qemu-devel.nongnu.org archive mirror
From: David Vossel <dvossel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Michal Privoznik <mprivozn@redhat.com>,
	Fabian Deutsch <fdeutsch@redhat.com>
Subject: guest agent public ssh key add/remove support?
Date: Tue, 18 Aug 2020 09:25:56 -0400	[thread overview]
Message-ID: <CAPjOJFsjqFg6jO==Y5ExhL2+mZXA0Z1vce2pmUCODLtyS6Z7Yw@mail.gmail.com> (raw)


Hey,

- Quick background

I'm investigating a feature for the KubeVirt project [1] (virtual machines
on Kubernetes) and ran into an area that I think the qemu guest agent might
help us solve.

A common usage pattern for nearly every IaaS platform (AWS, GCP, OpenStack,
Azure) is the ability to inject public ssh keys into VMs in order to grant
access to the VM for automation tools (like Ansible) and users. One of the
more straightforward ways to do this is using cloud-init, which injects ssh
keys at boot.

However, in KubeVirt we're interested in taking this a step further by
allowing public ssh keys to be dynamically granted and revoked on live
"running" VMs. To accomplish this, we need something for our control plane
to coordinate with that is running within the actual VM guest.

- Guest Agent SSH add/remove Support?

As a PoC, I cobbled together some guest agent exec and file write client
commands which can technically achieve the desired result of
adding/removing entries in a /home/<user>/.ssh/authorized_keys file. It's a
little unwieldy, but it works.

This got me thinking: an officially supported guest agent API for this ssh
key management would be really nice. There's already a somewhat related
precedent with the "guest-set-user-password" guest agent command.

So here's the question. What would you all think about the guest agent API
being expanded with new commands for adding/removing ssh public keys from
authorized_keys files?

Thanks
- David

1. https://github.com/kubevirt/kubevirt
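What the PoC described in the message amounts to, as an added example that is not code from the post, from KubeVirt or from QEMU: a host-side client that grants and revokes keys in a guest's authorized_keys with the agent's existing file commands (guest-file-open, guest-file-read, guest-file-write, guest-file-close, each a one-line JSON request of the form {"execute": ..., "arguments": {...}}). The `Qga` class, the `FakeAgent` used to run it offline, the guest path in `PATH`, and the two sample keys are constructed for this example; against a live guest, `send` would write each request as one JSON line to the agent's channel (for example the host-side unix socket of its virtio-serial chardev) and read one JSON line back. Keys are matched on type and base64 blob, not on the comment, so a re-labelled copy of an existing key is not added twice and revocation catches every copy.

```python
# Added example, not code from the post, KubeVirt or QEMU: add/remove authorized_keys
# entries with the real qga commands guest-file-open/-read/-write/-close.
# FakeAgent, PATH and the sample keys are constructed for this example.
import base64

PATH = "/home/cloud-user/.ssh/authorized_keys"               # assumed guest user
ALICE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAliceExampleBlob alice@laptop"
BOB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBobExampleBlob bob@ci"

class Qga:
    """send(request dict) -> response dict; on a live guest, one JSON line each way."""
    def __init__(self, send):
        self._send = send
    def call(self, cmd, **args):
        resp = self._send({"execute": cmd, "arguments": args})
        if "error" in resp:              # qga reports failure as {"error": {"class", "desc"}}
            raise RuntimeError(f"{cmd}: {resp['error']['desc']}")
        return resp["return"]
    def read_file(self, path):
        h, chunks, r = self.call("guest-file-open", path=path, mode="r"), [], {"eof": False}
        try:
            while not r["eof"]:
                r = self.call("guest-file-read", handle=h, count=4096)
                chunks.append(base64.b64decode(r["buf-b64"]))
        finally:
            self.call("guest-file-close", handle=h)
        return b"".join(chunks).decode()
    def write_file(self, path, text):
        h = self.call("guest-file-open", path=path, mode="w")   # fopen-style "w": truncate
        try:
            self.call("guest-file-write", handle=h, count=len(text.encode()),
                      **{"buf-b64": base64.b64encode(text.encode()).decode()})
        finally:
            self.call("guest-file-close", handle=h)

def key_id(line):
    """(type, blob) of an authorized_keys line, ignoring options and comment."""
    toks = line.split()
    if not toks or toks[0].startswith("#"):
        return None
    for i in range(len(toks) - 1):
        if toks[i].startswith(("ssh-", "ecdsa-", "sk-")):
            return toks[i], toks[i + 1]
    return None

def _edit(qga, path, pubkey, fn):
    """Validate pubkey, read the file, apply fn(kid, lines) -> lines, write back if changed."""
    kid = key_id(pubkey)
    if kid is None or "\n" in pubkey or "\r" in pubkey:   # a newline would inject a 2nd entry
        raise ValueError("expected exactly one public key line")
    try:
        lines = qga.read_file(path).splitlines()
    except RuntimeError:
        lines = []                       # no file yet (assumes ~/.ssh already exists)
    new = fn(kid, lines)
    if new != lines:
        qga.write_file(path, "".join(l + "\n" for l in new))
    return len(new) - len(lines)

def add_authorized_key(qga, path, pubkey):
    """Append pubkey unless its type+blob is already present; True if written."""
    return _edit(qga, path, pubkey, lambda kid, ls: ls if any(key_id(l) == kid for l in ls)
                 else ls + [pubkey.strip()]) == 1

def remove_authorized_key(qga, path, pubkey):
    """Drop every entry whose type+blob matches pubkey; return how many."""
    return -_edit(qga, path, pubkey, lambda kid, ls: [l for l in ls if key_id(l) != kid])

class FakeAgent:
    """Offline stand-in for qga: the four file commands, with the agent's JSON shapes."""
    def __init__(self, files):
        self.files, self.cur, self.off = dict(files), None, 0
    def __call__(self, req):
        cmd, a = req["execute"], req["arguments"]
        if cmd == "guest-file-open":
            if a.get("mode", "r") == "w":
                self.files[a["path"]] = b""
            elif a["path"] not in self.files:
                return {"error": {"class": "GenericError", "desc": "open failed"}}
            self.cur, self.off = a["path"], 0
            return {"return": 1000}                            # file handle
        if cmd == "guest-file-read":
            chunk = self.files[self.cur][self.off:self.off + a["count"]]
            self.off += len(chunk)
            return {"return": {"count": len(chunk), "eof": self.off >= len(self.files[self.cur]),
                               "buf-b64": base64.b64encode(chunk).decode()}}
        if cmd == "guest-file-write":
            self.files[self.cur] += base64.b64decode(a["buf-b64"])
            return {"return": {"count": a["count"], "eof": False}}
        return {"return": {}}                                  # guest-file-close

def demo():
    agent = FakeAgent({PATH: ("# managed by demo\n" + ALICE + "\n").encode()})
    qga = Qga(agent)
    add_authorized_key(qga, PATH, BOB)                         # grant
    add_authorized_key(qga, PATH, ALICE + "-renamed")          # same blob, new comment: no write
    remove_authorized_key(qga, PATH, ALICE)                    # revoke
    return agent.files[PATH].decode()
```

Two points the "unwieldy" PoC route makes visible. First, the file commands are a generic root-level file write: whoever can reach the agent channel on the host can write any path, so the control plane is the trust boundary and must validate the key lines it forwards (the newline check above exists because a "key" containing a line break would smuggle in a second entry, options such as command= included). Second, "w" truncates and rewrites the whole file, which is not atomic, and a file the agent creates fresh needs permissions sshd's StrictModes accepts; a dedicated agent command could handle both in the guest instead of leaving them to every client.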


Thread overview: 4+ messages
2020-08-18 13:25 David Vossel [this message]
2020-08-18 18:35 ` guest agent public ssh key add/remove support? Christian Schoenebeck
2020-08-19 13:49   ` David Vossel
2020-08-19 14:17     ` Christian Schoenebeck
