SSH-ing into virtual machine (not installed, just live-system)

Hi altogether, :wave:

I´ve got a question regarding ssh-ing into a VM.

Special case though: it´s not an installed VM but rather running a live system (.iso).

Background: I want to help my friend (who lives far away) perform a clonezilla disk-backup of her system.

I could ssh into her clonezilla-live system and hopefully help her that way.
I´ve already discussed that topic with Steven Shiau on Clonezilla / Discussion / Clonezilla live: using clonezilla live remotely? . So theoretically it should work.

The thing is: I want to test it beforehand in order to see what it looks like and if things will work out.
For that purpose I run the command

firejail kvm --cdrom /media/rosika/Dokumente/clonezilla-live-20160210-wily-amd64.iso -cpu host -m 512 -boot d

which in effect provides a running live clonezilla system in a VM (nothing installed though).

Now I want to ssh into that system from my host (Lubuntu 20.04.2 LTS).

These were my steps in clonezilla VM:

  • starting clonezilla VM
  • entering command prompt (shell)
  • “sudo ocs-live-netcfg”
  • choosing dhcp
  • “sudo systemctl start ssh”
  • “ip a” says: “eth0”: inet 10.0.2.15/24
  • “whoami” says: user

Clonezilla within the VM definitively has got internet connectivity. From there I can ping e.g.
itsfoss.community with 0% packet loss.

BUT:

I can´t ssh into the clonezilla VM from my host. :slightly_frowning_face:

“ssh user@10.0.2.15” from my host does nothing at all. Nothing happens.

Also (from my host):

ping 10.0.2.15 -c 3
PING 10.0.2.15 (10.0.2.15) 56(84) Bytes Daten.
^C
--- 10.0.2.15 ping statistics ---
3 Pakete übertragen, 0 empfangen, 100% Paketverlust, Zeit 2048ms

I.e. I cannot ping my VM. :slightly_frowning_face:

Does anybody have any idea why that is and what I can do about it? Thanks a lot in advance.

Many greetings.
Rosika :slightly_smiling_face:

I use KVM a lot, but I never set it up myself and I also don’t know how to configure it. I’m just the “consumer” of KVM.

Therefore, I will talk from a VirtualBox perspective, and pretend the same knowledge applies here.

  1. Maybe you need to open ports through the virtual machine’s configuration. E.g. in this case you would open inbound TCP 22.
  2. Ping is overrated in the network world. Everyone says, just ping this, just ping that. But I say: no, don’t just ping. Make an actual TCP or UDP connection.
sudo apt install -y ncat
nc -vz 10.0.2.15 22

This way you can check, if the address is reachable through the TCP port 22 on the target.
Pings actually do not mean much. It’s quick and dirty, but not as reliable, as most people think. You can’t imagine how many people I have seen in my entire life, wasting hours of their precious time, trying to debug a connectivity issue by using Ping, just to find out, that Ping was telling them results, which were not correctly interpreted in the context of the situation. For example, it’s not uncommon for a server to block Ping packets, but let through other types of packets. So, if you try to debug connectivity issues with Ping, it may seem like you cannot connect to the host, even if the host is just blocking all the Ping packets, not other types of packets.

  3. Check if SSH is properly running on the live medium.
ss -tlp '( dport = :22 or sport = :22 )'
1 Like

Hi @Akito :wave:

thanks so much for your reply and help.

nc -vz 10.0.2.15 22

from the host returns nothing. In fact I have to stop the command with CTRL+C to get my command prompt back.

As for

ss -tlp '( dport = :22 or sport = :22 )'

from the VM
I´m not quite sure what to make of the output. Here´s a screenshot:

But the command service ssh status says ssh-service is loaded, active and running.

Thanks a lot.
Rosika :thinking:

Ironically, the developers wanted to make the output more understandable, by replacing common ports with names, that represent their meaning:

  • HTTP → 80 or 8080
  • HTTPS → 443
  • SSH → 22
    etc…

Did you check, if you need to open ports for your virtual machine?

What about firejail? Maybe this is blocking access. If it’s a sandbox in the classic sense, it almost certainly should block access like the one you are trying to establish.

Hi @Akito,

thanks again for your help. :slightly_smiling_face:

Firejail doesn´t seem to be the culprit. I ran the same kvm-command without invoking firejail in order to check but the result is the same. In every aspect.

Phew, I wish I could tell. No idea how to check that.

But after performing “sudo ocs-live-netcfg” in the VM I get the following message:

(port 67) :question:

Many greetings.
Rosika :slightly_smiling_face:

P.S.:
I temporarily disabled ufw (firewall).
No effect either. :thinking:

Nearly always, my first step when troubleshooting a network service on a server - I verify it’s working on the loopback interface…

e.g. with apache - logged into the server console :

telnet 127.0.0.1 80

or

telnet localhost 80

Trying 0.0.0.0...
telnet: Unable to connect to remote host: Connection refused

Tells me it’s not running - because if it was running the message would be different (it would remind you that ^] will exit the session) e.g. :

Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.

And in NIX we’ve got hundreds of undocumented shortcuts / shorthand for things - e.g. “shorthand” for localhost is “0” (i.e. zero, shorthand for 0.0.0.0 which is the same/similar to 127.0.0.1) - so

telnet 0 80

If I was testing if SSH (i.e. sshd / openssh-server) was running I could just :

ssh 0

Or

telnet 0 22

If “ssh 0” doesn’t respond - then SSHD isn’t even running. Well - making the assumption clonezilla busybox has telnet client binary installed - you could always try and grab it from another similar architecture machine (e.g. I’ve pulled /usr/bin/telnet from a CentOS 7 machine and put it on a RHEL 7 machine where both are x86_64 when that RHEL machine wasn’t subscribed to RHEL repos or even internet connected).

And of course there’s always the tried and true

systemctl status sshd

I know clonezilla supports the SSH client - 'cause it can use SCP / SFTP to clone systems to a remote server - but I don’t know if it runs sshd / openssh-server (I don’t even know what distro they use).

As an aside I once had a big argument with an “alleged” Network Security officer… They deleted the telnet binary off all Linux and Windows computers because it was a security risk… NO YOU NONG! unencrypted plain text traffic on port 23 is a security risk - not the binary!

1 Like
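Added example (not part of any post in this thread): the checks suggested above, a real TCP connection instead of ping and a loopback test for the SSH service, combined into one probe that separates "refused" (reachable, service not started) from "timeout" (the silent hang seen with `nc -vz 10.0.2.15 22`). The function names and the fake listener are constructed for illustration.

```python
import errno
import socket
import threading

# What each failure outcome means for the checks discussed in the thread.
HINTS = {
    "refused": "host reachable but nothing listens there (service not started)",
    "timeout": "no reply at all: packets dropped or address not routable from here",
    "unreachable": "no route from this machine to that address",
}

def probe_tcp(host, port, timeout=3.0):
    """Try a real TCP connection and return (state, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", HINTS["refused"]
    except socket.timeout:
        return "timeout", HINTS["timeout"]
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable", HINTS["unreachable"]
        return "error", str(exc)
    with sock:
        try:
            # SSH servers send their identification string first (RFC 4253).
            banner = sock.recv(255).decode("ascii", "replace").strip()
        except OSError:
            banner = ""  # connected, but the service stayed silent
    return "open", banner

def start_fake_sshd(banner=b"SSH-2.0-OpenSSH_constructed\r\n"):
    """Constructed stand-in for sshd: one-shot loopback listener, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_tcp("127.0.0.1", start_fake_sshd()))  # loopback check, listener up
    print(probe_tcp("10.0.2.15", 22))                 # the address from the first post
```

Run inside the guest against 127.0.0.1 port 22 it answers whether the service is up; run from the host against the guest address it answers whether the network path exists.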

This is an interesting topic and it intrigued me…

So like our esteemed peer @Akito - I fired up a clonezilla instance in virtualbox

And no - by default sshd isn’t running…

ssh 0

returns “connection refused”

While still in the shell - “sudo systemctl start ssh” (it’s called “ssh” not “sshd” just to confuse things)

I’ve no idea how to “bake” that into an ISO (or a USB boot stick) - would your remote user be okay with kicking off the initial start up of ssh?

Go to “Enter_shell” and press enter.

Type “sudo systemctl start ssh” :


Then type “exit”

(I don’t know how you’d use the software within a remote SSH session - but - you can run the usual things like “dd” et cetera)

– later on –

After writing that missive above, I thought better of it - there’s little point starting ssh daemon (sshd, but called “ssh”) if your network stack isn’t running - and at that stage of the clonezilla start up process, the network’s not configured or connected (so you can “ssh 0” because only loopback is “plumbed”)…

https://clonezilla.org/show-live-doc-content.php?topic=clonezilla-live/doc/05_Preseed_options_to_do_job_after_booting

CTRL+F for “SSH”.

If this truly works, as intended, this should start up the SSH service properly, on boot-up.

If the above suggestion works as intended, all that should already be set up on boot-up. I guess, we just have to find out, if it really works, as it should.

All that said, in my experience, most of the time such problem arises not because something is turned off, but because there is some barrier/firewall/internet-connection restrictions going on, that is not visible or obvious to the user.

2 Likes

Hi Daniel, :wave:

thanks a lot for your detailed help.

It seems to respond. I tried it, was asked for the password (“live”) and it seems to have worked.
After typing “exit” I got:

logout
Connection to 0 closed

And service ssh status indeed tells me that it´s loaded, active and running.

So the problem should lie somewhere else I guess… :thinking:

Many greetings.
Rosika :slightly_smiling_face:

Hi @Akito :wave:

You´re certainly right there.
Yet switching off the firewall (ufw) on the host didn´t help either. :neutral_face:

Additional Info:

I´ve also two different VMs installed (BodhiLinux and Debian10 buster) - also making use of kvm/qemu (plus virt-manager).

I have absolutely no problem whatsoever SSH-ing into either of them. Works perfectly.

But the case with clonezilla is different as it´s a live system.

Thanks a lot and many greetings.
Rosika :slightly_smiling_face:

Perhaps it’d be advisable to ask someone from Clonezilla, if SSH may even work as expected, by letting them try it out. Or maybe that Steve from the aforementioned thread can help a bit more.

Yes, @Akito, I think you´re right. I think I´ll do just that.
Thanks for the suggestion.

If I get any new information I´ll post it here to let you know.

Many greetings.
Rosika :slightly_smiling_face:

1 Like

Hi all, :wave:

I´m glad to report that I finally managed to solve the problem.
I posted it to Clonezilla / Discussion / Clonezilla live: SSH-ing into clonezilla live in a virtual machine
where I got help and a few suggestions.

I finally could bring clonezilla live (running in a VM) to work the way I wanted. I achieved it with the help of virt-manager. :wink:

The topic seems to be NAT-related.

I first “converted” the clonezilla iso-image to an “.img” format (nothing to convert really):

cp clonezilla-live-20160210-wily-amd64.iso ./clonezilla.img

Then I created a new VM from within virt-manager using this image file.
In virt-manager NAT is the default (other options available as well but this one is correct).
When running clonezilla live this way I can perfectly ssh into it:

ssh user@192.168.122.83

is what worked for me.

When SSH-ing into my clonezilla live-VM I get:
user@wily:~$
and a command prompt on my host. :+1:

BTW: pinging the VM works as well. :wink:

So that´s it.
My next challenge will be coming to terms with commands as I naturally don´t have that semi-graphical surface clonezilla provides.

Thanks a lot for your help.

Many greetings.
Rosika :slightly_smiling_face:

1 Like
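Added example (not part of any post in this thread): why 10.0.2.15 was silent while 192.168.122.83 answers. A QEMU/KVM guest started without network options gets QEMU's user-mode network (guest range 10.0.2.0/24), which the host has no interface on, whereas the libvirt NAT network used by virt-manager gives the host a bridge on the guest's subnet. The `ip -o -4 addr show` sample, interface names and LAN address below are constructed.

```python
import ipaddress

# Constructed, trimmed sample of `ip -o -4 addr show` on a host running libvirt's
# default NAT network (interface names and the LAN address are assumptions).
SAMPLE_HOST_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: enp3s0    inet 192.168.1.20/24 brd 192.168.1.255 scope global enp3s0
3: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
"""

# Guest-side range of QEMU user-mode networking when no network option is given.
QEMU_USER_NET = ipaddress.ip_network("10.0.2.0/24")

def host_networks(ip_addr_output):
    """Parse `ip -o -4 addr show` text into [(interface, IPv4Network), ...]."""
    nets = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            cidr = fields[fields.index("inet") + 1]
            nets.append((fields[1], ipaddress.ip_interface(cidr).network))
    return nets

def on_link_interface(guest_ip, ip_addr_output):
    """Return the host interface whose subnet contains guest_ip, else None."""
    ip = ipaddress.ip_address(guest_ip)
    for ifname, net in host_networks(ip_addr_output):
        if ip in net:
            return ifname
    return None

def assess(guest_ip, ip_addr_output):
    """Say whether the host can expect to open a connection to guest_ip."""
    ifname = on_link_interface(guest_ip, ip_addr_output)
    if ifname:
        return f"{guest_ip}: on-link via {ifname}, connect directly"
    if ipaddress.ip_address(guest_ip) in QEMU_USER_NET:
        return (f"{guest_ip}: inside QEMU user-mode range {QEMU_USER_NET}, which exists "
                "only inside the emulator; the guest can reach out, the host cannot reach in")
    return f"{guest_ip}: no host interface on that subnet, traffic leaves via the default route"

if __name__ == "__main__":
    for addr in ("10.0.2.15", "192.168.122.83"):
        print(assess(addr, SAMPLE_HOST_ADDRS))
```

To check a real host, pass the actual output of `ip -o -4 addr show` in place of the constructed sample.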

That reminds me of how Virtual Box also has a similar issue. To prevent that issue, users can select “Host-Adapter” or something like that, which allows unrestricted network communication between the VM and the host.

This could be helpful for someone reading this conversation, but needing a fix for Virtual Box.

2 Likes

Thanks @Akito for the additional info.

Good to know.

Many greetings.
Rosika :slightly_smiling_face:

Yeah - NAT is also the “Default” in Virtual Box - no idea why, it’s one of the least useful options, I always have to pick “Bridged Adaptor” after I’ve created the VM…

Not sure about vmware - I mostly only know VMware via vSphere, and a VM running in an ESX environment with NAT or HOST only networking would be next to useless… I kinda prefer vmware workstation to VirtualBox, but it’s a bit of PITA on Linux (almost EVERY time there’s kernel issues of one sort or another)…

1 Like