9.6.2.3.4. Enabling dynamic key injection by using the CLI
You can enable dynamic key injection for a virtual machine (VM) by using the command line. Then, you can update the public SSH key at runtime.
Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.
The key is added to the VM by the QEMU guest agent, which is installed automatically with RHEL 9.
Prerequisites
- You generated an SSH key pair by running the ssh-keygen command.
- You have installed the OpenShift CLI (oc).
Procedure
Create a manifest file for a VirtualMachine object and a Secret object.

Example manifest:

    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: example-vm
      namespace: example-namespace
    spec:
      dataVolumeTemplates:
        - metadata:
            name: example-vm-volume
          spec:
            sourceRef:
              kind: DataSource
              name: rhel9
              namespace: openshift-virtualization-os-images
            storage:
              resources: {}
      instancetype:
        name: u1.medium
      preference:
        name: rhel.9
      runStrategy: Always
      template:
        spec:
          domain:
            devices: {}
          volumes:
            - dataVolume:
                name: example-vm-volume
              name: rootdisk
            - cloudInitNoCloud:
                userData: |-
                  #cloud-config
                  runcmd:
                    - [ setsebool, -P, virt_qemu_ga_manage_ssh, on ]
              name: cloudinitdisk
          accessCredentials:
            - sshPublicKey:
                propagationMethod:
                  qemuGuestAgent:
                    users: ["cloud-user"]
                source:
                  secret:
                    secretName: authorized-keys
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: authorized-keys
    data:
      key: c3NoLXJzYSB...

- spec.template.spec.volumes.cloudInitNoCloud defines the data source, for example userData.
- spec.template.spec.accessCredentials.sshPublicKey.source.secret.secretName defines the secret object name.
- data.key within the secret object defines the full public SSH key.
Create the VirtualMachine and Secret objects by running the following command:

    $ oc create -f <manifest_file>.yaml

Start the VM by running the following command:

    $ virtctl start example-vm -n example-namespace
Verification
Get the VM configuration by running the following command:

    $ oc describe vm example-vm -n example-namespace

Example output:

    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: example-vm
      namespace: example-namespace
    spec:
      template:
        spec:
          accessCredentials:
            - sshPublicKey:
                propagationMethod:
                  qemuGuestAgent:
                    users: ["cloud-user"]
                source:
                  secret:
                    secretName: authorized-keys
    # ...
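
The data.key value in the Secret is the base64 encoding of the full public key line. The following added example (not part of the original documentation) checks that the input is one well-formed public key line, refuses private key material, and renders the Secret. The function names, the accepted key types and the sample key are assumptions constructed for illustration.

```python
import base64
import struct

# Accepted key types are an assumption of this example, not a list from the page.
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def validate_public_key(text: str) -> str:
    """Return the single public key line, or raise ValueError."""
    line = text.strip()
    if "PRIVATE KEY" in line:
        raise ValueError("private key material must never be stored in the Secret")
    if "\n" in line:
        raise ValueError("expected exactly one public key line")
    fields = line.split(None, 2)  # key type, base64 blob, optional comment
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("not an accepted OpenSSH public key line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob begins with a length-prefixed copy of the key type name.
    if len(blob) < 4:
        raise ValueError("key blob is truncated")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode():
        raise ValueError("key type does not match the encoded blob")
    return line


def secret_manifest(public_key: str, name: str = "authorized-keys") -> str:
    """Render a Secret whose data.key is the base64 of the full key line."""
    encoded = base64.b64encode(validate_public_key(public_key).encode()).decode()
    return (
        "apiVersion: v1\nkind: Secret\n"
        f"metadata:\n  name: {name}\n"
        f"data:\n  key: {encoded}\n"
    )


def sample_public_key() -> str:
    """Constructed, syntactically valid ed25519 line (all-zero key, unusable)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " cloud-user@example"


if __name__ == "__main__":
    print(secret_manifest(sample_public_key()))
```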