ssh-generator which makes VMs and containers accessible to ssh via AF_UNIX and AF_VSOCK

TODO

@@ -137,6 +137,13 @@ Features:
   to read them from. This way the data doesn't remain in the SMBIOS blob during
   runtime, but only in the credentials fs.
 
+* machined: make machine registration available via varlink to simplify
+  nspawn/vmspawn, and to have an extensible way to register VM/machine metadata
+
+* ssh-proxy: add support for "ssh machine/foobar" to automatically connect to
+  machined registered machine "foobar". Requires updating machined to track CID
+  and unix-export dir of containers.
+
 * add a new ExecStart= flag that inserts the configured user's shell as first
   word in the command line. (maybe use character '.'). Usecase: tool such as
   uid0 can use that to spawn the target user's default shell.
@@ -301,15 +308,6 @@ Features:
   the realized cgroup, to pin it (and later execute all cgroup operations over,
   once we drop cgroupv1 compat).
 
-* add new "systemd-ssh-generator", which allows basic ssh config via
-  credentials (host key). It generates sshd.socket for IP, but also
-  sshd-vsock.socket for listening on AF_VSOCK when running in a VM, and
-  sshd-unix.socket on AF_UNIX when running in a container. It also generates a
-  matching sshd.service file with a host key passed in on the cmdline via
-  credentials. Then, add a ssh_config drop-in that matches some suitable
-  hostname pattern and has a ProxyCommand set that allows connecting to any
-  local VM/container that way without any networking configured.
-
 * Varlinkification of the following command line tools, to open them up to
   other programs via IPC:
   - bootctl

docs/CONTAINER_INTERFACE.md

@@ -273,6 +273,30 @@ care should be taken to avoid naming conflicts. `systemd` (and in particular
 7. The `/run/host/credentials/` directory is a good place to pass credentials
    into the container, using the `$CREDENTIALS_DIRECTORY` protocol, see above.
 
+8. The `/run/host/unix-export/` directory shall be writable from the container
+   payload, and is where container payload can bind `AF_UNIX` sockets in that
+   shall be *exported* to the host, so that the host can connect to them. The
+   container manager should bind mount this directory on the host side
+   (read-only ideally), so that the host can connect to contained sockets. This
+   is most prominently used by `systemd-ssh-generator` when run in such a
+   container to automatically bind an SSH socket into that directory, which
+   then can be used to connect to the container.
+
+9. The `/run/host/unix-export/ssh` `AF_UNIX` socket will be automatically bound
+   by `systemd-ssh-generator` in the container if possible, and can be used to
+   connect to the container.
+
+10. The `/run/host/userdb/` directory may be used to drop-in additional JSON
+    user records that `nss-systemd` inside the container shall include in the
+    system's user database. This is useful to make host users and their home
+    directories automatically accessible to containers in transitive
+    fashion. See `nss-systemd(8)` for details.
+
+11. The `/run/host/home/` directory may be used to bind mount host home
+    directories of users that shall be made available in the container to. This
+    may be used in combination with `/run/host/userdb/` above: one defines the
+    user record, the other contains the user's home directory.
+
 ## What You Shouldn't Do
 
 1. Do not drop `CAP_MKNOD` from the container. `PrivateDevices=` is a commonly

man/kernel-command-line.xml

@@ -138,6 +138,18 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>systemd.ssh_auto=</varname></term>
+        <term><varname>systemd.ssh_listen=</varname></term>
+        <listitem>
+          <para>These parameters are interpreted by
+          <citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+          and may be used to control SSH sockets the system shall be reachable on.</para>
+
+          <xi:include href="version-info.xml" xpointer="v256"/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>systemd.volatile=</varname></term>
         <listitem>

