Configuring SSH access to virtual machines

You can configure SSH access to virtual machines (VMs) by using the following methods:

virtctl ssh command

You create an SSH key pair, add the public key to a VM, and connect to the VM by running the virtctl ssh command with the private key.

You can add public SSH keys to Red Hat Enterprise Linux (RHEL) 9 VMs at runtime or at first boot to VMs with guest operating systems that can be configured by using a cloud-init data source.
virtctl port-forward command

You add the virtctl port-foward command to your .ssh/config file and connect to the VM by using OpenSSH.
Service

You create a service, associate the service with the VM, and connect to the IP address and port exposed by the service.
Secondary network

You configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address.

Access configuration considerations

Each method for configuring access to a virtual machine (VM) has advantages and limitations, depending on the traffic load and client requirements.

Note

Services provide excellent performance and are recommended for applications that are accessed from outside the cluster.

If the internal cluster network cannot handle the traffic load, you can configure a secondary network.

virtctl ssh and virtctl port-forwarding commands

Simple to configure.
Recommended for troubleshooting VMs.
virtctl port-forwarding recommended for automated configuration of VMs with Ansible.
Dynamic public SSH keys can be used to provision VMs with Ansible.
Not recommended for high-traffic applications like Rsync or Remote Desktop Protocol because of the burden on the API server.
The API server must be able to handle the traffic load.
The clients must be able to access the API server.
The clients must have access credentials for the cluster.

Cluster IP service

The internal cluster network must be able to handle the traffic load.
The clients must be able to access an internal cluster IP address.

Node port service

The internal cluster network must be able to handle the traffic load.
The clients must be able to access at least one node.

Load balancer service

A load balancer must be configured.
Each node must be able to handle the traffic load of one or more load balancer services.

Secondary network

Excellent performance because traffic does not go through the internal cluster network.
Allows a flexible approach to network topology.
Guest operating system must be configured with appropriate security because the VM is exposed directly to the secondary network. If a VM is compromised, an intruder could gain access to the secondary network.

Using virtctl ssh

You can add a public SSH key to a virtual machine (VM) and connect to the VM by running the virtctl ssh command.

This method is simple to configure. However, it is not recommended for high traffic loads because it places a burden on the API server.

About static and dynamic SSH key management

You can add public SSH keys to virtual machines (VMs) statically at first boot or dynamically at runtime.

Note

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

You can add a statically managed SSH key to a VM with a guest operating system that supports configuration by using a cloud-init data source. The key is added to the virtual machine (VM) at first boot.

You can add the key by using one of the following methods:

Add a key to a single VM when you create it by using the web console or the command line.
Add a key to a project by using the web console. Afterwards, the key is automatically added to the VMs that you create in this project.

Use cases:

As a VM owner, you can provision all your newly created VMs with a single key.

Dynamic SSH key management

You can enable dynamic SSH key management for a VM with Red Hat Enterprise Linux (RHEL) 9 installed. Afterwards, you can update the key during runtime. The key is added by the QEMU guest agent, which is installed with Red Hat boot sources.

When dynamic key management is disabled, the default key management setting of a VM is determined by the image used for the VM.

Use cases:

Granting or revoking access to VMs: As a cluster administrator, you can grant or revoke remote VM access by adding or removing the keys of individual users from a Secret object that is applied to all VMs in a namespace.
User access: You can add your access credentials to all VMs that you create and manage.
Ansible provisioning:
- As an operations team member, you can create a single secret that contains all the keys used for Ansible provisioning.
- As a VM owner, you can create a VM and attach the keys used for Ansible provisioning.
Key rotation:
- As a cluster administrator, you can rotate the Ansible provisioner keys used by VMs in a namespace.
- As a workload owner, you can rotate the key for the VMs that you manage.

Static key management

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the OpenShift Container Platform web console or the command line. The key is added as a cloud-init data source when the VM boots for the first time.

You can also add a public SSH key to a project when you create a VM by using the web console. The key is saved as a secret and is added automatically to all VMs that you create.

Note

If you add a secret to a project and then delete the VM, the secret is retained because it is a namespace resource. You must delete the secret manually.

Adding a key when creating a VM from a template

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the OpenShift Container Platform web console. The key is added to the VM as a cloud-init data source at first boot. This method does not affect cloud-init user data.

Optional: You can add a key to a project. Afterwards, this key is added automatically to VMs that you create in the project.

Prerequisites

You generated an SSH key pair by running the ssh-keygen command.

Procedure

Navigate to Virtualization → Catalog in the web console.
Click a template tile.

