OVIRT-VMCONSOLE
===============

OUTLINE
-------

ovirt-vmconsole enables secure access to virtual machine serial consoles. It
uses the SSH protocol to tunnel the console from the customer to the
destination host.

Two components are available:

ovirt-vmconsole-host
    ssh daemon implementation that runs on the host end and enables trusted
    connections to access the consoles. Consoles are assumed to be unix domain
    sockets that are directly attached to the qemu virtual serial.

ovirt-vmconsole-proxy
    ssh daemon implementation that runs on the end-user-accessible host. Users
    access the proxy; based on their public key, the authorized consoles are
    fetched from a manager, and once one is selected a connection to the host
    is established.

The ovirt-vmconsole package cannot be used as-is; it requires customization
to fetch users' authorized keys and users' authorized consoles.

SERVICES
--------

ovirt-vmconsole-host-sshd
ovirt-vmconsole-proxy-sshd

USAGE
-----

A user accesses the proxy using the following command; a menu with the
available consoles will be presented:

    $ ssh -t -p 2222 ovirt-vmconsole@proxy-host connect

A specific console can be accessed using the following command:

    $ ssh -t -p 2222 ovirt-vmconsole@proxy-host connect --vm-id=1E12DF323

List available consoles:

    $ ssh -p 2222 ovirt-vmconsole@proxy-host list

Usage:

    $ ssh -p 2222 ovirt-vmconsole@proxy-host -- --help

IMPLEMENTATION
--------------

The ssh daemon implementation is based on the system-provided openssh. The
daemon runs under a non-privileged user. No root access is used.

INSTALLATION
------------

PKI ARTIFACTS

PKI artifacts are located at:

    /etc/pki/ovirt-vmconsole

    Mode  Owner            File                         Notes
    0644  root             ca.pub
    0600  ovirt-vmconsole  host-ssh_host_rsa
    0644  root             host-ssh_host_rsa-cert.pub   principal:fqdn
    0600  ovirt-vmconsole  proxy-ssh_host_rsa
    0644  root             proxy-ssh_host_rsa-cert.pub  principal:fqdn
    0600  ovirt-vmconsole  proxy-ssh_user_rsa
    0644  root             proxy-ssh_user_rsa-cert.pub  principal:ovirt-vmconsole-proxy

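The check below is an added example, not part of the ovirt-vmconsole project: it compares the files in the PKI directory with the modes and owners listed in the table above and reports every deviation. The names audit_pki, EXPECTED and check_owner are hypothetical; a machine that runs only one of the two components can pass a narrowed `expected` list.

```python
import os
import pwd
import stat

PKI_DIR = "/etc/pki/ovirt-vmconsole"

# (mode, owner, file) rows copied from the PKI ARTIFACTS table in this README.
EXPECTED = [
    (0o644, "root", "ca.pub"),
    (0o600, "ovirt-vmconsole", "host-ssh_host_rsa"),
    (0o644, "root", "host-ssh_host_rsa-cert.pub"),
    (0o600, "ovirt-vmconsole", "proxy-ssh_host_rsa"),
    (0o644, "root", "proxy-ssh_host_rsa-cert.pub"),
    (0o600, "ovirt-vmconsole", "proxy-ssh_user_rsa"),
    (0o644, "root", "proxy-ssh_user_rsa-cert.pub"),
]


def audit_pki(directory=PKI_DIR, expected=EXPECTED, check_owner=True):
    """Return a list of (file, problem) findings; an empty list means compliant."""
    findings = []
    for mode, owner, name in expected:
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((name, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            # Exact match: a private key readable by group/other is a finding.
            findings.append((name, "mode %04o, expected %04o" % (actual, mode)))
        if check_owner:
            try:
                actual_owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:  # uid without a passwd entry
                actual_owner = str(st.st_uid)
            if actual_owner != owner:
                findings.append((name, "owner %s, expected %s" % (actual_owner, owner)))
    return findings


if __name__ == "__main__":
    for name, problem in audit_pki():
        print("%s/%s: %s" % (PKI_DIR, name, problem))
```
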
CONSOLES

By default, the consoles' unix sockets are assumed to be at:

    /var/run/ovirt-vmconsole-console/

CONFIGURATION

Configuration is located in the following directory. It uses a conf.d
structure: files are sorted by file name, and the last one wins.

    /etc/ovirt-vmconsole/ovirt-vmconsole-{host,proxy}/conf.d

Packages should at least modify the following proxy configuration; refer
to README.API:

- key_list - get a list of authorized keys.
- console_list - get a list of authorized consoles.

PROBLEM DETERMINATION
---------------------

LOGS

Logs are sent to the system log. If you enable debug, make sure the syslog
daemon writes log records.

Logging for a specific user session can be enabled using:

    $ ssh -t -p 2222 ovirt-vmconsole@proxy-host -- --debug connect

TEST

Create a socket s1 to emulate qemu; press Ctrl-A to escape.

    socat -,raw,echo=0,escape=1 UNIX-LISTEN:/var/run/ovirt-vmconsole-console/s1,user=ovirt-vmconsole

CUSTOMIZATION
-------------

It may be necessary to change the TCP port that the serial-console
infrastructure uses to connect to emulated serial ports.
This can be done manually, but this is not the recommended way, since it may
easily be broken by updates.

1. On each virtualization host, override the default sshd options
   using the OPTIONS variable at:

       /etc/sysconfig/ovirt-vmconsole-host-sshd

2. On the proxy host, edit

       /etc/sysconfig/ovirt-vmconsole-proxy-sshd

   You can create the file mentioned here and in the above bullet point if
   it is missing; check
   https://www.freedesktop.org/software/systemd/man/systemd.exec.html for
   further details.

3. On the proxy host, also override the ssh options by dropping a new file in
   the `/etc/ovirt-vmconsole/ovirt-vmconsole-proxy/conf.d/` directory, like

       /etc/ovirt-vmconsole/ovirt-vmconsole-proxy/conf.d/90-custom-options.conf

   Use this option:

       console_attach_ssh_args=""

4. On the proxy host, SELinux should be customized:

       # semanage port -a -t ovirt_vmconsole_proxy_port_t -p tcp XXX

5. On each affected virtualization host, SELinux should be customized as well:

       # semanage port -a -t ovirt_vmconsole_host_port_t -p tcp XXX