1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
---|
4 | <chapter>
|
---|
5 | <title>Remote virtual machines</title>
|
---|
6 |
|
---|
7 | <sect1>
|
---|
8 | <title id="vrde">Remote display (VRDP support)</title>
|
---|
9 |
|
---|
10 | <para>VirtualBox can display virtual machines remotely, meaning that a
|
---|
11 | virtual machine can execute on one machine even though the machine will be
|
---|
12 | displayed on a second computer, and the machine will be controlled from
|
---|
13 | there as well, as if the virtual machine was running on that second
|
---|
14 | computer.</para>
|
---|
15 |
|
---|
16 | <para>For maximum flexibility, starting with VirtualBox 4.0, VirtualBox
|
---|
17 | implements remote machine display through a generic extension interface,
|
---|
18 | the VirtualBox Remote Desktop Extension (VRDE). The base open-source
|
---|
19 | VirtualBox package only provides this interface, while implementations can
|
---|
20 | be supplied by third parties with VirtualBox extension packages, which
|
---|
21 | must be installed separately from the base package. See <xref
|
---|
22 | linkend="intro-installing" /> for more information.</para>
|
---|
23 |
|
---|
24 | <para>Oracle provides support for the <emphasis role="bold">VirtualBox
|
---|
25 | Remote Display Protocol (VRDP)</emphasis> in such a VirtualBox extension
|
---|
26 | package. When this package is installed, VirtualBox versions 4.0 and later
|
---|
27 | support VRDP the same way as binary (non-open-source) versions of
|
---|
28 | VirtualBox before 4.0 did.</para>
|
---|
29 |
|
---|
30 | <para>VRDP is a backwards-compatible extension to Microsoft's Remote
|
---|
31 | Desktop Protocol (RDP). Typically graphics updates and audio are sent from
|
---|
32 | the remote machine to the client, while keyboard and mouse events are sent
|
---|
33 | back. As a result, you can use any standard RDP client to control the
|
---|
34 | remote VM.</para>
|
---|
35 |
|
---|
36 | <para>Even when the extension is installed, the VRDP server is disabled by
|
---|
37 | default. It can easily be enabled on a per-VM basis either in the
|
---|
38 | VirtualBox Manager in the "Display" settings (see <xref
|
---|
39 | linkend="settings-display" />) or with
|
---|
40 | <computeroutput>VBoxManage</computeroutput>:<screen>VBoxManage modifyvm "VM name" --vrde on</screen></para>
|
---|
41 |
|
---|
42 | <para>If you use <computeroutput>VBoxHeadless</computeroutput> (described
|
---|
43 | further below), VRDP support will be automatically enabled since
|
---|
44 | VBoxHeadless has no other means of output.</para>
|
---|
45 |
|
---|
46 | <sect2 id="rdp-viewers">
|
---|
47 | <title>Common third-party RDP viewers</title>
|
---|
48 |
|
---|
49 | <para>Since VRDP is backwards-compatible to RDP, you can use any
|
---|
50 | standard RDP viewer to connect to such a remote virtual machine
|
---|
51 | (examples follow below). For this to work, you must specify the
|
---|
52 | <emphasis role="bold">IP address</emphasis> of your
|
---|
53 | <emphasis>host</emphasis> system (not of the virtual machine!) as the
|
---|
54 | server address to connect to, as well as the <emphasis role="bold">port
|
---|
55 | number</emphasis> that the RDP server is using.</para>
|
---|
56 |
|
---|
57 | <para>By default, VRDP uses TCP port
|
---|
58 | <computeroutput>3389</computeroutput>. You will need to change the
|
---|
59 | default port if you run more than one VRDP server, since the port can
|
---|
60 | only be used by one server at a time; you might also need to change it
|
---|
61 | on Windows hosts since the default port might already be used by the RDP
|
---|
62 | server that is built into Windows itself. Ports 5000 through 5050 are
|
---|
63 | typically not used and might be a good choice.</para>
|
---|
64 |
|
---|
65 | <para>The port can be changed either in the "Display" settings of the
|
---|
66 | graphical user interface or with
|
---|
67 | <computeroutput>--vrdeport</computeroutput> option of the
|
---|
68 | <computeroutput>VBoxManage modifyvm</computeroutput> command. You can
|
---|
69 | specify a comma-separated list of ports or ranges of ports. Use a dash
|
---|
70 | between two port numbers to specify a range. The VRDP server will bind
|
---|
71 | to <emphasis role="bold">one</emphasis> of available ports from the
|
---|
72 | specified list. For example, <computeroutput>VBoxManage modifyvm "VM
|
---|
73 | name" --vrdeport 5000,5010-5012</computeroutput> will configure the
|
---|
74 | server to bind to one of the ports 5000, 5010, 5011 or 5012. See <xref
|
---|
75 | linkend="vboxmanage-modifyvm" /> for details.</para>
|
---|
76 |
|
---|
77 | <para>The actual port used by a running VM can be either queried with
|
---|
