Configuring SSH access to virtual machines

You can configure SSH access to virtual machines (VMs) by using the following methods:

• virtctl ssh command

  You create an SSH key pair, add the public key to a VM, and connect to the VM by running the virtctl ssh command with the private key.

  You can add public SSH keys to Fedora 9 VMs at runtime or at first boot to VMs with guest operating systems that can be configured by using a cloud-init data source.

• virtctl port-forward command

  You add the virtctl port-foward command to your .ssh/config file and connect to the VM by using OpenSSH.

• Service

  You create a service, associate the service with the VM, and connect to the IP address and port exposed by the service.

• Secondary network

  You configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address.

Access configuration considerations

Each method for configuring access to a virtual machine (VM) has advantages and limitations, depending on the traffic load and client requirements.

Services provide excellent performance and are recommended for applications that are accessed from outside the cluster.

If the internal cluster network cannot handle the traffic load, you can configure a secondary network.

virtctl ssh and virtctl port-forwarding commands

• Simple to configure.

• Recommended for troubleshooting VMs.

• virtctl port-forwarding recommended for automated configuration of VMs with Ansible.

• Dynamic public SSH keys can be used to provision VMs with Ansible.

• Not recommended for high-traffic applications like Rsync or Remote Desktop Protocol because of the burden on the API server.

• The API server must be able to handle the traffic load.

• The clients must be able to access the API server.

• The clients must have access credentials for the cluster.

Cluster IP service

• The internal cluster network must be able to handle the traffic load.

• The clients must be able to access an internal cluster IP address.

Node port service

• The internal cluster network must be able to handle the traffic load.

• The clients must be able to access at least one node.

Load balancer service

• A load balancer must be configured.

• Each node must be able to handle the traffic load of one or more load balancer services.

Secondary network

• Excellent performance because traffic does not go through the internal cluster network.

• Allows a flexible approach to network topology.

• Guest operating system must be configured with appropriate security because the VM is exposed directly to the secondary network. If a VM is compromised, an intruder could gain access to the secondary network.

Using virtctl ssh

You can add a public SSH key to a virtual machine (VM) and connect to the VM by running the virtctl ssh command.

This method is simple to configure. However, it is not recommended for high traffic loads because it places a burden on the API server.

About static and dynamic SSH key management

You can add public SSH keys to virtual machines (VMs) statically at first boot or dynamically at runtime.

Static SSH key management

You can add a statically managed SSH key to a VM with a guest operating system that supports configuration by using a cloud-init data source. The key is added to the virtual machine (VM) at first boot.

You can add the key by using one of the following methods:

• Add a key to a single VM when you create it by using the web console or the command line.

• Add a key to a project by using the web console. Afterwards, the key is automatically added to the VMs that you create in this project.

Use cases

• As a VM owner, you can provision all your newly created VMs with a single key.

Dynamic SSH key management

You can enable dynamic SSH key management for a VM with Fedora 9 installed. Afterwards, you can update the key during runtime. The key is added by the QEMU guest agent, which is installed with Red Hat boot sources.

You can disable dynamic key management for security reasons. Then, the VM inherits the key management setting of the image from which it was created.

Use cases

• Granting or revoking access to VMs: As a cluster administrator, you can grant or revoke remote VM access by adding or removing the keys of individual users from a Secret object that is applied to all VMs in a namespace.

• User access: You can add your access credentials to all VMs that you create and manage.

• Ansible provisioning:

  • As an operations team member, you can create a single secret that contains all the keys used for Ansible provisioning.

  • As a VM owner, you can create a VM and attach the keys used for Ansible provisioning.

• Key rotation:

  • As a cluster administrator, you can rotate the Ansible provisioner keys used by VMs in a namespace.

  • As a workload owner, you can rotate the key for the VMs that you manage.

Static key management

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the OKD web console or the command line. The key is added as a cloud-init data source when the VM boots for the first time.

Adding a key when creating a VM from a template

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the OKD web console. The key is added to the VM as a cloud-init data source at first boot. This method does not affect cloud-init user data.

Optional: You can add a key to a project. Afterwards, this key is added automatically to VMs that you create in the project.

Prerequisites

• You generated an SSH key pair by running the ssh-keygen command.

Procedure

1. Navigate to Virtualization → Catalog in the web console.

2. Click a template tile.

   The guest operating system must support configuration from a cloud-init data source.

3. Click Customize VirtualMachine.

4. Click Next.

5. Click the Scripts tab.

6. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:

   • Use existing: Select a secret from the secrets list.