The guest operating system must support configuration from a cloud-init data source.
Click Customize VirtualMachine.
Click Next.
Click the Scripts tab.
If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:
- Use existing: Select a secret from the secrets list.
- Add new:
  1. Browse to the SSH key file or paste the file in the key field.
  2. Enter the secret name.
  3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.
Click Save.
Click Create VirtualMachine.

The VirtualMachine details page displays the progress of the VM creation.

Verification

Click the Scripts tab on the Configuration tab.

The secret name is displayed in the Authorized SSH key section.

Creating a VM from an instance type by using the web console

You can add a statically managed SSH key when you create a virtual machine (VM) from an instance type by using the OpenShift Container Platform web console. The key is added to the VM as a cloud-init data source at first boot. This method does not affect cloud-init user data.

Procedure

In the web console, navigate to Virtualization → Catalog.

The InstanceTypes tab opens by default.

Note

When configuring a downward-metrics device on an IBM Z® system that uses a VM preference, set the spec.preference.name value to rhel.9.s390x or another available preference with the format *.s390x.
Heterogeneous clusters only: To filter the bootable volumes using the options provided, click Architecture.
Select either of the following options:
- Select a suitable bootable volume from the list. If the list is truncated, click the Show all button to display the entire list.
  
  Note
  
  The bootable volume table lists only those volumes in the openshift-virtualization-os-images namespace that have the instancetype.kubevirt.io/default-preference label.
  - Optional: Click the star icon to designate a bootable volume as a favorite. Starred bootable volumes appear first in the volume list.
- Click Add volume to upload a new volume or to use an existing persistent volume claim (PVC), a volume snapshot, or a containerDisk volume. Click Save.
  
  Logos of operating systems that are not available in the cluster are shown at the bottom of the list. You can add a volume for the required operating system by clicking the Add volume link.
  
  In addition, there is a link to the Create a Windows bootable volume quick start. The same link appears in a popover if you hover the pointer over the question mark icon next to the Select volume to boot from line.
  
  Immediately after you install the environment or when the environment is disconnected, the list of volumes to boot from is empty. In that case, three operating system logos are displayed: Windows, RHEL, and Linux. You can add a new volume that meets your requirements by clicking the Add volume button.
  1. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key in the VirtualMachine details section.
  2. Select one of the following options:
    
    Use existing: Select a secret from the secrets list.
    
    Add new: Follow these steps:
    
    Browse to the public SSH key file or paste the file in the key field.
    
    Enter the secret name.
    
    Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.
  3. Click Save.
Optional: If you are creating a Windows VM, you can mount a Windows driver disk:
1. Click the Customize VirtualMachine button.
2. On the VirtualMachine details page, click Storage.
3. Select the Mount Windows drivers disk checkbox.
Optional: Click View YAML & CLI to view the YAML file. Click CLI to view the CLI commands. You can also download or copy either the YAML file contents or the CLI commands.
Click Create VirtualMachine.

Result

After the VM is created, you can monitor the status on the VirtualMachine details page.

Adding a key when creating a VM by using the CLI

You can add a statically managed public SSH key when you create a virtual machine (VM) by using the command line. The key is added to the VM at first boot.

The key is added to the VM as a cloud-init data source. This method separates the access credentials from the application data in the cloud-init user data. This method does not affect cloud-init user data.

Prerequisites

You generated an SSH key pair by running the ssh-keygen command.
You have installed the OpenShift CLI (oc).

Procedure

Create a manifest file for a VirtualMachine object and a Secret object.

Example manifest:

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: example-vm
  namespace: example-namespace
spec:
  dataVolumeTemplates:
    - metadata:
        name: example-vm-volume
      spec:
        sourceRef:
          kind: DataSource
          name: rhel9
          namespace: openshift-virtualization-os-images
        storage:
          resources: {}
  instancetype:
    name: u1.medium
  preference:
    name: rhel.9
  runStrategy: Always
  template:
    spec:
      domain:
        devices: {}
      volumes:
        - dataVolume:
            name: example-vm-volume
          name: rootdisk
        - cloudInitNoCloud: 
            userData: |-
              #cloud-config
              user: cloud-user
          name: cloudinitdisk
      accessCredentials:
        - sshPublicKey:
            propagationMethod:
              noCloud: {}
            source:
              secret:
                secretName: authorized-keys 
---
apiVersion: v1
kind: Secret
metadata:
  name: authorized-keys
data:
  key: c3NoLXJzYSB...

Specify the cloudInitNoCloud data source.
Specify the Secret object name.
Paste the public SSH key.

