From: aderumier@odiso.com
To: Proxmox VE development discussion
Subject: Re: [pve-devel] [PATCH qemu-server] cloud-init: don't regenerate ssh hosts key on config change when vm is running
Date: Thu, 14 Jan 2021 16:20:07 +0100
Message-ID: <8be996c8068e594171ce24c348f292ca93796586.camel@odiso.com>
References: <20210113090132.3889308-1-aderumier@odiso.com>

>> We could add vendor data and put the ssh keys there:
>>
>> https://cloudinit.readthedocs.io/en/latest/topics/vendordata.html
>>

Technically, it's possible to add host ssh keys with

ssh_keys:
  rsa_private: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco
    ...
    -----END RSA PRIVATE KEY-----
  rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd

I had asked about it some months ago, but Dietmar didn't want it:

https://lists.proxmox.com/pipermail/pve-devel/2020-June/044104.html

"
----- Original Mail -----
From: "dietmar"
To: "pve-devel"
Sent: Thursday, 25 June 2020 11:00:10
Subject: Re: [pve-devel] cloudinit: generate server ssh keys on proxmox side ?

> Maybe could we generate them once at proxmox side ?

-1

Copying private keys is bad.
"
I wasn't aware of ssh_deletekeys at this time, but it seems a better way to manage this (keep ssh key generation inside the VM, but do it only once).

On Wednesday, 13 January 2021 at 12:26 +0100, Mira Limbeck wrote:
> We could add vendor data and put the ssh keys there:
>
> https://cloudinit.readthedocs.io/en/latest/topics/vendordata.html
>
>
> On 1/13/21 10:01 AM, Alexandre Derumier wrote:
> > Currently, we always regenerate sshkeys on any config change.
> >
> > It should be done only before the first vm start, but currently we
> > can't know that.
> >
> > So, this patch only does it when the vm is running.
> >
> > Signed-off-by: Alexandre Derumier
> > ---
> >   PVE/QemuServer/Cloudinit.pm | 2 ++
> >   1 file changed, 2 insertions(+)
> >
> > diff --git a/PVE/QemuServer/Cloudinit.pm
> > b/PVE/QemuServer/Cloudinit.pm
> > index 52a4203..dd643c1 100644
> > --- a/PVE/QemuServer/Cloudinit.pm
> > +++ b/PVE/QemuServer/Cloudinit.pm
> > @@ -135,6 +135,8 @@ sub cloudinit_userdata {
> >             $content .= "  - $k\n";
> >         }
> >       }
> > +    $content .= "ssh_deletekeys: false\n" if
> > PVE::QemuServer::check_running($vmid);
> > +
> >       $content .= "chpasswd:\n";
> >       $content .= "  expire: False\n";
> >
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
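Review bot: the `PVE::QemuServer::check_running($vmid)` guard on the added line only approximates the "has booted at least once" state the commit message names as the real goal: a guest that was started, then stopped, and then had its cloud-init config edited is not running when the user-data is regenerated, so `ssh_deletekeys` falls back to its default and the guest's host keys are wiped and regenerated again on the next boot. If that case matters, a persisted first-boot marker would be a more reliable condition than the runtime check. Two smaller points on the same hunk: a one-line comment above `$content .= "ssh_deletekeys: false\n" if ...` explaining why it is conditional would help, since the rationale otherwise lives only in the commit message; and the hunk does not show where `$vmid` is defined inside `cloudinit_userdata`, so please confirm it is in scope there.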
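Added example, not part of this thread or of qemu-server: a small Python lint that checks a cloud-init user-data document for the two host-key choices discussed above, private keys embedded under ssh_keys (the approach Dietmar rejected) and the ssh_deletekeys setting (the approach the patch takes). The two user-data samples are constructed for the example, the key material is a placeholder, and the assumption that ssh_deletekeys defaults to true is taken from cloud-init's documentation.

```python
import re

# Matches any PEM private-key header (RSA, EC, OPENSSH, ...).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# An unindented "key: value" line is a top-level cloud-config entry.
TOP_LEVEL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def top_level_keys(userdata):
    """Return {key: inline scalar or None} for the top-level mapping.

    Only the flat subset of YAML that cloud-config uses for the keys we
    care about is handled here, so there is no dependency on PyYAML.
    """
    keys = {}
    for line in userdata.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment (including '#cloud-config')
        m = TOP_LEVEL_RE.match(line)
        if m:
            keys[m.group(1)] = m.group(2).strip() or None
    return keys


def deletekeys_setting(userdata):
    """Effective ssh_deletekeys value (assumed default: true, per cloud-init docs)."""
    value = top_level_keys(userdata).get("ssh_deletekeys")
    if value is None:
        return True
    return value.lower() not in ("false", "no", "off")


def lint_userdata(userdata):
    """Findings a reviewer would want before attaching this user-data to a VM."""
    findings = []
    if PRIVATE_KEY_RE.search(userdata):
        findings.append("private key material embedded in user-data")
    if "ssh_keys" in top_level_keys(userdata):
        findings.append("ssh_keys present: host keys come from the hypervisor, not the guest")
    if deletekeys_setting(userdata):
        findings.append("ssh_deletekeys is true (default): host keys regenerated when cloud-init reprocesses ssh")
    return findings


# Constructed sample: host keys pushed in from the hypervisor (placeholder key, not real).
EMBEDDED_KEYS = """#cloud-config
hostname: vm100
ssh_keys:
  rsa_private: |
    -----BEGIN RSA PRIVATE KEY-----
    PLACEHOLDER-NOT-A-REAL-KEY
    -----END RSA PRIVATE KEY-----
  rsa_public: ssh-rsa PLACEHOLDER-NOT-A-REAL-KEY
"""

# Constructed sample, modelled on what the patch emits for a running VM:
# generation stays inside the guest and existing keys are kept.
KEEP_GUEST_KEYS = """#cloud-config
hostname: vm100
ssh_deletekeys: false
chpasswd:
  expire: False
"""

if __name__ == "__main__":
    for name, doc in (("embedded keys", EMBEDDED_KEYS), ("keep guest keys", KEEP_GUEST_KEYS)):
        print(f"{name}: {lint_userdata(doc) or ['no findings']}")
```

Running the script reports three findings for the first sample and none for the second; a user-data file that sets neither key is reported with the default behaviour, which is exactly the regenerate-on-every-config-change case the patch is addressing.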