Then click “OK”. You will then see the following under the “Server Certificates”:
Now that we have an SSL certificate, we need to enable IIS to listen on port 443. This is done by expanding IIS Instance then expanding the Sites folder and selecting “Default Web Site”:
On the right you will see an option called “Binding”. Click on that and the following will show up:
Then click “Add” and you will see the following:
Then change the type to “https” and select the SSL certificate that we created. In the end it will look like this:
Then click “OK” and “Close” and you should be all set. From Internet Explorer go to https://localhost and make sure you see the same page as before:
Setup A Windows 7 Client
Install Windows 7 on another VM. Give it an IP and make sure the primary DNS points to the new DC server that we set up. Here is how the IP configuration looked on my Windows 7 Client:
C:\Users\elatov>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : client
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139C+ Fast Ethernet NIC
Physical Address. . . . . . . . . : 52-54-00-5D-FB-1D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.101.47(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.101.1
DNS Servers . . . . . . . . . . . : 192.168.250.47
192.168.101.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Do a test on the client, run nslookup to make sure it works:
C:\Users\elatov>nslookup dc.elatov.local
Server: UnKnown
Address: 192.168.250.47
Name: dc.elatov.local
Address: 192.168.250.47
Now let’s join our Windows 7 client to our domain. From the Run dialogue type in
sysdm.cpl
and then you will see the following:
Then click “Change” and fill out the Computer Name and the domain you want to join:
Then click “OK” and you will need to enter the Domain Administrator’s credentials to allow this machine to join:
If all is successful you will see the following prompt:
And then it will ask you to restart the machine. While the machine is restarting go to the DC Server and run:
dsa.msc
That should show you the “Active Directory Users and Computers” dialogue:
Expand your domain (elatov.local), then go to “Computers” and you should see the newly added computer there:
In the same window add a new user by right clicking on the “Users” folder and selecting “Add” -> “User”:
Here is an example of one user I added:
After we are done adding the user we will see it in the User’s list:
Then from the client log in with that user, like so:
To log in as the local user, hit switch user and then type: .\elatov along with the password:
Another check you can do is make sure the machine was added to DNS. From the DC/DNS Server run:
dnsmgmt.msc
and you will see the following:
Expand the “Forward Lookup Zones” and then select your domain (elatov.local), on the right side you will see an “A” record for the newly joined machine:
Connect To KVM Virtual Machines from a Local Machine Using VNCViewer
If you don’t want to go through the virt-manager to open up a console, you can use virsh to determine what vncdisplay a VM is using and then connect to that from your local machine. First determine the vncdisplay of the desired VM:
[elatov@klaptop ~]$ virsh -c qemu+ssh://virtuser@kvm/system list
Id Name State
----------------------------------------------------
1 VM1 running
2 VM2 running
16 kelatov_win7_client running
20 kelatov_Win2k8_DC running
23 kelatov_win2k8_iis running
and then this:
[elatov@klaptop ~]$ virsh -c qemu+ssh://virtuser@kvm/system vncdisplay kelatov_win2k8_iis
:15
Now we know the VNC display is :15, so let’s connect to that VNC display:
[elatov@klaptop ~]$ vncviewer kvm:15
If you don’t want to open up the firewall to allow the port range for VNC connections (i.e. 5900 - 5999), you could use the KVM host as an SSH tunnel. Here is how the command would look for that:
[elatov@klaptop ~]$ vncviewer -via virtuser@kvm 127.0.0.1:15
Enabling Copy and Paste on a Windows KVM VM
To enable copy and paste within any KVM VM, we need to use Spice (more information on Spice can be seen at their home page here). Start by checking whether the following RPMs are installed:
[virtuser@kvm ~]$ rpm -qa | grep spice
spice-gtk-python-0.6-2.el6.x86_64
spice-server-0.8.2-5.el6.x86_64
spice-glib-0.6-2.el6.x86_64
spice-gtk-0.6-2.el6.x86_64
If those are installed then we can enable Spice on our VMs. To enable Spice on a KVM machine, first shut off the VM. Then from Virt-Manager select the VM, and then go to “Edit” -> “Virtual Machine Details”:
Notice the VM is in a “Shutoff” state. At that point the console to the VM will open:
Right next to the “Console” button there is a “Details” button. By clicking that you will see the following:
From the left pane, select “Video” and you will see this:
Change the Model from “vga” to “qxl”:
Then select “Apply” and then select “Display VNC” and you will see the following:
Then change the “Type” from “VNC” to “Spice”, and then click on “Apply”, as soon as you hit apply you will see the following pop up:
Click “Yes”, after you click “Yes” you will see a new device added called “Channel” like so:
From there you can click “Run” and the VM will start booting, don’t forget to switch from “Details” to “Console” to see the VM’s boot process.
After the VM is booted up we need to install the Spice Guest Tools. Open a browser from within the VM and go to www.spice-space.org/download.html:
Scroll down until you see the “Windows guest tools”:
Download the tools onto the desktop:
Then double click on the installer and follow the onscreen instructions:
After the install is done, restart the VM one more time. After the VM reboots you should be able to copy and paste from the console of virt-manager. If you check for running tasks you will see the following processes:
C:\Users\Administrator>tasklist | findstr vd
vdservice.exe 612 Services 0 3,512 K
vdagent.exe 912 Console 1 3,488 K
I actually copied that from the guest :)
Using Spice Clients to Connect to Spice-Enabled VMs
If you don’t want to use the virt-manager console, we can use other Spice clients. First we need to determine what port is used for the Spice connection:
[elatov@klaptop ~]$ virsh -c qemu+ssh://virtuser@kvm/system dumpxml kelatov_win7_client | grep spice | grep port
<graphics type='spice' port='5913' tlsPort='-1' autoport='yes'></graphics>
So we are on port 5913, now let’s set up an SSH tunnel:
[elatov@klaptop ~]$ ssh -L 5913:localhost:5913 virtuser@kvm
Then we can use a spice client:
- spicec (from the spice-client package)
- spicy (from the spice-gtk-tools package)
- remote-viewer (from the virt-viewer package)
and connect to localhost:5913
Here are examples of each:
[elatov@klaptop ~]$ spicec -h localhost -p 5913
Here is how it looks:
or with remote-viewer:
[elatov@klaptop ~]$ remote-viewer spice://localhost:5913
Here is how that will look:
and lastly with spicy:
[elatov@klaptop ~]$ spicy
That will launch a GUI and then you can fill out the necessary information, like so:
and then you will see the following:
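As an added example (not from the original post), the script below combines the VNC and Spice lookups described above: it reads virsh dumpxml output, maps a VNC display number to its TCP port, and prints the matching ssh -L tunnel while flagging a console that listens on a non-loopback address. The function names, the sample XML and its listen='0.0.0.0' value are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Reads libvirt domain XML
# (the output of "virsh dumpxml <vm>") and works out how to reach the
# VM console through an SSH tunnel instead of an open firewall port.

# Constructed sample, modelled on the <graphics> line shown above; the
# listen attribute is an assumption added to exercise the exposure check.
SAMPLE_XML="<domain type='kvm'>
  <name>kelatov_win7_client</name>
  <devices>
    <graphics type='spice' port='5913' tlsPort='-1' autoport='yes' listen='0.0.0.0'/>
  </devices>
</domain>"

# gfx_attr NAME: value of attribute NAME on the first <graphics> element (XML on stdin).
gfx_attr() {
  sed -n "s/.*<graphics[^>]*[[:space:]]$1='\([^']*\)'.*/\1/p" | head -n 1
}

# vnc_display_to_port :N -> TCP port 5900+N (so :15 is 5915).
vnc_display_to_port() {
  local n="${1#:}"
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  echo $((5900 + n))
}

# tunnel_plan USER@HOST: XML on stdin; prints "<type> <port> <exposure>" and the ssh command.
tunnel_plan() {
  local xml type port listen exposure
  xml="$(cat)"
  type="$(printf '%s\n' "$xml" | gfx_attr type)"
  port="$(printf '%s\n' "$xml" | gfx_attr port)"
  listen="$(printf '%s\n' "$xml" | gfx_attr listen)"
  # With autoport='yes' a stopped VM reports port='-1'; nothing to tunnel to yet.
  case "$port" in ''|-1|*[!0-9]*) echo "no-port"; return 1 ;; esac
  case "$listen" in
    127.*|::1|localhost) exposure="loopback-only" ;;
    '') exposure="listen-unspecified" ;;   # no listen attribute in the XML
    *) exposure="network-exposed" ;;       # reachable without the tunnel
  esac
  echo "$type $port $exposure"
  echo "ssh -L $port:localhost:$port $1"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_XML" | tunnel_plan virtuser@kvm
```

On a real host, pipe the output of virsh -c qemu+ssh://virtuser@kvm/system dumpxml for the VM into tunnel_plan. Because autoport is 'yes', the port is assigned when the VM starts, so repeat the lookup after every VM restart.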