qemu-devel

guest agent public ssh key add/remove support?


From: David Vossel
Subject: guest agent public ssh key add/remove support?
Date: Tue, 18 Aug 2020 09:25:56 -0400

Hey,

- Quick background

I'm investigating a feature for the KubeVirt project [1] (virtual machines on Kubernetes) and ran into an area that I think the qemu guest agent might help us solve.

A common usage pattern for nearly every IaaS platform (AWS, GCP, OpenStack, Azure) is the ability to inject public ssh keys into VMs in order to grant access to the VM for automation tools (like ansible) and users. One of the more straightforward ways to do this is using cloud-init, which injects ssh keys at boot.

However, in KubeVirt we're interested in taking this a step further by allowing public ssh keys to be dynamically granted and revoked on live "running" VMs. To accomplish this, we need something for our control plane to coordinate with that is running within the actual VM guest.

- Guest Agent SSH add/remove Support?

As a PoC, I cobbled together some guest agent exec and file write client commands which can technically achieve the desired result of adding/removing entries in a /home/<user>/.ssh/authorized_keys file. It's a little unwieldy, but it works.

This got me thinking: an officially supported guest agent API for this ssh key management would be really nice. There's already a somewhat related precedent with the "guest-set-user-password" guest agent command.

So here's the question. What would you all think about the guest agent API being expanded with new commands for adding/removing ssh public keys from authorized_keys files?

Thanks
- David


1. https://github.com/kubevirt/kubevirt
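
An added example, not part of the original message and not KubeVirt or QEMU code: one way a control plane could compute the new authorized_keys content before pushing it through the guest agent's guest-file-write command, matching keys by type and key material so that grant and revoke are idempotent. The function names and the sample keys are hypothetical; the whitespace split is a simplification that does not handle quoted option values containing spaces.

```python
import base64
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def key_identity(line):
    """Return (type, base64 blob) for an active authorized_keys line, else None."""
    fields = [] if line.lstrip().startswith("#") else line.split()
    for i, ktype in enumerate(fields[:-1]):
        if ktype not in KEY_TYPES:
            continue  # leading options field, or not a key line at all
        try:
            raw = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            return None
        # The blob embeds its own type name; it must match the declared type.
        if not raw.startswith(struct.pack(">I", len(ktype)) + ktype.encode()):
            return None
        return ktype, fields[i + 1]
    return None

def add_key(content, new_line):
    """Append new_line unless the same key is already authorized."""
    if "\n" in new_line or "\r" in new_line:
        raise ValueError("one key per call; embedded newline rejected")
    ident = key_identity(new_line)
    if ident is None:
        raise ValueError("not a well-formed public key line")
    if any(key_identity(l) == ident for l in content.splitlines()):
        return content
    if content and not content.endswith("\n"):
        content += "\n"
    return content + new_line.strip() + "\n"

def remove_key(content, key_line):
    """Drop every line carrying the same key, whatever its comment or options."""
    ident = key_identity(key_line)
    if ident is None:
        raise ValueError("not a well-formed public key line")
    kept = [l for l in content.splitlines() if key_identity(l) != ident]
    return "".join(l + "\n" for l in kept)

def guest_file_write(handle, content):
    """guest-file-write request body; handle comes from guest-file-open."""
    return {"execute": "guest-file-write", "arguments": {
        "handle": handle, "buf-b64": base64.b64encode(content.encode()).decode()}}

def sample_key(fill, comment):  # constructed placeholder, not a real key
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(raw).decode(), comment)
```

Rejecting embedded newlines matters because the caller's key string ends up as a line in a file that sshd trusts; without that check, one "key" could carry a second, unreviewed entry.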
