From nobody Sat Feb 7 10:08:10 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) client-ip=205.139.110.61; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1596822117; cv=none; d=zohomail.com; s=zohoarc; b=MVHnbX7vlXRlUCVA4LJGSU2piATSxCcFUd+PfRJdBxCnUbtemD+OfBC/T2/cyt01gKJk2Ja/t4ErQnsKXwf596paPv1HCzz36k7IUHv9aofc7GvI6oKs2Obor+hYFhoAlXlc4YiuxngXR08PuTml5daub9XeEFTi27ckbvjpBDA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1596822117; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=b3Efry1mTSbH4YTiz5zU5f6k8KnHirufVtshLs+cd74=; b=NJBiYqcKfPXrCYOHbXJ+cinYZSJ8tyq6q2/LqfCP2HiSsTFWBbd8KrCqU9c1xiYOMxMpDtDwx8Zgu2pzvMWDaqoEbqjgYvE2Auuxzt9yw3P2Unq6XmRvNq9qbXtwA9OCo3N44LyLCt2jaQeFQ9xlrg68YBOmOcNq57hUFj16tes= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) by mx.zohomail.com with SMTPS id 1596822117449978.6836604952825; Fri, 7 Aug 2020 10:41:57 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-458-0KFl1xbTOD68RnACAuQVCQ-1; Fri, 07 Aug 2020 13:41:51 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id D4C69101C8A9; Fri, 7 Aug 2020 17:41:45 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B580B8AC05; Fri, 7 Aug 2020 17:41:45 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 834B61809554; Fri, 7 Aug 2020 17:41:45 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 077HfNTM017791 for ; Fri, 7 Aug 2020 13:41:23 -0400 Received: by smtp.corp.redhat.com (Postfix) id 947E35D9E8; Fri, 7 Aug 2020 17:41:23 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.36.110.44]) by smtp.corp.redhat.com (Postfix) with ESMTP id 77BF35D9D5; Fri, 7 Aug 2020 17:41:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1596822116; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=b3Efry1mTSbH4YTiz5zU5f6k8KnHirufVtshLs+cd74=; b=edk3GYH/PGVse5aL5pYj/LwjDGMdM6z7H8pGZ1ggyivVKwtYEwyl4XfkGvpDg2eTsHjcax nKL5EwhhLdUsVZS1MWI0rId3OCWd7dCquox0aosvXMlX0msLOZhp67w8ODN/WRB9Im9yEj fv7r+aB9VcjZsWk/ccjtqG33q9pangY= X-MC-Unique: 0KFl1xbTOD68RnACAuQVCQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [libvirt PATCH v4 10/11] rpc: use new virt-ssh-helper binary for remote tunnelling Date: Fri, 7 Aug 2020 18:40:58 +0100 Message-Id: <20200807174059.312786-11-berrange@redhat.com> In-Reply-To: <20200807174059.312786-1-berrange@redhat.com> References: <20200807174059.312786-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) This wires up support for using the new virt-ssh-helper binary with the ssh, libssh and libssh2 protocols. The new binary will be used preferentially if it is available in $PATH, otherwise we fall back to traditional netcat. The "proxy" URI parameter can be used to force use of netcat e.g. qemu+ssh://host/system?proxy=3Dnetcat or the disable fallback e.g. qemu+ssh://host/system?proxy=3Dnative With use of virt-ssh-helper, we can now support remote session URIs qemu+ssh://host/session and this will only use virt-ssh-helper, with no fallback. This also lets the libvirtd process be auto-started, and connect directly to the modular daemons, avoiding use of virtproxyd back-compat tunnelling. Signed-off-by: Daniel P. Berrang=C3=A9 --- docs/uri.html.in | 24 +++++++++- src/remote/remote_driver.c | 33 ++++++++++++- src/remote/remote_sockets.c | 8 ---- src/rpc/virnetclient.c | 96 +++++++++++++++++++++++++++++-------- src/rpc/virnetclient.h | 30 ++++++++++-- tests/virnetsockettest.c | 7 ++- 6 files changed, 162 insertions(+), 36 deletions(-) diff --git a/docs/uri.html.in b/docs/uri.html.in index 49f92773f8..27e36e099b 100644 --- a/docs/uri.html.in +++ b/docs/uri.html.in @@ -259,6 +259,24 @@ Note that parameter values must be Example: mode=3Ddirect + + + proxy + + auto, netcat, native + +