78 | <computeroutput>VBoxManage showvminfo</computeroutput> command or seen
|
---|
79 | in the GUI on the "Runtime" tab of the "Session Information Dialog",
|
---|
80 | which is accessible via the "Machine" menu of the VM window.</para>
|
---|
81 |
|
---|
82 | <para>Here follow examples for the most common RDP viewers:<itemizedlist>
|
---|
83 | <listitem>
|
---|
84 | <para>On Windows, you can use the Microsoft Terminal Services
|
---|
85 | Connector (<computeroutput>mstsc.exe</computeroutput>) that ships
|
---|
86 | with Windows. You can start it by bringing up the "Run" dialog
|
---|
87 | (press the Windows key and "R") and typing "mstsc". You can also
|
---|
88 | find it under "Start" -> "All Programs" -> "Accessories"
|
---|
89 | -> "Remote Desktop Connection". If you use the "Run" dialog,
|
---|
90 | you can type in options directly:<screen>mstsc 1.2.3.4[:3389]</screen></para>
|
---|
91 |
|
---|
92 | <para>Replace "1.2.3.4" with the host IP address, and 3389 with a
|
---|
93 | different port if necessary.</para>
|
---|
94 |
|
---|
95 | <note>
|
---|
96 | <para>When connecting to localhost in order to test the
|
---|
97 | connection, the addresses
|
---|
98 | <computeroutput>localhost</computeroutput> and
|
---|
99 | <computeroutput>127.0.0.1</computeroutput> might not work using
|
---|
100 | <computeroutput>mstsc.exe</computeroutput>. Instead, the address
|
---|
101 | <computeroutput>127.0.0.2[:3389]</computeroutput> has to be
|
---|
102 | used.</para>
|
---|
103 | </note>
|
---|
104 | </listitem>
|
---|
105 |
|
---|
106 | <listitem>
|
---|
107 | <para>On other systems, you can use the standard open-source
|
---|
108 | <computeroutput>rdesktop</computeroutput> program. This ships with
|
---|
109 | most Linux distributions, but VirtualBox also comes with a
|
---|
110 | modified variant of rdesktop for remote USB support (see <xref
|
---|
111 | linkend="usb-over-rdp" /> below).</para>
|
---|
112 |
|
---|
113 | <para>With rdesktop, use a command line such as the
|
---|
114 | following:<screen>rdesktop -a 16 -N 1.2.3.4:3389</screen></para>
|
---|
115 |
|
---|
116 | <para>As said for the Microsoft viewer above, replace "1.2.3.4"
|
---|
117 | with the host IP address, and 3389 with a different port if
|
---|
118 | necessary. The <computeroutput>-a 16</computeroutput> option
|
---|
119 | requests a color depth of 16 bits per pixel, which we recommend.
|
---|
120 | (For best performance, after installation of the guest operating
|
---|
121 | system, you should set its display color depth to the same value).
|
---|
122 | The <computeroutput>-N</computeroutput> option enables use of the
|
---|
123 | NumPad keys.</para>
|
---|
124 | </listitem>
|
---|
125 |
|
---|
126 | <listitem>
|
---|
127 | <para>If you run the KDE desktop, you might prefer
|
---|
128 | <computeroutput>krdc</computeroutput>, the KDE RDP viewer. The
|
---|
129 | command line would look like this:<screen>krdc --window --high-quality rdp:/1.2.3.4[:3389]</screen></para>
|
---|
130 |
|
---|
131 | <para>Again, replace "1.2.3.4" with the host IP address, and 3389
|
---|
132 | with a different port if necessary. The "rdp:/" bit is required
|
---|
133 | with krdc to switch it into RDP mode.</para>
|
---|
134 | </listitem>
|
---|
135 | </itemizedlist></para>
|
---|
136 | </sect2>
|
---|
137 |
|
---|
138 | <sect2 id="vboxheadless">
|
---|
139 | <title>VBoxHeadless, the remote desktop server</title>
|
---|
140 |
|
---|
141 | <para>While any VM started from the VirtualBox Manager is capable of
|
---|
142 | running virtual machines remotely, it is not convenient to have to run
|
---|
143 | the full-fledged GUI if you never want to have VMs displayed locally in
|
---|
144 | the first place. In particular, if you are running server hardware whose
|
---|
145 | only purpose is to host VMs, and all your VMs are supposed to run
|
---|
146 | remotely over VRDP, then it is pointless to have a graphical user
|
---|
147 | interface on the server at all -- especially since, on a Linux or
|
---|
148 | Solaris host, the VirtualBox manager comes with dependencies on the Qt
|
---|
149 | and SDL libraries. This is inconvenient if you would rather not have the
|
---|
150 | X Window system on your server at all.</para>
|
---|
151 |
|
---|
152 | <para>VirtualBox therefore comes with yet another front-end called
|
---|
153 | <computeroutput>VBoxHeadless</computeroutput>, which produces no visible
|
---|
154 | output on the host at all, but instead only delivers VRDP data. This
|
---|
155 | front-end has no dependencies on the X Window system on Linux and
|
---|
156 | Solaris hosts.<footnote>
|
---|
157 | <para>Before VirtualBox 1.6, the headless server was called
|
---|
158 | <computeroutput>VBoxVRDP</computeroutput>. For the sake of backwards
|
---|
