On 2/16/23 10:56 AM, Peter Krempa wrote:
On Tue, Feb 14, 2023 at 11:08:19 -0600, Jonathon Jongsma wrote:
For ssh disks that are served by nbdkit, we can support logging in with an ssh key file. Pass the path to the configured key file and the username to the nbdkit process.
The key file may be password protected, and libvirt cannot prompt the user for a password to unlock it. But if the adminstrator adds this key to an ssh agent, they can configure the disk with the path to the unix socket for the ssh agent so libvirt can pass this socket path to nbdkit and we can make use of these keys.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> --- src/conf/domain_conf.c | 36 +++++++++++++++---- src/conf/storage_source_conf.c | 2 ++ src/conf/storage_source_conf.h | 6 ++-- src/qemu/qemu_nbdkit.c | 11 ++++-- .../disk-network-ssh-key.args.disk0 | 10 ++++++ .../disk-network-ssh.args.disk2 | 9 +++++ tests/qemunbdkittest.c | 1 + .../qemuxml2argvdata/disk-network-ssh-key.xml | 33 +++++++++++++++++ 8 files changed, 97 insertions(+), 11 deletions(-) create mode 100644 tests/qemunbdkitdata/disk-network-ssh-key.args.disk0 create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk2 create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-key.xml
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index cb9d01dc6d..d5aa92e81b 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -7214,10 +7214,21 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node, return -1; } } - if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH && - (tmpnode = virXPathNode("./knownHosts", ctxt))) { - if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path"))) - return -1; + if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) { + if ((tmpnode = virXPathNode("./knownHosts", ctxt))) { + if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path"))) + return -1; + } + if ((tmpnode = virXPathNode("./identity", ctxt))) { + if (!(src->ssh_keyfile = virXMLPropStringRequired(tmpnode, "keyfile"))) + return -1;
Why is 'keyfile' mandatory ...
+ + if (!(src->ssh_user = virXMLPropStringRequired(tmpnode, "username"))) + return -1; + + /* optional ssh-agent socket location */ + src->ssh_agent = virXMLPropString(tmpnode, "agentsock");
... if you can use the agent?
In case agent is in use I expect that the key is added to the agent by the user and then the socket is passed to nbdkit to do the auth. nbdkit in that case has no need to look at the keyfile.
Similarly selinux labelling may be the problem. But we can theoretically instruct the user via docs to use one agent per VM. We then can label the socket instead.
Yes, I think you're right, it looks like the agent socket does have some selinux labeling issues. I'm afraid that I'm still pretty naive about selinux in libvirt (and in general, frankly), and I haven't been able to find the proper approach to enable access to this socket from nbdkit. Any ideas? Thanks, Jonathon