+
auto
try native, fallback to netcat +
netcat
only use netcat
+
native
only use native
+
+ Can also be set in libvirt.conf as remote_pro= xy + + + + + Example: proxy=3Dnative + command @@ -296,8 +314,10 @@ Note that parameter values must be ssh, libssh2, libssh The name of the netcat command on the remote machine. - The default is nc. For ssh transport, libvirt - constructs an ssh command which looks like: + The default is nc. This is not permitted + when using the native proxy mode. For ssh + transport, libvirt constructs an ssh command which looks + like: =20 
command -p port [-l username] hostname netcat -U socket
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index d56f4b7260..88eb52ec4b 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -761,12 +761,14 @@ doRemoteOpen(virConnectPtr conn, g_autofree char *knownHosts =3D NULL; g_autofree char *mode_str =3D NULL; g_autofree char *daemon_name =3D NULL; + g_autofree char *proxy_str =3D NULL; bool sanity =3D true; bool verify =3D true; #ifndef WIN32 bool tty =3D true; #endif int mode; + int proxy; =20 if (inside_daemon && !conn->uri->server) { mode =3D REMOTE_DRIVER_MODE_DIRECT; @@ -774,6 +776,14 @@ doRemoteOpen(virConnectPtr conn, mode =3D REMOTE_DRIVER_MODE_AUTO; } =20 + /* Historically we didn't allow ssh tunnel with session mode, + * since we can't construct the accurate path remotely, + * so we can default to modern virt-ssh-helper */ + if (flags & VIR_DRV_OPEN_REMOTE_USER) + proxy =3D VIR_NET_CLIENT_PROXY_NATIVE; + else + proxy =3D VIR_NET_CLIENT_PROXY_AUTO; + /* We handle *ALL* URIs here. The caller has rejected any * URIs we don't care about */ =20 @@ -813,6 +823,7 @@ doRemoteOpen(virConnectPtr conn, EXTRACT_URI_ARG_STR("known_hosts_verify", knownHostsVerify); EXTRACT_URI_ARG_STR("tls_priority", tls_priority); EXTRACT_URI_ARG_STR("mode", mode_str); + EXTRACT_URI_ARG_STR("proxy", proxy_str); EXTRACT_URI_ARG_BOOL("no_sanity", sanity); EXTRACT_URI_ARG_BOOL("no_verify", verify); #ifndef WIN32 @@ -865,6 +876,17 @@ doRemoteOpen(virConnectPtr conn, (mode =3D remoteDriverModeTypeFromString(mode_str)) < 0) goto failed; =20 + if (conf && !proxy_str && + virConfGetValueString(conf, "remote_proxy", &proxy_str) < 0) + goto failed; + + if (proxy_str && + (proxy =3D virNetClientProxyTypeFromString(proxy_str)) < 0) { + virReportError(VIR_ERR_INVALID_ARG, + _("Unnkown proxy type '%s'"), proxy_str); + goto failed; + } + /* Sanity check that nothing requested !direct mode by mistake */ if (inside_daemon && !conn->uri->server && mode !=3D REMOTE_DRIVER_MOD= E_DIRECT) { virReportError(VIR_ERR_INVALID_ARG, "%s", @@ -949,8 +971,11 @@ doRemoteOpen(virConnectPtr conn, knownHosts, knownHostsVerify, sshauth, + proxy, netcat, sockname, + name, + flags & VIR_DRV_OPEN_REMOTE_= RO, auth, conn->uri); if (!priv->client) @@ -970,8 +995,11 @@ doRemoteOpen(virConnectPtr conn, knownHosts, knownHostsVerify, sshauth, + proxy, netcat, sockname, + name, + flags & VIR_DRV_OPEN_REMOTE_R= O, auth, conn->uri); if (!priv->client) @@ -1011,8 +1039,11 @@ doRemoteOpen(virConnectPtr conn, !tty, !verify, keyfile, + proxy, netcat, - sockname))) + sockname, + name, + flags & VIR_DRV_OPEN_REMOT= E_RO))) goto failed; =20 priv->is_secure =3D 1; diff --git a/src/remote/remote_sockets.c b/src/remote/remote_sockets.c index 854775f401..7c69ed9e7f 100644 --- a/src/remote/remote_sockets.c +++ b/src/remote/remote_sockets.c @@ -108,14 +108,6 @@ remoteGetUNIXSocketHelper(remoteDriverTransport transp= ort, g_autofree char *userdir =3D NULL; =20 if (session) { - if (transport !