man/rules/meson.build

@@ -1054,6 +1054,8 @@ manpages = [
  ['systemd-socket-activate', '1', [], ''],
  ['systemd-socket-proxyd', '8', [], ''],
  ['systemd-soft-reboot.service', '8', [], ''],
+ ['systemd-ssh-generator', '8', [], ''],
+ ['systemd-ssh-proxy', '1', [], ''],
  ['systemd-stdio-bridge', '1', [], ''],
  ['systemd-storagetm.service', '8', ['systemd-storagetm'], 'ENABLE_STORAGETM'],
  ['systemd-stub',

man/systemd-ssh-generator.xml

@@ -0,0 +1,141 @@
+<?xml version="1.0"?>
+<!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY % entities SYSTEM "custom-entities.ent" >
+%entities;
+]>
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+<refentry id="systemd-ssh-generator"
+          xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>systemd-ssh-generator</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>systemd-ssh-generator</refentrytitle>
+    <manvolnum>8</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>systemd-ssh-generator</refname>
+    <refpurpose>Generator for binding a socket-activated SSH server to local <constant>AV_VSOCK</constant>
+    and <constant>AF_UNIX</constant> sockets</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><filename>/usr/lib/systemd/system-generators/systemd-ssh-generator</filename></para>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><command>systemd-ssh-generator</command> binds a socket-activated SSH server to local
+    <constant>AV_VSOCK</constant> and <constant>AF_UNIX</constant> sockets under certain conditions. It only
+    has an effect if the <citerefentry
+    project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> binary is
+    installed. Specifically, it does the following:</para>
+
+    <itemizedlist>
+      <listitem><para>If invoked in a VM with <constant>AF_VSOCK</constant> support, a socket-activated SSH
+      per-connection service is bound to <constant>AF_VSOCK</constant> port 22.</para></listitem>
+
+      <listitem><para>If invoked in a container environment with a writable directory
+      <filename>/run/host/unix-export/</filename> pre-mounted it binds SSH to an <constant>AF_UNIX</constant>
+      socket <filename>/run/host/unix-export/ssh</filename>. The assumption is that this directory is bind
+      mounted to the host side as well, and can be used to connect to the container from there. See <ulink
+      url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> for more information about
+      this interface.</para></listitem>
+
+      <listitem><para>A local <constant>AF_UNIX</constant> socket
+      <filename>/run/ssh-unix-local/socket</filename> is also bound, unconditionally. This may be used for
+      SSH communication from the host to itself, without involving networking, for example to traverse
+      security boundaries safely and with secure authentication.</para></listitem>
+
+      <listitem><para>Additional <constant>AF_UNIX</constant> and <constant>AF_VSOCK</constant> sockets are
+      optionally bound, based on the <varname>systemd.ssh_listen=</varname> kernel command line option or the
+      <filename>ssh.listen</filename> system credential (see below).</para></listitem>
+    </itemizedlist>
+
+    <para>See
+    <citerefentry><refentrytitle>systemd-ssh-proxy</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
+    details on how to connect to these sockets via the <command>ssh</command> client.</para>
+
+    <para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one
+    exists, and otherwise generate a suitable service template file.</para>
+
+    <para><filename>systemd-ssh-generator</filename> implements
+    <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Kernel Command Line</title>
+
+    <para><filename>systemd-ssh-generator</filename> understands the following
+    <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+    parameters:</para>
+
+    <variablelist class='kernel-commandline-options'>
+      <varlistentry>
+        <term><varname>systemd.ssh_auto=</varname></term>
+
+        <listitem><para>This option takes an optional boolean argument, and defaults to yes. If enabled, the
+        automatic binding to the <constant>AF_VSOCK</constant> and <constant>AF_UNIX</constant> sockets
+        listed above is done. If disable, this is not done, except for those explicitly requested via
+        <varname>systemd.ssh_listen=</varname> on the kernel command line or via the
+        <varname>ssh.listen</varname> system credential.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>systemd.ssh_listen=</varname></term>
+
+        <listitem><para>This option configures an additional socket to bind SSH to. It may be used multiple
+        times to bind multiple sockets. The syntax should follow the one of <varname>ListenStream=</varname>,
+        see
+        <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        for details. This functionality supports all socket families systemd supports, including
+        <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Credentials</title>
+
+    <para><command>systemd-ssh-generator</command> supports the system credentials logic. The following
+    credentials are used when passed in:</para>
+
+    <variablelist class='system-credentials'>
+      <varlistentry>
+        <term><varname>ssh.listen</varname></term>
+
+        <listitem><para>This credential should be a text file, with each line referencing one additional
+        socket to bind SSH to. The syntax should follow the one of <varname>ListenStream=</varname>, see
+        <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        for details. This functionality supports all socket families systemd supports, including
+        <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd.system-credentials</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>vsock</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+    </simplelist></para>
+  </refsect1>
+</refentry>

