×

You can configure SSH access to virtual machines (VMs) by using the following methods:

  • virtctl ssh command

    You create an SSH key pair, add the public key to a VM, and connect to the VM by running the virtctl ssh command with the private key.

    You can add public SSH keys to Red Hat Enterprise Linux (RHEL) 9 VMs at runtime or at first boot to VMs with guest operating systems that can be configured by using a cloud-init data source.

  • virtctl port-forward command

    You add the virtctl port-foward command to your .ssh/config file and connect to the VM by using OpenSSH.

  • Service

    You create a service, associate the service with the VM, and connect to the IP address and port exposed by the service.

  • Secondary network

    You configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address.

Access configuration considerations

Each method for configuring access to a virtual machine (VM) has advantages and limitations, depending on the traffic load and client requirements.

Services provide excellent performance and are recommended for applications that are accessed from outside the cluster.

If the internal cluster network cannot handle the traffic load, you can configure a secondary network.

virtctl ssh and virtctl port-forwarding commands
  • Simple to configure.

  • Recommended for troubleshooting VMs.

  • virtctl port-forwarding recommended for automated configuration of VMs with Ansible.

  • Dynamic public SSH keys can be used to provision VMs with Ansible.

  • Not recommended for high-traffic applications like Rsync or Remote Desktop Protocol because of the burden on the API server.

  • The API server must be able to handle the traffic load.

  • The clients must be able to access the API server.

  • The clients must have access credentials for the cluster.

Cluster IP service
  • The internal cluster network must be able to handle the traffic load.

  • The clients must be able to access an internal cluster IP address.

Node port service
  • The internal cluster network must be able to handle the traffic load.

  • The clients must be able to access at least one node.

Load balancer service
  • A load balancer must be configured.

  • Each node must be able to handle the traffic load of one or more load balancer services.

Secondary network
  • Excellent performance because traffic does not go through the internal cluster network.

  • Allows a flexible approach to network topology.

  • Guest operating system must be configured with appropriate security because the VM is exposed directly to the secondary network. If a VM is compromised, an intruder could gain access to the secondary network.

Using virtctl ssh

You can add a public SSH key to a virtual machine (VM) and connect to the VM by running the virtctl ssh command.

This method is simple to configure. However, it is not recommended for high traffic loads because it places a burden on the API server.

About static and dynamic SSH key management

You can add public SSH keys to virtual machines (VMs) statically at first boot or dynamically at runtime.

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

Static SSH key management

You can add a statically managed SSH key to a VM with a guest operating system that supports configuration by using a cloud-init data source. The key is added to the virtual machine (VM) at first boot.

You can add the key by using one of the following methods:

  • Add a key to a single VM when you create it by using the web console or the command line.

  • Add a key to a project by using the web console. Afterwards, the key is automatically added to the VMs that you create in this project.

Use cases
  • As a VM owner, you can provision all your newly created VMs with a single key.

Dynamic SSH key management

You can enable dynamic SSH key management for a VM with Red Hat Enterprise Linux (RHEL) 9 installed. Afterwards, you can update the key during runtime. The key is added by the QEMU guest agent, which is installed with Red Hat boot sources.

You can disable dynamic key management for security reasons. Then, the VM inherits the key management setting of the image from which it was created.

Use cases
  • Granting or revoking access to VMs: As a cluster administrator, you can grant or revoke remote VM access by adding or removing the keys of individual users from a Secret object that is applied to all VMs in a namespace.

  • User access: You can add your access credentials to all VMs that you create and manage.

  • Ansible provisioning:

    • As an operations team member, you can create a single secret that contains all the keys used for Ansible provisioning.

    • As a VM owner, you can create a VM and attach the keys used for Ansible provisioning.

  • Key rotation:

    • As a cluster administrator, you can rotate the Ansible provisioner keys used by VMs in a namespace.

    • As a workload owner, you can rotate the key for the VMs that you manage.

Static key management

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console or the command line. The key is added as a cloud-init data source when the VM boots for the first time.

You can also add the key to a project by using the Red Hat OpenShift Service on AWS web console. Afterwards, this key is added automatically to VMs that you create in the project.

Adding a key when creating a VM from a template

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console. The key is added to the VM as a cloud-init data source at first boot. This method does not affect cloud-init user data.

Optional: You can add a key to a project. Afterwards, this key is added automatically to VMs that you create in the project.

Prerequisites
  • You generated an SSH key pair by running the ssh-keygen command.

Procedure
  1. Navigate to VirtualizationCatalog in the web console.

