[pve-devel] [RFC PATCH 2/2] config: add systemd credentials support
Maximiliano Sandoval
m.sandoval at proxmox.com
Tue Sep 24 16:35:02 CEST 2024
Allows to pass systemd credentials to a VM. See [1] for a description of
systemd credentials. This can be potentially used to provision a VM as
per [2]. Values can be passed either as plain text (which might be
base64 encrypted) or by reading the contents of a snippet.
A VM configuration file which, for example, contains:
systemd.foo: value=bar
systemd.ssh.authorized_keys.root: snippet=local:snippets/id_ed25519.pub
systemd.encoded-foo: value=YmFya=,base64=1
will have the following arguments added to its kvm command:
-smbios 'type=11,value=io.systemd.credential.binary:ssh.authorized_keys.root=c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUZWZkFTYnVHdGdoWXBQQTBUS0w4N3I2dWRYNm5CbEM2L2hLWVZaTTdENzYgZm9vQGJhcgo=' \
-smbios 'type=11,value=io.systemd.credential:foo=bar' \
-smbios 'type=11,value=io.systemd.credential.binary:encoded-foo=YmFy'
On the guest these credentials can be read via:
dmidecode -t 11
In the example above, the SSH key will be added to
/root/.ssh/authorized_keys provided the file did not exist, see [3].
[1] https://systemd.io/CREDENTIALS/
[2] https://www.freedesktop.org/software/systemd/man/latest/systemd.system-credentials.html
[3] https://www.freedesktop.org/software/systemd/man/latest/systemd.system-credentials.html#ssh.authorized_keys.root
Suggested-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
---
PVE/QemuServer.pm | 77 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 1566cf91..3ec21064 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -149,6 +149,26 @@ my $watchdog_fmt = {
};
PVE::JSONSchema::register_format('pve-qm-watchdog', $watchdog_fmt);
+our $systemd_value_fmt = {
+ value => {
+ description => 'The credential value. base64=1 should be specified if the value is base64 encoded.',
+ type => 'string',
+ optional => 1,
+ },
+ snippet => {
+ type => 'string',
+ description => "Specify a snippet containing the credential's value",
+ format => 'pve-volume-id',
+ optional => 1,
+ },
+ base64 => {
+ description => 'Whether the value is base64 encoded.',
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
+};
+
my $agent_fmt = {
enabled => {
description => "Enable/disable communication with a QEMU Guest Agent (QGA) running in the VM.",
@@ -2039,6 +2059,16 @@ sub parse_guest_agent {
return $res;
}
+sub parse_systemd_credential {
+ my ($value) = @_;
+
+ return {} if !$value;
+
+ my $res = eval { parse_property_string($systemd_value_fmt, $value) };
+ warn $@ if $@;
+ return $res;
+}
+
sub get_qga_key {
my ($conf, $key) = @_;
return undef if !defined($conf->{agent});
@@ -2390,6 +2420,12 @@ sub parse_vm_config {
$conf->{$key} = $value;
next;
}
+ if ($key =~ /^systemd\.([a-z][a-z_\.-]*)$/) {
+ # ignore validation of systemd credentials
+ $conf->{'systemd-credentials'}->{$1} = $value;
+ next;
+ }
+
eval { $value = check_type($key, $value); };
if ($@) {
$handle_error->("vm $vmid - unable to parse value of '$key' - $@");
@@ -3514,6 +3550,27 @@ my sub get_vga_properties {
return ($vga, $qxlnum);
}
+sub smbios_11_cred_arg {
+ my ($key, $value, $is_encoded) = @_;
+
+ if ($is_encoded) {
+ return ('-smbios', "type=11,value=io.systemd.credential.binary:$key=$value");
+ } else {
+ return ('-smbios', "type=11,value=io.systemd.credential:$key=$value");
+ }
+}
+
+sub read_systemd_custom_file {
+ my ($storage_conf, $path) = @_;
+
+ my ($vtype, undef) = PVE::Storage::parse_volname($storage_conf, $path);
+
+ die "$path is not in the snippets directory\n" if $vtype ne 'snippets';
+
+ my $full_path = PVE::Storage::abs_filesystem_path($storage_conf, $path, 1);
+ return PVE::Tools::file_get_contents($full_path, 1 * 1024 * 1024);
+}
+
sub config_to_command {
my ($storecfg, $vmid, $conf, $defaults, $forcemachine, $forcecpu,
$live_restore_backing) = @_;
@@ -4142,6 +4199,26 @@ sub config_to_command {
push @$cmd, '-snapshot';
}
+ # set systemd-credentials
+ my $storage_conf;
+ my $systemd_credentials = $conf->{'systemd-credentials'} || {};
+ foreach my $key (keys %$systemd_credentials) {
+ my $opts = parse_systemd_credential($systemd_credentials->{$key});
+ my $is_encoded = $opts->{'base64'} ? 1 : 0;
+ my $value;
+
+ if (my $v = $opts->{'value'}) {
+ $value = $v;
+ } elsif (my $snippet = $opts->{'snippet'}) {
+ $storage_conf = PVE::Storage::config() if !defined($storage_conf);
+ my $contents = read_systemd_custom_file($storage_conf, $snippet);
+ $value = encode_base64($contents, '');
+ $is_encoded = 1;
+ }
+
+ push @$cmd, smbios_11_cred_arg($key, $value, $is_encoded) if $value;
+ }
+
# add custom args
if ($conf->{args}) {
my $aa = PVE::Tools::split_args($conf->{args});
--
2.39.5
More information about the pve-devel
mailing list