159 | compatibility, the VirtualBox installation still installs an
|
---|
160 | executable with that name as well.</para>
|
---|
161 | </footnote></para>
|
---|
162 |
|
---|
163 | <para>To start a virtual machine with
|
---|
164 | <computeroutput>VBoxHeadless</computeroutput>, you have two
|
---|
165 | options:</para>
|
---|
166 |
|
---|
167 | <itemizedlist>
|
---|
168 | <listitem>
|
---|
169 | <para>You can use <screen>VBoxManage startvm "VM name" --type headless</screen>The
|
---|
170 | extra <computeroutput>--type</computeroutput> option causes
|
---|
171 | VirtualBox to use <computeroutput>VBoxHeadless</computeroutput> as
|
---|
172 | the front-end to the internal virtualization engine instead of the
|
---|
173 | Qt front-end.</para>
|
---|
174 | </listitem>
|
---|
175 |
|
---|
176 | <listitem>
|
---|
177 | <para>The alternative is to use
|
---|
178 | <computeroutput>VBoxHeadless</computeroutput> directly, as
|
---|
179 | follows:<screen>VBoxHeadless --startvm <uuid|name></screen></para>
|
---|
180 |
|
---|
181 | <para>This way of starting the VM is preferred because you can see
|
---|
182 | more detailed error messages, especially for early failures before
|
---|
183 | the VM execution is started. If you have trouble with
|
---|
184 | <computeroutput>VBoxManage startvm</computeroutput>, it can help
|
---|
185 | greatly to start <computeroutput>VBoxHeadless</computeroutput>
|
---|
186 | directly to diagnose the problem cause.</para>
|
---|
187 | </listitem>
|
---|
188 | </itemizedlist>
|
---|
189 |
|
---|
190 | <para>Note that when you use
|
---|
191 | <computeroutput>VBoxHeadless</computeroutput> to start a VM, since the
|
---|
192 | headless server has no other means of output, the VRDP server will
|
---|
193 | <emphasis>always</emphasis> be enabled, regardless of whether you had
|
---|
194 | enabled the VRDP server in the VM's settings. If this is undesirable
|
---|
195 | (for example because you want to access the VM via
|
---|
196 | <computeroutput>ssh</computeroutput> only), start the VM like
|
---|
197 | this:<screen>VBoxHeadless --startvm <uuid|name> --vrde=off</screen>To
|
---|
198 | have the VRDP server enabled depending on the VM configuration, as the
|
---|
199 | other front-ends would, use this:<screen>VBoxHeadless --startvm <uuid|name> --vrde=config</screen></para>
|
---|
200 | </sect2>
|
---|
201 |
|
---|
202 | <sect2>
|
---|
203 | <title>Step by step: creating a virtual machine on a headless
|
---|
204 | server</title>
|
---|
205 |
|
---|
206 | <para>The following instructions may give you an idea how to create a
|
---|
207 | virtual machine on a headless server over a network connection. We will
|
---|
208 | create a virtual machine, establish an RDP connection and install a
|
---|
209 | guest operating system -- all without having to touch the headless
|
---|
210 | server. All you need is the following:</para>
|
---|
211 |
|
---|
212 | <para><orderedlist>
|
---|
213 | <listitem>
|
---|
214 | <para>VirtualBox on a server machine with a supported host
|
---|
215 | operating system. The VirtualBox extension pack for the VRDP
|
---|
216 | server must be installed (see the previous section). For the
|
---|
217 | following example, we will assume a Linux server.</para>
|
---|
218 | </listitem>
|
---|
219 |
|
---|
220 | <listitem>
|
---|
221 | <para>An ISO file accessible from the server, containing the
|
---|
222 | installation data for the guest operating system to install (we
|
---|
223 | will assume Windows XP in the following example).</para>
|
---|
224 | </listitem>
|
---|
225 |
|
---|
226 | <listitem>
|
---|
227 | <para>A terminal connection to that host through which you can
|
---|
228 | access a command line (e.g. via
|
---|
229 | <computeroutput>ssh</computeroutput>).</para>
|
---|
230 | </listitem>
|
---|
231 |
|
---|
232 | <listitem>
|
---|
233 | <para>An RDP viewer on the remote client; see <xref
|
---|
234 | linkend="rdp-viewers" /> above for examples.</para>
|
---|
235 | </listitem>
|
---|
236 | </orderedlist>Note again that on the server machine, since we will
|
---|
237 | only use the headless server, neither Qt nor SDL nor the X Window system
|
---|
238 | will be needed.</para>
|
---|
239 |
|
---|
240 | <para><orderedlist>
|
---|
241 | <listitem>
|
---|
242 | <para>On the headless server, create a new virtual machine:</para>
|
---|
243 |
|
---|
244 | <screen>VBoxManage createvm --name "Windows XP" --ostype WindowsXP --register</screen>
|
---|
245 |
|
---|
246 | <para>Note that if you do not specify
|
---|
247 | <computeroutput>--register</computeroutput>, you will have to
|
---|
248 | manually use the <computeroutput>registervm</computeroutput>
|
---|
249 | command later.</para>
|
---|
250 |
|
---|
251 | <para>Note further that you do not need to specify
|
---|
