ionos-cloud / docker-machine-driver

IONOS Cloud Docker Machine Driver
Apache License 2.0

VM provisioning without root #38

Closed mueller-tobias closed 1 year ago

mueller-tobias commented 2 years ago

Current SDK Version

6.0.1

Use-cases

We are an enterprise customer, and the BSI doesn't allow root access via SSH. With version 6.0.1 we can configure an initial cloud-init configuration. If we disable root access via SSH, which is mandatory for BSI compliance, the node driver will fail because no connection via SSH is possible.

Attempted Solutions

You could use a solution similar to the vSphere node driver. They use the cloud-init configuration from the user and add an additional technical user that is used to connect via SSH.

Proposal

Create a custom technical user with cloud-init and use it when provisioning the VM.
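The configuration the proposal describes, as an added example that is not part of the issue or of the ionos-cloud/docker-machine-driver project: a cloud-init user-data file that creates a non-root technical user with key-only access and passwordless sudo (docker-machine provisioning runs its steps through sudo), then turns off root and password logins in sshd. The user name `node-tech`, the placeholder public key and the sshd drop-in path are assumptions; the drop-in relies on an OpenSSH whose default config includes `/etc/ssh/sshd_config.d/*.conf` (8.2 and later). Since a key the driver generates at create time cannot be pasted into a file written beforehand, the `users:` entry below is the shape the driver itself would have to emit for the SSH_USER account.

```yaml
#cloud-config
# Added example (not from the ionos-cloud/docker-machine-driver project).
# Assumed names: user "node-tech", placeholder public key, drop-in path below.

# Listing "users" explicitly also suppresses the image's default user unless
# "- default" is added; keep that in mind for break-glass accounts.
users:
  - name: node-tech
    gecos: Technical user for node provisioning
    shell: /bin/bash
    groups: [sudo]                      # Debian/Ubuntu; use "wheel" on RHEL-family images
    sudo: "ALL=(ALL) NOPASSWD:ALL"      # docker-machine provisioners run their steps via sudo
    lock_passwd: true                   # no password at all: key-based login only
    ssh_authorized_keys:
      - "ssh-ed25519 AAAA...REPLACE_WITH_REAL_PUBLIC_KEY node-tech"   # placeholder, not a real key

# Neutralise root's authorized_keys (cloud-init prefixes them with a refusing command)
# and refuse password authentication for every account.
disable_root: true
ssh_pwauth: false

# Belt and braces: make sshd itself refuse root, regardless of root's keys.
# Assumes OpenSSH >= 8.2, whose stock sshd_config includes sshd_config.d/*.conf.
write_files:
  - path: /etc/ssh/sshd_config.d/99-no-root.conf
    owner: root:root
    permissions: "0644"
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      PubkeyAuthentication yes

# Reload sshd so the drop-in is active before the driver tries to connect.
# write_files runs before runcmd; the service name differs between distro families.
runcmd:
  - [ sh, -c, "systemctl reload ssh || systemctl reload sshd" ]
```

After the VM is up, check the result from outside: `ssh -o BatchMode=yes root@<ip> true` must be refused, and `ssh node-tech@<ip> sudo -n true` must succeed without a password prompt, otherwise the provisioner will stall on the first sudo step.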

avirtopeanu-ionos commented 1 year ago

Hi! Would you be okay with setting up your desired user / groups in the cloud-init configuration, and then using an SSH_USER option inside the Node Template for specifying which user to connect as?

mueller-tobias commented 1 year ago

I don't think that's a secure way to manage the connection. I can configure an SSH_User in the node template, but I'll only add the public SSH key in the cloud-init configuration. Without the appropriate private key the driver can't connect to the created VM.

rmocanu-ionos commented 1 year ago

Hello! As far as I understand, the problem with this approach would be that you do not have access to the public key, as it has not been created yet. This being the case, we will add the user configuration in the user data field inside the driver, using the key we are creating. Will doing this when a different user is provided in an SSH_USER flag solve the issue?

Regarding the need for the driver to have the private key, as far as I can see every driver works in this way, using the private key for SSH, so I am not sure I understand your last sentence.

mueller-tobias commented 1 year ago

As far as I understood avirtopeanu's proposal, we should configure a user in the cloud-init configuration that will be used by the driver? Or was the proposal only to configure our backup/troubleshooting users in the cloud-init configuration, and the driver will configure its own user, with the name specified in the SSH_User variable?

rmocanu-ionos commented 1 year ago

We were thinking about the user used by the driver, but looking more at this solution it does not seem possible for you to add it in the cloud-init configuration, as the keys are generated inside the driver.

It seems that the only way would be for us to add it in the user data inside the driver.

avirtopeanu-ionos commented 1 year ago

Hi! This is included in the latest release: v6.1.0-rc.1. However, this is a release candidate. We will keep this issue open until it is included in a full release.

Have a nice day!

avirtopeanu-ionos commented 1 year ago

Included in v6.1.0