  2. Click a template tile.

    The guest operating system must support configuration from a cloud-init data source.

  3. Click Customize VirtualMachine.

  4. Click Next.

  5. Click the Scripts tab.

  6. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:

    • Use existing: Select a secret from the secrets list.

    • Add new:

      1. Browse to the SSH key file or paste the file in the key field.

      2. Enter the secret name.

      3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

  7. Click Save.

  8. Click Create VirtualMachine.

    The VirtualMachine details page displays the progress of the VM creation.

Verification
  • Click the Scripts tab on the Configuration tab.

    The secret name is displayed in the Authorized SSH key section.

Adding a key when creating a VM from an instance type by using the web console

You can add a statically managed SSH key when you create a virtual machine (VM) from an instance type by using the Red Hat OpenShift Service on AWS web console. The key is added to the VM as a cloud-init data source at first boot. This method does not affect cloud-init user data.

Procedure
  1. In the web console, navigate to VirtualizationCatalog and click the InstanceTypes tab.

  2. Select either of the following options:

    • Select a bootable volume.

      The bootable volume table lists only those volumes in the openshift-virtualization-os-images namespace that have the instancetype.kubevirt.io/default-preference label.

      • Optional: Click the star icon to designate a bootable volume as a favorite. Starred bootable volumes appear first in the volume list.

    • Click Add volume to upload a new volume or use an existing persistent volume claim (PVC), volume snapshot, or data source. Then click Save.

  3. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key in the VirtualMachine details section.

  4. Select one of the following options:

    • Use existing: Select a secret from the secrets list.

    • Add new:

      1. Browse to the public SSH key file or paste the file in the key field.

      2. Enter the secret name.

      3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

      4. Click Save.

  5. Optional: Click View YAML & CLI to view the YAML file. Click CLI to view the CLI commands. You can also download or copy either the YAML file contents or the CLI commands.

  6. Click Create VirtualMachine.

After the VM is created, you can monitor the status on the VirtualMachine details page.

Adding a key when creating a VM by using the command line

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the command line. The key is added to the VM at first boot.

The key is added to the VM as a cloud-init data source. This method separates the access credentials from the application data in the cloud-init user data. This method does not affect cloud-init user data.

Prerequisites
  • You generated an SSH key pair by running the ssh-keygen command.

Procedure
  1. Create a manifest file for a VirtualMachine object and a Secret object:

    Example manifest
    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: example-vm
      namespace: example-namespace
    spec:
      dataVolumeTemplates:
        - metadata:
            name: example-vm-volume
          spec:
            sourceRef:
              kind: DataSource
              name: rhel9
              namespace: openshift-virtualization-os-images
            storage:
              resources: {}
      instancetype:
        name: u1.medium
      preference:
        name: rhel.9
      running: true
      template:
        spec:
          domain:
            devices: {}
          volumes:
            - dataVolume:
                name: example-vm-volume
              name: rootdisk
            - cloudInitNoCloud: (1)
                userData: |-
                  #cloud-config
                  user: cloud-user
              name: cloudinitdisk
          accessCredentials:
            - sshPublicKey:
                propagationMethod:
                  noCloud: {}
                source:
                  secret:
                    secretName: authorized-keys (2)
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: authorized-keys
    data:
      key: c3NoLXJzYSB... (3)
    1 Specify the cloudInitNoCloud data source.
    2 Specify the Secret object name.
    3 Paste the public SSH key.
  2. Create the VirtualMachine and Secret objects by running the following command:

    $ oc create -f <manifest_file>.yaml
  3. Start the VM by running the following command:

    $ virtctl start vm example-vm -n example-namespace
Verification
  • Get the VM configuration:

    $ oc describe vm example-vm -n example-namespace
    Example output
    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: example-vm
      namespace: example-namespace
    spec:
      template:
        spec:
          accessCredentials:
            - sshPublicKey:
                propagationMethod:
                  noCloud: {}
                source:
                  secret:
                    secretName: authorized-keys
    # ...

Dynamic key management

You can enable dynamic key injection for a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console or the command line. Then, you can update the key at runtime.

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

If you disable dynamic key injection, the VM inherits the key management method of the image from which it was created.

Enabling dynamic key injection when creating a VM from a template

You can enable dynamic public SSH key injection when you create a virtual machine (VM) from a template by using the Red Hat OpenShift Service on AWS web console. Then, you can update the key at runtime.

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

The key is added to the VM by the QEMU guest agent, which is installed with RHEL 9.

Prerequisites
  • You generated an SSH key pair by running the ssh-keygen command.

