From: Дамјан Георгиевски <gdamjan@gmail.com>
Date: Mon, 20 May 2024 14:36:56 +0000 (+0200)
Subject: vsock-mux ssh proxy
X-Git-Tag: v257-rc1~1192
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d357f129b2fbc1538bbeb020acc193b0f361898c;p=thirdparty%2Fsystemd.git

vsock-mux ssh proxy

allow the ssh-proxy to connect to cloud-hypervisor/Firecracker guests,
via their unix-domain socket to AF_VSOCK multiplexer:

https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/vsock.md
https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md
---

diff --git a/man/systemd-ssh-proxy.xml b/man/systemd-ssh-proxy.xml
index d9615ff62ca..68bb6cbf3c7 100644
--- a/man/systemd-ssh-proxy.xml
+++ b/man/systemd-ssh-proxy.xml
@@ -24,7 +24,7 @@
 
   <refsynopsisdiv>
     <programlisting>
-Host unix/* vsock/*
+Host unix/* vsock/* vsock-mux/*
     ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
     ProxyUseFdpass yes
 </programlisting>
@@ -46,7 +46,7 @@ Host unix/* vsock/*
     configuration fragment like the following:</para>
 
     <programlisting>
-Host unix/* vsock/*
+Host unix/* vsock/* vsock-mux/*
     ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
     ProxyUseFdpass yes
     CheckHostIP no
@@ -64,7 +64,14 @@ Host .host
     <constant>AF_UNIX</constant> file system path to a socket will be directed to the specified socket, which
     must be of type <constant>SOCK_STREAM</constant>. Similar, SSH connections to <literal>vsock/</literal>
     followed by an <constant>AF_VSOCK</constant> CID will result in an SSH connection made to that
-    CID. Moreover connecting to <literal>.host</literal> will connect to the local host via SSH, without
+    CID. <literal>vsock-mux/</literal> followed by an absolute <constant>AF_UNIX</constant> file system
+    path to a socket is similar but for cloud-hypervisor/firecracker which don't allow
+    direct <constant>AF_VSOCK</constant> communication between the host and guests, and provide their own
+    multiplexer over <constant>AF_UNIX</constant> sockets. See
+    <ulink url="https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/vsock.md">cloud-hypervisor VSOCK support</ulink>
+    and <ulink url="https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md">Using the Firecracker Virtio-vsock Device</ulink>.</para>
+
+    <para>Moreover connecting to <literal>.host</literal> will connect to the local host via SSH, without
     involving networking.</para>
 
     <para>This tool is supposed to be used together with
@@ -89,6 +96,12 @@ Host .host
       <title>Talk to a local VM with CID 4711</title>
 
       <programlisting>ssh vsock/4711</programlisting>
+  </example>
+
+    <example>
+      <title>Talk to a VM guest hosted with cloud-hypervisor/firecracker</title>
+
+      <programlisting>ssh vsock-mux/run/vm-1234.sock</programlisting>
     </example>
 
     <example>
diff --git a/src/ssh-generator/ssh-proxy.c b/src/ssh-generator/ssh-proxy.c
index 4884c934d77..1145f1f738d 100644
--- a/src/ssh-generator/ssh-proxy.c
+++ b/src/ssh-generator/ssh-proxy.c
@@ -5,6 +5,7 @@
 #include <unistd.h>
 
 #include "fd-util.h"
+#include "io-util.h"
 #include "iovec-util.h"
 #include "log.h"
 #include "main-func.h"
@@ -79,6 +80,50 @@ static int process_unix(const char *path) {
         return 0;
 }
 
+static int process_vsock_mux(const char *path, const char *port) {
+        int r;
+
+        assert(path);
+        assert(port);
+
+        /* We assume the path is absolute unless it starts with a dot (or is already explicitly absolute) */
+        _cleanup_free_ char *prefixed = NULL;
+        if (!STARTSWITH_SET(path, "/", "./")) {
+                prefixed = strjoin("/", path);
+                if (!prefixed)
+                        return log_oom();
+
+                path = prefixed;
+        }
+
+        _cleanup_close_ int fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
+        if (fd < 0)
+                return log_error_errno(errno, "Failed to allocate AF_UNIX socket: %m");
+
+        r = connect_unix_path(fd, AT_FDCWD, path);
+        if (r < 0)
+                return log_error_errno(r, "Failed to connect to AF_UNIX socket %s: %m", path);
+
+        /* Based on the protocol as defined here:
+         * https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/vsock.md
+         * https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md */
+        _cleanup_free_ char *connect_cmd = NULL;
+        connect_cmd = strjoin("CONNECT ", port, "\n");
+        if (!connect_cmd)
+                return log_oom();
+
+        r = loop_write(fd, connect_cmd, SIZE_MAX);
+        if (r < 0)
+                return log_error_errno(r, "Failed to send CONNECT to %s:%s: %m", path, port);
+
+        r = send_one_fd_iov(STDOUT_FILENO, fd, &IOVEC_NUL_BYTE, /* n_iovec= */ 1, /* flags= */ 0);
+        if (r < 0)
+                return log_error_errno(r, "Failed to send socket via STDOUT: %m");
+
+        log_debug("Successfully sent AF_UNIX socket via STDOUT.");
+        return 0;
+}
+
 static int run(int argc, char* argv[]) {
 
         log_setup();
@@ -96,6 +141,10 @@ static int run(int argc, char* argv[]) {
         if (p)
                 return process_unix(p);
 
+        p = startswith(host, "vsock-mux/");
+        if (p)
+                return process_vsock_mux(p, port);
+
         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Don't know how to parse host name specification: %s", host);
 }