252 | <computeroutput>--ostype</computeroutput>, but doing so selects
|
---|
253 | some sane default values for certain VM parameters, for example
|
---|
254 | the RAM size and the type of the virtual network device. To get a
|
---|
255 | complete list of supported operating systems you can use</para>
|
---|
256 |
|
---|
257 | <screen>VBoxManage list ostypes</screen>
|
---|
258 | </listitem>
|
---|
259 |
|
---|
260 | <listitem>
|
---|
261 | <para>Make sure the settings for this VM are appropriate for the
|
---|
262 | guest operating system that we will install. For example:<screen>VBoxManage modifyvm "Windows XP" --memory 256 --acpi on --boot1 dvd --nic1 nat</screen></para>
|
---|
263 | </listitem>
|
---|
264 |
|
---|
265 | <listitem>
|
---|
266 | <para>Create a virtual hard disk for the VM (in this case, 10GB in
|
---|
267 | size):<screen>VBoxManage createhd --filename "WinXP.vdi" --size 10000</screen></para>
|
---|
268 | </listitem>
|
---|
269 |
|
---|
270 | <listitem>
|
---|
271 | <para>Add an IDE Controller to the new VM:<screen>VBoxManage storagectl "Windows XP" --name "IDE Controller"
|
---|
272 | --add ide --controller PIIX4</screen></para>
|
---|
273 | </listitem>
|
---|
274 |
|
---|
275 | <listitem>
|
---|
276 | <para>Set the VDI file created above as the first virtual hard
|
---|
277 | disk of the new VM:<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
|
---|
278 | --port 0 --device 0 --type hdd --medium "WinXP.vdi"</screen></para>
|
---|
279 | </listitem>
|
---|
280 |
|
---|
281 | <listitem>
|
---|
282 | <para>Attach the ISO file that contains the operating system
|
---|
283 | installation that you want to install later to the virtual
|
---|
284 | machine, so the machine can boot from it:<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
|
---|
285 | --port 0 --device 1 --type dvddrive --medium /full/path/to/iso.iso</screen></para>
|
---|
286 | </listitem>
|
---|
287 |
|
---|
288 | <listitem>
|
---|
289 | <para>Start the virtual machine using VBoxHeadless:<screen>VBoxHeadless --startvm "Windows XP"</screen></para>
|
---|
290 |
|
---|
291 | <para>If everything worked, you should see a copyright notice. If,
|
---|
292 | instead, you are returned to the command line, then something went
|
---|
293 | wrong.</para>
|
---|
294 | </listitem>
|
---|
295 |
|
---|
296 | <listitem>
|
---|
297 | <para>On the client machine, fire up the RDP viewer and try to
|
---|
298 | connect to the server (see <xref linkend="rdp-viewers" /> above
|
---|
299 | for how to use various common RDP viewers).</para>
|
---|
300 |
|
---|
301 | <para>You should now be seeing the installation routine of your
|
---|
302 | guest operating system remotely in the RDP viewer.</para>
|
---|
303 | </listitem>
|
---|
304 | </orderedlist></para>
|
---|
305 | </sect2>
|
---|
306 |
|
---|
307 | <sect2 id="usb-over-rdp">
|
---|
308 | <title>Remote USB</title>
|
---|
309 |
|
---|
310 | <para>As a special feature on top of the VRDP support, VirtualBox
|
---|
311 | supports remote USB devices over the wire as well. That is, the
|
---|
312 | VirtualBox guest that runs on one computer can access the USB devices of
|
---|
313 | the remote computer on which the VRDP data is being displayed the same
|
---|
314 | way as USB devices that are connected to the actual host. This allows
|
---|
315 | for running virtual machines on a VirtualBox host that acts as a server,
|
---|
316 | where a client can connect from elsewhere that needs only a network
|
---|
317 | adapter and a display capable of running an RDP viewer. When USB devices
|
---|
318 | are plugged into the client, the remote VirtualBox server can access
|
---|
319 | them.</para>
|
---|
320 |
|
---|
321 | <para>For these remote USB devices, the same filter rules apply as for
|
---|
322 | other USB devices, as described with <xref linkend="settings-usb" />.
|
---|
323 | All you have to do is specify "Remote" (or "Any") when setting up these
|
---|
324 | rules.</para>
|
---|
325 |
|
---|
326 | <para>Accessing remote USB devices is only possible if the RDP client
|
---|
327 | supports this extension. On Linux and Solaris hosts, the VirtualBox
|
---|
328 | installation provides a suitable VRDP client called
|
---|
329 | <computeroutput>rdesktop-vrdp</computeroutput>. RDP clients for other
|
---|
330 | platforms will be provided in future VirtualBox versions.</para>
|
---|
331 |
|
---|
332 | <para>To make a remote USB device available to a VM,
|
---|
333 | <computeroutput>rdesktop-vrdp</computeroutput> should be started as
|
---|
334 | follows:<screen>rdesktop-vrdp -r usb -a 16 -N my.host.address</screen>Note
|
---|
335 | that <computeroutput>rdesktop-vrdp</computeroutput> can access USB
|
---|
336 | devices only through <computeroutput>/proc/bus/usb</computeroutput>.
