KVM: virt-manager to connect to a remote console using qemu+ssh

If you are running KVM on a console-only server, you still have the option to use the graphical virt-manager. You just need to specify the method of communication (ssh, tls, tcp, etc.).

In this article I will show how to use virt-manager from an Ubuntu client desktop to a server running KVM and libvirtd, with the connection being tunneled over ssh and authenticated with PKI.

The remote VNC display for these VMs is sent over this same ssh tunnel.

Using the ssh tunneling solution described in this article, the libvirtd service on the server side does *not* need to enable listening on TCP in “/etc/libvirt/libvirtd.conf”.

SSH prerequisites

The first requirement is that you are able to use ssh to connect to the remote KVM server using the private key for authentication. This article does a good job showing how to configure SSH for public key authentication.

After enabling public key authentication, you should be able to ssh into the remote host using the local private key.

ssh -i <privateKeyFile> <user>@<KVMServer>

Client, virt-manager packages

At the absolute minimum you need the virt-manager GUI and the utility that prompts for the ssh passphrase.

# absolute minimum
sudo apt-get install virt-manager ssh-askpass-gnome --no-install-recommends

# a more complete install if you are doing any local KVM work
sudo apt-get install virt-manager

Client test

The virt-manager GUI dialog does not have a way to specify a non-default ssh port or the private key to use when connecting to the remote server, but this is easily done by starting virt-manager with the ‘-c’ parameter.

virt-manager -c 'qemu+ssh://myuser@192.168.1.139:2222/system?keyfile=id_rsa'

In the example above, we are connecting as ‘myuser’ to the non-default ssh listening port of 2222, and using the private key found in the current directory in the file ‘id_rsa’.

virt-manager should immediately prompt you for the passphrase protecting the private key (this is not the user password!), and once you enter it, you will be looking at virt-manager just like you were sitting at the KVM host locally.

If you want to open a remote console to a VM without being prompted for the password multiple times, then make sure the VM's display (either Spice or VNC is fine) is set to use all interfaces for its address.
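
An added example, not from the original article: a display set to all interfaces listens on every address of the KVM host, so it helps to know which VMs are configured that way. The Python below parses domain XML in the shape produced by `virsh dumpxml` and reports each graphics device's listen address; the sample XML, the VM name and the `audit_graphics` function are constructed for illustration.

```python
# Added example: audit libvirt domain XML for graphics listen addresses.
import xml.etree.ElementTree as ET

WILDCARDS = {"0.0.0.0", "::"}  # "all interfaces" for IPv4 / IPv6

# Constructed sample shaped like `virsh dumpxml <vm>` output (not from the article).
SAMPLE_XML = """
<domain type='kvm'>
  <name>web01</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <graphics type='spice' autoport='yes' passwd='constructed-secret'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>
"""

def audit_graphics(domain_xml):
    """Return one finding per <graphics> device in a libvirt domain XML string."""
    root = ET.fromstring(domain_xml)
    vm = root.findtext("name", default="?")
    findings = []
    for g in root.iterfind("./devices/graphics"):
        # Nested <listen type='address'> is the current form; the listen=
        # attribute on <graphics> is the older equivalent.
        nested = g.find("listen[@type='address']")
        addr = nested.get("address") if nested is not None else None
        addr = addr or g.get("listen")
        all_ifaces = addr in WILDCARDS
        findings.append({
            "vm": vm,
            "type": g.get("type"),
            "port": g.get("port", "auto"),
            "address": addr or "hypervisor default",
            "all_interfaces": all_ifaces,
            # A wildcard listener with no display password is reachable
            # by anything that can route to the host.
            "needs_review": all_ifaces and not g.get("passwd"),
        })
    return findings

if __name__ == "__main__":
    for f in audit_graphics(SAMPLE_XML):
        print(f)
```

`virsh dumpxml` omits the `passwd` attribute unless it is run with `--security-info`, so feed the function XML dumped with that flag when the `needs_review` result matters.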

 

 

NOTES

Specifying VNC port with virt-install

# use static port 5900
--graphics vnc,port=5900

# use autonumbering (5900 for 1st VM, 5901 for 2nd, etc)
--graphics vnc,port=-1