Adding a new Libvirt compute resource, but how can I add a password?

I'm hooking Foreman into two servers which run KVM & Libvirt. I'm following 5.2.5 Libvirt Notes
<https://www.theforeman.org/manuals/1.11/index.html#5.2.5LibvirtNotes>, and
I created an SSH key for testing. I can successfully reach the remote
hypervisors with a command like virsh -c qemu+ssh://hypervisor.example.com/system list.

How do I add the passphrase to Foreman so that Foreman can log in to the
remote server to manage the compute resources? I see some mention of rake
tasks at https://www.theforeman.org/manuals/1.11/index.html#5.2.10PasswordEncryption,
but I'm confused whether that applies to what I am trying to do, or how to
encrypt something like a passphrase for libvirt.

Thanks,

-= Stefan

> I'm hooking Foreman into two servers which run KVM & Libvirt. I'm following 5.2.5 Libvirt Notes
> <https://www.theforeman.org/manuals/1.11/index.html#5.2.5LibvirtNotes>, and
> I created an SSH key for testing. I can successfully reach the remote
> hypervisors with a command like virsh -c qemu+ssh://hypervisor.example.com/system list.

If you've set up qemu+ssh so that a password is needed, I'm afraid you'd
have to create a feature request (Issues - Foreman, http://projects.theforeman.org/issues/).

You have to change your hypervisor /etc/ssh/sshd_config to allow root
login without-password and ensure your ssh public key is in the
hypervisor /root/.ssh/authorized_keys.

> How do I add the passphrase to Foreman so that Foreman can log in to the
> remote server to manage the compute resources? I see some mention of rake
> tasks at https://www.theforeman.org/manuals/1.11/index.html#5.2.10PasswordEncryption,
> but I'm confused whether that applies to what I am trying to do, or how to
> encrypt something like a passphrase for libvirt.

That's unrelated; it applies to the password field in other compute resources,
and libvirt does not have that field.

On 09/27, Stefan Lasiewski wrote:



You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

> > I'm hooking Foreman into two servers which run KVM & Libvirt. I'm following 5.2.5 Libvirt Notes
> > <https://www.theforeman.org/manuals/1.11/index.html#5.2.5LibvirtNotes>, and
> > I created an SSH key for testing. I can successfully reach the remote
> > hypervisors with a command like virsh -c qemu+ssh://hypervisor.example.com/system list.
>
> If you've set up qemu+ssh so that a password is needed, I'm afraid you'd
> have to create a feature request (Issues - Foreman).
>
> You have to change your hypervisor /etc/ssh/sshd_config to allow root
> login without-password and ensure your ssh public key is in the
> hypervisor /root/.ssh/authorized_keys.
>

You don't actually have to use the root user; you can configure PolicyKit
to allow connecting to libvirt as another user. Googling
"libvirt non root user" should help you out there.
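The non-root route Sean mentions comes down to one polkit rule on the hypervisor. The script below is an added example for this thread, not something from the original posts or from the Foreman project; it writes that rule and sanity-checks it. Assumed: a polkit version with JavaScript rules (0.106 or later), a local group named "libvirt" (some distributions use "libvirtd"), the rule file name 50-libvirt-foreman.rules, and a target directory given as the first argument, defaulting to a temporary directory so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): grant libvirt
# management rights to a dedicated non-root group through polkit, so the
# Foreman SSH key can live in an unprivileged account rather than root's.
# Assumptions: polkit >= 0.106 (JavaScript rules), a local "libvirt" group,
# and the rule file name below.

RULES_DIR="${1:-$(mktemp -d)}"   # real location is /etc/polkit-1/rules.d

# org.libvirt.unix.manage is the action libvirtd checks for a read-write
# connection to qemu:///system (org.libvirt.unix.monitor is read-only).
# The rule answers YES only for that action and only for group members;
# every other request falls through to polkit's normal decision.
write_libvirt_polkit_rule() {
    rule="$1/50-libvirt-foreman.rules"
    cat > "$rule" <<'EOF'
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
});
EOF
    chmod 0644 "$rule"
    echo "$rule"
}

# Quick review of a rule file before deploying it: the grant must be tied
# to the manage action and to a group check, not an unconditional YES.
rule_scopes_manage_to_group() {
    grep -q 'org.libvirt.unix.manage' "$1" &&
    grep -q 'subject.isInGroup("libvirt")' "$1"
}

RULE=$(write_libvirt_polkit_rule "$RULES_DIR")
echo "wrote $RULE"
if rule_scopes_manage_to_group "$RULE"; then
    echo "rule grants manage only to the libvirt group"
else
    echo "rule is broader than intended; do not install" >&2
    exit 1
fi
```

After installing the file under /etc/polkit-1/rules.d and adding the account Foreman will log in as to the libvirt group (usermod -aG libvirt foreman; the user name is a placeholder), check on the hypervisor with "virsh -c qemu:///system list" as that user, then give Foreman the URI qemu+ssh://foreman@hypervisor.example.com/system. This only applies where libvirtd.conf keeps auth_unix_rw at its polkit default; where it is set to "none", the unix_sock_group setting in the same file controls who may use the socket.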

On Wed, Sep 28, 2016 at 10:53 AM, Daniel Lobato Garcia wrote:
> On 09/27, Stefan Lasiewski wrote:

Hmm, rats.

We definitely don't want to SSH into servers as root with an unencrypted
key. I'll look into PolicyKit to allow SSH as another user.

I'll also note that problems with unencrypted keys can be mitigated a bit
by hardcoding a whitelist of allowed commands and IPs in authorized_keys.

> If you've set up qemu+ssh so that a password is needed

Well, that's not quite the right way to phrase it. I'm simply using
qemu+ssh in its default configuration, and SSH best practices recommend a
passphrase. I was hoping that Foreman would work with this, or would
somehow encrypt a passphrase. I'll look into filing an enhancement request.

Does Foreman support KVM remote management over TLS+X509 certs
<http://wiki.libvirt.org/page/TLSDaemonConfiguration>?

Thanks,

-= Stefan

On Wed, Sep 28, 2016 at 9:21 AM, Sean O'Keeffe wrote:



Stefan Lasiewski                 Email: stefanl@nersc.gov
Computer System Engineer III     Email: slasiewski@lbl.gov
NERSC Data Infrastructure Group

National Energy Research Scientific Computing Center (NERSC, http://nersc.gov)
Lawrence Berkeley National Laboratory
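Daniel's sshd_config and authorized_keys instructions and Stefan's point about whitelisting commands and source IPs in authorized_keys fit together in one small script. It is an added example, not code from the thread or from the Foreman project. Assumed: the hypervisor's netcat supports -U for Unix sockets (OpenBSD or nmap nc; GNU netcat does not), libvirtd's socket is at /var/run/libvirt/libvirt-sock, the OpenSSH version understands the "restrict" option (7.2 or later), and the Foreman host address and public key are placeholders; the sample sshd_config files are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): lock down the
# SSH side of a qemu+ssh compute resource. Assumptions: OpenBSD-style "nc -U",
# the default libvirtd socket path, OpenSSH >= 7.2, placeholder host and key.

LIBVIRT_SOCK="/var/run/libvirt/libvirt-sock"   # assumed default socket path

# Build an authorized_keys entry that (a) only accepts the key from the
# Foreman host and (b) forces the session to connect stdin/stdout to the
# libvirt socket, which is all qemu+ssh needs. sshd runs command= instead of
# whatever the client asked for, so a copied key cannot open a shell.
restricted_authorized_key() {
    from="$1"; pubkey="$2"
    printf 'from="%s",restrict,command="nc -U %s" %s\n' "$from" "$LIBVIRT_SOCK" "$pubkey"
}

# Effective value of an sshd_config keyword: sshd takes the first match,
# keywords are case-insensitive, commented lines never match.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Audit the settings discussed in the thread: root may log in with a key only
# ("prohibit-password" is the current spelling of "without-password") and
# password authentication is off. Returns 1 if anything needs changing.
audit_sshd_config() {
    rc=0
    case "$(sshd_option "$1" PermitRootLogin)" in
        prohibit-password|without-password|no) ;;
        *) echo "FINDING: PermitRootLogin should be prohibit-password (or no)"; rc=1 ;;
    esac
    case "$(sshd_option "$1" PasswordAuthentication)" in
        no) ;;
        *) echo "FINDING: PasswordAuthentication should be no"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs; left in $WORK for inspection.
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
# typical distribution default before hardening
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$WORK/hardened.conf" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF

restricted_authorized_key "192.0.2.10" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY foreman@example"
audit_sshd_config "$WORK/weak.conf" || echo "weak.conf needs changes"
audit_sshd_config "$WORK/hardened.conf" && echo "hardened.conf OK"
```

The printed authorized_keys line goes into the target account's ~/.ssh/authorized_keys (root's, or the non-root libvirt user's if PolicyKit is set up); the from= pattern accepts a comma-separated list of addresses or CIDR ranges, so several Foreman or smart-proxy hosts can share one entry. Because the forced command replaces the client's command, test afterwards with the same virsh -c qemu+ssh://... list call from the Foreman host, and expect an interactive ssh to that account to fail.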

At some point on Thu, Sep 29, 2016 at 10:24:57AM -0700, Stefan Lasiewski wrote:
> Hmm, rats.
>
> We definitely don't want to SSH into servers as root with an unencrypted
> key. I'll look into PolicyKit to allow SSH as another user.
>
> I'll also note that problems with unencrypted keys can be mitigated a bit
> by hardcoding a whitelist of allowed commands and IPs in authorized_keys.
>
> > If you've set up qemu+ssh so that a password is needed
>
> Well, that's not quite the right way to phrase it. I'm simply using
> qemu+ssh in its default configuration, and SSH best practices recommend a
> passphrase. I was hoping that Foreman would work with this, or would
> somehow encrypt a passphrase. I'll look into filing an enhancement request.

I have not specifically tried this in Foreman's context, but it should
also be possible to configure sshd to use Kerberos principal based
authentication. For this, sshd must be configured to use the GSSAPI auth
mechanism, and the rest is transparent to the applications.

Anurag