|
---|
337 | Please refer to <xref linkend="usb_linux" /> for further details on how
|
---|
338 | to properly set up the permissions. Furthermore it is advisable to
|
---|
339 | disable automatic loading of any host driver on the remote host which
|
---|
340 | might work on USB devices to ensure that the devices are accessible by
|
---|
341 | the RDP client. If the setup was properly done on the remote host,
|
---|
342 | plug/unplug events are visible on the VBox.log file of the VM.</para>
|
---|
343 | </sect2>
|
---|
344 |
|
---|
345 | <sect2 id="vbox-auth">
|
---|
346 | <title>RDP authentication</title>
|
---|
347 |
|
---|
348 | <para>For each virtual machine that is remotely accessible via RDP, you
|
---|
349 | can individually determine if and how client connections are
|
---|
350 | authenticated. For this, use <computeroutput>VBoxManage
|
---|
351 | modifyvm</computeroutput> command with the
|
---|
352 | <computeroutput>--vrdeauthtype</computeroutput> option; see <xref
|
---|
353 | linkend="vboxmanage-modifyvm" /> for a general introduction. Three
|
---|
354 | methods of authentication are available:<itemizedlist>
|
---|
355 | <listitem>
|
---|
356 | <para>The "null" method means that there is no authentication at
|
---|
357 | all; any client can connect to the VRDP server and thus the
|
---|
358 | virtual machine. This is, of course, very insecure and only to be
|
---|
359 | recommended for private networks.</para>
|
---|
360 | </listitem>
|
---|
361 |
|
---|
362 | <listitem>
|
---|
363 | <para>The "external" method provides external authentication
|
---|
364 | through a special authentication library. VirtualBox ships with
|
---|
365 | two such authentication libraries:<orderedlist>
|
---|
366 | <listitem>
|
---|
367 | <para>The default authentication library,
|
---|
368 | <computeroutput>VBoxAuth</computeroutput>, authenticates
|
---|
369 | against user credentials of the hosts. Depending on the host
|
---|
370 | platform, this means:<itemizedlist>
|
---|
371 | <listitem>
|
---|
372 | <para>On Linux hosts,
|
---|
373 | <computeroutput>VBoxAuth.so</computeroutput>
|
---|
374 | authenticates users against the host's PAM
|
---|
375 | system.</para>
|
---|
376 | </listitem>
|
---|
377 |
|
---|
378 | <listitem>
|
---|
379 | <para>On Windows hosts,
|
---|
380 | <computeroutput>VBoxAuth.dll</computeroutput>
|
---|
381 | authenticates users against the host's WinLogon
|
---|
382 | system.</para>
|
---|
383 | </listitem>
|
---|
384 |
|
---|
385 | <listitem>
|
---|
386 | <para>On Mac OS X hosts,
|
---|
387 | <computeroutput>VBoxAuth.dylib</computeroutput>
|
---|
388 | authenticates users against the host's directory
|
---|
389 | service.<footnote>
|
---|
390 | <para>Support for Mac OS X was added in version
|
---|
391 | 3.2.</para>
|
---|
392 | </footnote></para>
|
---|
393 | </listitem>
|
---|
394 | </itemizedlist></para>
|
---|
395 |
|
---|
396 | <para>In other words, the "external" method per default
|
---|
397 | performs authentication with the user accounts that exist on
|
---|
398 | the host system. Any user with valid authentication
|
---|
399 | credentials is accepted, i.e. the username does not have to
|
---|
400 | correspond to the user running the VM.</para>
|
---|
401 | </listitem>
|
---|
402 |
|
---|
403 | <listitem>
|
---|
404 | <para>An additional library called
|
---|
405 | <computeroutput>VBoxAuthSimple</computeroutput> performs
|
---|
406 | authentication against credentials configured in the
|
---|
407 | "extradata" section of a virtual machine's XML settings
|
---|
408 | file. This is probably the simplest way to get
|
---|
409 | authentication that does not depend on a running and
|
---|
410 | supported guest (see below). The following steps are
|
---|
411 | required:<orderedlist>
|
---|
412 | <listitem>
|
---|
413 | <para>Enable
|
---|
414 | <computeroutput>VBoxAuthSimple</computeroutput> with
|
---|
415 | the following command:</para>
|
---|
416 |
|
---|
417 | <para><screen>VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</screen></para>
|
---|
418 | </listitem>
|
---|
419 |
|
---|
420 | <listitem>
|
---|
421 | <para>To enable the library for a particular VM, you
|
---|
422 | must then switch authentication to external:<screen>VBoxManage modifyvm <vm> --vrdeauthtype external</screen></para>
|
---|
423 |
|
---|
424 | <para>Replace
|
---|
425 | <computeroutput><vm></computeroutput> with the
|
---|
426 | VM name or UUID.</para>
|
---|
427 | </listitem>
|
---|
428 |
|
---|
429 | <listitem>
|
---|
430 | <para>You will then need to configure users and
|
---|
431 | passwords by writing items into the machine's
|
---|
432 | extradata. Since the XML machine settings file, into
|
---|
433 | whose "extradata" section the password needs to be
|
---|
434 | written, is a plain text file, VirtualBox uses hashes
|
---|
435 | to encrypt passwords. The following command must be
|
---|
436 | used:<screen>VBoxManage setextradata <vm> "VBoxAuthSimple/users/<user>" <hash></screen></para>
|
---|
437 |
|
---|
438 | <para>Replace
|
---|
439 | <computeroutput><vm></computeroutput> with the
|
---|
440 | VM name or UUID,
|
---|
441 | <computeroutput><user></computeroutput> with the
|
---|
442 | user name who should be allowed to log in and
|
---|
443 | <computeroutput><hash></computeroutput> with the
|
---|
444 | encrypted password. As an example, to obtain the hash
|
---|
445 | value for the password "secret", you can use the
|
---|
446 | following command:<screen>VBoxManage internalcommands passwordhash "secret"</screen></para>
|
---|
447 |
|
---|
448 | <para>This will print
|
---|
449 | "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b".
