Possible deprecation and removal of the native virtctl SSH/SCP clients
36 views
Skip to first unread message
Felix Matouschek
Feb 6, 2025, 6:36:01 AMFeb 6
to kubevi...@googlegroups.com
Hi,
this topic already came up during the last two community meetings.
Currently, virtctl ssh and scp support two methods for establishing a
connection to remote hosts. The first method is a native SSH client
builtin to virtctl and the second method is to wrap the local SSH/SCP
clients on the host running virtctl. Both methods can be switched by
passing the "--local-ssh" flag and at the moment the default is to use
the native SSH client.
However, there are some issues with the native SSH client, which are
starting to add up. For example:
- No support for SSH escape sequences [1]
- Weird behavior with SSH agents [2], [3]
- This is security sensitive code which we need to maintain
- Complex build system to allow excluding the native SSH client from
builds
- ...
Many of these issues are not trivial to address and in my opinion, the
use of a wrapped SSH/SCP client brings the user experience closer to
what a user of a regular OpenSSH client would expect from virtctl ssh
as well.
Therefore, I would like to propose to deprecate and eventually to
remove the SSH/SCP clients built into virtctl and instead to only use
the local SSH/SCP clients on the host running virtctl.
This should be a transparent change to users, as command lines like
`virtctl ssh user@myvm` should continue to work without any changes
required. I'm still going to verify this for MacOS/Windows and will
post an update once I'm done.
I've already opened a PR ([4]) to deprecate the "--local-ssh" flag and
to use local ssh by default. Ideally, I'd like to merge this for
KubeVirt 1.5 and to remove the native clients in 1.6 already, if nobody
is against it.
What do you think?
Thanks,
Felix
[1] https://github.com/kubevirt/kubevirt/issues/13475
[2]
https://github.com/kubevirt/kubevirt/issues/7072#issuecomment-1022998700
[3] https://github.com/kubevirt/kubevirt/pull/12431
[4] https://github.com/kubevirt/kubevirt/pull/13871
this topic already came up during the last two community meetings.
Currently, virtctl ssh and scp support two methods for establishing a
connection to remote hosts. The first method is a native SSH client
builtin to virtctl and the second method is to wrap the local SSH/SCP
clients on the host running virtctl. Both methods can be switched by
passing the "--local-ssh" flag and at the moment the default is to use
the native SSH client.
However, there are some issues with the native SSH client, which are
starting to add up. For example:
- No support for SSH escape sequences [1]
- Weird behavior with SSH agents [2], [3]
- This is security sensitive code which we need to maintain
- Complex build system to allow excluding the native SSH client from
builds
- ...
Many of these issues are not trivial to address and in my opinion, the
use of a wrapped SSH/SCP client brings the user experience closer to
what a user of a regular OpenSSH client would expect from virtctl ssh
as well.
Therefore, I would like to propose to deprecate and eventually to
remove the SSH/SCP clients built into virtctl and instead to only use
the local SSH/SCP clients on the host running virtctl.
This should be a transparent change to users, as command lines like
`virtctl ssh user@myvm` should continue to work without any changes
required. I'm still going to verify this for MacOS/Windows and will
post an update once I'm done.
I've already opened a PR ([4]) to deprecate the "--local-ssh" flag and
to use local ssh by default. Ideally, I'd like to merge this for
KubeVirt 1.5 and to remove the native clients in 1.6 already, if nobody
is against it.
What do you think?
Thanks,
Felix
[1] https://github.com/kubevirt/kubevirt/issues/13475
[2]
https://github.com/kubevirt/kubevirt/issues/7072#issuecomment-1022998700
[3] https://github.com/kubevirt/kubevirt/pull/12431
[4] https://github.com/kubevirt/kubevirt/pull/13871
Felix Matouschek
Feb 6, 2025, 9:48:15 AMFeb 6
to kubevirt-dev
I was able to successfully verify that the --local-ssh flag also works with the SSH clients of MacOS and Windows.
Felix Matouschek
Feb 10, 2025, 10:23:31 AMFeb 10
to kubevirt-dev
Since feature freeze is coming close and there was no further discussion:
I went ahead and changed the wording on the PR I created slightly.
It now only deprecates the '--local-ssh' flag and sets it to true by default,
but it does not mention anything about removal of the native clients.
Is anybody against merging that?
Thanks,
Felix
Alice Frosi
Feb 11, 2025, 6:46:45 AMFeb 11
to Felix Matouschek, kubevirt-dev
Hi Felix,
It sounds good to me!
Alice
--
You received this message because you are subscribed to the Google Groups "kubevirt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubevirt-dev...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kubevirt-dev/ebe70bb1-2bb0-46d2-a2ea-c8fb54b82825n%40googlegroups.com.
Felix Matouschek
Aug 19, 2025, 8:56:02 AMAug 19
to kubevirt-dev
Hi all,
if there are no further objections, I would like to remove the native virtctl ssh client in 1.7.
Any more comments on this?
Thanks,
Felix
Roman Mohr
Aug 19, 2025, 10:27:08 AMAug 19
to Felix Matouschek, kubevirt-dev
On Tue, Aug 19, 2025, 5:56 AM 'Felix Matouschek' via kubevirt-dev <kubevi...@googlegroups.com> wrote:
Hi all,if there are no further objections, I would like to remove the native virtctl ssh client in 1.7.Any more comments on this?
Sad to see it go for nostalgic reasons, if that counts :)
Sounds good to me.
To view this discussion visit https://groups.google.com/d/msgid/kubevirt-dev/5b1426c3-dc51-4d04-940e-0bc0e8110146n%40googlegroups.com.
Felix Matouschek
Aug 19, 2025, 11:00:19 AMAug 19
to kubevirt-dev
On Tuesday, August 19, 2025 at 4:27:08 PM UTC+2 Roman Mohr wrote:
On Tue, Aug 19, 2025, 5:56 AM 'Felix Matouschek' via kubevirt-dev <kubevi...@googlegroups.com> wrote:Hi all,if there are no further objections, I would like to remove the native virtctl ssh client in 1.7.Any more comments on this?Sad to see it go for nostalgic reasons, if that counts :)
Agree, my KubeVirt journey has started here :)
Reply all
Reply to author
Forward
0 new messages