Re: [libvirt PATCH v5 32/32] qemu: implement keyfile auth for ssh disk with nbdkit

Peter Krempa <pkrempa@xxxxxxxxxx> · Thu, 16 Feb 2023 17:56:16 +0100

On Tue, Feb 14, 2023 at 11:08:19 -0600, Jonathon Jongsma wrote:
> For ssh disks that are served by nbdkit, we can support logging in with
> an ssh key file. Pass the path to the configured key file and the
> username to the nbdkit process.
> 
> The key file may be password protected, and libvirt cannot prompt the
> user for a password to unlock it. But if the adminstrator adds this key
> to an ssh agent, they can configure the disk with the path to the unix
> socket for the ssh agent so libvirt can pass this socket path to nbdkit
> and we can make use of these keys.
> 
> Signed-off-by: Jonathon Jongsma <jjongsma@xxxxxxxxxx>
> ---
>  src/conf/domain_conf.c                        | 36 +++++++++++++++----
>  src/conf/storage_source_conf.c                |  2 ++
>  src/conf/storage_source_conf.h                |  6 ++--
>  src/qemu/qemu_nbdkit.c                        | 11 ++++--
>  .../disk-network-ssh-key.args.disk0           | 10 ++++++
>  .../disk-network-ssh.args.disk2               |  9 +++++
>  tests/qemunbdkittest.c                        |  1 +
>  .../qemuxml2argvdata/disk-network-ssh-key.xml | 33 +++++++++++++++++
>  8 files changed, 97 insertions(+), 11 deletions(-)
>  create mode 100644 tests/qemunbdkitdata/disk-network-ssh-key.args.disk0
>  create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk2
>  create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-key.xml
> 
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index cb9d01dc6d..d5aa92e81b 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -7214,10 +7214,21 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
>              return -1;
>          }
>      }
> -    if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH &&
> -        (tmpnode = virXPathNode("./knownHosts", ctxt))) {
> -        if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path")))
> -            return -1;
> +    if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) {
> +        if ((tmpnode = virXPathNode("./knownHosts", ctxt))) {
> +            if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path")))
> +                return -1;
> +        }
> +        if ((tmpnode = virXPathNode("./identity", ctxt))) {
> +            if (!(src->ssh_keyfile = virXMLPropStringRequired(tmpnode, "keyfile")))
> +                return -1;

Why is 'keyfile' mandatory ...

> +
> +            if (!(src->ssh_user = virXMLPropStringRequired(tmpnode, "username")))
> +                return -1;
> +
> +            /* optional ssh-agent socket location */
> +            src->ssh_agent = virXMLPropString(tmpnode, "agentsock");

... if you can use the agent?

In case agent is in use I expect that the key is added to the agent by
the user and then the socket is passed to nbdkit to do the auth. nbdkit
in that case has no need to look at the keyfile.

Similarly selinux labelling may be the problem. But we can theoretically
instruct the user via docs to use one agent per VM. We then can label
the socket instead.