From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Date: Thu, 14 Jan 2021 18:11:08 +0100
Message-Id: <20210114171108.756728-1-aderumier@odiso.com>
Subject: [pve-devel] [PATCH qemu-server] cloudinit: add sshdeletehostkeys option

This defines the behaviour of SSH server key generation on cloudinit config change.

Different values:

- once: only once at VM start (default value)
- no: never generate SSH keys
- yes: always generate SSH keys

When the value is set to 'once', the value is rewritten to 'no' in the VM config after VM start.

Signed-off-by: Alexandre Derumier
---
 PVE/QemuServer.pm           |  9 ++++++++-
 PVE/QemuServer/Cloudinit.pm | 11 +++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 54278e5..cd6c26c 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -760,6 +760,13 @@ my $confdesc_cloudinit = { format => 'urlencoded', description => "cloud-init: Setup public SSH keys (one key per line, OpenSSH format).", }, + sshdeletehostkeys => { + optional => 1, + type => 'string', + enum => [qw(once yes no)], + default_key => 1, + description => "cloud-init: Regenerate host SSH keys on config change.", + }, }; # what about other qemu settings ? @@ -4943,7 +4950,7 @@ sub vm_start_nolock { $conf = PVE::QemuConfig->load_config($vmid); # update/reload } - PVE::QemuServer::Cloudinit::generate_cloudinitconfig($conf, $vmid); + PVE::QemuServer::Cloudinit::generate_cloudinitconfig($conf, $vmid, 1); my $defaults = load_defaults(); diff --git a/PVE/QemuServer/Cloudinit.pm b/PVE/QemuServer/Cloudinit.pm index dd643c1..4dbc4d6 100644 --- a/PVE/QemuServer/Cloudinit.pm +++ b/PVE/QemuServer/Cloudinit.pm @@ -135,7 +135,7 @@ sub cloudinit_userdata { $content .= " - $k\n"; } } - $content .= "ssh_deletekeys: false\n" if PVE::QemuServer::check_running($vmid); + $content .= "ssh_deletekeys: false\n" if defined($conf->{sshdeletehostkeys}) && $conf->{sshdeletehostkeys} eq 'no'; $content .= "chpasswd:\n"; $content .= " expire: False\n"; @@ -464,9 +464,10 @@ my $cloudinit_methods = { }; sub generate_cloudinitconfig { - my ($conf, $vmid) = @_; + my ($conf, $vmid, $vmstart) = @_; my $format = get_cloudinit_format($conf); + my $generated = undef; PVE::QemuConfig->foreach_volume($conf, sub { my ($ds, $drive) = @_; @@ -479,7 +480,13 @@ sub generate_cloudinitconfig { or die "missing cloudinit methods for format '$format'\n"; $generator->($conf, $vmid, $drive, $volname, $storeid); + $generated = 1; }); + + if ($vmstart && $generated && (!defined($conf->{sshdeletehostkeys}) || $conf->{sshdeletehostkeys} eq 'once')) { + $conf->{sshdeletehostkeys} = 'no'; + PVE::QemuConfig->write_config($vmid, $conf); + } } sub dump_cloudinit_config { -- 2.20.1
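Review bot: in the `$confdesc_cloudinit` hunk, `default_key => 1` does not declare a default value, yet the commit message says `once` is the default and the `generate_cloudinitconfig` hunk treats an undefined value as `once`; this should be `default => 'once'`. The description "cloud-init: Regenerate host SSH keys on config change." should also spell out what `once`, `yes` and `no` mean and that `once` is rewritten to `no` after the first start, since that description is the only documentation a user of `qm set` will see.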
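Review bot: in the `vm_start_nolock` hunk, the bare positional `1` in `generate_cloudinitconfig($conf, $vmid, 1)` gives the reader no hint that it means "called from VM start"; a short comment at the call site, e.g. `# regenerate and consume a one-shot 'once' sshdeletehostkeys`, would help. Since this call now also writes the VM config (see the `generate_cloudinitconfig` hunk), it relies on the caller of `vm_start_nolock` already holding the config lock, which is worth stating there as well.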
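Review bot: in the `cloudinit_userdata` hunk, the old `PVE::QemuServer::check_running($vmid)` guard is dropped entirely rather than combined with the new option, so regenerating the cloud-init data for a running VM whose option is `yes`, or is still unset because the VM was last started before this change, now emits user-data without `ssh_deletekeys: false`, which is exactly the case the old guard existed to avoid. If that is intended for `yes` it should be documented; for the unset case consider `... eq 'no' || (!defined($conf->{sshdeletehostkeys}) && PVE::QemuServer::check_running($vmid))`. This hunk also spells the default as `defined(...) && ... eq 'no'` while the `generate_cloudinitconfig` hunk uses `!defined(...) || ... eq 'once'`; `my $mode = $conf->{sshdeletehostkeys} // 'once';` in both places would make the default explicit and consistent.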
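Review bot: in the `generate_cloudinitconfig` hunk, the rewrite to `no` and the `PVE::QemuConfig->write_config($vmid, $conf)` happen as soon as the cloud-init image has been generated, which is before QEMU is actually launched later in `vm_start_nolock`. If the start then fails, the config already says `no`, so the next successful start emits `ssh_deletekeys: false` and the guest never regenerates its host keys on its real first boot. Consider performing the `once` to `no` transition only after the VM has started successfully, or at least documenting this. Minor: `my $generated = undef;` can simply be `my $generated;`.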