Daniel P. Berrangé
2022-Feb-10 08:50 UTC
qemu+ssh connections to a remote libvirt fail as ssh banner configured
On Thu, Feb 10, 2022 at 09:33:38AM +0100, Michal Prívozník wrote:
> On 2/10/22 09:02, Daniel P. Berrangé wrote:
> > On Thu, Feb 10, 2022 at 09:52:52AM +0800, Yalan Zhang wrote:
> >> Hi there,
> >>
> >> I have a system configured with ssh login banner like as below:
> >> # cat ~/.bashrc
> >> ...
> >> echo "================================================================================="
> >> echo "====== This machine is occupied by xxx for testing now. If you are about to use it, contact xxx first ======"
> >> echo "================================================================================="
> >>
> >> It works as expected that whenever someone logs into this system by ssh,
> >> he/she will see this warning message.
> >> But it seems such settings will impact a virsh client connection with ssh,
> >> when I try to connect the libvirt daemon on this system, it will error out :
> >> # virsh -c qemu+ssh://${my_host}/system list --all
> >> root@${my_host}'s password:
> >> error: failed to connect to the hypervisor
> >> error: packet 1027423545 bytes received from server too large, want 33554432
> >
> > Libvirt is tunnelling an RPC protocol over the SSH connection.
> > Your bashrc is printing this text onto the SSH connection and
> > that corrupts the libvirt RPC protocol.
> >
> > If you want to print something when people login use the
> > /etc/motd file which is designed for this purpose, don't
> > print stuff from a .bashrc. Libvirt gives the options to
> > SSH that prevent display of /etc/motd contents, so that
> > its RPC protocol doesn't get corrupted.
>
> One more thing, I wasn't able to reproduce when virt-ssh-helper was
> used. But maybe I wasn't trying hard enough.

That should be affected in exactly the same way. It still relies on
stdout/stdin being clean data channels.

Regards,
Daniel
--
|: https://berrange.com       -o-  https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org        -o-  https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-  https://www.instagram.com/dberrange :|
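The number in the reported error is the banner itself read as a packet length. The following is an added example, not code from this thread or from libvirt; it assumes each RPC packet begins with a 4-byte big-endian length word that counts itself, which matches the figures in the error, and the function names are hypothetical.

```python
import struct

# Assumptions (not stated in the thread): every RPC packet starts with a 4-byte
# big-endian length word that includes itself, and the client subtracts those
# 4 bytes before comparing against the limit printed in the error message.
LEN_WORD = 4
MAX_PAYLOAD = 33554432  # "want 33554432" from the error message


def decode_length(first_bytes: bytes) -> int:
    """Payload length a client would derive from the first 4 bytes on stdout."""
    if len(first_bytes) < LEN_WORD:
        raise ValueError("need at least 4 bytes")
    (total,) = struct.unpack(">I", first_bytes[:LEN_WORD])
    return total - LEN_WORD


def text_behind_error(reported: int) -> bytes:
    """Recover the 4 stray bytes behind a 'packet N bytes ... too large' error."""
    return struct.pack(">I", reported + LEN_WORD)


def classify(first_bytes: bytes) -> str:
    """Rough triage of whatever arrived first on the tunnelled channel."""
    head = first_bytes[:LEN_WORD]
    length = decode_length(first_bytes)
    if 0 <= length <= MAX_PAYLOAD:
        return "plausible RPC length"
    # Four printable ASCII bytes always decode to a value far above the limit.
    if all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in head):
        return f"printable text on stdout: {head!r}"
    return "oversized or corrupt length word"


if __name__ == "__main__":
    # Constructed sample: what the .bashrc echo writes before any RPC data.
    banner = b"=" * 81 + b"\n"
    print(decode_length(banner))
    print(text_behind_error(1027423545))
    print(classify(banner))
    # Constructed sample: a 28-byte packet with a well-formed length word.
    print(classify(b"\x00\x00\x00\x1c" + b"\x00" * 24))
```

Feeding the number from any similar "too large" error into `text_behind_error` shows the first four characters of whatever the remote shell printed, which helps locate the offending startup file.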
Yalan Zhang
2022-Feb-10 09:47 UTC
qemu+ssh connections to a remote libvirt fail as ssh banner configured
Thank you! I tried /etc/motd, and it does not impact the libvirt connection. Happy to learn something new!