man/systemd-ssh-proxy.xml

@@ -0,0 +1,116 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="systemd-ssh-proxy"
+    xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>systemd-ssh-proxy</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>systemd-ssh-proxy</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>systemd-ssh-proxy</refname>
+    <refpurpose>SSH client plugin for connecting to <constant>AF_VSOCK</constant> and
+    <constant>AF_UNIX</constant> sockets</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <programlisting>
+Host unix/* vsock/*
+    ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
+    ProxyUseFdpass yes
+</programlisting>
+    <cmdsynopsis>
+      <command>/usr/lib/systemd/systemd-ssh-proxy</command> <arg>ADDRESS</arg> <arg>PORT</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><command>systemd-ssh-proxy</command> is a small "proxy" plugin for the <citerefentry
+    project="man-pages"><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+    tool that allows connecting to <constant>AF_UNIX</constant> and <constant>AF_VSOCK</constant> sockets. It
+    implements the interface defined by <filename>ssh</filename>'s <varname>ProxyCommand</varname>
+    configuration option. It's supposed to be used with an <citerefentry
+    project="man-pages"><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    configuration fragment like the following:</para>
+
+    <programlisting>
+Host unix/* vsock/*
+    ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
+    ProxyUseFdpass yes
+    CheckHostIP no
+
+Host .host
+    ProxyCommand /usr/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
+    ProxyUseFdpass yes
+    CheckHostIP no
+</programlisting>
+
+    <para>A configuration fragment along these lines is by default installed into
+    <filename>/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf.in</filename>.</para>
+
+    <para>With this in place, SSH connections to host string <literal>unix/</literal> followed by an absolute
+    <constant>AF_UNIX</constant> file system path to a socket will be directed to the specified socket, which
+    must be of type <constant>SOCK_STREAM</constant>. Similar, SSH connections to <literal>vsock/</literal>
+    followed by an <constant>AF_VSOCK</constant> CID will result in an SSH connection made to that
+    CID. Moreover connecting to <literal>.host</literal> will connect to the local host via SSH, without
+    involving networking.</para>
+
+    <para>This tool is supposed to be used together with
+    <citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    which when run inside a VM or container will bind SSH to suitable
+    addresses. <command>systemd-ssh-generator</command> is supposed to run in the container of VM guest, and
+    <command>systemd-ssh-proxy</command> is run on the host, in order to connect to the container or VM
+    guest.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Exit status</title>
+
+    <para>On success, 0 is returned, a non-zero failure code
+    otherwise.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <example>
+      <title>Talk to a local VM with CID 4711</title>
+
+      <programlisting>ssh vsock/4711</programlisting>
+    </example>
+
+    <example>
+      <title>Talk to the local host via ssh</title>
+
+      <programlisting>ssh .host</programlisting>
+
+      <para>or equivalent:</para>
+
+      <programlisting>ssh unix/run/ssh-unix-local/socket</programlisting>
+    </example>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>vsock</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+    </simplelist></para>
+  </refsect1>
+</refentry>

man/systemd.system-credentials.xml

@@ -217,6 +217,17 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>ssh.listen</varname></term>
+        <listitem>
+          <para>May be used to configure SSH sockets the system shall be reachable on. See
+          <citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+          for details.</para>
+
+          <xi:include href="version-info.xml" xpointer="v256"/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>sysusers.extra</varname></term>
         <listitem>