|
---|
450 | You can then use VBoxManage setextradata to store this
|
---|
451 | value in the machine's "extradata" section.</para>
|
---|
452 |
|
---|
453 | <para>As example, combined together, to set the
|
---|
454 | password for the user "john" and the machine "My VM"
|
---|
455 | to "secret", use this command:<screen>VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john"
|
---|
456 | 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen></para>
|
---|
457 | </listitem>
|
---|
458 | </orderedlist></para>
|
---|
459 | </listitem>
|
---|
460 | </orderedlist></para>
|
---|
461 | </listitem>
|
---|
462 |
|
---|
463 | <listitem>
|
---|
464 | <para>Finally, the "guest" authentication method performs
|
---|
465 | authentication with a special component that comes with the Guest
|
---|
466 | Additions; as a result, authentication is not performed on the
|
---|
467 | host, but with the <emphasis>guest</emphasis> user
|
---|
468 | accounts.</para>
|
---|
469 |
|
---|
470 | <para>This method is currently still in testing and not yet
|
---|
471 | supported.</para>
|
---|
472 | </listitem>
|
---|
473 | </itemizedlist></para>
|
---|
474 |
|
---|
475 | <para>In addition to the methods described above, you can replace the
|
---|
476 | default "external" authentication module with any other module. For
|
---|
477 | this, VirtualBox provides a well-defined interface that allows you to
|
---|
478 | write your own authentication module. This is described in detail in the
|
---|
479 | VirtualBox Software Development Kit (SDK) reference; please see <xref
|
---|
480 | linkend="VirtualBoxAPI" /> for details.</para>
|
---|
481 | </sect2>
|
---|
482 |
|
---|
483 | <sect2 id="vrde-crypt">
|
---|
484 | <title>RDP encryption</title>
|
---|
485 |
|
---|
486 | <para>RDP features data stream encryption, which is based on the RC4
|
---|
487 | symmetric cipher (with keys up to 128bit). The RC4 keys are being
|
---|
488 | replaced in regular intervals (every 4096 packets).</para>
|
---|
489 |
|
---|
490 | <para>RDP provides three different authentication methods:<orderedlist>
|
---|
491 | <listitem>
|
---|
492 | <para>Historically, RDP4 authentication was used, with which the
|
---|
493 | RDP client does not perform any checks in order to verify the
|
---|
494 | identity of the server it connects to. Since user credentials can
|
---|
495 | be obtained using a "man in the middle" (MITM) attack, RDP4
|
---|
496 | authentication is insecure and should generally not be
|
---|
497 | used.</para>
|
---|
498 | </listitem>
|
---|
499 |
|
---|
500 | <listitem>
|
---|
501 | <para>RDP5.1 authentication employs a server certificate for which
|
---|
502 | the client possesses the public key. This way it is guaranteed
|
---|
503 | that the server possess the corresponding private key. However, as
|
---|
504 | this hard-coded private key became public some years ago, RDP5.1
|
---|
505 | authentication is also insecure and cannot be recommended.</para>
|
---|
506 | </listitem>
|
---|
507 |
|
---|
508 | <listitem>
|
---|
509 | <para>RDP5.2 authentication is based on TLS 1.0 with
|
---|
510 | customer-supplied certificates. The server supplies a certificate
|
---|
511 | to the client which must be signed by a certificate authority (CA)
|
---|
512 | that the client trusts (for the Microsoft RDP Client 5.2, the CA
|
---|
513 | has to be added to the Windows Trusted Root Certificate
|
---|
514 | Authorities database). VirtualBox allows you to supply your own CA
|
---|
515 | and server certificate and uses OpenSSL for encryption.</para>
|
---|
516 | </listitem>
|
---|
517 | </orderedlist></para>
|
---|
518 |
|
---|
519 | <para>While VirtualBox supports all of the above, only RDP5.2
|
---|
520 | authentication should be used in environments where security is a
|
---|
521 | concern. As the client that connects to the server determines what type
|
---|
522 | of encryption will be used, with rdesktop, the Linux RDP viewer, use the
|
---|
523 | <computeroutput>-4</computeroutput> or
|
---|
524 | <computeroutput>-5</computeroutput> options.</para>
|
---|
525 | </sect2>
|
---|
526 |
|
---|
527 | <sect2 id="vrde-multiconnection">
|
---|
528 | <title>Multiple connections to the VRDP server</title>
|
---|
529 |
|
---|
530 | <para>The VRDP server of VirtualBox supports multiple simultaneous
|
---|
531 | connections to the same running VM from different clients. All connected
|
---|
532 | clients see the same screen output and share a mouse pointer and
|
---|
533 | keyboard focus. This is similar to several people using the same
|
---|
534 | computer at the same time, taking turns at the keyboard.</para>
|
---|
535 |
|
---|
536 | <para>The following command enables multiple connection mode: <screen>VBoxManage modifyvm "VM name" --vrdemulticon on</screen></para>
|
---|
537 | </sect2>
|
---|
538 |
|
---|
539 | <sect2 id="vrde-multimonitor">
|
---|
540 | <title>Multiple remote monitors</title>
|
---|
541 |
|
---|
542 | <para>To access two or more remote VM displays you have to enable the
|
---|
543 | VRDP multiconnection mode (see <xref
|
---|
544 | linkend="vrde-multiconnection" />).</para>
|
---|
545 |
|
---|
546 | <para>The RDP client can select the virtual monitor number to connect to
|
---|
547 | using the <computeroutput>domain</computeroutput> logon parameter
|
---|
548 | (<computeroutput>-d</computeroutput>). If the parameter ends with
|
---|
549 | <computeroutput>@</computeroutput> followed by a number, VirtualBox
|
---|
550 | interprets this number as the screen index. The primary guest screen is
|
---|
551 | selected with <computeroutput>@1</computeroutput>, the first secondary
|
---|
552 | screen is <computeroutput>@2</computeroutput>, etc.</para>
|
---|
553 |
|
---|
554 | <para>The Microsoft RDP6 client does not let you specify a separate
|
---|
555 | domain name. Instead, use
|
---|
556 | <computeroutput>domain\username</computeroutput> in the
|
---|
557 | <computeroutput>Username:</computeroutput> field -- for example,
|
---|
558 | <computeroutput>@2\name</computeroutput>.
