On Fri, Apr 19, 2024 at 12:12:32PM +0200, Michal Privoznik wrote: > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > docs/docs.rst | 3 +++ > docs/meson.build | 1 + > docs/nss.rst | 7 ++++++ > docs/ssh-proxy.rst | 60 ++++++++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 71 insertions(+) > create mode 100644 docs/ssh-proxy.rst > diff --git a/docs/ssh-proxy.rst b/docs/ssh-proxy.rst > new file mode 100644 > index 0000000000..8528b6b9a8 > --- /dev/null > +++ b/docs/ssh-proxy.rst 
> @@ -0,0 +1,60 @@ > +================= > +Libvirt SSH proxy > +================= > + > +Sometimes it's necessary to run some commands inside a gust. While libvirt s/gust/guest/ > +already provides `NSS module <nss.html>`__ that can translate guest name to IP s/provides/provides a/ > +address it has some limitations (e.g. guest has to have a network interface > +plugged into a libvirt managed network). To resolve some of these limitations, > +libvirt offers SSH proxy. It consists of a SSH client config file s/offers SSH/offers a SSH/ > +(``/etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf``) and a small binary. Both > +are automatically installed by ``libvirt-client`` package. After running: > + > +``ssh user@qemu/virtualMachine`` > + > +the configuration file instructs SSH client to start the binary helper which > +finds a VSOCK device inside the ``virtualMachine`` and establishes a connection > +to it. > + > +For now, only QEMU domains are implemented and the lookup of the > +``virtualMachine`` is done under ``qemu:///system`` URI first, followed by > +``qemu:///session``. Accepted values for ``virtualMachine`` are: domain name > +(as reported by e.g. `virsh list`), domain UUID and finally domain ID. > + > +Guest requirements > +------------------ s/Guest/Guest OS/ > + > +It is obvious that SSH daemon inside the guest needs to be configured to listen s/that SSH/that the SSH/ > +for incoming connections on a VSOCK. There are couple of ways to achieve this: > + > +* Run systemd-v256 or newer inside the guest. > + > + In this release, systemd started to deploy ``systemd-ssh-generator`` which > + should configure socket activation for SSHD automagically. > + > +* Set up socket activation for VSOCK. 
> + > + We can take an inspiration in the unit file generated by > + ``systemd-ssh-generator``: > + > +:: > + > + [Unit] > + Description=OpenSSH Server Socket (systemd-ssh-generator, AF_VSOCK) > + Documentation=man:systemd-ssh-generator(8) > + Wants=ssh-access.target > + Before=ssh-access.target > + > + [Socket] > + ListenStream=vsock::22 > + Accept=yes > + PollLimitIntervalSec=30s > + PollLimitBurst=50 > + > +* Run a service that forwards VSOCK <=> SSHD communication > + > + For instance: > + > +:: > + > + socat VSOCK-LISTEN:22,reuseaddr,fork TCP:localhost:22 We should mention the guest XML for host to add VSOCK to QEMU, under a "Libvirt domain XML configuration" heading With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ Devel mailing list -- devel@xxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
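Review bot: In the "Accepted values for ``virtualMachine``" sentence, `virsh list` is wrapped in single backticks, which reStructuredText renders as interpreted text (italics) rather than a literal; use ``virsh list`` to match how the other commands and paths in this file are marked up. Two smaller wording points in the same hunk: "systemd-v256" reads like a package name, "systemd v256" is clearer, and "There are couple of ways" is missing "a". Since the lookup tries ``qemu:///system`` before ``qemu:///session``, a session domain that shares its name with a system domain can never be reached by name; a sentence stating that explicitly, and pointing readers at the UUID or ID forms when a name is ambiguous, would avoid surprising users who end up in a different guest than they expected. Finally, the socat example is shown as a bare command with no unit around it; noting that it has to be started at boot inside the guest (for example as a systemd service) would make the third option as complete as the socket-activation one above it.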