Gregory's ServerHere's another little feature we scheduled for the next systemd release. Everyone knows SSH well, and it's great to connect to hosts remotely, and even do file transfer. It's probably *the* single most relevant way to talk to some host for administration and various other tasks. It's a bit fragile though: it requires networking, and that even if we talk to a local VM or full OS container. But precisely networking is one of the things you might want to administer via SSH, hence you have a cyclic…
 5 comments
the network. AF_VSOCK is an address family that is supported on many hypervisors (including kvm/qemu), that allows talking to VMs without bothering with a real network. It's modeled after IP but can be vastly simpler since there's no routing or anything. The aforementioned generator just binds ssh to AV_VSOCK port 22, via socket activation (this is hence more or less "free"), and only if sshd is actually installed. Moreover, if a container mgr mounts /run/host/unix-export/ into the container… … the generator will bind an AF_UNIX socket into it also providing ssh. The idea is that that dir is mounted both into the container and into the host, so that the AF_UNIX is accessible from both. The other side of the equation is that a tiny plugin for the ssh client which allows connecting to AF_VSOCK/AF_UNIX sockets. In effect: without any further manual configuration full OS containers and VMs are now accessible from the host without any networking. Just run "ssh vsock/4711" or … @siosm anyway, the PR is here: https://github.com/systemd/systemd/pull/30777 The PR is almost ready, I just need to add some test cases. Enjoy. |
…and risky dependency. But for the VM and full OS container case there's no real need to use SSH via the network: these things run on the local system, hence why bother with IP? To address that we are adding a small generator (that means: a plugin for systemd that generates units on the fly, based on system state, configuration) which binds SSH to a local AF_VSOCK socket in a VM, and to an AF_UNIX socket in a container. You can then use these to directly connect to the system without involving…