   • Add new:

     1. Browse to the SSH key file or paste the file in the key field.

     2. Enter the secret name.

     3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

1. Click Save.

2. Click Create VirtualMachine.

   The VirtualMachine details page displays the progress of the VM creation.

Verification

1. Click the Scripts tab on the Configuration tab.

   The secret name is displayed in the Authorized SSH key section.

Adding a key when creating a VM from an instance type

You can add a statically managed SSH key when you create a virtual machine (VM) from an instance type by using the OKD web console. The key is added to the VM as a cloud-init data source at first boot. This method does not affect cloud-init user data.

Procedure

1. In the web console, navigate to Virtualization → Catalog and click the InstanceTypes tab.

2. Select a bootable volume.

   The volume table only lists volumes in the openshift-virtualization-os-images namespace that have the instancetype.kubevirt.io/default-preference label.

3. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key in the VirtualMachine details section.

4. Select one of the following options:

   • Use existing: Select a secret from the secrets list.

   • Add new:

     1. Browse to the public SSH key file or paste the file in the key field.

     2. Enter the secret name.

     3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

     4. Click Save.

1. Optional: Click View YAML & CLI to view the YAML file. Click CLI to view the CLI commands. You can also download or copy either the YAML file contents or the CLI commands.

2. Click Create VirtualMachine.

After the VM is created, you can monitor the status on the VirtualMachine details page.

Adding a key when creating a VM by using the command line

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the command line. The key is added to the VM at first boot.

The key is added to the VM as a cloud-init data source. This method separates the access credentials from the application data in the cloud-init user data. This method does not affect cloud-init user data.

Prerequisites

• You generated an SSH key pair by running the ssh-keygen command.

Procedure

1. Create a manifest file for a VirtualMachine object and a Secret object:

   apiVersion: kubevirt.io/v1
   kind: VirtualMachine
   metadata:
     name: example-vm
     namespace: example-namespace
   spec:
     dataVolumeTemplates:
     - apiVersion: cdi.kubevirt.io/v1beta1
       kind: DataVolume
       metadata:
         name: example-vm-disk
       spec:
         sourceRef:
           kind: DataSource
           name: rhel9
           namespace: openshift-virtualization-os-images
         storage:
           resources:
             requests:
               storage: 30Gi
     running: false
     template:
       metadata:
         labels:
           kubevirt.io/domain: example-vm
       spec:
         domain:
           cpu:
             cores: 1
             sockets: 2
             threads: 1
           devices:
             disks:
             - disk:
                 bus: virtio
               name: rootdisk
             - disk:
                 bus: virtio
               name: cloudinitdisk
             interfaces:
             - masquerade: {}
               name: default
             rng: {}
           features:
             smm:
               enabled: true
           firmware:
             bootloader:
               efi: {}
           resources:
             requests:
               memory: 8Gi
         evictionStrategy: LiveMigrate
         networks:
         - name: default
           pod: {}
         volumes:
         - dataVolume:
             name: example-volume
           name: example-vm-disk
           - cloudInitNoCloud: (1)
               userData: |-
                 #cloud-config
                 user: cloud-user
                 password: <password>
                 chpasswd: { expire: False }
             name: cloudinitdisk
         accessCredentials:
           - sshPublicKey:
               propagationMethod:
                 configDrive: {}
               source:
                 secret:
                   secretName: authorized-keys (2)
   ---
   apiVersion: v1
   kind: Secret
   metadata:
     name: authorized-keys
   data:
     key:  |
         MIIEpQIBAAKCAQEAulqb/Y... (3)

   1	Specify the cloudInitNoCloud data source.
   2	Specify the Secret object name.
   3	Paste the public SSH key.

2. Create the VirtualMachine and Secret objects:

   $ oc create -f <manifest_file>.yaml

3. Start the VM:

   $ virtctl start vm example-vm

Verification

1. Get the VM configuration:

   $ oc describe vm example-vm -n example-namespace

   Example output

   apiVersion: kubevirt.io/v1
   kind: VirtualMachine
   metadata:
     name: example-vm
     namespace: example-namespace
   spec:
     template:
       spec:
         accessCredentials:
           - sshPublicKey:
               propagationMethod:
                 configDrive: {}
               source:
                 secret:
                   secretName: authorized-keys

Dynamic key management

You can enable dynamic key injection for a virtual machine (VM) by using the OKD web console or the command line. Then, you can update the key at runtime.

If you disable dynamic key injection, the VM inherits the key management method of the image from which it was created.

Enabling dynamic key injection when creating a VM from a template

You can enable dynamic public SSH key injection when you create a virtual machine (VM) from a template by using the OKD web console. Then, you can update the key at runtime.

