Difference between revisions of "VPP/HostStack/LDP/sshd"

From fd.io
< VPP‎ | HostStack
Jump to: navigation, search
(Server configuration)
 
(19 intermediate revisions by the same user not shown)
Line 1: Line 1:
Example of how to run sshd via LDP and VCL on top of VPP's host stack. This is known to work as of vpp [https://gerrit.fd.io/r/#/c/16340/ gerrit 16340] with OpenSSH 7.6p1 on Ubuntu 18.04.1.  
+
= sshd with LD_PRELOAD =
 +
 
 +
Example of how to run sshd via ldp and vcl on top of vpp's host stack. Although OpenSSH 7.6p1 on Ubuntu 18.04.1 used to work unchanged with vpp as of [https://gerrit.fd.io/r/#/c/16342/ gerrit 16342], 8.6p1 requires some patching to work with vpp 21.06 and Ubuntu 20.04. In particular:
 +
* privilege separation is no longer compatible with ldp so it must be disabled (<code>use_privsep = 0</code> in sshd.c)
 +
* <code>closefrom(REEXEC_DEVCRYPTO_RESERVED_FD)</code> in sshd.c must be commented out or it will close the binary api socket
  
 
To run the test two hosts with networking connectivity are needed:
 
To run the test two hosts with networking connectivity are needed:
- server where vpp and sshd run
+
* server where vpp and sshd run
- client where the ssh client runs on top of the linux host stack
+
* client where the ssh client runs on top of the linux host stack
  
 
== Server configuration ==
 
== Server configuration ==
Line 9: Line 13:
 
Since this is experimental work, it is recommended to start vpp in debug mode with the following additions to startup.conf:
 
Since this is experimental work, it is recommended to start vpp in debug mode with the following additions to startup.conf:
  
 +
unix { gid vpp }
 
  session { evt_qs_memfd_seg  }
 
  session { evt_qs_memfd_seg  }
 
  socksvr { socket-name /tmp/vpp-api.sock}
 
  socksvr { socket-name /tmp/vpp-api.sock}
 +
 +
These ensure that vpp starts with gid vpp, the session layer uses a memfd segment for event queues and that the binary api can work with a socket transport. It is also important that the user that starts vpp is a member of the vpp group.
 +
 +
The minimal vcl startup configuration in <code>/etc/vpp/vcl.conf</code> should be:
 +
 +
vcl {
 +
  heapsize 64M
 +
  rx-fifo-size 4000000
 +
  tx-fifo-size 4000000
 +
  api-socket-name /tmp/vpp-api.sock
 +
}
 +
 +
To startup sshd run:
 +
 +
sudo LD_PRELOAD=$LDP_PATH sshd -f $CFG_FILE -4 -r -D
 +
 +
<code>LDP_PATH</code> is the path to the LD_PRELOAD library built by vpp. Typically you can find this under <code>build-root/build-vpp_debug-native/vpp/lib/libvcl_ldpreload.so</code>. The <code>CFG_FILE</code> is a customized sshd file. In particular, the following things have been changed compared to the default /etc/ssh/sshd_config:
 +
 +
Port 2222
 +
HostKey /path/to/valid/ssh_host_rsa_key
 +
PidFile /tmp/vcl_sshd.pid
 +
 +
The rest of the options limit network connectivity to IPv4 and set flags that force sshd not to re-execute and daemonize.
 +
 +
== Running the client ==
 +
 +
Assuming that the client will do public key authentication with the server and that the keys have been properly configured, on the client linux host do:
 +
 +
ssh -p 2222 <server_ip>
 +
 +
At this point you should be logged into the server. To see the ssh session in vpp cli do:
 +
 +
sh session verbose

Latest revision as of 23:54, 16 June 2021

sshd with LD_PRELOAD

Example of how to run sshd via ldp and vcl on top of vpp's host stack. Although OpenSSH 7.6p1 on Ubuntu 18.04.1 used to work unchanged with vpp as of gerrit 16342, 8.6p1 requires some patching to work with vpp 21.06 and Ubuntu 20.04. In particular:

  • privilege separation is no longer compatible with ldp so it must be disabled (use_privsep = 0 in sshd.c)
  • closefrom(REEXEC_DEVCRYPTO_RESERVED_FD) in sshd.c must be commented out or it will close the binary api socket

To run the test two hosts with networking connectivity are needed:

  • server where vpp and sshd run
  • client where the ssh client runs on top of the linux host stack

Server configuration

Since this is experimental work, it is recommended to start vpp in debug mode with the following additions to startup.conf:

unix { gid vpp }
session { evt_qs_memfd_seg  }
socksvr { socket-name /tmp/vpp-api.sock}

These ensure that vpp starts with gid vpp, the session layer uses a memfd segment for event queues and that the binary api can work with a socket transport. It is also important that the user that starts vpp is a member of the vpp group.

The minimal vcl startup configuration in /etc/vpp/vcl.conf should be:

vcl {
  heapsize 64M
  rx-fifo-size 4000000
  tx-fifo-size 4000000
  api-socket-name /tmp/vpp-api.sock
}

To startup sshd run:

sudo LD_PRELOAD=$LDP_PATH sshd -f $CFG_FILE -4 -r -D

LDP_PATH is the path to the LD_PRELOAD library built by vpp. Typically you can find this under build-root/build-vpp_debug-native/vpp/lib/libvcl_ldpreload.so. The CFG_FILE is a customized sshd file. In particular, the following things have been changed compared to the default /etc/ssh/sshd_config:

Port 2222
HostKey /path/to/valid/ssh_host_rsa_key
PidFile /tmp/vcl_sshd.pid

The rest of the options limit network connectivity to IPv4 and set flags that force sshd not to re-execute and daemonize.

Running the client

Assuming that the client will do public key authentication with the server and that the keys have been properly configured, on the client linux host do:

ssh -p 2222 <server_ip>

At this point you should be logged into the server. To see the ssh session in vpp cli do:

sh session verbose