cirruslabs / orchard

Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices

Obtaining SSH Credentials for VMs #85

Closed sanieldalib closed 1 year ago

sanieldalib commented 1 year ago

Hey there, thanks for your awesome work on Orchard. I've been playing around with it and really enjoying it!

I was wondering if there is a way to obtain credentials for the proxied SSH connection to the VMs. I'm specifically looking at the use case of transferring files to a VM via SCP and eventually connecting to VMs via Ansible.

Thanks in advance!

edigaryev commented 1 year ago

Hello Daniel!

I was wondering if there is a way to obtain credentials for the proxied SSH connection to the VMs.

You mean the username and password strings?

These can be obtained from the API, and if they're not set, orchard ssh vm assumes that they're equal to admin:admin: https://github.com/cirruslabs/orchard/blob/316f785a0cb44de2b4dd5686f390f6938e9b1f1e/internal/command/ssh/vm.go#L177-L203

Or you want a separate command for that? It seems the orchard get vm could be of use 🤔

sanieldalib commented 1 year ago

@edigaryev Thanks for the response!

I was primarily referring to the IP and port combination. Looking to grab these and inject them into a call to scp.

Sorry for the initial confusion.

fkorotkov commented 1 year ago

At the moment, the Orchard controller acts as a proxy and hides worker nodes from potential users, so you have security flexibility. For example, you can have Mac Mini workers in one datacenter under a VPC that is direct-linked to your AWS account, where the Orchard Controller is running on a VM. In this scenario, to work with VMs you only need access to the controller.

Right now, for your use case, a workaround will look like using port forwarding. Let's say you've created a ventura-base VM like this:

orchard create vm --image ghcr.io/cirruslabs/macos-ventura-base:latest ventura-base

You can locally expose port 22 for future SSHing. Let's say you bind it on local port 8822:

orchard port-forward vm ventura-base 8822:22

After that you can use scp like this:

scp -P 8822 file.txt admin@127.0.0.1:/Users/admin/
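
The three steps above scripted end to end, as an added example that is not Orchard's own code: it starts the port-forward in the background, waits for the local port to accept connections, runs scp, and always tears the tunnel down again. It assumes the `orchard` CLI is on PATH (override with `ORCHARD=...`) and that `nc` is available for the port probe; `scp_via_orchard` and `wait_for_port` are names made up here.

```shell
#!/bin/sh
# Added example (not Orchard project code): scripts the port-forward
# workaround from the thread. Only the commands shown there are used:
# `orchard port-forward vm <vm> <local>:22` and `scp -P <local>`.
# Assumes `orchard` on PATH (or ORCHARD=/path/to/orchard) and `nc`.
set -eu

ORCHARD="${ORCHARD:-orchard}"

# Return 0 once 127.0.0.1:$1 accepts TCP connections, 1 after $2 seconds.
# The thread's scp targets 127.0.0.1, so the probe does too.
wait_for_port() {
  port="$1"; timeout="${2:-30}"; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if nc -z 127.0.0.1 "$port" >/dev/null 2>&1; then
      return 0
    fi
    elapsed=$((elapsed + 1))
    sleep 1
  done
  return 1
}

# Usage: scp_via_orchard <vm-name> <local-port> <local-file> <remote-path> [user]
# Starts the tunnel, waits for it, copies the file, then kills the tunnel
# whether or not scp succeeded, so the forwarded port is not left open.
scp_via_orchard() {
  vm="$1"; lport="$2"; file="$3"; dest="$4"; user="${5:-admin}"
  "$ORCHARD" port-forward vm "$vm" "${lport}:22" &
  fwd_pid=$!
  status=0
  if wait_for_port "$lport" 30; then
    scp -P "$lport" "$file" "${user}@127.0.0.1:${dest}" || status=$?
  else
    echo "port-forward on 127.0.0.1:${lport} did not come up" >&2
    status=1
  fi
  kill "$fwd_pid" 2>/dev/null || true
  wait "$fwd_pid" 2>/dev/null || true
  return "$status"
}

# Same transfer as in the thread, for the VM created above:
#   scp_via_orchard ventura-base 8822 file.txt /Users/admin/
# Runs only when arguments are given, so sourcing the file is side-effect free.
[ "$#" -eq 0 ] || scp_via_orchard "$@"
```
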

fkorotkov commented 1 year ago

This made me think about a potential command like orchard expose vm ventura-base 22, which will expose a particular port of a VM through the controller. So if your controller is running on the orchard.internal domain, you'll be able to ssh into ventura-base.orchard.internal:22 without using the local client. Will discuss this idea with @edigaryev internally.

fkorotkov commented 1 year ago

We talked about that and it seems it might be a potential security issue, especially if your controller is publicly accessible and you use an image with admin/admin credentials.

Please check out if the workaround above works for you. If not, please describe your scp/Ansible use case in a bit more detail and let's discuss what we can do to help.

sanieldalib commented 1 year ago

The above workaround works great. I'm just spiking Orchard so this is more than enough. Thank you so much!