openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/virt/managing_vms/virt-accessing-vm-ssh.adoc
Sebastian Kopacz 85e3a39044 OSDOCS-16572: second batch of rec visibility changes
2025-11-03 18:01:04 +00:00

166 lines
8.3 KiB
Plaintext
Raw Permalink Blame History

:_mod-docs-content-type: ASSEMBLY
[id="virt-accessing-vm-ssh"]
= Configuring SSH access to virtual machines
include::_attributes/common-attributes.adoc[]
:context: virt-accessing-vm-ssh
:toclevels: 3
toc::[]
You can configure SSH access to virtual machines (VMs) by using the following methods:
* xref:../../virt/managing_vms/virt-accessing-vm-ssh.adoc#using-virtctl-ssh_virt-accessing-vm-ssh[`virtctl ssh` command]
+
You create an SSH key pair, add the public key to a VM, and connect to the VM by running the `virtctl ssh` command with the private key.
+
You can add public SSH keys to {op-system-base-full} 9 VMs at runtime or at first boot to VMs with guest operating systems that can be configured by using a cloud-init data source.
* xref:../../virt/managing_vms/virt-accessing-vm-ssh.adoc#virt-using-virtctl-port-forward-command_virt-accessing-vm-ssh[`virtctl port-forward` command]
+
You add the `virtctl port-foward` command to your `.ssh/config` file and connect to the VM by using OpenSSH.
* xref:../../virt/managing_vms/virt-accessing-vm-ssh.adoc#using-services-ssh_virt-accessing-vm-ssh[Service]
+
You create a service, associate the service with the VM, and connect to the IP address and port exposed by the service.
* xref:../../virt/managing_vms/virt-accessing-vm-ssh.adoc#using-secondary-networks-ssh_virt-accessing-vm-ssh[Secondary network]
+
You configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address.
include::modules/virt-access-configuration-considerations.adoc[leveloffset=+1]
[id="using-virtctl-ssh_virt-accessing-vm-ssh"]
== Using virtctl ssh
You can add a public SSH key to a virtual machine (VM) and connect to the VM by running the `virtctl ssh` command.
This method is simple to configure. However, it is not recommended for high traffic loads because it places a burden on the API server.
include::modules/virt-about-static-and-dynamic-ssh-keys.adoc[leveloffset=+2]
[id="static-key-management-vm"]
=== Static key management
You can add a statically managed public SSH key when you create a virtual machine (VM) by using the {product-title} web console or the command line. The key is added as a cloud-init data source when the VM boots for the first time.
You can also add a public SSH key to a project when you create a VM by using the web console. The key is saved as a secret and is added automatically to all VMs that you create.
[NOTE]
====
If you add a secret to a project and then delete the VM, the secret is retained because it is a namespace resource. You must delete the secret manually.
====
:context: static-key
:static-key:
include::modules/virt-adding-key-creating-vm-template.adoc[leveloffset=+3]
include::modules/virt-creating-vm-instancetype.adoc[leveloffset=+3]
:!static-key:
include::modules/virt-adding-public-key-vm-cli.adoc[leveloffset=+3]
:virt-accessing-vm-ssh:
[id="adding-dynamic-key-vm"]
=== Dynamic key management
You can enable dynamic key injection for a virtual machine (VM) by using the {product-title} web console or the command line. Then, you can update the key at runtime.
[NOTE]
====
Only {op-system-base-full} 9 supports dynamic key injection.
====
If you disable dynamic key injection, the VM inherits the key management method of the image from which it was created.
:context: dynamic-key
:dynamic-key:
include::modules/virt-adding-key-creating-vm-template.adoc[leveloffset=+3]
include::modules/virt-creating-vm-instancetype.adoc[leveloffset=+3]
include::modules/virt-editing-vm-dynamic-key-injection.adoc[leveloffset=+3]
:!dynamic-key:
include::modules/virt-enabling-dynamic-key-injection-cli.adoc[leveloffset=+3]
:context: virt-accessing-vm-ssh
:virt-accessing-vm-ssh:
include::modules/virt-using-virtctl-ssh-command.adoc[leveloffset=+2]
[TIP]
====
You can copy the `virtctl ssh` command in the web console by selecting *Copy SSH command* from the options {kebab} menu beside a VM on the *VirtualMachines* page.
