From: aderumier@odiso.com
To: Proxmox VE development discussion
Date: Fri, 15 Jan 2021 12:08:16 +0100
Subject: Re: [pve-devel] [PATCH qemu-server] cloud-init: don't regenerate ssh hosts key on config change when vm is running
Message-ID: <650b449cdd9a413b4f55463dcd9d65be4efaadcc.camel@odiso.com>
In-Reply-To: <8be996c8068e594171ce24c348f292ca93796586.camel@odiso.com>
References: <20210113090132.3889308-1-aderumier@odiso.com> <8be996c8068e594171ce24c348f292ca93796586.camel@odiso.com>

I have sent another patch, with a config option
(Like this, user can define behaviour)

On Thursday 14 January 2021 at 16:20 +0100, aderumier@odiso.com wrote:
> > > We could add vendor data and put the ssh keys there:
> > >
> > > https://cloudinit.readthedocs.io/en/latest/topics/vendordata.html
>
> technically, it's possible to add host ssh keys with
>
> ssh_keys:
>     rsa_private: |
>         -----BEGIN RSA PRIVATE KEY-----
>         MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco
>         ...
>         -----END RSA PRIVATE KEY-----
>     rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd
>
> I had asked about it some months ago, but Dietmar didn't want it
> https://lists.proxmox.com/pipermail/pve-devel/2020-June/044104.html
> "
> ----- Original message -----
> From: "dietmar"
> To: "pve-devel"
> Sent: Thursday 25 June 2020 11:00:10
> Subject: Re: [pve-devel] cloudinit: generate server ssh keys on proxmox side ?
>
> > Maybe could we generate them once at proxmox side ?
>
> -1
>
> Copying private keys is bad.
> "
>
> I wasn't aware of ssh_deletekeys at this time,
> but it seems a better way to manage this. (keep sshkey generation inside
> the vm, but do it only once)
>
> On Wednesday 13 January 2021 at 12:26 +0100, Mira Limbeck wrote:
> > We could add vendor data and put the ssh keys there:
> >
> > https://cloudinit.readthedocs.io/en/latest/topics/vendordata.html
> >
> > On 1/13/21 10:01 AM, Alexandre Derumier wrote:
> > > Currently, we always regenerate sshkeys on any config change.
> > >
> > > It should be done only before the first vm start, but currently
> > > can't know that.
> > >
> > > So, this patch only does it when vm is running.
> > >
> > > Signed-off-by: Alexandre Derumier
> > > --- > > >   PVE/QemuServer/Cloudinit.pm | 2 ++ > > >   1 file changed, 2 insertions(+) > > > > > > diff --git a/PVE/QemuServer/Cloudinit.pm > > > b/PVE/QemuServer/Cloudinit.pm > > > index 52a4203..dd643c1 100644 > > > --- a/PVE/QemuServer/Cloudinit.pm > > > +++ b/PVE/QemuServer/Cloudinit.pm 
> > > @@ -135,6 +135,8 @@ sub cloudinit_userdata { > > >             $content .= "  - $k\n"; > > >         } > > >       } > > > +    $content .= "ssh_deletekeys: false\n" if > > > PVE::QemuServer::check_running($vmid); > > > + > > >       $content .= "chpasswd:\n"; > > >       $content .= "  expire: False\n"; > > >   > > > > > > _______________________________________________ > > pve-devel mailing list > > pve-devel@lists.proxmox.com > > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > > >
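
Review bot: the `PVE::QemuServer::check_running($vmid)` condition on the added `ssh_deletekeys: false` line in cloudinit_userdata only protects a VM that is running when the user data is regenerated. When the config of a stopped VM changes, the key is omitted, cloud-init falls back to its default of `ssh_deletekeys: true`, and the host keys are replaced on the next boot, even though the commit message says regeneration "should be done only before the first vm start". Clients then see a changed host key on a machine that was not reinstalled. Suggest a comment above the line stating this limitation, and consider deciding from a persistent marker or config option rather than the runtime state, so the result does not depend on whether the VM happens to be up when the config is edited.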