10.26. Setting Up RSA Authentication Between Nodes

Some operations on virtual environments, e.g., migration and backup to other nodes, require authenticating on remote servers running Virtuozzo Hybrid Server. It is typically done by means of passwords. If entering passwords is not an option, nodes can be authenticated with RSA keys.

Do the following:

  1. Generate an identity for the user that will run commands on the remote node. An identity is a pair of key files: the private key id_rsa and the public key id_rsa.pub. Identities are stored in <user_dir>/.vz/keys/. For example, to generate an identity for the current user (typically root):

    # mkdir -p ~/.vz/keys/
    # ssh-keygen -f ~/.vz/keys/id_rsa -m pem
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.vz/keys/id_rsa.
    Your public key has been saved in /root/.vz/keys/id_rsa.pub.
    The key fingerprint is:
    SHA256:Jf+I5HjipRFy1AxgC945ZrSVZCMkauhru40r1u9XEHQ root@node1.example.local
    The key's randomart image is:
    +---[RSA 2048]----+
    |  o.*oAo E       |
    |.o * B.*.        |
    |o.. O . = .      |
    |o  o o . +       |
    | .  . o G .      |
    |  .  o = o o     |
    | o.   + * . .    |
    |o.+. . B         |
    |o=o.oo+          |
    +----[SHA256]-----+
    
  2. Add the contents of the public key file id_rsa.pub to <user_dir>/.vz/keys/authorized_keys on the remote node (the same file the commands below write to). For example, for the root user:

    # cat ~/.vz/keys/id_rsa.pub | \
    ssh <user>@<remote_node> 'mkdir -p ~/.vz/keys/ && cat >> ~/.vz/keys/authorized_keys'
    

    Where <remote_node> is the remote node’s IP address.

    Note

    To use SSH keys as well, generate them in the user’s home directory on the local node and authorize them in the user’s directory on the remote node in the same way as the RSA keys above, e.g., cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys.
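The helper below is an added example and not part of the Virtuozzo documentation: it performs the authorized_keys append from step 2 (and the local-node append used for backing up remote virtual environments further down) without creating duplicate entries on repeated runs, and it keeps the key directory and file private to the user. It assumes a POSIX shell with awk on the node that holds authorized_keys; the ~/.vz/keys/ paths are the page's own, and the key in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the Virtuozzo docs): idempotent replacement for the
# "cat >> ~/.vz/keys/authorized_keys" step. The page's command appends a line
# on every run, leaving duplicate entries; this helper adds a key once and
# keeps the key directory and file private to the user (modes 700 and 600).

# vz_authorize_key PUBKEY_FILE AUTHORIZED_KEYS
# Returns 0 if the key was added, 1 if already present, 2 on malformed input.
vz_authorize_key() {
    local pubkey_file="$1" auth_file="$2" key_line key_type key_blob auth_dir
    key_line=$(head -n 1 "$pubkey_file") || return 2
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) return 2 ;;
    esac
    [ -n "$key_blob" ] || return 2
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"
    # Duplicate check on type and key material only; the comment is ignored.
    if awk -v t="$key_type" -v b="$key_blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# vz_key_count AUTHORIZED_KEYS: number of key entries in the file.
vz_key_count() {
    grep -c -E '^(ssh-|ecdsa-)' "$1" || true
}

# Demo with a constructed (fake) public key in a temporary directory; on a
# real node use ~/.vz/keys/id_rsa.pub and ~/.vz/keys/authorized_keys instead.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABdemokeymaterial root@node1.example.local\n' \
    > "$demo_dir/id_rsa.pub"
for _ in 1 2; do
    if vz_authorize_key "$demo_dir/id_rsa.pub" "$demo_dir/keys/authorized_keys"; then
        echo "key added"
    else
        echo "key already present"
    fi
done
echo "entries: $(vz_key_count "$demo_dir/keys/authorized_keys")"   # entries: 1
rm -rf "$demo_dir"
```

Run it on the remote node after copying id_rsa.pub there, or on the local node for the step where the local user's key is authorized locally.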

Now the user authorized on the remote node can manage virtual environments on that node without having to enter the password. Some of the operations are:

  • Creating and managing virtual environments remotely. For example:

    # prlctl create remote_ve -l <user>@<remote_node>
    # prlctl list remote_ve -l <user>@<remote_node>
    UUID              STATUS       IP_ADDR         T  NAME
    {6f18d2ce-<...>}  stopped      -               VM remote_ve
    
  • Backing up local virtual environments to remote nodes. For example:

    # prlctl backup local_ve -s <user>@<remote_node>
    # prlctl backup-list -s <user>@<remote_node>
    ID                Backup_ID         Node         Date        Type       Size
    {fc0106cb-<...>}  {b1edf157-<...>}  remote_node  02/28/2021
    
  • Setting the default backup location on a remote node. For example:

    # prlsrvctl set --backup-storage <user>@<remote_node>
    

    Note

    The use of passwords in the prlsrvctl set --backup-storage command is dropped in Virtuozzo Hybrid Server 7.5 Update 1 to avoid keeping passwords in the file system.

  • Backing up remote virtual environments to the local node. For example:

    # cat ~/.vz/keys/id_rsa.pub >> ~/.vz/keys/authorized_keys
    # prlctl backup remote_ve -l <user>@<remote_node> -s <user>@<local_node>
    

    Where <local_node> is the local node’s IP address. It must be reachable from the remote node.

    Adding the local user’s public key to the local node’s authorized keys is required to avoid being asked for the password, because the local node’s IP address is used instead of localhost.

  • Migrating virtual environments. For example:

    # prlctl migrate local_ve <user>@<remote_node>
    # prlctl migrate <user>@<remote_node>/remote_ve <user>@<local_node>