Closed sspreitzer closed 2 years ago
ping @dmacvicar
I do not understand how, but this problem no longer exists.
The server-side permission problem, however, was solved by using a non-root user who is part of the libvirt group to access the libvirt socket on the server. Apparently some OpenSSH servers are compiled with the restriction that root may never be able to forward ports/sockets.
Creating a user virt, being part of group libvirt, solved the problem.
The ssh key was copied to the virt user on the target server.
/etc/libvirt/libvirtd.conf on the server (needs restart of libvirt daemon):
# This is restricted to 'root' by default.
unix_sock_group = "libvirt"
Effects:
[sspreitzer@voyager k8s]$ ssh virt@10.1.1.2
Last login: Sun Jan 2 13:53:33 2022 from 10.1.1.100
[virt@vm2 ~]$ id
uid=1000(virt) gid=1000(virt) groups=1000(virt),992(libvirt) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[virt@vm2 ~]$ ls -al /var/run/libvirt/libvirt-sock
srwxrwx---. 1 root libvirt 0 8. Jul 08:12 /var/run/libvirt/libvirt-sock
The provider config:
provider "libvirt" {
  uri = "qemu+ssh://virt@10.1.1.2/system"
}
Perhaps we should document this.
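A check for the setup described in the comment above, as an added example that is not part of the original issue or the provider's code: it reads unix_sock_group from a libvirtd.conf-style file and confirms that the connecting user's groups and the socket's mode and group agree with it. The function names, the commented-out wheel line and the 777 case are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Inputs are passed in so it runs offline; on a
# real host take them from `id -Gn virt` and
# `stat -c '%a %G' /var/run/libvirt/libvirt-sock`.

# Print the last uncommented value of KEY ($2) in a libvirtd.conf-style FILE ($1).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# audit_socket CONF "USER_GROUPS" SOCK_MODE SOCK_GROUP
# Prints "ok" and returns 0 only when the setup matches the one described above.
audit_socket() {
    want=$(conf_value "$1" unix_sock_group)
    [ -n "$want" ] || { echo "unix_sock_group not set in config"; return 1; }
    [ "$4" = "$want" ] || { echo "socket group is $4, config says $want (daemon restarted?)"; return 1; }
    case " $2 " in
        *" $want "*) ;;
        *) echo "connecting user is not in group $want"; return 1 ;;
    esac
    g=$(( (0$3 >> 3) & 7 ))   # group permission bits of the socket
    o=$(( 0$3 & 7 ))          # permission bits for everyone else
    [ $(( g & 6 )) -eq 6 ] || { echo "group lacks read/write on the socket"; return 1; }
    [ "$o" -eq 0 ] || { echo "socket is open to all local users (mode $3)"; return 1; }
    echo "ok"
}

# Constructed sample config; prints the path of the temporary file it writes.
sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#unix_sock_group = "wheel"
# This is restricted to 'root' by default.
unix_sock_group = "libvirt"
EOF
    echo "$f"
}

conf=$(sample_conf)
audit_socket "$conf" "virt libvirt" 770 libvirt          # values shown on the page
audit_socket "$conf" "virt libvirt" 777 libvirt || true  # constructed weak mode
rm -f "$conf"
```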
System Information
Linux distribution
Client: Gentoo Server: RHEL 7.7
Terraform version
Description of Issue/Question
When running terraform plan on the client, the client produces:
The provider config is:
The server log is reporting:
SSH version installed is the latest ssh version available for RHEL 7 (7.9):
The conclusion is that the built-in ssh client of the plugin does not support the server's rsa, dsa, ecdsa and ed25519 hostkeys. The ssh server version is not capable of producing and using sk-* hostkeys.
The suggestion is to make the hostkey type acceptance configurable or compatible with rsa, dsa, ecdsa and ed25519. Otherwise many server systems will be excluded from being usable.