=3D REMOTE_DRIVER_TRANSPORT_UNIX) { - virReportError(VIR_ERR_OPERATION_UNSUPPORTED, - _("Connecting to session instance without " - "socket path is not supported by the %s " - "transport"), - remoteDriverTransportTypeToString(transport)); - return NULL; - } userdir =3D virGetUserRuntimeDirectory(); =20 sockname =3D g_strdup_printf("%s/%s-sock", userdir, sock_prefix); diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c index 72ece28f59..46a875a0cb 100644 --- a/src/rpc/virnetclient.c +++ b/src/rpc/virnetclient.c @@ -50,6 +50,10 @@ enum { VIR_NET_CLIENT_MODE_COMPLETE, }; =20 +VIR_ENUM_IMPL(virNetClientProxy, + VIR_NET_CLIENT_PROXY_LAST, + "auto", "netcat", "native"); + struct _virNetClientCall { int mode; =20 @@ -414,23 +418,64 @@ virNetClientDoubleEscapeShell(const char *str) } =20 char * -virNetClientSSHHelperCommand(const char *netcatPath, - const char *socketPath) -{ - g_autofree char *netcatPathSafe =3D virNetClientDoubleEscapeShell(netc= atPath); - - if (!netcatPath) - netcatPath =3D "nc"; +virNetClientSSHHelperCommand(virNetClientProxy proxy, + const char *netcatPath, + const char *socketPath, + const char *driverURI, + bool readonly) +{ + g_autofree char *netcatPathSafe =3D virNetClientDoubleEscapeShell(netc= atPath ? netcatPath : "nc"); + g_autofree char *driverURISafe =3D virNetClientDoubleEscapeShell(drive= rURI); + g_autofree char *nccmd =3D NULL; + g_autofree char *helpercmd =3D NULL; + + /* If user gave a 'netcat' path in the URI, we must + * assume they want the legacy 'nc' based proxy, not + * our new virt-ssh-helper + */ + if (proxy =3D=3D VIR_NET_CLIENT_PROXY_AUTO && + netcatPath !=3D NULL) { + proxy =3D VIR_NET_CLIENT_PROXY_NETCAT; + } =20 - return g_strdup_printf( - "sh -c " - "'if '%s' -q 2>&1 | grep \"requires an argument\" >/dev/null 2>&1;= then " - "ARG=3D-q0;" + nccmd =3D g_strdup_printf( + "if '%s' -q 2>&1 | grep \"requires an argument\" >/dev/null 2>&1; = then " + "ARG=3D-q0;" "else " - "ARG=3D;" + "ARG=3D;" "fi;" - "'%s' $ARG -U %s'", + "'%s' $ARG -U %s", netcatPathSafe, netcatPathSafe, socketPath); + + helpercmd =3D g_strdup_printf("virt-ssh-helper%s'%s'", + readonly ? " -r " : " ", + driverURISafe); + + switch (proxy) { + case VIR_NET_CLIENT_PROXY_AUTO: + return g_strdup_printf("sh -c 'which virt-nc 1>/dev/null 2>&1; " + "if test $? =3D 0; then " + " %s; " + "else" + " %s; " + "fi'", helpercmd, nccmd); + + case VIR_NET_CLIENT_PROXY_NETCAT: + return g_strdup_printf("sh -c '%s'", nccmd); + + case VIR_NET_CLIENT_PROXY_NATIVE: + if (netcatPath) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("netcat path not valid with native proxy mode= ")); + return NULL; + } + return g_strdup_printf("sh -c '%s'", helpercmd); + + case VIR_NET_CLIENT_PROXY_LAST: + default: + virReportEnumRangeError(virNetClientProxy, proxy); + return NULL; + } } =20 =20 @@ -445,15 +490,18 @@ virNetClientPtr virNetClientNewSSH(const char *nodena= me, bool noTTY, bool noVerify, const char *keyfile, + virNetClientProxy proxy, const char *netcatPath, - const char *socketPath) + const char *socketPath, + const char *driverURI, + bool readonly) { virNetSocketPtr sock; g_autofree char *command =3D NULL; =20 - DEFAULT_VALUE(netcatPath, "nc"); - - command =3D virNetClientSSHHelperCommand(netcatPath, socketPath); + if (!(command =3D virNetClientSSHHelperCommand(proxy, netcatPath, sock= etPath, + driverURI, readonly))) + return NULL; =20 if (virNetSocketNewConnectSSH(nodename, service, binary, username, noT= TY, noVerify, keyfile, command, &sock) < 0) @@ -470,8 +518,11 @@ virNetClientPtr virNetClientNewLibSSH2(const char *hos= t, const char *knownHostsPath, const char *knownHostsVerify, const char *authMethods, + virNetClientProxy proxy, const char *netcatPath, const char *socketPath, + const char *driverURI, + bool readonly, virConnectAuthPtr authPtr, virURIPtr uri) { @@ -510,7 +561,9 @@ virNetClientPtr virNetClientNewLibSSH2(const char *host, DEFAULT_VALUE(username, "root"); DEFAULT_VALUE(knownHostsVerify, "normal"); =20 - command =3D virNetClientSSHHelperCommand(netcatPath, socketPath); + if (!