From: Michal Privoznik
To: devel@lists.libvirt.org
Subject: [PATCH v2 2/3] docs: Document SSH proxy
Date: Tue, 7 May 2024 13:08:01 +0200

Signed-off-by: Michal Privoznik
---
 docs/docs.rst      |  3 ++
 docs/meson.build   |  1 +
 docs/nss.rst       |  7 +++++
 docs/ssh-proxy.rst | 68 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 docs/ssh-proxy.rst

diff --git a/docs/docs.rst b/docs/docs.rst
index f57164b9e3..1a958e9cc7 100644
--- a/docs/docs.rst
+++ b/docs/docs.rst
@@ -47,6 +47,9 @@ Deployment / operation `Hooks `__ Hooks for system specific management =20 +`SSH Proxy `__ + Enable SSH into guests over a VSOCK + `NSS module `__ Enable domain host name translation to IP addresses =20 diff --git a/docs/meson.build b/docs/meson.build index 87d728213c..2dda59f978 100644 --- a/docs/meson.build +++ b/docs/meson.build @@ -97,6 +97,7 @@ docs_rst_files =3D [ 'python', 'remote', 'securityprocess', + 'ssh-proxy', 'storage', 'strategy', 'styleguide', diff --git a/docs/nss.rst b/docs/nss.rst index 8f98330221..53955a3278 100644 --- a/docs/nss.rst +++ b/docs/nss.rst @@ -152,3 +152,10 @@ If there's no record for either of the aforementioned = commands, it's very likely that NSS module won't find anything and vice versa. As of ``v3.0.0`` libvi= rt provides ``libvirt_guest`` NSS module that doesn't have this limitation. However, the statement is still true for the ``libvirt`` NSS module. + +Alternatives +------------ + +As of ``v10.3.0`` libvirt implements an `SSH proxy `__ whi= ch +doesn't require any network interface to SSH into the guest as SSH flows +through a VSOCK device. diff --git a/docs/ssh-proxy.rst b/docs/ssh-proxy.rst new file mode 100644 index 0000000000..830668f8cd --- /dev/null +++ b/docs/ssh-proxy.rst 
@@ -0,0 +1,68 @@ +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Libvirt SSH proxy +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Sometimes it's necessary to run some commands inside a guest. While libvirt +already provides a `NSS module `__ that can translate guest name= to +IP address it has some limitations (e.g. guest has to have a network inter= face +plugged into a libvirt managed network). To resolve some of these limitati= ons, +libvirt offers a SSH proxy. It consists of a SSH client config file +(``/etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf``) and a small binary. = Both +are automatically installed by ``libvirt-client`` package. After running: + +``ssh user@qemu/virtualMachine`` + +the configuration file instructs SSH client to start the binary helper whi= ch +finds a VSOCK device inside the ``virtualMachine`` and establishes a conne= ction +to it. + +For now, only QEMU domains are implemented and the lookup of the +``virtualMachine`` is done under ``qemu:///system`` URI first, followed by +``qemu:///session``. Accepted values for ``virtualMachine`` are: domain na= me +(as reported by e.g. `virsh list`), domain UUID and finally domain ID. + +Guest OS requirements +--------------------- + +It is obvious that the SSH daemon inside the guest needs to be configured = to +listen for incoming connections on a VSOCK. There are couple of ways to ac= hieve +this: + +* Run systemd-v256 or newer inside the guest. + + In this release, systemd started to deploy ``systemd-ssh-generator`` whi= ch + should configure socket activation for SSHD automagically. + +* Set up socket activation for VSOCK. 
+ + We can take an inspiration in the unit file generated by + ``systemd-ssh-generator``: + +:: + + [Unit] + Description=3DOpenSSH Server Socket (systemd-ssh-generator, AF_VSOCK) + Documentation=3Dman:systemd-ssh-generator(8) + Wants=3Dssh-access.target + Before=3Dssh-access.target + + [Socket] + ListenStream=3Dvsock::22 + Accept=3Dyes + PollLimitIntervalSec=3D30s + PollLimitBurst=3D50 + +* Run a service that forwards VSOCK <=3D> SSHD communication + + For instance: + +:: + + socat VSOCK-LISTEN:22,reuseaddr,fork TCP:localhost:22 + +Libvirt domain XML configuration +-------------------------------- + +Since the SSH proxy uses a VSOCK to communicate with the SSH daemon running +inside the guest, it is a must to configure VSOCK in the `domain XML +`__. --=20 2.43.2 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org
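Review bot: the socket unit quoted under "Set up socket activation for VSOCK" cannot work on its own: with ``Accept=yes`` systemd spawns one service instance per connection from a template named after the socket (or the unit given by ``Service=``), so the text should say what the socket unit file is called and which ``@.service`` template (with ``StandardInput=socket``) has to exist alongside it, otherwise the socket starts but every connection fails. Several wording and markup points in the same hunk: "a SSH proxy", "a SSH client config file" and "instructs SSH client" should read "an SSH proxy", "an SSH client config file" and "instructs the SSH client"; "Run systemd-v256" should be "Run systemd v256"; "There are couple of ways" needs "a couple of ways"; "We can take an inspiration in the unit file" reads better as "The unit file generated by ``systemd-ssh-generator`` can serve as a template:"; and `virsh list` uses single backticks, which in RST is interpreted text rather than a literal, so it should be ``virsh list``. The lookup paragraph states that ``qemu:///system`` is searched before ``qemu:///session``: spell out that a session domain whose name or ID collides with a system domain is shadowed by it, and that domain IDs are reassigned across restarts, so scripts should prefer the UUID. The introduction shows ``ssh user@qemu/virtualMachine`` but says nothing about how host key verification applies to that synthetic host name; stating which known_hosts entry the check uses would keep users from disabling ``StrictHostKeyChecking`` to make the first connection work. The socat fallback ``socat VSOCK-LISTEN:22,reuseaddr,fork TCP:localhost:22`` makes every VSOCK client appear to sshd as a connection from localhost, so address-based controls in ``sshd_config`` (``ListenAddress``, ``Match Address``) no longer distinguish those clients; that deserves a sentence next to the command. Finally, the closing "Libvirt domain XML configuration" section only says a VSOCK "is a must" without showing the element; add the snippet ``<vsock model='virtio'><cid auto='yes'/></vsock>`` and rephrase "it is a must to configure VSOCK" as "a VSOCK device must be configured".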