Bug 2217870

Summary: "virtctl ssh" and NodePort ssh commands in UI do not work without '-i' flag
Product: Container Native Virtualization (CNV)
Component: User Experience
Version: 4.13.0
Target Release: 4.14.0
Status: VERIFIED
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: Avital Pinnick <apinnick>
Assignee: Tal Nisan <tnisan>
QA Contact: Guohua Ouyang <gouyang>
CC: dholler, gouyang

Description Avital Pinnick 2023-06-27 10:25:43 UTC
Description of problem:

The "virtctl ssh" and "NodePort ssh" commands that are copied from the UI do not work unless the user adds the "-i" flag and the private key. 

Version-Release number of selected component (if applicable):
4.13

How reproducible:


Steps to Reproduce:
1. Create SSH key pair with "ssh-keygen" in /home/user/.ssh directory.
2. Inject public key as static key into a VM and restart the VM.
3. Copy the virtctl ssh command from the UI and try to run it from the CLI.

Actual results:
Permission denied error:

[avitalpinnick@fedora ~]$ virtctl -n avital ssh cloud-user@rhel9-inject-before-boot
The authenticity of host 'vmi/rhel9-inject-before-boot.avital (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:vmloMxhsR1f49jl04UrMNiJkxn3Xj9HHufgfwtWHHLM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'vmi/rhel9-inject-before-boot.avital' (ED25519) to the list of known hosts.
cloud-user@vmi/rhel9-inject-before-boot.avital: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Expected results:
SSH connection succeeds

Additional info:

This command worked with "/home/avitalpinnick/.ssh/testkey2": "virtctl -n avital ssh cloud-user@rhel9-inject-before-boot -i testkey2"

If the private key is in another location, the full path has to be specified: "virtctl -n avital ssh cloud-user@rhel9-inject-before-boot -i /home/avitalpinnick/testkey2"

I observed the same behavior when I copied and ran the NodePort/SSH command (after running the oc patch command to get the service to work).

I recommend adding "-i <private_SSH_key>" with a tooltip saying that if the private key is not in /home/user/.ssh, the full path needs to be specified.

Comment 1 Dominik Holler 2023-07-27 09:43:14 UTC
Should documentation for the "--identity-file" and a "--local-ssh-opts" option be added to
https://docs.openshift.com/container-platform/4.14/virt/virtual_machines/virt-accessing-vm-ssh.html#using-virtctl-ssh_virt-accessing-vm-ssh
?

Comment 2 Guohua Ouyang 2023-08-01 05:02:13 UTC
Verified on kubevirt-console-plugin-rhel9:v4.14.0-2359

Comment 4 Avital Pinnick 2023-08-01 12:01:26 UTC
(In reply to Dominik Holler from comment #1)
> Should documentation for the "--identity-file" and a "--local-ssh-opts"
> option be added to
> https://docs.openshift.com/container-platform/4.14/virt/virtual_machines/virt-accessing-vm-ssh.html#using-virtctl-ssh_virt-accessing-vm-ssh
> ?

The "-i" flag (same as --identity-file) is already documented: https://docs.openshift.com/container-platform/4.14/virt/virtual_machines/virt-accessing-vm-ssh.html#virt-running-virtctl-ssh-command_virt-accessing-vm-ssh