[libvirt PATCH v5 32/32] qemu: implement keyfile auth for ssh disk with nbdkit

Thu Feb 23 22:34:18 UTC 2023

On 2/16/23 10:56 AM, Peter Krempa wrote:
> On Tue, Feb 14, 2023 at 11:08:19 -0600, Jonathon Jongsma wrote:
>> For ssh disks that are served by nbdkit, we can support logging in with
>> an ssh key file. Pass the path to the configured key file and the
>> username to the nbdkit process.
>>
>> The key file may be password protected, and libvirt cannot prompt the
>> user for a password to unlock it. But if the adminstrator adds this key
>> to an ssh agent, they can configure the disk with the path to the unix
>> socket for the ssh agent so libvirt can pass this socket path to nbdkit
>> and we can make use of these keys.
>>
>> Signed-off-by: Jonathon Jongsma <jjongsma at redhat.com>
>> ---
>>   src/conf/domain_conf.c                        | 36 +++++++++++++++----
>>   src/conf/storage_source_conf.c                |  2 ++
>>   src/conf/storage_source_conf.h                |  6 ++--
>>   src/qemu/qemu_nbdkit.c                        | 11 ++++--
>>   .../disk-network-ssh-key.args.disk0           | 10 ++++++
>>   .../disk-network-ssh.args.disk2               |  9 +++++
>>   tests/qemunbdkittest.c                        |  1 +
>>   .../qemuxml2argvdata/disk-network-ssh-key.xml | 33 +++++++++++++++++
>>   8 files changed, 97 insertions(+), 11 deletions(-)
>>   create mode 100644 tests/qemunbdkitdata/disk-network-ssh-key.args.disk0
>>   create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk2
>>   create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-key.xml
>>
>> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
>> index cb9d01dc6d..d5aa92e81b 100644
>> --- a/src/conf/domain_conf.c
>> +++ b/src/conf/domain_conf.c
>> @@ -7214,10 +7214,21 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
>>               return -1;
>>           }
>>       }
>> -    if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH &&
>> -        (tmpnode = virXPathNode("./knownHosts", ctxt))) {
>> -        if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path")))
>> -            return -1;
>> +    if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) {
>> +        if ((tmpnode = virXPathNode("./knownHosts", ctxt))) {
>> +            if (!(src->ssh_known_hosts_file = virXMLPropStringRequired(tmpnode, "path")))
>> +                return -1;
>> +        }
>> +        if ((tmpnode = virXPathNode("./identity", ctxt))) {
>> +            if (!(src->ssh_keyfile = virXMLPropStringRequired(tmpnode, "keyfile")))
>> +                return -1;
> 
> Why is 'keyfile' mandatory ...
> 
>> +
>> +            if (!(src->ssh_user = virXMLPropStringRequired(tmpnode, "username")))
>> +                return -1;
>> +
>> +            /* optional ssh-agent socket location */
>> +            src->ssh_agent = virXMLPropString(tmpnode, "agentsock");
> 
> ... if you can use the agent?
> 
> In case agent is in use I expect that the key is added to the agent by
> the user and then the socket is passed to nbdkit to do the auth. nbdkit
> in that case has no need to look at the keyfile.
> 
> Similarly selinux labelling may be the problem. But we can theoretically
> instruct the user via docs to use one agent per VM. We then can label
> the socket instead.
> 

Yes, I think you're right, it looks like the agent socket does have some 
selinux labeling issues. I'm afraid that I'm still pretty naive about 
selinux in libvirt (and in general, frankly), and I haven't been able to 
find the proper approach to enable access to this socket from nbdkit. 
Any ideas?

Thanks,
Jonathon