[kvm] Entering into pod #1303
[kvm] Entering into pod #1303
Conversation
| @@ -0,0 +1,12 @@ | |||
| -----BEGIN RSA PRIVATE KEY----- | |||
There was a problem hiding this comment.
Does it mean that anyone (even non-root) who has IP connectivity to the container port 22 will be able to ssh using this well-known "private" key?
There was a problem hiding this comment.
Similar idea as in vagrant. sshd can be also enforced (but this would require rewriting config file in time of image preparation) to run only on particular interface/port (for example on primary interface with /31 netmask configured for... host<->vm connection purpose).
jellonek
force-pushed
the
entering
branch
2 times, most recently
from
c335041
to
a16434f
Compare
|
Ok, I've changed behavior. Instead of using hardcoded key pair, I'm generating such one per host machine, once in run or prepare time, and then I'm copying public key into roots authorized_keys for ssh. So keys are generated once per host, and are copied once per POD. |
jellonek
force-pushed
the
entering
branch
2 times, most recently
from
48d1577
to
cbe96c5
Compare
| } | ||
|
|
||
| err = ensureKeyExistenceInPod(rootfsPath, dataDir) | ||
| if err != nil { |
There was a problem hiding this comment.
it is enough to just return err or even return ensureKeyExistenceInPod(rootfsPath, dataDir)
jellonek
force-pushed
the
entering
branch
2 times, most recently
from
46e85d7
to
76a9b9d
Compare
| return nets[0].IP.String(), nil | ||
| } | ||
|
|
||
| func execToSSH() int { |
There was a problem hiding this comment.
I don't like "int as error code return here" - we should stick with error created by errors.Errorf() and then in main()
func main() {
...
err := execToSSH()
if err != nil {
fmt.Fprintf(os.Stderr, "execToSSH: %v\n", err)
os.Exit(1)
}
}the resposbility how to handle/display error should be left to caller
There was a problem hiding this comment.
So probably You should also comment this same form in stage1/init/init.go
I was only replicating principles from other parts of rkt.
There was a problem hiding this comment.
Your application is completely independent, and there is not need to copy IMHO wrong pattern (also there is no custom to comment existing code within new PR 😏 )
update: I have looked more detailed in init.go, and this pattern was used, because different error codes are returned for every case (in your situation, you return 1 everywhere)
jellonek
force-pushed
the
entering
branch
2 times, most recently
from
15597df
to
84b0444
Compare
jellonek
force-pushed
the
entering
branch
2 times, most recently
from
3019bb1
to
9792e45
Compare
|
typos in commit message... |
|
|
||
| func ensureDirExists(path string) error { | ||
| err := os.MkdirAll(path, 0700) | ||
| if err != nil && os.IsExist(err) { |
There was a problem hiding this comment.
slightly superfluous:
If path is already a directory, MkdirAll does nothing and returns nil.
|
@vcaputo do you have any time to review this one? |
|
|
||
| STAGE1_INSTALL_DIRS += \ | ||
| $(ACIROOTFSDIR)/etc:0755 \ | ||
| $(ACIROOTFSDIR)/root/.ssh:0700 \ |
There was a problem hiding this comment.
Nothing depends on that directory, so it will not be created. Anyway, you create it in the code.
|
Sorry for the lateness, I've started writing this comment a few times over the past week and it keeps getting eaten by my browser. In OOB discussions about this, @philips raised a serious concern about permanently running an SSH server in a pod. Aside from technical concerns (attack vector, resource usage, whatever) there is a conceptual/spec issue. Essentially, we're violating the network contract of the pod: instead of giving the application complete control over the networking namespace/interface(s) we provide them, we've now arbitrarily controlled one of their ports. There were a couple of proposed solutions to mitigate this concern that we thought might be worth exploring:
|
|
Yes, there is a method to spin up ssh server only when it's needed - we can achieve this by socket activation. I planned to add this as next step in separate pull request (it also fixes tests prepared by @ppalucki) but if there is desire for this, in time of this weekend I'll code this. Other thing is port on which ssh is listening (or systemd will wait for connection in inetd style after changing to use socket activation) - if such port will be randomized (some upper ports) - this also potentially increases "security by obscurity", and also gives back 22 port for user usage. |
jellonek
force-pushed
the
entering
branch
3 times, most recently
from
8fb2259
to
994a206
Compare
|
As I mentioned before (or maybe in discussion with @krnowak) I will move this from |
|
Rebased onto master. |
| "-N", "", // no passphrase | ||
| ).Output() | ||
| if err != nil { | ||
| return fmt.Errorf("error in keygen time. ret_val: %v, output: %v", err, string(out[:len(out)])) |
There was a problem hiding this comment.
Isn't string(out[:len(out)]) same as simply string(out)?
There was a problem hiding this comment.
Try it ;)
No, it isn't. It would not trim ending multiple \0
|
Ok, minor nits I haven't noticed before (and this named return value issue that was not addressed yet), but otherwise I'm ready to merge it. Once this is merged, I'll open an issue about stuff that needs to be addressed WRT. entering on KVM. That would be:
|
jellonek
force-pushed
the
entering
branch
2 times, most recently
from
d7965b1
to
c647a4f
Compare
| @@ -0,0 +1,36 @@ | |||
| Port 22 | |||
There was a problem hiding this comment.
This doesn't matter, we are using inetd mode of ssdh running (-i parameter) for "old style" socket activation.
I'll try to remove this line (should be working ok), but at this moment I don't have time to test this, so this could be done after merge in separate small issue.
|
Not ready to merge |
First step on route to implement entering into POD mounted as lkvm VM.
RFC. Especially @krnowak