The key is added to the VM by the QEMU guest agent, which is installed with Fedora 9.

Prerequisites

• You generated an SSH key pair by running the ssh-keygen command.

Procedure

1. Navigate to Virtualization → Catalog in the web console.

2. Click the Red Hat Enterprise Linux 9 VM tile.

3. Click Customize VirtualMachine.

4. Click Next.

5. Click the Scripts tab.

6. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:

   • Use existing: Select a secret from the secrets list.

   • Add new:

     1. Browse to the SSH key file or paste the file in the key field.

     2. Enter the secret name.

     3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

1. Set Dynamic SSH key injection to on.

2. Click Save.

3. Click Create VirtualMachine.

   The VirtualMachine details page displays the progress of the VM creation.

Verification

1. Click the Scripts tab on the Configuration tab.

   The secret name is displayed in the Authorized SSH key section.

Enabling dynamic key injection when creating a VM from an instance type

You can enable dynamic SSH key injection when you create a virtual machine (VM) from an instance type by using the OKD web console. Then, you can add or revoke the key at runtime.

The key is added to the VM by the QEMU guest agent, which is installed with Fedora 9.

Procedure

1. In the web console, navigate to Virtualization → Catalog and click the InstanceTypes tab.

2. Select a bootable volume.

   The volume table only lists volumes in the openshift-virtualization-os-images namespace that have the instancetype.kubevirt.io/default-preference label.

3. Click the Red Hat Enterprise Linux 9 VM tile.

4. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key in the VirtualMachine details section.

5. Select one of the following options:

   • Use existing: Select a secret from the secrets list.

   • Add new:

     1. Browse to the public SSH key file or paste the file in the key field.

     2. Enter the secret name.

     3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

     4. Click Save.

1. Set Dynamic SSH key injection in the VirtualMachine details section to on.

2. Optional: Click View YAML & CLI to view the YAML file. Click CLI to view the CLI commands. You can also download or copy either the YAML file contents or the CLI commands.

3. Click Create VirtualMachine.

After the VM is created, you can monitor the status on the VirtualMachine details page.

Enabling dynamic SSH key injection by using the web console

You can enable dynamic key injection for a virtual machine (VM) by using the OKD web console. Then, you can update the public SSH key at runtime.

The key is added to the VM by the QEMU guest agent, which is installed with Fedora 9.

Prerequisites

• The guest operating system is Fedora 9.

Procedure

1. Navigate to Virtualization → VirtualMachines in the web console.

2. Select a VM to open the VirtualMachine details page.

3. On the Configure tab, click Scripts.

4. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:

   • Use existing: Select a secret from the secrets list.

   • Add new:

     1. Browse to the SSH key file or paste the file in the key field.

     2. Enter the secret name.

     3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

1. Set Dynamic SSH key injection to on.

2. Click Save.

Enabling dynamic key injection by using the command line

You can enable dynamic key injection for a virtual machine (VM) by using the command line. Then, you can update the public SSH key at runtime.

The key is added to the VM by the QEMU guest agent, which is installed automatically with Fedora 9.

Prerequisites

• You generated an SSH key pair by running the ssh-keygen command.

Procedure

1. Create a manifest file for a VirtualMachine object and a Secret object:

   apiVersion: kubevirt.io/v1
   kind: VirtualMachine
   metadata:
     name: example-vm
     namespace: example-namespace
   spec:
     dataVolumeTemplates:
     - apiVersion: cdi.kubevirt.io/v1beta1
       kind: DataVolume
       metadata:
         name: example-vm-disk
       spec:
         sourceRef:
           kind: DataSource
           name: rhel9
           namespace: openshift-virtualization-os-images
         storage:
           resources:
             requests:
               storage: 30Gi
     running: false
     template:
       metadata:
         labels:
           kubevirt.io/domain: example-vm
       spec:
         domain:
           cpu:
             cores: 1
             sockets: 2
             threads: 1
           devices:
             disks:
             - disk:
                 bus: virtio
               name: rootdisk
             - disk:
                 bus: virtio
               name: cloudinitdisk
             interfaces:
             - masquerade: {}
               name: default
             rng: {}
           features:
             smm:
               enabled: true
           firmware:
             bootloader:
               efi: {}
           resources:
             requests:
               memory: 8Gi
         evictionStrategy: LiveMigrate
         networks:
         - name: default
           pod: {}
         volumes:
         - dataVolume:
             name: example-volume
           name: example-vm-disk
           - cloudInitNoCloud: (1)
               userData: |-
                 #cloud-config
                 user: cloud-user
                 password: <password>
                 chpasswd: { expire: False }
                 runcmd:
                   - [ setsebool, -P, virt_qemu_ga_manage_ssh, on ]
             name: cloudinitdisk
         accessCredentials:
           - sshPublicKey:
               propagationMethod:
                 qemuGuestAgent:
                   users: ["user1","user2","fedora"] (2)
               source:
                 secret:
                   secretName: authorized-keys (3)
   ---
   apiVersion: v1
   kind: Secret
   metadata:
     name: authorized-keys
   data:
     key:  |
         MIIEpQIBAAKCAQEAulqb/Y... (4)

   1	Specify the cloudInitNoCloud data source.
   2	Specify the user names.
   3	Specify the Secret object name.
   4	Paste the public SSH key.