Procedure
  1. Navigate to VirtualizationCatalog in the web console.

  2. Click the Red Hat Enterprise Linux 9 VM tile.

  3. Click Customize VirtualMachine.

  4. Click Next.

  5. Click the Scripts tab.

  6. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:

    • Use existing: Select a secret from the secrets list.

    • Add new:

      1. Browse to the SSH key file or paste the file in the key field.

      2. Enter the secret name.

      3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

  7. Set Dynamic SSH key injection to on.

  8. Click Save.

  9. Click Create VirtualMachine.

    The VirtualMachine details page displays the progress of the VM creation.

Verification
  • Click the Scripts tab on the Configuration tab.

    The secret name is displayed in the Authorized SSH key section.

Enabling dynamic key injection when creating a VM from an instance type by using the web console

You can enable dynamic SSH key injection when you create a virtual machine (VM) from an instance type by using the Red Hat OpenShift Service on AWS web console. Then, you can add or revoke the key at runtime.

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

The key is added to the VM by the QEMU guest agent, which is installed with RHEL 9.

Procedure
  1. In the web console, navigate to VirtualizationCatalog and click the InstanceTypes tab.

  2. Select either of the following options:

    • Select a bootable volume.

      The bootable volume table lists only those volumes in the openshift-virtualization-os-images namespace that have the instancetype.kubevirt.io/default-preference label.

      • Optional: Click the star icon to designate a bootable volume as a favorite. Starred bootable volumes appear first in the volume list.

    • Click Add volume to upload a new volume or use an existing persistent volume claim (PVC), volume snapshot, or data source. Then click Save.

  3. Click the Red Hat Enterprise Linux 9 VM tile.

  4. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key in the VirtualMachine details section.

  5. Select one of the following options:

    • Use existing: Select a secret from the secrets list.

    • Add new:

      1. Browse to the public SSH key file or paste the file in the key field.

      2. Enter the secret name.

      3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

      4. Click Save.

  6. Set Dynamic SSH key injection in the VirtualMachine details section to on.

  7. Optional: Click View YAML & CLI to view the YAML file. Click CLI to view the CLI commands. You can also download or copy either the YAML file contents or the CLI commands.

  8. Click Create VirtualMachine.

After the VM is created, you can monitor the status on the VirtualMachine details page.

Enabling dynamic SSH key injection by using the web console

You can enable dynamic key injection for a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console. Then, you can update the public SSH key at runtime.

The key is added to the VM by the QEMU guest agent, which is installed with Red Hat Enterprise Linux (RHEL) 9.

Prerequisites
  • The guest operating system is RHEL 9.

Procedure
  1. Navigate to VirtualizationVirtualMachines in the web console.

  2. Select a VM to open the VirtualMachine details page.

  3. On the Configuration tab, click Scripts.

  4. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:

    • Use existing: Select a secret from the secrets list.

    • Add new:

      1. Browse to the SSH key file or paste the file in the key field.

      2. Enter the secret name.

      3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.

  5. Set Dynamic SSH key injection to on.

  6. Click Save.

Enabling dynamic key injection by using the command line

You can enable dynamic key injection for a virtual machine (VM) by using the command line. Then, you can update the public SSH key at runtime.

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

The key is added to the VM by the QEMU guest agent, which is installed automatically with RHEL 9.

Prerequisites
  • You generated an SSH key pair by running the ssh-keygen command.

Procedure
  1. Create a manifest file for a VirtualMachine object and a Secret object:

    Example manifest
    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: example-vm
      namespace: example-namespace
    spec:
      dataVolumeTemplates:
        - metadata:
            name: example-vm-volume
          spec:
            sourceRef:
              kind: DataSource
              name: rhel9
              namespace: openshift-virtualization-os-images
            storage:
              resources: {}
      instancetype:
        name: u1.medium
      preference:
        name: rhel.9
      running: true
      template:
        spec:
          domain:
            devices: {}
          volumes:
            - dataVolume:
                name: example-vm-volume
              name: rootdisk
            - cloudInitNoCloud: (1)
                userData: |-
                  #cloud-config
                  runcmd:
                  - [ setsebool, -P, virt_qemu_ga_manage_ssh, on ]
              name: cloudinitdisk
          accessCredentials:
            - sshPublicKey:
                propagationMethod:
                  qemuGuestAgent:
                    users: ["cloud-user"]
                source:
                  secret:
                    secretName: authorized-keys (2)
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: authorized-keys
    data:
      key: c3NoLXJzYSB... (3)
    1 Specify the cloudInitNoCloud data source.
    2 Specify the Secret object name.
    3 Paste the public SSH key.
  2. Create the VirtualMachine and Secret objects by running the following command:

    $ oc create -f <manifest_file>.yaml
  3. Start the VM by running the following command:

    $ virtctl start vm example-vm -n example-namespace
Verification
  • Get the VM configuration:

    $ oc describe vm example-vm -n example-namespace
    Example output
    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: example-vm
      namespace: example-namespace
    spec:
      template:
        spec:
          accessCredentials:
            - sshPublicKey:
                propagationMethod:
                  qemuGuestAgent:
                    users: ["cloud-user"]
                source:
                  secret:
                    secretName: authorized-keys
    # ...

Using the virtctl ssh command

You can access a running virtual machine (VM) by using the virtcl ssh command.

Prerequisites
  • You installed the virtctl command line tool.

  • You added a public SSH key to the VM.

  • You have an SSH client installed.

  • The environment where you installed the virtctl tool has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure
  • Run the virtctl ssh command:

    $ virtctl -n <namespace> ssh <username>@example-vm -i <ssh_key> (1)
    1 Specify the namespace, user name, and the SSH private key. The default SSH key location is /home/user/.ssh. If you save the key in a different location, you must specify the path.
    Example
    $ virtctl -n my-namespace ssh cloud-user@example-vm -i my-key

You can copy the virtctl ssh command in the web console by selecting Copy SSH command from the options kebab menu beside a VM on the VirtualMachines page.

Using the virtctl port-forward command

You can use your local OpenSSH client and the virtctl port-forward command to connect to a running virtual machine (VM). You can use this method with Ansible to automate the configuration of VMs.

This method is recommended for low-traffic applications because port-forwarding traffic is sent over the control plane. This method is not recommended for high-traffic applications such as Rsync or Remote Desktop Protocol because it places a heavy burden on the API server.

Prerequisites
  • You have installed the virtctl client.

  • The virtual machine you want to access is running.

  • The environment where you installed the virtctl tool has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure
  1. Add the following text to the ~/.ssh/config file on your client machine:

    Host vm/*
      ProxyCommand virtctl port-forward --stdio=true %h %p
  2. Connect to the VM by running the following command:

    $ ssh <user>@vm/<vm_name>.<namespace>

Using a service for SSH access

You can create a service for a virtual machine (VM) and connect to the IP address and port exposed by the service.

Services provide excellent performance and are recommended for applications that are accessed from outside the cluster or within the cluster. Ingress traffic is protected by firewalls.

If the cluster network cannot handle the traffic load, consider using a secondary network for VM access.

About services

A Kubernetes service exposes network access for clients to an application running on a set of pods. Services offer abstraction, load balancing, and, in the case of the NodePort and LoadBalancer types, exposure to the outside world.

ClusterIP

Exposes the service on an internal IP address and as a DNS name to other applications within the cluster. A single service can map to multiple virtual machines. When a client tries to connect to the service, the client’s request is load balanced among available backends. ClusterIP is the default service type.

NodePort

Exposes the service on the same port of each selected node in the cluster. NodePort makes a port accessible from outside the cluster, as long as the node itself is externally accessible to the client.

LoadBalancer

Creates an external load balancer in the current cloud (if supported) and assigns a fixed, external IP address to the service.

Creating a service

You can create a service to expose a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console, virtctl command line tool, or a YAML file.

Enabling load balancer service creation by using the web console

You can enable the creation of load balancer services for a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console.

Prerequisites
  • You have configured a load balancer for the cluster.

  • You are logged in as a user with the cluster-admin role.

Procedure
  1. Navigate to VirtualizationOverview.

  2. On the Settings tab, click Cluster.

  3. Expand General settings and SSH configuration.

  4. Set SSH over LoadBalancer service to on.

Creating a service by using the web console

You can create a node port or load balancer service for a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console.

Prerequisites
  • You configured the cluster network to support either a load balancer or a node port.

  • To create a load balancer service, you enabled the creation of load balancer services.

Procedure
  1. Navigate to VirtualMachines and select a virtual machine to view the VirtualMachine details page.

  2. On the Details tab, select SSH over LoadBalancer from the SSH service type list.

  3. Optional: Click the copy icon to copy the SSH command to your clipboard.

Verification
  • Check the Services pane on the Details tab to view the new service.

Creating a service by using virtctl

You can create a service for a virtual machine (VM) by using the virtctl command line tool.