|
---|
559 | <computeroutput>name</computeroutput> must be supplied, and must be the
|
---|
560 | name used to log in if the VRDP server is set up to require credentials.
|
---|
561 | If it is not, you may use any text as the username.</para>
|
---|
562 | </sect2>
|
---|
563 |
|
---|
564 | <sect2 id="vrde-videochannel">
|
---|
565 | <title>VRDP video redirection</title>
|
---|
566 |
|
---|
567 | <para>Starting with VirtualBox 3.2, the VRDP server can redirect video
|
---|
568 | streams from the guest to the RDP client. Video frames are compressed
|
---|
569 | using the JPEG algorithm allowing a higher compression ratio than
|
---|
570 | standard RDP bitmap compression methods. It is possible to increase the
|
---|
571 | compression ratio by lowering the video quality.</para>
|
---|
572 |
|
---|
573 | <para>The VRDP server automatically detects video streams in a guest as
|
---|
574 | frequently updated rectangular areas. As a result, this method works
|
---|
575 | with any guest operating system without having to install additional
|
---|
576 | software in the guest; in particular, the Guest Additions are not
|
---|
577 | required.</para>
|
---|
578 |
|
---|
579 | <para>On the client side, however, currently only the Windows 7 Remote
|
---|
580 | Desktop Connection client supports this feature. If a client does not
|
---|
581 | support video redirection, the VRDP server falls back to regular bitmap
|
---|
582 | updates.</para>
|
---|
583 |
|
---|
584 | <para>The following command enables video redirection: <screen>VBoxManage modifyvm "VM name" --vrdevideochannel on</screen></para>
|
---|
585 |
|
---|
586 | <para>The quality of the video is defined as a value from 10 to 100
|
---|
587 | percent, representing a JPEG compression level (where lower numbers mean
|
---|
588 | lower quality but higher compression). The quality can be changed using
|
---|
589 | the following command: <screen>VBoxManage modifyvm "VM name" --vrdevideochannelquality 75</screen></para>
|
---|
590 | </sect2>
|
---|
591 |
|
---|
592 | <sect2 id="vrde-customization">
|
---|
593 | <title>VRDP customization</title>
|
---|
594 |
|
---|
595 | <para>With VirtualBox 4.0 it is possible to disable display output,
|
---|
596 | mouse and keyboard input, audio, remote USB or clipboard individually in
|
---|
597 | the VRDP server.</para>
|
---|
598 |
|
---|
599 | <para>The following commands change corresponding server
|
---|
600 | settings:</para>
|
---|
601 |
|
---|
602 | <screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=1
|
---|
603 | VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableInput=1
|
---|
604 | VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUSB=1
|
---|
605 | VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableAudio=1
|
---|
606 | VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableClipboard=1
|
---|
607 | VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUpstreamAudio=1</screen>
|
---|
608 |
|
---|
609 | <para>To reenable a feature use a similar command without the trailing
|
---|
610 | 1. For example: <screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=</screen></para>
|
---|
611 |
|
---|
612 | <para>These properties were introduced with VirtualBox 3.2.10. However,
|
---|
613 | in the 3.2.x series, it was necessary to use the following commands to
|
---|
614 | alter these settings instead:</para>
|
---|
615 |
|
---|
616 | <screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay" 1
|
---|
617 | VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableInput" 1
|
---|
618 | VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableUSB" 1
|
---|
619 | VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableAudio" 1
|
---|
620 | VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableClipboard" 1</screen>
|
---|
621 |
|
---|
622 | <para>To reenable a feature use a similar command without the trailing
|
---|
623 | 1. For example: <screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay"</screen></para>
|
---|
624 | </sect2>
|
---|
625 | </sect1>
|
---|
626 |
|
---|
627 | <sect1 id="teleporting">
|
---|
628 | <title>Teleporting</title>
|
---|
629 |
|
---|
630 | <para>Starting with version 3.1, VirtualBox supports "teleporting" -- that
|
---|
631 | is, moving a virtual machine over a network from one VirtualBox host to
|
---|
632 | another, while the virtual machine is running. This works regardless of
|
---|
633 | the host operating system that is running on the hosts: you can teleport
|
---|
634 | virtual machines between Solaris and Mac hosts, for example.</para>
|
---|
635 |
|
---|
636 | <para>Teleporting requires that a machine be currently running on one
|
---|
637 | host, which is then called the <emphasis role="bold">"source"</emphasis>.
