Skip to content

fix(cli): use local ssh client for vm access#2442

Open
LopatinDmitr wants to merge 2 commits into
mainfrom
fix/cli/remove-native-ssh-client
Open

fix(cli): use local ssh client for vm access#2442
LopatinDmitr wants to merge 2 commits into
mainfrom
fix/cli/remove-native-ssh-client

Conversation

@LopatinDmitr

@LopatinDmitr LopatinDmitr commented Jun 3, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Description

Remove the embedded native SSH/SCP implementation from the virtualization CLI.

d8 v ssh and d8 v scp now always use the local OpenSSH/SCP clients through d8 v port-forward --stdio=true as ProxyCommand.

This change also:

  • supports passing additional local SSH/SCP client options after --, for example d8 v ssh vm -- -o StrictHostKeyChecking=no -R 8080:127.0.0.1:8080;
  • keeps explicit CLI mappings for common options: --identity-file/-i is passed to OpenSSH/SCP as -i, and --known-hosts is passed as UserKnownHostsFile;
  • keeps --local-ssh as a deprecated no-op compatibility flag;
  • keeps --local-ssh-opts as a deprecated compatibility flag;
  • updates CLI docs, user guides, and unit tests.

Why do we need it, and what problem does it solve?

We do not want to support and maintain two separate SSH/SCP clients in the virtualization CLI.

The embedded native implementation has limited compatibility and may behave differently from the OpenSSH client users already have configured locally. Keeping only the local OpenSSH/SCP path makes VM access more predictable: it uses the user's existing SSH configuration, agent, certificates, authentication behavior, and client options.

OpenSSH is also available on all supported user platforms, including Windows, so the CLI no longer needs a separate built-in SSH/SCP implementation as a fallback.

What is the expected result?

  1. Run d8 v ssh user@vm -i /path/to/key and verify that the command authenticates through local OpenSSH.
  2. Run d8 v scp -i /path/to/key ./file user@vm:/tmp/file and verify that SCP uses the same local-client path.
  3. Run d8 v ssh -n myvms ubuntu-24 -p 2222 -- -o StrictHostKeyChecking=no -R 8080:127.0.0.1:8080 and verify that options after -- are passed to the local OpenSSH client.
  4. Run d8 v ssh -n myvms ubuntu-24 -p 2222 --command xclock -- -o StrictHostKeyChecking=no -X -n and verify that the remote command and local OpenSSH options are both applied.
  5. Run commands with deprecated --local-ssh or --local-ssh-opts and verify that they still work and print deprecation warnings.
  6. Run d8 v ssh user@vm --known-hosts /path/to/known_hosts and verify that OpenSSH uses it as UserKnownHostsFile.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: fix
summary: Use local OpenSSH and SCP clients for virtual machine SSH and SCP access.
impact_level: low

@LopatinDmitr LopatinDmitr added this to the v1.9.0 milestone Jun 3, 2026
@LopatinDmitr LopatinDmitr marked this pull request as draft June 3, 2026 13:59
@LopatinDmitr LopatinDmitr force-pushed the fix/cli/remove-native-ssh-client branch from ab8e42b to 5969f19 Compare June 3, 2026 14:11
@LopatinDmitr LopatinDmitr marked this pull request as ready for review June 5, 2026 07:49
@LopatinDmitr LopatinDmitr force-pushed the fix/cli/remove-native-ssh-client branch 3 times, most recently from e3cb34e to 57f6d8d Compare June 9, 2026 09:52
@LopatinDmitr
fix(cli): use local ssh client for vm access
fa8ef2f 
Use the local OpenSSH/SCP clients for VM access by default and remove the embedded native SSH/SCP implementation.

Keep --local-ssh and --local-ssh-opts as deprecated compatibility flags, add --ssh-opts for extra client options, and map --known-hosts to OpenSSH UserKnownHostsFile.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr
fix(cli): use local ssh client for vm access
6dd0b06 
Use local OpenSSH/SCP clients for VM access and remove the embedded native SSH/SCP implementation.

Keep --local-ssh and --local-ssh-opts as deprecated compatibility flags. Pass common options such as --identity-file and --known-hosts directly to the local client, and allow advanced SSH/SCP options to be specified after --.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the fix/cli/remove-native-ssh-client branch from 57f6d8d to 6dd0b06 Compare June 9, 2026 12:58
diafour
diafour reviewed Jun 10, 2026
View reviewed changes
Comment thread src/cli/internal/cmd/ssh/ssh.go
Comment on lines 167 to 169
if err != nil {
return err
}

@diafour diafour Jun 10, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As client is not needed for "local ssh", we can report the error and proceed with "default" as namespace.

@universal-itengineer universal-itengineer modified the milestones: v1.9.0, v1.10.0 Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@diafour diafour diafour left review comments

@fl64 fl64 Awaiting requested review from fl64 fl64 is a code owner

@prismagod prismagod Awaiting requested review from prismagod prismagod is a code owner

@goganat goganat Awaiting requested review from goganat goganat is a code owner

@Isteb4k Isteb4k Awaiting requested review from Isteb4k Isteb4k is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@LopatinDmitr LopatinDmitr

Labels

None yet

Projects

None yet

Milestone

v1.10.0

Development

Successfully merging this pull request may close these issues.

3 participants

@LopatinDmitr @diafour @universal-itengineer