Prerequisites
  • You installed the virtctl command line tool.

  • You configured the cluster network to support the service.

  • The environment where you installed virtctl has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure
  • Create a service by running the following command:

    $ virtctl expose vm <vm_name> --name <service_name> --type <service_type> --port <port> (1)
    1 Specify the ClusterIP, NodePort, or LoadBalancer service type.
    Example
    $ virtctl expose vm example-vm --name example-service --type NodePort --port 22
Verification
  • Verify the service by running the following command:

    $ oc get service
Next steps

After you create a service with virtctl, you must add special: key to the spec.template.metadata.labels stanza of the VirtualMachine manifest. See Creating a service by using the command line.

Creating a service by using the command line

You can create a service and associate it with a virtual machine (VM) by using the command line.

Prerequisites
  • You configured the cluster network to support the service.

Procedure
  1. Edit the VirtualMachine manifest to add the label for service creation:

    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: example-vm
      namespace: example-namespace
    spec:
      running: false
      template:
        metadata:
          labels:
            special: key (1)
    # ...
    1 Add special: key to the spec.template.metadata.labels stanza.

    Labels on a virtual machine are passed through to the pod. The special: key label must match the label in the spec.selector attribute of the Service manifest.

  2. Save the VirtualMachine manifest file to apply your changes.

  3. Create a Service manifest to expose the VM:

    apiVersion: v1
    kind: Service
    metadata:
      name: example-service
      namespace: example-namespace
    spec:
    # ...
      selector:
        special: key (1)
      type: NodePort (2)
      ports: (3)
        protocol: TCP
        port: 80
        targetPort: 9376
        nodePort: 30000
    1 Specify the label that you added to the spec.template.metadata.labels stanza of the VirtualMachine manifest.
    2 Specify ClusterIP, NodePort, or LoadBalancer.
    3 Specifies a collection of network ports and protocols that you want to expose from the virtual machine.
  4. Save the Service manifest file.

  5. Create the service by running the following command:

    $ oc create -f example-service.yaml
  6. Restart the VM to apply the changes.

Verification
  • Query the Service object to verify that it is available:

    $ oc get service -n example-namespace

Connecting to a VM exposed by a service by using SSH

You can connect to a virtual machine (VM) that is exposed by a service by using SSH.

Prerequisites
  • You created a service to expose the VM.

  • You have an SSH client installed.

  • You are logged in to the cluster.

Procedure
  • Run the following command to access the VM:

    $ ssh <user_name>@<ip_address> -p <port> (1)
    1 Specify the cluster IP for a cluster IP service, the node IP for a node port service, or the external IP address for a load balancer service.

Using a secondary network for SSH access

You can configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address by using SSH.

Secondary networks provide excellent performance because the traffic is not handled by the cluster network stack. However, the VMs are exposed directly to the secondary network and are not protected by firewalls. If a VM is compromised, an intruder could gain access to the secondary network. You must configure appropriate security within the operating system of the VM if you use this method.

See the Multus and SR-IOV documentation in the OpenShift Virtualization Tuning & Scaling Guide for additional information about networking options.

Prerequisites

Configuring a VM network interface by using the web console

You can configure a network interface for a virtual machine (VM) by using the Red Hat OpenShift Service on AWS web console.

Prerequisites
  • You created a network attachment definition for the network.

Procedure
  1. Navigate to VirtualizationVirtualMachines.

  2. Click a VM to view the VirtualMachine details page.

  3. On the Configuration tab, click the Network interfaces tab.

  4. Click Add network interface.

  5. Enter the interface name and select the network attachment definition from the Network list.

  6. Click Save.

  7. Restart the VM to apply the changes.

Connecting to a VM attached to a secondary network by using SSH

You can connect to a virtual machine (VM) attached to a secondary network by using SSH.

Prerequisites
  • You attached a VM to a secondary network with a DHCP server.

  • You have an SSH client installed.

Procedure
  1. Obtain the IP address of the VM by running the following command:

    $ oc describe vm <vm_name> -n <namespace>
    Example output
    # ...
    Interfaces:
      Interface Name:  eth0
      Ip Address:      10.244.0.37/24
      Ip Addresses:
        10.244.0.37/24
        fe80::858:aff:fef4:25/64
      Mac:             0a:58:0a:f4:00:25
      Name:            default
    # ...
  2. Connect to the VM by running the following command:

    $ ssh <user_name>@<ip_address> -i <ssh_key>
    Example
    $ ssh cloud-user@10.244.0.37 -i ~/.ssh/id_rsa_cloud-user