(command =3D virNetClientSSHHelperCommand(proxy, netcatPath, sock= etPath, + driverURI, readonly))) + return NULL; =20 if (virNetSocketNewConnectLibSSH2(host, port, family, @@ -530,8 +583,11 @@ virNetClientPtr virNetClientNewLibssh(const char *host, const char *knownHostsPath, const char *knownHostsVerify, const char *authMethods, + virNetClientProxy proxy, const char *netcatPath, const char *socketPath, + const char *driverURI, + bool readonly, virConnectAuthPtr authPtr, virURIPtr uri) { @@ -570,7 +626,9 @@ virNetClientPtr virNetClientNewLibssh(const char *host, DEFAULT_VALUE(username, "root"); DEFAULT_VALUE(knownHostsVerify, "normal"); =20 - command =3D virNetClientSSHHelperCommand(netcatPath, socketPath); + if (!(command =3D virNetClientSSHHelperCommand(proxy, netcatPath, sock= etPath, + driverURI, readonly))) + return NULL; =20 if (virNetSocketNewConnectLibssh(host, port, family, diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h index 6fdc370083..4789316e32 100644 --- a/src/rpc/virnetclient.h +++ b/src/rpc/virnetclient.h @@ -30,9 +30,22 @@ #include "virobject.h" #include "viruri.h" =20 +typedef enum { + VIR_NET_CLIENT_PROXY_AUTO, + VIR_NET_CLIENT_PROXY_NETCAT, + VIR_NET_CLIENT_PROXY_NATIVE, + + VIR_NET_CLIENT_PROXY_LAST, +} virNetClientProxy; + +VIR_ENUM_DECL(virNetClientProxy); + char * -virNetClientSSHHelperCommand(const char *netcatPath, - const char *socketPath); +virNetClientSSHHelperCommand(virNetClientProxy proxy, + const char *netcatPath, + const char *socketPath, + const char *driverURI, + bool readonly); =20 virNetClientPtr virNetClientNewUNIX(const char *path, bool spawnDaemon, @@ -49,8 +62,11 @@ virNetClientPtr virNetClientNewSSH(const char *nodename, bool noTTY, bool noVerify, const char *keyfile, - const char *netcat, - const char *socketPath); + virNetClientProxy proxy, + const char *netcatPath, + const char *socketPath, + const char *driverURI, + bool readonly); =20 virNetClientPtr virNetClientNewLibSSH2(const char *host, const char *port, @@ -60,8 +76,11 @@ virNetClientPtr virNetClientNewLibSSH2(const char *host, const char *knownHostsPath, const char *knownHostsVerify, const char *authMethods, + virNetClientProxy proxy, const char *netcatPath, const char *socketPath, + const char *driverURI, + bool readonly, virConnectAuthPtr authPtr, virURIPtr uri); =20 @@ -73,8 +92,11 @@ virNetClientPtr virNetClientNewLibssh(const char *host, const char *knownHostsPath, const char *knownHostsVerify, const char *authMethods, + virNetClientProxy proxy, const char *netcatPath, const char *socketPath, + const char *driverURI, + bool readonly, virConnectAuthPtr authPtr, virURIPtr uri); =20 diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c index 31fe1f86f4..93835af62f 100644 --- a/tests/virnetsockettest.c +++ b/tests/virnetsockettest.c @@ -469,8 +469,11 @@ static int testSocketSSH(const void *opaque) virNetSocketPtr csock =3D NULL; /* Client socket */ int ret =3D -1; char buf[1024]; - g_autofree char *command =3D virNetClientSSHHelperCommand(data->netcat, - data->path); + g_autofree char *command =3D virNetClientSSHHelperCommand(VIR_NET_CLIE= NT_PROXY_AUTO, + data->netcat, + data->path, + "qemu:///sessi= on", + true); =20 if (virNetSocketNewConnectSSH(data->nodename, data->service, --=20 2.26.2