File: ssh-proxy.rst

package info (click to toggle)
libvirt 11.8.0-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 208,540 kB
  • sloc: ansic: 534,712; xml: 319,206; python: 11,974; perl: 2,629; sh: 2,185; makefile: 448; javascript: 126; cpp: 22
file content (85 lines) | stat: -rw-r--r-- 2,785 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
 
=================
Libvirt SSH proxy
=================

Sometimes it's necessary to run some commands inside a guest. While libvirt
already provides a `NSS module <nss.html>`__ that can translate guest name to
IP address it has some limitations (e.g. guest has to have a network interface
plugged into a libvirt-managed network). To resolve some of these limitations,
libvirt offers a SSH proxy. It consists of a SSH client config file
(``/etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf``) and a small binary. Both
are automatically installed by ``libvirt-ssh-proxy`` package which is dragged
in by ``libvirt-client``, ``libvirt-daemon-qemu`` and/or ``daemon-kvm`` RPM
packages. After running either of:

::

    ssh user@qemu:system/virtualMachine
    ssh user@qemu:session/virtualMachine

the configuration file instructs SSH client to start the binary helper which
finds a VSOCK device inside the ``virtualMachine`` and establishes a connection
to it.

For now, only QEMU domains are implemented and the lookup of the
``virtualMachine`` is done under ``qemu:///system`` URI  for ``qemu:system`` or
under ``qemu:///session`` URI for ``qemu:session``.

For convenience, there's also another alternative:

::

    ssh user@qemu/virtualMachine

where the ``virtualMachine`` is looked up under ``qemu:///system`` first,
possibly followed by ``qemu:///session`` (for cases where ssh client runs as
non-root, since there's no ``qemu:///session`` for root).

Accepted values for ``virtualMachine`` are: domain name (as reported by e.g.
`virsh list`), domain UUID and finally domain ID.

Guest OS requirements
---------------------

It is obvious that the SSH daemon inside the guest needs to be configured to
listen for incoming connections on a VSOCK. There are couple of ways to achieve
this:

* Run systemd-v256 or newer inside the guest.

  In this release, systemd started to deploy ``systemd-ssh-generator`` which
  should configure socket activation for SSHD automagically.

* Set up socket activation for VSOCK.

  We can take an inspiration in the unit file generated by
  ``systemd-ssh-generator``:

::

    [Unit]
    Description=OpenSSH Server Socket (systemd-ssh-generator, AF_VSOCK)
    Documentation=man:systemd-ssh-generator(8)
    Wants=ssh-access.target
    Before=ssh-access.target

    [Socket]
    ListenStream=vsock::22
    Accept=yes
    PollLimitIntervalSec=30s
    PollLimitBurst=50

* Run a service that forwards VSOCK <=> SSHD communication

  For instance:

::

    socat VSOCK-LISTEN:22,reuseaddr,fork TCP:localhost:22

Libvirt domain XML configuration
--------------------------------

Since the SSH proxy uses a VSOCK to communicate with the SSH daemon running
inside the guest, it is a must to configure VSOCK in the `domain XML
<formatdomain.html#vsock>`__.