2. Create the VirtualMachine and Secret objects:

   $ oc create -f <manifest_file>.yaml

3. Start the VM:

   $ virtctl start vm example-vm

Verification

1. Get the VM configuration:

   $ oc describe vm example-vm -n example-namespace

   Example output

   apiVersion: kubevirt.io/v1
   kind: VirtualMachine
   metadata:
     name: example-vm
     namespace: example-namespace
   spec:
     template:
       spec:
         accessCredentials:
           - sshPublicKey:
               propagationMethod:
                 qemuGuestAgent:
                   users: ["user1","user2","fedora"]
               source:
                 secret:
                   secretName: authorized-keys

Using the virtctl ssh command

You can access a running virtual machine (VM) by using the virtcl ssh command.

Prerequisites

• You installed the virtctl command line tool.

• You added a public SSH key to the VM.

• You have an SSH client installed.

• The environment where you installed the virtctl tool has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure

• Run the virtctl ssh command:

  $ virtctl -n <namespace> ssh <username>@example-vm -i <ssh_key> (1)

  1	Specify the namespace, user name, and the SSH private key. The default SSH key location is /home/user/.ssh. If you save the key in a different location, you must specify the path.

  Example

  $ virtctl -n my-namespace ssh cloud-user@example-vm -i my-key

Using the virtctl port-forward command

You can access a running virtual machine (VM) by using a local OpenSSH client and the virtctl port-forward command. You can use this method with Ansible to automate the configuration of VMs.

This method is recommended for low-traffic applications because port-forwarding traffic is sent over the control plane. This method is not recommended for high-traffic applications such as Rsync or Remote Desktop Protocol because it places a heavy burden on the API server.

Prerequisites

• You have OpenSSH installed.

• You installed the virtctl command line tool.

• The environment where you installed virtctl has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure

1. Add the following text to the ~/.ssh/config file on your client machine:

   Host vm/*
     ProxyCommand virtctl port-forward --stdio=true %h %p

2. Connect to the VM by running the following command:

   $ ssh <user>@vm/<vm_name>.<namespace>

Using a service for SSH access

You can create a service for a virtual machine (VM) and connect to the IP address and port exposed by the service.

Services provide excellent performance and are recommended for applications that are accessed from outside the cluster or within the cluster. Ingress traffic is protected by firewalls.

If the cluster network cannot handle the traffic load, consider using a secondary network for VM access.

About services

A Kubernetes service exposes network access for clients to an application running on a set of pods. Services offer abstraction, load balancing, and, in the case of the NodePort and LoadBalancer types, exposure to the outside world.

ClusterIP

Exposes the service on an internal IP address and as a DNS name to other applications within the cluster. A single service can map to multiple virtual machines. When a client tries to connect to the service, the client’s request is load balanced among available backends. ClusterIP is the default service type.

NodePort

Exposes the service on the same port of each selected node in the cluster. NodePort makes a port accessible from outside the cluster, as long as the node itself is externally accessible to the client.

LoadBalancer

Creates an external load balancer in the current cloud (if supported) and assigns a fixed, external IP address to the service.

Creating a service

You can create a service to expose a virtual machine (VM) by using the OKD web console, virtctl command line tool, or a YAML file.

Enabling load balancer service creation by using the web console

You can enable the creation of load balancer services for a virtual machine (VM) by using the OKD web console.

Prerequisites

• You have configured a load balancer for the cluster.

• You are logged in as a user with the cluster-admin role.

Procedure

1. Navigate to Virtualization → Overview.

2. On the Settings tab, click Cluster.

3. Expand General settings and SSH configuration.

4. Set SSH over LoadBalancer service to on.

Creating a service by using the web console

You can create a node port or load balancer service for a virtual machine (VM) by using the OKD web console.

Prerequisites

• You configured the cluster network to support either a load balancer or a node port.

• To create a load balancer service, you enabled the creation of load balancer services.

