Re: [libvirt PATCH v5 32/32] qemu: implement keyfile auth for ssh disk with nbdkit

On Tue, Feb 14, 2023 at 11:08:19 -0600, Jonathon Jongsma wrote: > For ssh disks that are served by nbdkit, we can support logging in with > an ssh key file. Pass the path to the configured key file and the > username to the nbdkit process. > > The key file may be password protected, and libvirt cannot prompt the > user for a password to unlock it. But if the adminstrator adds this key > to an ssh agent, they can configure the disk with the path to the unix > socket for the ssh agent so libvirt can pass this socket path to nbdkit > and we can make use of these keys. > > Signed-off-by: Jonathon Jongsma <jjongsma(a)redhat.com&gt; > --- > src/conf/domain_conf.c | 36 +++++++++++++++---- > src/conf/storage_source_conf.c | 2 ++ > src/conf/storage_source_conf.h | 6 ++-- > src/qemu/qemu_nbdkit.c | 11 ++++-- > .../disk-network-ssh-key.args.disk0 | 10 ++++++ > .../disk-network-ssh.args.disk2 | 9 +++++ > tests/qemunbdkittest.c | 1 + > .../qemuxml2argvdata/disk-network-ssh-key.xml | 33 +++++++++++++++++ > 8 files changed, 97 insertions(+), 11 deletions(-) > create mode 100644 tests/qemunbdkitdata/disk-network-ssh-key.args.disk0 > create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk2 > create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-key.xml > > diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c > index cb9d01dc6d..d5aa92e81b 100644 > --- a/src/conf/domain_conf.c > +++ b/src/conf/domain_conf.c > @@ -7214,10 +7214,21 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node, > return -1; > } > } > - if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH && > - (tmpnode = virXPathNode("./knownHosts", ctxt))) { > - if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path"))) > - return -1; > + if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) { > + if ((tmpnode = virXPathNode("./knownHosts", ctxt))) { > + if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path"))) > + return -1; > + } > + if ((tmpnode = virXPathNode("./identity", ctxt))) { > + if (!(src->ssh_keyfile = virXMLPropStringRequired(tmpnode, "keyfile"))) > + return -1; Why is 'keyfile' mandatory ... > + > + if (!(src->ssh_user = virXMLPropStringRequired(tmpnode, "username"))) > + return -1; > + > + /* optional ssh-agent socket location */ > + src->ssh_agent = virXMLPropString(tmpnode, "agentsock"); ... if you can use the agent? In case agent is in use I expect that the key is added to the agent by the user and then the socket is passed to nbdkit to do the auth. nbdkit in that case has no need to look at the keyfile. Similarly selinux labelling may be the problem. But we can theoretically instruct the user via docs to use one agent per VM. We then can label the socket instead.