|
---|
638 | The host to which the virtual machine will be teleported will then be
|
---|
639 | called the <emphasis role="bold">"target"</emphasis>; the machine on the
|
---|
640 | target is then configured to wait for the source to contact the target.
|
---|
641 | The machine's running state will then be transferred from the source to
|
---|
642 | the target with minimal downtime.</para>
|
---|
643 |
|
---|
644 | <para>Teleporting happens over any TCP/IP network; the source and the
|
---|
645 | target only need to agree on a TCP/IP port which is specified in the
|
---|
646 | teleporting settings.</para>
|
---|
647 |
|
---|
648 | <para>At this time, there are a few prerequisites for this to work,
|
---|
649 | however:<orderedlist>
|
---|
650 | <listitem>
|
---|
651 | <para>On the target host, you must configure a virtual machine in
|
---|
652 | VirtualBox with exactly the same hardware settings as the machine on
|
---|
653 | the source that you want to teleport. This does not apply to
|
---|
654 | settings which are merely descriptive, such as the VM name, but
|
---|
655 | obviously for teleporting to work, the target machine must have the
|
---|
656 | same amount of memory and other hardware settings. Otherwise
|
---|
657 | teleporting will fail with an error message.</para>
|
---|
658 | </listitem>
|
---|
659 |
|
---|
660 | <listitem>
|
---|
661 | <para>The two virtual machines on the source and the target must
|
---|
662 | share the same storage (hard disks as well as floppy and CD/DVD
|
---|
663 | images). This means that they either use the same iSCSI targets or
|
---|
664 | that the storage resides somewhere on the network and both hosts
|
---|
665 | have access to it via NFS or SMB/CIFS.</para>
|
---|
666 |
|
---|
667 | <para>This also means that neither the source nor the target machine
|
---|
668 | can have any snapshots.</para>
|
---|
669 | </listitem>
|
---|
670 | </orderedlist></para>
|
---|
671 |
|
---|
672 | <para>Then perform the following steps:<orderedlist>
|
---|
673 | <listitem>
|
---|
674 | <para>On the <emphasis>target</emphasis> host, configure the virtual
|
---|
675 | machine to wait for a teleport request to arrive when it is started,
|
---|
676 | instead of actually attempting to start the machine. This is done
|
---|
677 | with the following VBoxManage command:<screen>VBoxManage modifyvm <targetvmname> --teleporter on --teleporterport <port></screen></para>
|
---|
678 |
|
---|
679 | <para>where <computeroutput><targetvmname></computeroutput> is
|
---|
680 | the name of the virtual machine on the target host and
|
---|
681 | <computeroutput><port></computeroutput> is a TCP/IP port
|
---|
682 | number to be used on both the source and the target hosts. For
|
---|
683 | example, use 6000. For details, see <xref
|
---|
684 | linkend="vboxmanage-modifyvm-teleport" />.</para>
|
---|
685 | </listitem>
|
---|
686 |
|
---|
687 | <listitem>
|
---|
688 | <para>Start the VM on the target host. You will see that instead of
|
---|
689 | actually running, it will show a progress dialog. indicating that it
|
---|
690 | is waiting for a teleport request to arrive.</para>
|
---|
691 | </listitem>
|
---|
692 |
|
---|
693 | <listitem>
|
---|
694 | <para>Start the machine on the <emphasis>source</emphasis> host as
|
---|
695 | usual. When it is running and you want it to be teleported, issue
|
---|
696 | the following command on the source host:<screen>VBoxManage controlvm <sourcevmname> teleport --host <targethost> --port <port></screen></para>
|
---|
697 |
|
---|
698 | <para>where <computeroutput><sourcevmname></computeroutput> is
|
---|
699 | the name of the virtual machine on the source host (the machine that
|
---|
700 | is currently running),
|
---|
701 | <computeroutput><targethost></computeroutput> is the host or
|
---|
702 | IP name of the target host on which the machine is waiting for the
|
---|
703 | teleport request, and <computeroutput><port></computeroutput>
|
---|
704 | must be the same number as specified in the command on the target
|
---|
705 | host. For details, see <xref
|
---|
706 | linkend="vboxmanage-controlvm" />.</para>
|
---|
707 | </listitem>
|
---|
708 | </orderedlist></para>
|
---|
709 |
|
---|
710 | <para>For testing, you can also teleport machines on the same host; in
|
---|
711 | that case, use "localhost" as the hostname on both the source and the
|
---|
712 | target host.<note>
|
---|
713 | <para>In rare cases, if the CPUs of the source and the target are very
|
---|
714 | different, teleporting can fail with an error message, or the target
|
---|
715 | may hang. This may happen especially if the VM is running application
|
---|
716 | software that is highly optimized to run on a particular CPU without
|
---|
717 | correctly checking that certain CPU features are actually present.
|
---|
718 | VirtualBox filters what CPU capabilities are presented to the guest
|
---|
719 | operating system. Advanced users can attempt to restrict these virtual
|
---|
720 | CPU capabilities with the <computeroutput>VBoxManage --modifyvm
|
---|
721 | --cpuid</computeroutput> command; see <xref
|
---|
722 | linkend="vboxmanage-modifyvm-teleport" />.</para>
|
---|
723 | </note></para>
|
---|
724 | </sect1>
|
---|
725 | </chapter>
|
---|