Procedure

1. Navigate to VirtualMachines and select a virtual machine to view the VirtualMachine details page.

2. On the Details tab, select SSH over LoadBalancer from the SSH service type list.

3. Optional: Click the copy icon to copy the SSH command to your clipboard.

Verification

• Check the Services pane on the Details tab to view the new service.

Creating a service by using virtctl

You can create a service for a virtual machine (VM) by using the virtctl command line tool.

Prerequisites

• You installed the virtctl command line tool.

• You configured the cluster network to support the service.

• The environment where you installed virtctl has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure

• Create a service by running the following command:

  $ virtctl expose vm <vm_name> --name <service_name> --type <service_type> --port <port> (1)

  1	Specify the ClusterIP, NodePort, or LoadBalancer service type.

  Example

  $ virtctl expose vm example-vm --name example-service --type NodePort --port 22

Verification

• Verify the service by running the following command:

  $ oc get service

Next steps

After you create a service with virtctl, you must add special: key to the spec.template.metadata.labels stanza of the VirtualMachine manifest. See Creating a service by using the command line.

Creating a service by using the command line

You can create a service and associate it with a virtual machine (VM) by using the command line.

Prerequisites

• You configured the cluster network to support the service.

Procedure

1. Edit the VirtualMachine manifest to add the label for service creation:

   apiVersion: kubevirt.io/v1
   kind: VirtualMachine
   metadata:
     name: example-vm
     namespace: example-namespace
   spec:
     running: false
     template:
       metadata:
         labels:
           special: key (1)
   # ...

   1	Add special: key to the spec.template.metadata.labels stanza.

   Labels on a virtual machine are passed through to the pod. The special: key label must match the label in the spec.selector attribute of the Service manifest.

2. Save the VirtualMachine manifest file to apply your changes.

3. Create a Service manifest to expose the VM:

   apiVersion: v1
   kind: Service
   metadata:
     name: example-service
     namespace: example-namespace
   spec:
   # ...
     selector:
       special: key (1)
     type: NodePort (2)

   1	Specify the label that you added to the spec.template.metadata.labels stanza of the VirtualMachine manifest.
   2	Specify ClusterIP, NodePort, or LoadBalancer.

4. Save the Service manifest file.

5. Create the service by running the following command:

   $ oc create -f example-service.yaml

6. Restart the VM to apply the changes.

Verification

• Query the Service object to verify that it is available:

  $ oc get service -n example-namespace

Connecting to a VM exposed by a service by using SSH

You can connect to a virtual machine (VM) that is exposed by a service by using SSH.

Prerequisites

• You created a service to expose the VM.

• You have an SSH client installed.

• You are logged in to the cluster.

Procedure

• Run the following command to access the VM:

  $ ssh <user_name>@<ip_address> -p <port> (1)

  1	Specify the cluster IP for a cluster IP service, the node IP for a node port service, or the external IP address for a load balancer service.

Using a secondary network for SSH access

You can configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address by using SSH.

See the Multus and SR-IOV documentation in the OKD Virtualization Tuning & Scaling Guide for additional information about networking options.

Prerequisites

• You configured a secondary network such as Linux bridge or SR-IOV.

• You created a network attachment definition for a Linux bridge network or the SR-IOV Network Operator created a network attachment definition when you created an SriovNetwork object.

Configuring a VM network interface by using the web console

You can configure a network interface for a virtual machine (VM) by using the OKD web console.

Prerequisites

• You created a network attachment definition for the network.

Procedure

1. Navigate to Virtualization → VirtualMachines.

2. Click a VM to view the VirtualMachine details page.

3. On the Configuration tab, click the Network interfaces tab.

4. Click Add network interface.

5. Enter the interface name and select the network attachment definition from the Network list.

6. Click Save.

7. Restart the VM to apply the changes.

Connecting to a VM attached to a secondary network by using SSH

You can connect to a virtual machine (VM) attached to a secondary network by using SSH.

Prerequisites

• You attached a VM to a secondary network with a DHCP server.

• You have an SSH client installed.

Procedure

1. Obtain the IP address of the VM by running the following command:

   $ oc describe vm <vm_name>

   Example output

   # ...
   Interfaces:
     Interface Name:  eth0
     Ip Address:      10.244.0.37/24
     Ip Addresses:
       10.244.0.37/24
       fe80::858:aff:fef4:25/64
     Mac:             0a:58:0a:f4:00:25
     Name:            default
   # ...

2. Connect to the VM by running the following command:

   $ ssh <user_name>@<ip_address> -i <ssh_key>

   Example

   $ ssh cloud-user@10.244.0.37 -i ~/.ssh/id_rsa_cloud-user