devshell: Support -S/--root-ssh-smbios
#3712
Conversation
Raw format is fine to use on systems that have reflinks for example.
Since it's in systemd it's available as a baseline way to inject things like a SSH key. That said, not all systems support SMBIOS. But for those that do let's support it.
We've built up a *lot* of generically useful qemu code, and I am considering factoring it out into a Go package suitable for sharing in particular with "podman machine" and other use cases. Related to this, I'm building systems now that don't use Ignition by default. We only need a small bit of code to inject a root ssh key via systemd creds over SMBIOS; change things to support that. Concretely with this I can now `cosa run -S --qemu-image ~/build/centos-bootc.raw`
|
OK, got this one past the random CI flakes. Any takers? Should be pretty safe. That said, one thing I am thinking about doing is lifting the qemu library into a distinct separate git repository. |
|
Interesting idea. Why should we do this in COSA and not in say If we do think COSA is the best place to do something like this: since we have the ability to inject kernel args, should we instead consider using the |
They're different but related things. One can already pass credentials via SMBIOS by directly using But The other big thing is that virt-install is Python, whereas this code is in Go and that will make it easier (possible, really) to share with podman-machine and other Go projects in the future. Basically while this change isn't directly useful for FCOS, it starts to generalize our qemu/ssh code to be potentially more sharable with other use cases. |
Yes, we could though ultimately I think that case is going to be solved with using virtiofs for metadata. |
Oh nice. Is there a link where I can learn more about that? |
Right. Those are quite nice additions to a dev/test workflow. I could totally see My concern here is that we are adding features for non-CoreOS users essentially and I don't think our team(s) are in a position to field future feature request or fix bugs when those users have problems.
I'd be hesitant to start maintaining code here (or even in a split out library) that ended up as load bearing in other projects. Most of the code we wrote here was for a specific purpose and I'm not sure it would generalize well. All that being said, I'm interested in what other contributors here think? |
|
Yeah, feels odd to be adding code here that's not really relevant to FCOS/RHCOS. Even if long-term we move away from Ignition, our tools would probably switch over to providing e.g. cloud-init data instead, right?
There's for sure a lot of CoreOS-specific things in there. Though we definitely also have bits that are of the more generic "convenience QEMU wrapper" aspect which I could imagine splitting out. Wrapping QEMU is common enough that it'd make sense to unite efforts a bit. So my strawman is to create that library first (could literally copy/paste |
I'm just wondering why we couldn't contribute these pieces into a library more dedicated to that goal so it's useful for everyone? i.e. https://github.com/digitalocean/go-qemu or https://libvirt.org/go/libvirt |
Wasn't aware of Re. libvirt, I think not requiring a daemon and purely trying to make using the QEMU CLI for ephemeral VMs more convenient is worthwhile. |
No, I don't think we should or can require cloud-init. systemd's credential stuff (which is added here, it's a trivial amount of code) is a good enough baseline bootstrap mechanism to get SSH from a generic disk image (except with apple Virtualization.framework, but that's a distinct issue). |
Depending on libvirt I think is not out of the question, but a baseline requirement is running on MacOS, and libvirt is a really huge dependency there. I don't think there's much excitement about doing that. Also on Linux even; a tricky thing is libvirt doesn't have inherent namespacing, and that can be complex to deal with in general. The other thing is libvirt just kind of breaks the "run a VM as a child process" workflow that we have right now, it gets hard to avoid leaking VMs in corner cases. What I would again narrow in on here is that when you look at coreos-assembler and podman-machine:
It's fine, we don't have to merge this PR, I can just fork the qemu code here and merge it in another place. But, having this here to start would help re-aligning things later. |
|
I think this is related to the discussions in containers/podman-bootc#28. See especially containers/podman-bootc#28 (comment). I.e. in this case for example, I think eventually cosa should instead inherit from a shared space that knows how to do this stuff. And I think in that process, it'd make a lot of sense to move a lot of the qemu code in cosa to that shared tooling. Anyway, let's close this for now. |
qemu: Detect raw format too
Raw format is fine to use on systems that have reflinks for example.
qemu: Support injecting SSH keys via systemd credentials over SMBIOS
Since it's in systemd it's available as a baseline way to
inject things like a SSH key. That said, not all systems
support SMBIOS. But for those that do let's support it.
devshell: Support
-S/--root-ssh-smbiosWe've built up a lot of generically useful qemu code, and
I am considering factoring it out into a Go package
suitable for sharing in particular with "podman machine"
and other use cases.
Related to this, I'm building systems now that don't use Ignition
by default.
We only need a small bit of code to inject a root ssh key
via systemd creds over SMBIOS; change things to support that.
Concretely with this I can now
cosa run -S --qemu-image ~/build/centos-bootc.raw