terraform-provider-libvirt: Connection to libvirt via SSH fails with provider version 0.6.9

System Information

Linux distribution

Fedora 34

Terraform version

Terraform v1.0.1
on linux_amd64

Provider and libvirt versions

provider: v0.6.9
libvirt (remote, debian stable): 5.0.0-4+deb10u1

Checklist

  • Is your issue/contribution related with enabling some setting/option exposed by libvirt that the plugin does not yet support, or requires changing/extending the provider terraform schema?

    • Make sure you explain why this option is important to you, why it should be important to everyone. Describe your use-case with detail and provide examples where possible.
    • If it is a very special case, consider using the XSLT support in the provider to tweak the definition instead of opening an issue
    • Maintainers do not have expertise in every libvirt setting, so please, describe the feature and how it is used. Link to the appropriate documentation
  • Is it a bug or something that does not work as expected? Please make sure you fill the version information below:

Description of Issue/Question

Connecting to a remote libvirt host via SSH fails after updating to v0.6.9 with the error message "Error: failed to dial libvirt: failed to read ssh key: open /home/soeren/.ssh/id_rsa: no such file or directory". I'm indeed not using RSA keypairs anymore; instead I've been using ed25519 keypairs. Reverting to v0.6.3 of the provider makes it work again. For the given remote host there are no additional settings in the local ~/.ssh/config file.

Setup

terraform {
  required_version = ">= 0.15"
  required_providers {
    libvirt = {
      source  = "dmacvicar/libvirt"
      version = "0.6.9"
    }
  }
}

provider "libvirt" {
  uri = "qemu+ssh://soeren@remotehost.tld/system"
}

resource "libvirt_domain" "terraform_test" {
  name = "terraform_test"
}

Steps to Reproduce Issue

➜ terraform plan -no-color

Error: failed to dial libvirt: failed to read ssh key: open /home/soeren/.ssh/id_rsa: no such file or directory

  with provider["registry.terraform.io/dmacvicar/libvirt"],
  on providers.tf line 12, in provider "libvirt":
  12: provider "libvirt" {

…after changing the provider version to 0.6.3 again

➜ terraform init -upgrade

Initializing the backend...

Initializing provider plugins...
- Finding dmacvicar/libvirt versions matching "~> 0.6.3"...
- Using previously-installed dmacvicar/libvirt v0.6.3

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
➜ terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # libvirt_domain.terraform_test will be created
  + resource "libvirt_domain" "terraform_test" {
      + arch        = (known after apply)
      + emulator    = (known after apply)
      + fw_cfg_name = "opt/com.coreos/config"
      + id          = (known after apply)
      + machine     = (known after apply)
      + memory      = 512
      + name        = "terraform_test"
      + qemu_agent  = false
      + running     = true
      + vcpu        = 1
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Additional information:

SELinux is enabled on the host running the Terraform code; however, disabling SELinux doesn't fix the issue.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 32 (13 by maintainers)

Most upvoted comments

Setting this on server-side ssh config fixed it for me:

AllowPortForwarding yes
AllowTcpForwarding yes
AllowStreamLocalForwarding yes

Possibly related: The following works with 0.6.10, but not with 0.6.11 (ed25519 private key):

provider "libvirt" {
  uri = "qemu+ssh://admin@example.com/system?keyfile=./admin-example-com"
}
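The failure reported in this issue is that the pure-Go provider looks only for ~/.ssh/id_rsa, while the comment above works around it with the keyfile query parameter of the URI. The following Go block is an added example, not the provider's own code, showing how a key-resolution step can honour keyfile first and otherwise probe the common key names under ~/.ssh. The function name ResolveSSHKey, the candidate list, and the injected exists callback (used so the logic can be exercised without touching the real filesystem) are all assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// defaultKeyNames lists the private keys probed, in order, when the URI carries
// no keyfile parameter. Probing only id_rsa is the behaviour the issue reports as
// broken; ed25519 is listed first because that is what the reporter uses.
// This ordering is an assumption of the example, not the provider's.
var defaultKeyNames = []string{"id_ed25519", "id_ecdsa", "id_rsa"}

// ResolveSSHKey returns the private key path to use for a qemu+ssh:// libvirt URI.
// The keyfile query parameter takes precedence; "~/" in it is expanded to home.
// Otherwise the usual key names under <home>/.ssh are tried and the error lists
// every path that was probed, which is far more useful than "open id_rsa: no such file".
func ResolveSSHKey(rawURI, home string, exists func(string) bool) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", fmt.Errorf("parse uri: %w", err)
	}
	if u.Scheme != "qemu+ssh" {
		return "", fmt.Errorf("not an ssh transport: %q", u.Scheme)
	}
	if kf := u.Query().Get("keyfile"); kf != "" {
		if strings.HasPrefix(kf, "~/") {
			kf = filepath.Join(home, kf[2:])
		}
		if !exists(kf) {
			return "", fmt.Errorf("keyfile %q from uri does not exist", kf)
		}
		return kf, nil
	}
	var tried []string
	for _, name := range defaultKeyNames {
		p := filepath.Join(home, ".ssh", name)
		if exists(p) {
			return p, nil
		}
		tried = append(tried, p)
	}
	return "", fmt.Errorf("no ssh private key found; tried %v", tried)
}

func main() {
	// Constructed "filesystem": only an ed25519 key exists, mirroring the reporter's setup.
	fake := map[string]bool{
		"/home/soeren/.ssh/id_ed25519": true,
		"./admin-example-com":          true,
	}
	exists := func(p string) bool { return fake[p] }
	for _, uri := range []string{
		"qemu+ssh://soeren@remotehost.tld/system",
		"qemu+ssh://admin@example.com/system?keyfile=./admin-example-com",
		"qemu+ssh://admin@example.com/system?keyfile=~/.ssh/id_ed25519",
	} {
		p, err := ResolveSSHKey(uri, "/home/soeren", exists)
		fmt.Printf("%s -> key=%q err=%v\n", uri, p, err)
	}
}
```

Relative keyfile values (such as ./admin-example-com) are left relative to the working directory, which is how the commenter's configuration above is written.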

A lot of the connection functionality, especially SSH, worked nicely prior to this design change. Why did you make the decision to drop the dependency on the libvirt library?

Because we needed a pure Go provider in order to be able to distribute it using the HashiCorp Provider Registry, which means people can install it just by mentioning the provider.

Distributing a binary linking to a C library meant we had to provide different binaries per distribution.

I'm also seeing similar behavior on macOS 11.5.

My URI connection string is qemu+ssh://peter@192.168.0.146/system?socket=/var/run/libvirt/libvirt-sock&keyfile=/Users/peter/.ssh/id_ed25519.

That connection string works with virsh but not when using the Terraform provider.

Here is the Terraform output:

╷
│ Error: failed to dial libvirt: failed to connect to libvirt on the remote host: ssh: rejected: connect failed (open failed)
│
│   with provider["registry.terraform.io/dmacvicar/libvirt"],
│   on main.tf line 10, in provider "libvirt":
│   10: provider "libvirt" {
│
╵

Workaround

I forwarded the unix port using SSH.

Note: for some, you might need to enable agent forwarding in your /etc/ssh/sshd_conf file. I had to comment out my DisableForwarding yes line.

Here is the script I use:

#!/usr/bin/env bash

set -xe

# Tear down the SSH tunnel and remove the local socket file.
cleanup() {
    for pid in $(pgrep -f "ssh -fnNT"); do kill -3 "$pid"; done
    rm -f "$1"
}

# TMPDIR is not set on every system; fall back to /tmp.
libvirt_sock="${TMPDIR:-/tmp}/libvirt-sock"
# Forward the remote libvirt unix socket to a local unix socket (ssh -L socket:socket).
ssh -fnNT -L "$libvirt_sock":/var/run/libvirt/libvirt-sock -i ~/.ssh/id_ed25519 peter@192.168.0.146
trap "cleanup $libvirt_sock" ERR EXIT
export LIBVIRT_DEFAULT_URI="qemu+unix:///session?socket=$libvirt_sock"

# Verify connection
virsh -c "$LIBVIRT_DEFAULT_URI" sysinfo >/dev/null

# Use terraform
for cmd in init plan apply; do
    terraform "$cmd"
done
# A second trap replaces the first one, so cleanup must be repeated here or the
# tunnel and socket file would be left behind after terraform destroy.
trap "terraform destroy; cleanup $libvirt_sock" EXIT ERR

echo "Press Return to Quit & Cleanup..."
read
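Both the "rejected: connect failed (open failed)" error above and the earlier comment about server-side forwarding settings come down to whether sshd permits unix-socket (StreamLocal) forwarding, which the ssh -L socket:socket tunnel in the script depends on. The following Go block is an added example, not code from the provider or from any commenter; it parses sshd_config text and reports the effective policy using OpenSSH's documented rules: keywords are case-insensitive, the first value set for a keyword wins, unset keywords fall back to their defaults, and DisableForwarding overrides every other forwarding option. It deliberately ignores Match blocks and the Key=value spelling; both are assumptions of this example, not a complete sshd_config implementation. The constructed sample configs in main mirror the DisableForwarding yes line a commenter had to comment out.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ForwardingPolicy holds the sshd settings that decide whether ssh -L can
// forward a unix socket (StreamLocal) or a TCP port.
type ForwardingPolicy struct {
	DisableForwarding bool
	AllowTCP          bool
	AllowStreamLocal  bool
}

// StreamLocalAllowed reports whether ssh -L <local socket>:<remote socket>
// can succeed under this policy. DisableForwarding wins over everything else.
func (p ForwardingPolicy) StreamLocalAllowed() bool {
	return !p.DisableForwarding && p.AllowStreamLocal
}

// localForwardingEnabled maps the values accepted by AllowTcpForwarding and
// AllowStreamLocalForwarding (yes, all, no, local, remote) onto "does -L work".
func localForwardingEnabled(val string) bool {
	switch val {
	case "yes", "all", "local":
		return true
	}
	return false
}

// ParseForwardingPolicy reads sshd_config text and returns the effective policy
// of the global section. Parsing stops at the first Match line (assumption of
// this example: conditional blocks are not evaluated).
func ParseForwardingPolicy(config string) ForwardingPolicy {
	// Defaults: forwarding is allowed unless the config says otherwise.
	p := ForwardingPolicy{AllowTCP: true, AllowStreamLocal: true}
	seen := map[string]bool{} // first occurrence of a keyword wins
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if len(fields) < 2 || seen[key] {
			continue
		}
		seen[key] = true
		val := strings.ToLower(fields[1])
		switch key {
		case "disableforwarding":
			p.DisableForwarding = val == "yes"
		case "allowtcpforwarding":
			p.AllowTCP = localForwardingEnabled(val)
		case "allowstreamlocalforwarding":
			p.AllowStreamLocal = localForwardingEnabled(val)
		}
	}
	return p
}

func main() {
	// Constructed sample configs (not taken from any real host).
	before := "DisableForwarding yes\nAllowStreamLocalForwarding yes\n"
	after := "#DisableForwarding yes\nAllowStreamLocalForwarding yes\n"
	fmt.Println("before:", ParseForwardingPolicy(before).StreamLocalAllowed())
	fmt.Println("after: ", ParseForwardingPolicy(after).StreamLocalAllowed())
}
```

On a real host the same check can be made against the running daemon's effective settings rather than the file; the point of the parser is to show why commenting out DisableForwarding was necessary even though AllowStreamLocalForwarding was already set to yes.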