I manage an OpenNebula server (that acts as server and KVM node for educational purposes at a university), so I have created a lot of users (one for each student in each course), so there are more than 400 users in OpenNebula. By default, all of the instances created in the server have private IPs (in different SDNs, one of them allowed to do NAT with the barebone server). Now, some teachers have asked me to allow direct connection from outside to the private instances… but my server is not assigning public IPs (floating IPs), so connection is only allowed (if I am not wrong) in these two ways:
1. Directly from the VNC console tab.
2. Creating all the users that already exist in OpenNebula in the system (in the CentOS system) and, then, allowing SSH connection from outside to the barebone server and, then, allowing SSH from the server to each instance with a public/private SSH key pair. But, in this way, I need to create all the users in the system, don't I? Or is there any configuration way to "transport" and "enable" them directly in the system?
You can authorize them into a single user by adding all their SSH public keys, and then add this user's public key on each VM using the context packages.
This way you can do something like ssh -J <user>@<jumping_host> root@<vm>.
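One way to set up the shared jump user this answer describes, as an added example that is not from the thread or from OpenNebula itself: it assumes per-student key files named <student>.pub in one directory, a separate key file for the jump user, and constructed (fake) key blobs for the demo; the authorized_keys entries are restricted so a student's key can only be used as a ProxyJump hop, not to get a shell on the front-end.

```shell
#!/bin/sh
# Added example, not from the thread or OpenNebula: assemble the authorized_keys
# of one shared Linux "jump" user from per-student key files, restricting each
# key so it only works as a ProxyJump hop (no shell, PTY, agent or X11 forwarding),
# and print the CONTEXT fragment that installs the jump user's own key on each VM.
set -eu

# build_authorized_keys KEYDIR OUTFILE -> prints how many keys were installed
build_authorized_keys() {
    keydir=$1; out=$2
    : > "$out"
    for f in "$keydir"/*.pub; do
        [ -f "$f" ] || continue
        student=$(basename "$f" .pub)
        while read -r ktype kblob _comment; do
            case "$ktype" in
                ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;  # known key types only
                *) continue ;;
            esac
            # "restrict" disables everything; re-enable only what ssh -J needs.
            # Add permitopen="host:port" entries here to pin allowed destinations.
            printf 'restrict,port-forwarding %s %s %s\n' "$ktype" "$kblob" "$student" >> "$out"
        done < "$f"
    done
    chmod 600 "$out"
    wc -l < "$out" | tr -d ' '
}

# vm_context JUMP_PUBKEY_FILE -> CONTEXT section for a VM template. SSH_PUBLIC_KEY
# is the OpenNebula context variable the context packages write into root's
# authorized_keys at boot.
vm_context() {
    printf 'CONTEXT = [\n  NETWORK = "YES",\n  SSH_PUBLIC_KEY = "%s" ]\n' "$(cat "$1")"
}

# Demo on constructed input: two students' keys plus the jump user's key (fake blobs)
demo() {
    d=$(mktemp -d); mkdir "$d/keys"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOalice alice@laptop' > "$d/keys/alice.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADEMObob bob@laptop' > "$d/keys/bob.pub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOjump jump@frontend' > "$d/jump.pub"
    n=$(build_authorized_keys "$d/keys" "$d/authorized_keys")
    echo "installed $n restricted keys:"; cat "$d/authorized_keys"
    vm_context "$d/jump.pub"
    echo '# students then use: ssh -J jump@<jump_host> root@<vm_private_ip>'
    rm -rf "$d"
}
demo
```

The `restrict` option needs OpenSSH 7.2 or newer on the front-end; `jump` is the single shared Linux account whose authorized_keys the script builds.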
Thanks for your answer. I will try it, but I suppose that solution needs that "single user" to exist in the Linux system (/etc/passwd and /etc/shadow). Isn't there any solution to listen on an endpoint when a user logs in, to get a user from the OpenNebula authentication system? In other words, is it possible to run from a remote host "ssh my_opennebula_user@opennebula_server" if "my_opennebula_user" doesn't exist in the Linux system, but only in the OpenNebula authentication system?
That is not possible. Take into account that OpenNebula users are used just within OpenNebula to authenticate requests and access the cloud; in order to access the physical system you need to create a Linux user.