10.22. Setting Up RSA Authentication Between Nodes

Some operations on virtual environments, e.g., migration and backup to other nodes, require authenticating on remote servers running Virtuozzo Hybrid Server. It is typically done by means of passwords. If entering passwords is not an option, nodes can be authenticated with RSA keys.

Do the following:

  1. Generate an identity for the user that will run commands on the remote node. An identity is a pair of key files: the private key id_rsa and the public key id_rsa.pub. Identities are stored in <user_dir>/.vz/keys/. For example, to generate an identity for the current user (typically root):

    # mkdir -p ~/.vz/keys/
    # ssh-keygen -f ~/.vz/keys/id_rsa
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.vz/keys/id_rsa.
    Your public key has been saved in /root/.vz/keys/id_rsa.pub.
    The key fingerprint is:
    SHA256:Jf+I5HjipRFy1AxgC945ZrSVZCMkauhru40r1u9XEHQ root@node1.example.local
    The key's randomart image is:
    +---[RSA 2048]----+
    |  o.*oAo E       |
    |.o * B.*.        |
    |o.. O . = .      |
    |o  o o . +       |
    | .  . o G .      |
    |  .  o = o o     |
    | o.   + * . .    |
    |o.+. . B         |
    |o=o.oo+          |
    +----[SHA256]-----+
    
  2. Add the contents of the public key file id_rsa.pub to <user_dir>/.vz/authorized_keys on the remote node. For example, for the root user:

    # cat ~/.vz/keys/id_rsa.pub | \
    ssh <user>@<remote_node> 'mkdir -p ~/.vz/keys/ && cat >> ~/.vz/keys/authorized_keys'
    

    Where <remote_node> is the remote node’s IP address.

    Note

    To use SSH keys as well, generate them in the user’s home directory on the local node and authorize them in the user’s directory on the remote node same as RSA keys, e.g., cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys.

Now the user authorized on the remote node can manage virtual environments on that node without having to enter the password. Some of the operations are:

  • Creating and managing virtual environments remotely. For example:

    # prlctl create remote_ve -l <user>@<remote_node>
    # prlctl list remote_ve -l <user>@<remote_node>
    UUID              STATUS       IP_ADDR         T  NAME
    {6f18d2ce-<...>}  stopped      -               VM remote_ve
    
  • Backing up local virtual environments to remote nodes. For example:

    # prlctl backup local_ve -s <user>@<remote_node>
    # prlctl backup-list -s <user>@<remote_node>
    ID                Backup_ID         Node         Date        Type       Size
    {fc0106cb-<...>}  {b1edf157-<...>}  remote_node  02/28/2021
    
  • Setting the default backup location on a remote node. For example:

    # prlsrvctl set --backup-storage <user>@<remote_node>
    

    Note

    The use of passwords in the prlsrvctl set --backup-storage command is dropped in Virtuozzo Hybrid Server 7.5 Update 1 to avoid keeping passwords in the file system.

  • Backing up remote virtual environments to the local node. For example:

    # cat ~/.vz/keys/id_rsa.pub >> ~/.vz/keys/authorized_keys
    # prlctl backup remote_ve -l <user>@<remote_node> -s <user>@<local_node>
    

    Where <local_node> is the local node’s IP address. It must be reachable from the remote node.

    Adding the local user’s public key to the local node’s authorized keys is required to avoid being asked for the password, because the local node’s IP address is used instead of localhost.

  • Migrating virtual environments. For example:

    # prlctl migrate local_ve <user>@<remote_node>
    # prlctl migrate <user>@<remote_node>/remote_ve <user>@<local_node>