Re: [libvirt PATCH v5 32/32] qemu: implement keyfile auth for ssh disk with nbdkit

On 2/16/23 10:56 AM, Peter Krempa wrote:
On Tue, Feb 14, 2023 at 11:08:19 -0600, Jonathon Jongsma wrote:
For ssh disks that are served by nbdkit, we can support logging in with
an ssh key file. Pass the path to the configured key file and the
username to the nbdkit process.

The key file may be password protected, and libvirt cannot prompt the
user for a password to unlock it. But if the administrator adds this key
to an ssh agent, they can configure the disk with the path to the unix
socket for the ssh agent so libvirt can pass this socket path to nbdkit
and we can make use of these keys.

Signed-off-by: Jonathon Jongsma <jjongsma@xxxxxxxxxx>
---
  src/conf/domain_conf.c                        | 36 +++++++++++++++----
  src/conf/storage_source_conf.c                |  2 ++
  src/conf/storage_source_conf.h                |  6 ++--
  src/qemu/qemu_nbdkit.c                        | 11 ++++--
  .../disk-network-ssh-key.args.disk0           | 10 ++++++
  .../disk-network-ssh.args.disk2               |  9 +++++
  tests/qemunbdkittest.c                        |  1 +
  .../qemuxml2argvdata/disk-network-ssh-key.xml | 33 +++++++++++++++++
  8 files changed, 97 insertions(+), 11 deletions(-)
  create mode 100644 tests/qemunbdkitdata/disk-network-ssh-key.args.disk0
  create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk2
  create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-key.xml

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index cb9d01dc6d..d5aa92e81b 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -7214,10 +7214,21 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
              return -1;
          }
      }
-    if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH &&
-        (tmpnode = virXPathNode("./knownHosts", ctxt))) {
-        if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path")))
-            return -1;
+    if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) {
+        if ((tmpnode = virXPathNode("./knownHosts", ctxt))) {
+            if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path")))
+                return -1;
+        }
+        if ((tmpnode = virXPathNode("./identity", ctxt))) {
+            if (!(src->ssh_keyfile = virXMLPropStringRequired(tmpnode, "keyfile")))
+                return -1;

Why is 'keyfile' mandatory ...

+
+            if (!(src->ssh_user = virXMLPropStringRequired(tmpnode, "username")))
+                return -1;
+
+            /* optional ssh-agent socket location */
+            src->ssh_agent = virXMLPropString(tmpnode, "agentsock");
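Review bot: in the new `./identity` branch `keyfile` is read with virXMLPropStringRequired while `agentsock` is read with the optional virXMLPropString, so an agent-only configuration is rejected unless it also names a key file that nbdkit will never open. Making `keyfile` optional and rejecting an `<identity>` element that supplies neither `keyfile` nor `agentsock` would match the commit message, which presents the agent socket as the alternative for passphrase-protected keys. Separately, none of `ssh_known_hosts_file`, `ssh_keyfile` or `ssh_agent` is checked here for being an absolute path before it is handed to the nbdkit process; that check belongs in the validation step rather than in the parser, but it should exist somewhere, since all three paths come straight from the domain XML.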

... if you can use the agent?

In case the agent is in use, I expect that the key is added to the agent by
the user and then the socket is passed to nbdkit to do the auth. nbdkit
in that case has no need to look at the keyfile.

Similarly, selinux labelling may be the problem. But we can theoretically
instruct the user via docs to use one agent per VM. We then can label
the socket instead.



Yes, I think you're right, it looks like the agent socket does have some selinux labeling issues. I'm afraid that I'm still pretty naive about selinux in libvirt (and in general, frankly), and I haven't been able to find the proper approach to enable access to this socket from nbdkit. Any ideas?

Thanks,
Jonathon
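For readers following the thread, here is a constructed domain XML fragment showing the two authentication modes the patch and the review discuss. It is an added illustration, not the patch's own test data (`tests/qemuxml2argvdata/disk-network-ssh-key.xml` is not shown on this page). The `knownHosts`/`identity` element and attribute names are taken from the hunk above; the surrounding `<disk>`, `<source protocol='ssh'>` and `<host>` syntax is libvirt's existing network-disk syntax; hostnames, usernames and paths are placeholders.

```xml
<!-- Constructed example; not from the patch or the libvirt test files.
     knownHosts/identity names come from the hunk; paths are placeholders. -->

<!-- Mode 1: plain key file. libvirt cannot prompt for a passphrase, so this
     key has to be stored unencrypted and readable by the nbdkit process. -->
<disk type='network' device='disk'>
  <driver name='qemu' type='raw'/>
  <source protocol='ssh' name='/srv/images/vm1.img'>
    <host name='storage.example.test' port='22'/>
    <knownHosts path='/etc/libvirt/ssh/known_hosts'/>
    <identity username='imagesrv' keyfile='/etc/libvirt/ssh/vm1_ed25519'/>
  </source>
  <target dev='vdb' bus='virtio'/>
</disk>

<!-- Mode 2: passphrase-protected key unlocked by the administrator in an
     ssh-agent. libvirt passes the agent socket to nbdkit, so the private key
     never has to sit unencrypted on disk. As parsed by this version of the
     patch, 'keyfile' is still a required attribute even in this mode. -->
<disk type='network' device='disk'>
  <driver name='qemu' type='raw'/>
  <source protocol='ssh' name='/srv/images/vm1-data.img'>
    <host name='storage.example.test' port='22'/>
    <knownHosts path='/etc/libvirt/ssh/known_hosts'/>
    <identity username='imagesrv'
              keyfile='/etc/libvirt/ssh/vm1_ed25519'
              agentsock='/run/libvirt/ssh-agent/vm1.sock'/>
  </source>
  <target dev='vdc' bus='virtio'/>
</disk>
```

The per-VM socket path in the second definition follows Peter's suggestion of one agent per VM: a socket that belongs to exactly one domain can be labelled for that domain's nbdkit process, whereas a socket shared by several VMs cannot be confined that way. The `<knownHosts>` element is what gives the connection host-key verification; leaving it out turns the SSH transport into an unauthenticated one from the client's point of view.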



