Difference between revisions of "VPP/HostStack/LDP/sshd"
Latest revision as of 23:54, 16 June 2021
sshd with LD_PRELOAD
Example of how to run sshd via ldp and vcl on top of vpp's host stack. Although OpenSSH 7.6p1 on Ubuntu 18.04.1 used to work unchanged with vpp as of gerrit 16342, 8.6p1 requires some patching to work with vpp 21.06 and Ubuntu 20.04. In particular:
- privilege separation is no longer compatible with ldp so it must be disabled (use_privsep = 0 in sshd.c)
- closefrom(REEXEC_DEVCRYPTO_RESERVED_FD) in sshd.c must be commented out or it will close the binary api socket
To run the test two hosts with networking connectivity are needed:
- server where vpp and sshd run
- client where the ssh client runs on top of the linux host stack
Server configuration
Since this is experimental work, it is recommended to start vpp in debug mode with the following additions to startup.conf:
    unix { gid vpp }
    session { evt_qs_memfd_seg }
    socksvr { socket-name /tmp/vpp-api.sock }
These ensure that vpp starts with gid vpp, the session layer uses a memfd segment for event queues and that the binary api can work with a socket transport. It is also important that the user that starts vpp is a member of the vpp group.
The minimal vcl startup configuration in /etc/vpp/vcl.conf should be:
    vcl {
      heapsize 64M
      rx-fifo-size 4000000
      tx-fifo-size 4000000
      api-socket-name /tmp/vpp-api.sock
    }
To start sshd run:
    sudo LD_PRELOAD=$LDP_PATH sshd -f $CFG_FILE -4 -r -D
LDP_PATH is the path to the LD_PRELOAD library built by vpp. Typically you can find this under build-root/build-vpp_debug-native/vpp/lib/libvcl_ldpreload.so. CFG_FILE is a customized sshd configuration file. In particular, the following options have been changed compared to the default /etc/ssh/sshd_config:
    Port 2222
    HostKey /path/to/valid/ssh_host_rsa_key
    PidFile /tmp/vcl_sshd.pid
The rest of the options limit network connectivity to IPv4 and set flags that force sshd not to re-execute and daemonize.
Running the client
Assuming that the client will do public key authentication with the server and that the keys have been properly configured, on the client linux host do:
    ssh -p 2222 <server_ip>
At this point you should be logged into the server. To see the ssh session in vpp cli do:
    sh session verbose
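A pre-flight script that ties the server-side steps above together, added here as an example and not part of the VPP wiki or project: it checks that the sshd configuration carries the Port, HostKey and PidFile overrides the page describes, that the host key is not readable by other users, that the LDP library and the vpp binary api socket exist, and that the invoking user is in group vpp. It assumes the paths used on this page (LDP_PATH, CFG_FILE, /tmp/vpp-api.sock) and a Linux host with awk and ls.

```shell
#!/bin/sh
# Pre-flight checks before starting sshd under vpp's LD_PRELOAD library.
# Added example, not from the VPP wiki; assumes the page's paths
# (LDP_PATH, CFG_FILE, /tmp/vpp-api.sock) and a Linux host with awk and ls.

# check_sshd_cfg FILE: succeed only if FILE sets the three overrides the
# page describes (Port, HostKey, PidFile) and the HostKey is a private file.
check_sshd_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "config $cfg not readable" >&2; return 1; }
    port=$(awk 'tolower($1)=="port"    {print $2; exit}' "$cfg")
    hostkey=$(awk 'tolower($1)=="hostkey" {print $2; exit}' "$cfg")
    pidfile=$(awk 'tolower($1)=="pidfile" {print $2; exit}' "$cfg")
    [ -n "$port" ] && [ -n "$hostkey" ] && [ -n "$pidfile" ] ||
        { echo "Port, HostKey and PidFile must all be set in $cfg" >&2; return 1; }
    [ -f "$hostkey" ] || { echo "HostKey $hostkey missing" >&2; return 1; }
    # sshd refuses a host key that group or others can read; fail early.
    mode=$(ls -l "$hostkey" | cut -c5-10)
    [ "$mode" = "------" ] ||
        { echo "HostKey $hostkey must not be group/world accessible" >&2; return 1; }
    # -D keeps sshd in the foreground but it still writes the pid file.
    [ -d "$(dirname "$pidfile")" ] ||
        { echo "PidFile directory for $pidfile does not exist" >&2; return 1; }
    echo "sshd config ok: port $port, key $hostkey"
}

# check_ldp_env LDP_PATH API_SOCKET: the preload library must exist, vpp must
# already be listening on its binary api socket, and the page requires the
# user that runs vpp to be a member of group vpp.
check_ldp_env() {
    [ -f "$1" ] || { echo "LDP library $1 not found" >&2; return 1; }
    [ -S "$2" ] || { echo "vpp api socket $2 missing; is vpp running?" >&2; return 1; }
    id -nG | grep -qw vpp || { echo "current user is not in group vpp" >&2; return 1; }
}

# Usage: preflight.sh LDP_PATH CFG_FILE
if [ "$#" -eq 2 ]; then
    check_ldp_env "$1" /tmp/vpp-api.sock && check_sshd_cfg "$2" &&
        echo "ok: sudo LD_PRELOAD=$1 sshd -f $2 -4 -r -D"
fi
```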