Alternatively, right-click the VM in the tree view and select *Copy SSH command* from the pop-up menu to copy the `virtctl ssh` command.
====
include::modules/virt-using-virtctl-port-forward-command.adoc[leveloffset=+1]
[id="using-services-ssh_virt-accessing-vm-ssh"]
== Using a service for SSH access
You can create a service for a virtual machine (VM) and connect to the IP address and port exposed by the service.
[NOTE]
====
Services provide excellent performance and are recommended for applications that are accessed from outside the cluster or within the cluster. Ingress traffic is protected by firewalls.
====
If the cluster network cannot handle the traffic load, consider using a secondary network for VM access.
include::modules/virt-about-services.adoc[leveloffset=+2]
[id="creating-services-ssh_virt-accessing-vm-ssh"]
=== Creating a service
You can create a service to expose a virtual machine (VM) by using the {product-title} web console, `virtctl` command-line tool, or a YAML file.
include::modules/virt-enabling-load-balancer-service-web.adoc[leveloffset=+3]
include::modules/virt-creating-service-web.adoc[leveloffset=+3]
include::modules/virt-creating-service-virtctl.adoc[leveloffset=+3]
.Next steps
After you create a service with `virtctl`, you must add `special: key` to the `spec.template.metadata.labels` stanza of the `VirtualMachine` manifest. See xref:../../virt/managing_vms/virt-accessing-vm-ssh.adoc#virt-creating-service-cli_virt-accessing-vm-ssh[Creating a service by using the command line].
include::modules/virt-creating-service-cli.adoc[leveloffset=+3]
include::modules/virt-connecting-service-ssh.adoc[leveloffset=+2]
[id="using-secondary-networks-ssh_virt-accessing-vm-ssh"]
== Using a secondary network for SSH access
You can configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address by using SSH.
[IMPORTANT]
====
Secondary networks provide excellent performance because the traffic is not handled by the cluster network stack. However, the VMs are exposed directly to the secondary network and are not protected by firewalls. If a VM is compromised, an intruder could gain access to the secondary network. You must configure appropriate security within the operating system of the VM if you use this method.
====
See the link:https://access.redhat.com/articles/6994974#networking-multus[Multus] and link:https://access.redhat.com/articles/6994974#networking-sriov[SR-IOV] documentation in the link:https://access.redhat.com/articles/6994974[{VirtProductName} Tuning & Scaling Guide] for additional information about networking options.
.Prerequisites
ifndef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
* You configured a secondary network such as xref:../../virt/vm_networking/virt-connecting-vm-to-linux-bridge.adoc#virt-connecting-vm-to-linux-bridge[Linux bridge] or xref:../../virt/vm_networking/virt-connecting-vm-to-sriov.adoc#virt-connecting-vm-to-sriov[SR-IOV].
* You created a network attachment definition for a xref:../../virt/vm_networking/virt-connecting-vm-to-linux-bridge.adoc#virt-creating-linux-bridge-nad-web_virt-connecting-vm-to-linux-bridge[Linux bridge network] or the SR-IOV Network Operator created a xref:../../virt/vm_networking/virt-connecting-vm-to-sriov.adoc#nw-sriov-network-attachment_virt-connecting-vm-to-sriov[network attachment definition] when you created an `SriovNetwork` object.
endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
ifdef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
* You configured a xref:../../virt/vm_networking/virt-connecting-vm-to-ovn-secondary-network.adoc#virt-connecting-vm-to-ovn-secondary-network[secondary network].
* You created a xref:../../virt/vm_networking/virt-connecting-vm-to-ovn-secondary-network.adoc#creating-ovn-nad_virt-connecting-vm-to-ovn-secondary-network[network attachment definition].
endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
include::modules/virt-vm-creating-nic-web.adoc[leveloffset=+2]
include::modules/virt-connecting-secondary-network-ssh.adoc[leveloffset=+2]
ifndef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
[NOTE]
====
You can also xref:../../virt/vm_networking/virt-accessing-vm-secondary-network-fqdn.adoc#virt-accessing-vm-secondary-network-fqdn[access a VM attached to a secondary network interface by using the cluster FQDN].
====
endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
View Git Blame Copy Permalink