
Forward unix domain socket from the host into the guest

Status: Open. dee-kryvenko opened this issue 3 years ago, 5 comments.

Description

portForwards:
  - guestSocket: "/foo/test.sock"
    hostSocket: "/Users/me/tmp/test.sock"

I was trying to do something like this only to realize it works the opposite direction I need. Is there a way to forward FROM host TO the guest?

Also, with 9p - will unix sockets just work via mounts without extra forwarding?

dee-kryvenko, Apr 30 '22 23:04

The most straight-forward is to use tcp, but you can use ssh -L in the guest to tunnel unix sockets from the host.

The 9p file system will show the socket files, but they don't really work for connecting. I don't think sshfs works either...

Note that you would have to set up the authentication in the guest (i.e. the keys), so that it can access the host.

Normally this is only provided for the sftp server in reverse sshfs; there is no generic ssh login method provided.

For ssh-agent in particular, one would normally use -A.

Connections to ssh-agent may be forwarded from further remote hosts using the -A option to ssh(1) (but see the caveats documented therein), avoiding the need for authentication data to be stored on other machines. Authentication passphrases and private keys never go over the network: the connection to the agent is forwarded over SSH remote connections and the result is returned to the requester, allowing the user access to their identities anywhere in the network in a secure fashion.

Where the ssh man page just has the usual warnings:

-A Enables forwarding of connections from an authentication agent such as ssh-agent(1). This can also be specified on a per-host basis in a configuration file.

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

On the host, it looks something like:

SSH_AUTH_SOCK=/run/user/1000/keyring/ssh

In the VM shell, it will have something similar to:

SSH_AUTH_SOCK=/tmp/ssh-XXXX241EFw/agent.3492

afbjorklund, May 01 '22 06:05
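What "tunnel a unix socket with ssh -L" actually does is listen on one socket path and splice each accepted connection onto a fresh connection to the other path. The added Go program below (example code for this thread, not part of lima or OpenSSH) reproduces that relay locally between two sockets so the direction is visible: the listening side is where clients connect, the target side is where the service lives, and a relay started on the host can therefore only expose a guest socket on the host, never the other way round. It also applies the check the ssh(1) -A caveat quoted above implies, making the listening socket file owner-only, since anyone who can open that file can drive the service behind it. The echo service, the temporary directory and the "hello" line are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
)

// serve accepts connections on ln and hands each one to handle until ln is closed.
func serve(ln net.Listener, handle func(net.Conn)) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go handle(c)
	}
}

// EchoServer stands in for the host-side service (an ssh-agent, say):
// it listens on path and writes back whatever it receives. Constructed for the demo.
func EchoServer(path string) (net.Listener, error) {
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	go serve(ln, func(c net.Conn) {
		defer c.Close()
		io.Copy(c, c)
	})
	return ln, nil
}

// Relay listens on listenPath and splices each accepted connection onto a new
// connection to targetPath: the shape of `ssh -L listenPath:targetPath` for
// unix sockets. Which side listens fixes the direction of the forward.
func Relay(listenPath, targetPath string) (net.Listener, error) {
	// Unlink a stale socket file from an earlier run (ssh needs
	// StreamLocalBindUnlink for the same effect).
	if err := os.Remove(listenPath); err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	ln, err := net.Listen("unix", listenPath)
	if err != nil {
		return nil, err
	}
	// Whoever can open the socket file can drive the service behind it (the
	// ssh(1) -A caveat), so make it owner-only. There is a short window before
	// the chmod; a 0700 parent directory closes it.
	if err := os.Chmod(listenPath, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	go serve(ln, func(client net.Conn) {
		defer client.Close()
		target, err := net.Dial("unix", targetPath)
		if err != nil {
			return
		}
		defer target.Close()
		done := make(chan struct{}, 2)
		go func() { io.Copy(target, client); done <- struct{}{} }()
		go func() { io.Copy(client, target); done <- struct{}{} }()
		<-done // either side hanging up tears down both
	})
	return ln, nil
}

// RoundTrip sends one line through the socket at path and returns the reply line.
func RoundTrip(path, line string) (string, error) {
	c, err := net.Dial("unix", path)
	if err != nil {
		return "", err
	}
	defer c.Close()
	if _, err := fmt.Fprintln(c, line); err != nil {
		return "", err
	}
	return bufio.NewReader(c).ReadString('\n')
}

func main() {
	dir, err := os.MkdirTemp("", "relay") // created 0700 by MkdirTemp
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	host, guest := filepath.Join(dir, "host.sock"), filepath.Join(dir, "guest.sock")
	es, err := EchoServer(host)
	if err != nil {
		panic(err)
	}
	defer es.Close()
	rl, err := Relay(guest, host) // "guest" side listens, "host" side is the service
	if err != nil {
		panic(err)
	}
	defer rl.Close()
	reply, err := RoundTrip(guest, "hello")
	fmt.Printf("reply=%q err=%v\n", reply, err)
}
```

With ssh the same relay is `ssh -N -L /tmp/agent.sock:/run/user/1000/keyring/ssh host` run inside the guest, after which `SSH_AUTH_SOCK=/tmp/agent.sock` in the guest points at the host agent; the guest-side file is then created by ssh, which honours StreamLocalBindMask and StreamLocalBindUnlink from ssh_config.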

If you want this feature, the most straight-forward would be to add it to the limactl shell command...

It could be made permanent, but then it would probably be better to just copy or generate the keys? (Instead of letting the VM use your keys, better to have it use its own copy when you are not around.)

A workaround in the meantime, would be to use limactl show-ssh and add the -A option to the args.

Copying user keys to the VM is not really secure, but many people seem happy to share ~/.ssh with it. As mentioned in the beginning, perhaps the remote service can be accessed using tcp and a user token?

afbjorklund, May 01 '22 06:05

The thing is... I don't have keys and I don't want to have them. They are in my YubiKey where no one can really get them... I am trying to forward my GPG agent that pretends to be an SSH agent into my containers, where I want to build some code. But I was trying to keep this open - who knows why someone might need to forward sockets, exactly. Should be available on demand, pretty much like port forwarding...

dee-kryvenko, May 01 '22 08:05

It is theoretically possible to use -R (remote) forwarding, in the same way as -L (local) forwarding today.

 -L local_socket:remote_socket

 -R remote_socket:local_socket

But the current portForwards option doesn't have such a flag. Probably something like a boolean, though.

https://github.com/lima-vm/lima/blob/v0.10.0/pkg/hostagent/hostagent.go#L509

"-L", local+":"+remote,

afbjorklund, May 01 '22 10:05
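The boolean suggested in the comment above, worked through as an added Go example (not lima's hostagent code; the SocketForward type and its fields are assumptions chosen to mirror the guestSocket/hostSocket keys from the issue). The one thing to keep straight is that in ssh(1) syntax the path before the colon is always the side that listens: `-L local:remote` listens on the host, `-R remote:local` listens in the guest. The example also rejects relative socket paths, because ssh resolves them against the working directory on whichever side creates the socket, which for -R is the guest sshd.

```go
package main

import (
	"errors"
	"path/filepath"
)

// SocketForward describes one unix-socket forward between the host-side ssh
// client and the guest's sshd. The type and field names are assumptions.
type SocketForward struct {
	HostSocket  string
	GuestSocket string
	// Reverse false: expose a guest socket on the host (-L), the only
	// behaviour hostagent.go v0.10.0 has. Reverse true: expose a host
	// socket inside the guest (-R), the direction the issue asks for.
	Reverse bool
}

var ErrRelativeSocket = errors.New("socket paths must be absolute")

// SSHArgs returns the flag and argument the host agent would append to its
// ssh command line for this forward.
func (f SocketForward) SSHArgs() ([]string, error) {
	if !filepath.IsAbs(f.HostSocket) || !filepath.IsAbs(f.GuestSocket) {
		return nil, ErrRelativeSocket
	}
	if f.Reverse {
		// sshd in the guest creates GuestSocket and the ssh client on the
		// host dials HostSocket for each accepted connection.
		return []string{"-R", f.GuestSocket + ":" + f.HostSocket}, nil
	}
	// ssh on the host creates HostSocket and sshd in the guest dials GuestSocket.
	return []string{"-L", f.HostSocket + ":" + f.GuestSocket}, nil
}

func main() {
	f := SocketForward{HostSocket: "/Users/me/tmp/test.sock", GuestSocket: "/foo/test.sock"}
	for _, rev := range []bool{false, true} {
		f.Reverse = rev
		args, err := f.SSHArgs()
		println(args[0], args[1], err == nil)
	}
}
```

One caveat for the -R direction: the guest socket file is created by sshd as the login user, and if a file already exists at that path the bind fails unless the guest's sshd_config has StreamLocalBindUnlink enabled, so point guestSocket at a directory the user owns and clean up stale files.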

Side note: -A is already implemented by forwardAgent

  # Forward ssh agent into the instance.
  # 🟢 Builtin default: false
  forwardAgent: null

afbjorklund, May 01 '22 11:05

This is implemented, using the reverse: true option.

afbjorklund, Oct 29 '22 08:10
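Putting the pieces from this thread together for the original use case (a gpg-agent that speaks the ssh-agent protocol, forwarded from the host into the guest): the lima.yaml excerpt below is an added example, not from the lima documentation, and only uses the keys quoted in this thread (guestSocket, hostSocket, reverse, forwardAgent). Both socket paths are assumptions; the host path is wherever your agent actually listens, and the guest path should be a location the login user can create and nobody else can reach.

```yaml
# Added example. Forward a host unix socket INTO the guest: with reverse: true
# the guest's sshd listens on guestSocket and lima's ssh client on the host
# dials hostSocket for each connection, i.e. `-R guestSocket:hostSocket`.
portForwards:
  - guestSocket: "/tmp/host-gpg-agent.ssh.sock"   # assumed path; created by sshd in the guest
    hostSocket: "/Users/me/.gnupg/S.gpg-agent.ssh" # assumed path; wherever your agent listens
    reverse: true

# Alternative for the ssh-agent case only: ssh -A, which forwards whatever
# SSH_AUTH_SOCK points at on the host and sets SSH_AUTH_SOCK in the guest
# shell. Subject to the ssh(1) caveat quoted earlier in this thread.
forwardAgent: true
```

With the reverse forward, set `SSH_AUTH_SOCK=/tmp/host-gpg-agent.ssh.sock` in the guest shell yourself; with forwardAgent the variable is set for you. The -A route keeps no key material in the guest either, but it is only available to sessions opened by limactl shell, whereas the reverse socket forward is reachable by any process in the guest that can open the socket file, which is exactly the exposure the man page warns about.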

Is there a reason this issue shouldn't be closed, as it seems to be implemented by #836.

jandubois, Oct 29 '22 19:10