[libvirt] connect: ssh: Shall we remove the dependency of netcat ?

Peter Krempa pkrempa at redhat.com
Fri Mar 27 16:25:30 UTC 2015


On Fri, Mar 27, 2015 at 10:54:26 +0800, zhang bo wrote:
> 1 When we connect libvirt with URI "qemu+ssh", it uses the 'nc' command to connect to libvirt-sock.
> 
> # virsh -c qemu+ssh://root@9.61.1.74/system list
> Password: //ask users to input passwords here.
>  Id    Name                           State
> ----------------------------------------------------
>  11    pxe                            running
> 
> It in fact uses 'ssh' and 'nc' commands to connect to remote libvirt-sock, such as:
>     ssh -l root 9.61.1.74 sh -c ''nc' -U /var/run/libvirt/libvirt-sock'

Yep.

> 
> The code path is : virConnectOpen->doRemoteOpen->virNetClientNewSSH->virNetSocketNewConnectSSH
> 
> 2 However, netcat (nc) is considered an insecure tool, because it's too powerful in controlling the network.
>   It's been abandoned by some organizations.

Too powerful? That is a ridiculous statement that probably originates
from some kind of misunderstanding when creating a security policy or
stuff like that. If a policy bans nc as "powerful" then it's missing a
lot of other options for how to create listening or outgoing connections
on arbitrary sockets. The only insecure part is that it does not use
encryption, but that's a widely known fact about nc.

> 
> 3 So, is there any good substitution for netcat to realize qemu+ssh?

Currently libvirt doesn't allow this, but I've been planning for a long
time to introduce a standalone libvirt client binary (or perhaps add this
as a mode to virsh) to replace the use of NC, but that's due to other
reasons:

1) nc doesn't know where session mode sockets are placed

This is due to the fact that it depends on how libvirt is compiled.
Currently the client side has to provide the path that is used at the
remote side and those may not correspond.

2) errors reported when using the ssh connection transport are not
helpful:

NC is inherently bad at reporting what happened with the unix socket on
the remote side.

3) getting rid of nc as a dependency

This won't happen though ... old libvirt clients would not be able to
connect to newer servers.


In other words, I don't think libvirt will ever get rid of using nc, but
we can make stuff better by adding the internal remote client.

Peter
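To make concrete what the remote end of the qemu+ssh transport actually does, and what an "internal remote client" would have to replace, here is an added example (not libvirt code, and not the client Peter describes): a small stdin/stdout to AF_UNIX relay that plays the role of `nc -U /var/run/libvirt/libvirt-sock` in the command quoted above. The socket path is an assumed default passed on the command line, since, as the reply notes, the real path depends on how libvirt was built; the relay also reports a connect failure by path and errno, which addresses the unhelpful-error point.

```python
#!/usr/bin/env python3
"""Minimal stdin/stdout <-> AF_UNIX relay.

Added example, not part of libvirt: a stand-in for the remote-side
`nc -U <socket>` step of the qemu+ssh transport, so the transport does not
depend on whichever netcat variant the remote host happens to ship.
"""
import os
import select
import socket
import sys

# Assumed default only; libvirt's real socket path depends on build options.
DEFAULT_SOCKET = "/var/run/libvirt/libvirt-sock"


def write_all(fd, data):
    """Write every byte of data to fd, retrying on short writes."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def relay(sock, in_fd, out_fd, bufsize=65536):
    """Shuttle bytes between (in_fd -> sock) and (sock -> out_fd).

    EOF on in_fd is forwarded to the peer with SHUT_WR, as nc does; the
    relay ends when the peer closes its side (or refuses further writes).
    Returns the byte counts (to_peer, from_peer) for logging.
    """
    to_peer = from_peer = 0
    in_open = True
    while True:
        watch = [sock.fileno()] + ([in_fd] if in_open else [])
        ready, _, _ = select.select(watch, [], [])
        if in_fd in ready:
            chunk = os.read(in_fd, bufsize)
            if chunk:
                try:
                    sock.sendall(chunk)
                except BrokenPipeError:
                    return to_peer, from_peer  # daemon went away mid-write
                to_peer += len(chunk)
            else:
                in_open = False
                sock.shutdown(socket.SHUT_WR)
        if sock.fileno() in ready:
            chunk = sock.recv(bufsize)
            if not chunk:
                return to_peer, from_peer
            write_all(out_fd, chunk)
            from_peer += len(chunk)


def connect_unix(path):
    """Connect to the daemon socket; a path-specific error replaces nc's silence."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
    except OSError as exc:
        raise SystemExit(f"cannot connect to {path}: {exc.strerror}") from exc
    return sock


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCKET
    with connect_unix(path) as s:
        relay(s, sys.stdin.fileno(), sys.stdout.fileno())
```

Run it on the remote host in place of nc, e.g. `ssh host python3 relay.py /path/to/libvirt-sock`, with the libvirt client protocol flowing over stdin/stdout exactly as it does through `nc -U`. The relay keeps the socket blocking and uses `select` only for readiness, so a short write on the pipe side and a half-closed socket are both handled the way the daemon expects.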