feat: Add microvm.credentialFiles for passing credentials to guests
#337
Conversation
This commit implements `microvm.credentialFiles` a mechanism for passing credentials into guest vms from the host. Currently only support for qemu is implemented as I want to test the waters to see if you're interested in this feature, Astro. In addition to qmeu cloud-hypervisor can be supported via smbios. But it depends on [this feature being added](cloud-hypervisor/cloud-hypervisor#6951 (comment)), and also astro#336 being merged to microvm.nix cloud-hypervisor could be supported immediately, but then the secrets would be visible in the ps output. A cursory code search shows that the following additional hypervisors could be supported: - crosvm: via fw_cfg, or smbios - alioth: via fw_cfg - stratovirt: via fw_cfg (maybe smbios) kvmtool and firecracker both seem like they cannot be supported. Related: - astro#259 - astro#52
|
NixCI is ready to run on this PR. |
|
That looks well to me. Are you going to try adding the other hypervisors? Where not supported, please add |
Yes I will attempt to implement it in the runners for the other hypervisors, and for those that I can't I'll add an assert. I'll also update the docs. I'd like to implement a test for this too. Could you point me to where in FYI this is how I am able to take advantage of the credential, by setting the SSH host key (which also lets me bootstrap my sops-nix in the guest). # this is part of the guest vms nixos config
microvm.credentialFiles = {
"SSH_HOST_KEY" = "/run/secrets/mymicrovm_sops_ssh_key"; # This file must exist on the host, since I use imperative vms, I have to make it manually.
};
systemd.services.sshd = {
serviceConfig = {
ImportCredential = "SSH_HOST_KEY";
};
preStart = ''
mkdir -p /etc/ssh
cat $CREDENTIALS_DIRECTORY/SSH_HOST_KEY > /etc/ssh/ssh_host_ed25519_key
chmod 0600 /etc/ssh/ssh_host_ed25519_key
'';
};I got ill, so it might be until next week before I'm able to return to these PRs. |
|
The top of Get well soon, and don't feel stressed from open tickets! |
This commit implements
microvm.credentialFilesa mechanism for passingcredentials into guest vms from the host.
Currently only support for qemu is implemented as I want to test the waters to
see if you're interested in this feature, Astro.
In addition to qmeu, cloud-hypervisor can be supported via smbios. But it depends
on this feature being added, and also #336 being merged to microvm.nix
cloud-hypervisor could be supported immediately, but then the secrets would be
visible in the ps output.
A cursory code search shows that the following additional hypervisors could be
supported:
kvmtool and firecracker both seem like they cannot be supported.
Related: