Conversation

@norio-nomura
Contributor

@norio-nomura norio-nomura commented Nov 12, 2025

Use an in-process SSH client on executing requirement scripts other than starting an SSH ControlMaster process. To fall back to external SSH, add the LIMA_EXTERNAL_SSH_REQUIREMENT environment variable.

  • pkg/sshutil: Add ExecuteScriptViaInProcessClient()

@norio-nomura
Contributor Author

This change aims to avoid `error: stderr="": read |0: bad file descriptor` on executing requirement scripts.

@norio-nomura norio-nomura force-pushed the use-in-process-ssh-client-to-requirement branch from 6f82138 to bfad23e on November 12, 2025 02:44
@norio-nomura norio-nomura force-pushed the use-in-process-ssh-client-to-requirement branch 3 times, most recently from 7ac972c to 19da4f8 on November 12, 2025 05:08
@norio-nomura norio-nomura force-pushed the use-in-process-ssh-client-to-requirement branch 2 times, most recently from 75df537 to 11f5967 on November 12, 2025 06:29
@norio-nomura norio-nomura marked this pull request as draft November 12, 2025 07:11
@norio-nomura
Contributor Author

This change aims to avoid `error: stderr="": read |0: bad file descriptor` on executing requirement scripts.

This error no longer occurs, but instead ssh connection is no longer possible in macOS+QEMU. 😞

@norio-nomura norio-nomura force-pushed the use-in-process-ssh-client-to-requirement branch 7 times, most recently from 776ff21 to 9e82e1a on November 13, 2025 03:29
@norio-nomura norio-nomura force-pushed the use-in-process-ssh-client-to-requirement branch 3 times, most recently from 56cf488 to 5f12c0b on November 13, 2025 07:15
Check the SSH server in a way that complies with the SSH protocol using x/crypto/ssh.
This change fixes lima-vm#4334 by falling back to usernet port forwarder on failing SSH connections over VSOCK.

- pkg/networks/usernet: Rename entry point from `/extension/wait_port` to `/extension/wait_ssh_server`
  Because it changed to an SSH server-specific entry point.
  When a client accesses the old entry point, it fails and continues with falling back to the usernet forwarder.

- pkg/sshutil: Add `WaitSSHReady()`
  WaitSSHReady waits until the SSH server is ready to accept connections.
  The dialContext function is used to create a connection to the SSH server.
  The addr, user, and privateKeyPath parameters are used for ssh.ClientConn creation.
  The timeoutSeconds parameter specifies the maximum number of seconds to wait.

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
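The commit message above describes `WaitSSHReady()` as a check that speaks the SSH protocol rather than merely confirming that a port accepts connections. The following Go program is an added illustration of that idea and is not Lima's code: it keeps the same shape (a `dialContext` function, a timeout in seconds) but, to stay on the standard library, it stops at the RFC 4253 identification string exchange instead of completing the key exchange the way an `x/crypto/ssh` client would. The `DialContextFunc` type, `TCPDialer` helper and the demo listener in `main` are assumptions made for this example.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// DialContextFunc plays the role of the dialContext parameter named in the
// commit message: it opens a raw connection to the guest's SSH port over
// whatever transport is in use (VSOCK, usernet forwarder, plain TCP).
// Hypothetical type for this example.
type DialContextFunc func(ctx context.Context) (net.Conn, error)

// readIdentificationString reads the server identification line defined in
// RFC 4253 section 4.2 ("SSH-protoversion-softwareversion SP comments CR LF").
// A server may send informational lines before it; those are skipped, with a
// cap so a chatty non-SSH service cannot keep us reading forever.
func readIdentificationString(conn net.Conn, timeout time.Duration) (string, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	r := bufio.NewReader(conn)
	for i := 0; i < 16; i++ {
		line, err := r.ReadString('\n')
		if err != nil {
			return "", err
		}
		line = strings.TrimRight(line, "\r\n")
		if strings.HasPrefix(line, "SSH-") {
			return line, nil
		}
	}
	return "", errors.New("no SSH identification string within 16 lines")
}

// probeOnce dials once and returns the identification string if the peer
// speaks SSH 2.0. A successful TCP connect alone does not count: a port
// forwarder may accept before sshd inside the guest is listening.
func probeOnce(ctx context.Context, dialContext DialContextFunc) (string, error) {
	conn, err := dialContext(ctx)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	banner, err := readIdentificationString(conn, 2*time.Second)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(banner, "SSH-2.0-") {
		return "", fmt.Errorf("unsupported SSH version string %q", banner)
	}
	return banner, nil
}

// WaitSSHReady retries probeOnce until it succeeds or timeoutSeconds elapse.
// The returned error wraps the last probe failure so the caller can see why
// the server never became ready (refused, closed early, not SSH, ...).
func WaitSSHReady(ctx context.Context, dialContext DialContextFunc, timeoutSeconds int) (string, error) {
	deadline := time.Now().Add(time.Duration(timeoutSeconds) * time.Second)
	for {
		banner, err := probeOnce(ctx, dialContext)
		if err == nil {
			return banner, nil
		}
		if time.Now().After(deadline) {
			return "", fmt.Errorf("ssh server not ready after %ds: %w", timeoutSeconds, err)
		}
		select {
		case <-ctx.Done():
			return "", ctx.Err()
		case <-time.After(200 * time.Millisecond):
		}
	}
}

// TCPDialer adapts a host:port address into a DialContextFunc (hypothetical helper).
func TCPDialer(addr string) DialContextFunc {
	return func(ctx context.Context) (net.Conn, error) {
		var d net.Dialer
		return d.DialContext(ctx, "tcp", addr)
	}
}

func main() {
	// Constructed demo peer: a local listener that greets like sshd would.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte("SSH-2.0-OpenSSH_9.9 demo\r\n")) // constructed banner
			c.Close()
		}
	}()
	fmt.Println(WaitSSHReady(context.Background(), TCPDialer(ln.Addr().String()), 5))
}
```

A peer that accepts the connection but closes it, or that answers with something other than `SSH-2.0-…`, keeps the loop retrying until the deadline, which is the behaviour the commit relies on when it falls back to the usernet forwarder after a failed VSOCK attempt.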
@norio-nomura norio-nomura force-pushed the use-in-process-ssh-client-to-requirement branch 3 times, most recently from f82a400 to 8f0d92e on November 13, 2025 11:29
@norio-nomura
Contributor Author

Expecting CI failures will be fixed by #4336 and #4341

@norio-nomura
Contributor Author

Expecting CI failures will be fixed by #4336 and #4341

This PR includes #4336 and #4341.

This change changes the SSH server keys that have been generated for each boot in guest OS to be generated by hostagent for each boot.
This allows the hostagent to obtain the public key before booting, so that knownhosts can be used with an ssh connection.

The code that uses `ssh.InsecureIgnoreHostKey()` in `x/crypto/ssh` is pointed out in CodeQL as `Use of insecure HostKeyCallback implementation (High)`, so it is an implementation to avoid this.

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
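The commit message above replaces `ssh.InsecureIgnoreHostKey()` with a known-hosts check, which only works because the hostagent now generates the server key itself and therefore knows the public half before the guest boots. The following Go program is an added example, not Lima's code, showing that flow with the standard library only: the host generates an ed25519 key, renders a `known_hosts` line for it in the OpenSSH format, and a pinned-key check with the same role as an `x/crypto/ssh` `HostKeyCallback` rejects any other key. In the real project that callback would come from `knownhosts.New` or `ssh.FixedHostKey`; the function names here (`GenerateHostKey`, `KnownHostsLine`, `PinnedHostKeyCheck`) and the sample address are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// sshString encodes a byte string in SSH wire format: uint32 length + bytes (RFC 4251 section 5).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// MarshalED25519PublicKey builds the OpenSSH public-key blob for an ed25519 key:
// string "ssh-ed25519" followed by the 32 raw key bytes (RFC 8709).
func MarshalED25519PublicKey(pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString([]byte(pub)))
	return buf.Bytes()
}

// KnownHostsLine renders a known_hosts entry; non-standard ports use the "[host]:port" form.
func KnownHostsLine(hostport string, pub ed25519.PublicKey) string {
	return fmt.Sprintf("%s ssh-ed25519 %s", hostport,
		base64.StdEncoding.EncodeToString(MarshalED25519PublicKey(pub)))
}

// GenerateHostKey is the hostagent side: the key pair is created on the host, so the
// public half is known before the guest ever boots. (Hypothetical helper name.)
func GenerateHostKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// PinnedHostKeyCheck parses known_hosts text and returns a check that accepts only the
// key blob recorded for hostport. Unknown hosts are rejected rather than trusted on first use.
func PinnedHostKeyCheck(knownHosts string) func(hostport string, presented []byte) error {
	pinned := map[string][]byte{}
	for _, line := range strings.Split(knownHosts, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		blob, err := base64.StdEncoding.DecodeString(fields[2])
		if err != nil {
			continue // skip malformed entries instead of pinning garbage
		}
		pinned[fields[0]] = blob
	}
	return func(hostport string, presented []byte) error {
		want, ok := pinned[hostport]
		if !ok {
			return fmt.Errorf("no known_hosts entry for %s", hostport)
		}
		if subtle.ConstantTimeCompare(want, presented) != 1 {
			return errors.New("host key mismatch: presented key is not the one generated by the hostagent")
		}
		return nil
	}
}

func main() {
	pub, _, err := GenerateHostKey()
	if err != nil {
		panic(err)
	}
	const addr = "[127.0.0.1]:60022" // constructed sample address
	line := KnownHostsLine(addr, pub)
	fmt.Println(line)
	check := PinnedHostKeyCheck(line)
	fmt.Println("own key:", check(addr, MarshalED25519PublicKey(pub)))
	other, _, _ := GenerateHostKey()
	fmt.Println("other key:", check(addr, MarshalED25519PublicKey(other)))
}
```

Because the private half is handed to the guest and the public half is pinned before the first connection, the client never has to accept an unknown key, which is exactly the condition CodeQL flags when `InsecureIgnoreHostKey()` is used.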
…ipts

Use an in-process SSH client on executing requirement scripts other than starting an SSH ControlMaster process.
To fall back to external SSH, add the `LIMA_EXTERNAL_SSH_REQUIREMENT` environment variable.

- pkg/sshutil: Add `ExecuteScriptViaInProcessClient()`

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

# Conflicts:
#	pkg/sshutil/sshutil.go

# Conflicts:
#	pkg/sshutil/sshutil.go
Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
QEMU 10.1.2 seems to break on GitHub runners

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
…cmdline

`template:` refers to installed templates. So, it needs to be injected before executing `make install`.

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
@norio-nomura norio-nomura force-pushed the use-in-process-ssh-client-to-requirement branch from 8f0d92e to ad1aad8 on November 14, 2025 15:55