Create the VirtualMachine and Secret objects by running the following command:
```
$ oc create -f <manifest_file>.yaml
```

Start the VM by running the following command:

$ virtctl start vm example-vm -n example-namespace

Verification

Get the VM configuration:

$ oc describe vm example-vm -n example-namespace

Example output:

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: example-vm
  namespace: example-namespace
spec:
  template:
    spec:
      accessCredentials:
        - sshPublicKey:
            propagationMethod:
              noCloud: {}
            source:
              secret:
                secretName: authorized-keys
# ...

Dynamic key management

You can enable dynamic key injection for a virtual machine (VM) by using the OpenShift Container Platform web console or the command line. Then, you can update the key at runtime.

Note

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

If you disable dynamic key injection, the VM inherits the key management method of the image from which it was created.

Enabling dynamic key injection when creating a VM from a template

You can enable dynamic public SSH key injection when you create a virtual machine (VM) from a template by using the OpenShift Container Platform web console. Then, you can update the key at runtime.

Note

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

The key is added to the VM by the QEMU guest agent, which is installed with RHEL 9.

Prerequisites

You generated an SSH key pair by running the ssh-keygen command.

Procedure

Navigate to Virtualization → Catalog in the web console.
Click the Red Hat Enterprise Linux 9 VM tile.
Click Customize VirtualMachine.
Click Next.
Click the Scripts tab.
If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:
- Use existing: Select a secret from the secrets list.
- Add new:
  1. Browse to the SSH key file or paste the file in the key field.
  2. Enter the secret name.
  3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.
Set Dynamic SSH key injection to on.
Click Save.
Click Create VirtualMachine.

The VirtualMachine details page displays the progress of the VM creation.

Verification

Click the Scripts tab on the Configuration tab.

The secret name is displayed in the Authorized SSH key section.

Creating a VM from an instance type by using the web console

You can enable dynamic SSH key injection when you create a virtual machine (VM) from an instance type by using the OpenShift Container Platform web console. Then, you can add or revoke the key at runtime.

Note

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

The key is added to the VM by the QEMU guest agent, which is installed with RHEL 9.

Procedure

In the web console, navigate to Virtualization → Catalog.

The InstanceTypes tab opens by default.

Note

When configuring a downward-metrics device on an IBM Z® system that uses a VM preference, set the spec.preference.name value to rhel.9.s390x or another available preference with the format *.s390x.
Heterogeneous clusters only: To filter the bootable volumes using the options provided, click Architecture.
Select either of the following options:
- Select a suitable bootable volume from the list. If the list is truncated, click the Show all button to display the entire list.
  
  Note
  
  The bootable volume table lists only those volumes in the openshift-virtualization-os-images namespace that have the instancetype.kubevirt.io/default-preference label.
  - Optional: Click the star icon to designate a bootable volume as a favorite. Starred bootable volumes appear first in the volume list.
- Click Add volume to upload a new volume or to use an existing persistent volume claim (PVC), a volume snapshot, or a containerDisk volume. Click Save.
  
  Logos of operating systems that are not available in the cluster are shown at the bottom of the list. You can add a volume for the required operating system by clicking the Add volume link.
  
  In addition, there is a link to the Create a Windows bootable volume quick start. The same link appears in a popover if you hover the pointer over the question mark icon next to the Select volume to boot from line.
  
  Immediately after you install the environment or when the environment is disconnected, the list of volumes to boot from is empty. In that case, three operating system logos are displayed: Windows, RHEL, and Linux. You can add a new volume that meets your requirements by clicking the Add volume button.
Click the Red Hat Enterprise Linux 9 VM tile.
1. If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key in the VirtualMachine details section.
2. Select one of the following options:
  Use existing: Select a secret from the secrets list.
  
  Add new: Follow these steps:
  
  Browse to the public SSH key file or paste the file in the key field.
  
  Enter the secret name.
  
  Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.
3. Click Save.
Set Dynamic SSH key injection in the VirtualMachine details section to on.
Optional: If you are creating a Windows VM, you can mount a Windows driver disk:
1. Click the Customize VirtualMachine button.
2. On the VirtualMachine details page, click Storage.
3. Select the Mount Windows drivers disk checkbox.
Optional: Click View YAML & CLI to view the YAML file. Click CLI to view the CLI commands. You can also download or copy either the YAML file contents or the CLI commands.
Click Create VirtualMachine.

Result

After the VM is created, you can monitor the status on the VirtualMachine details page.

Enabling dynamic SSH key injection by using the web console

You can enable dynamic key injection for a virtual machine (VM) by using the OpenShift Container Platform web console. Then, you can update the public SSH key at runtime.

The key is added to the VM by the QEMU guest agent, which is installed with Red Hat Enterprise Linux (RHEL) 9.

Prerequisites

The guest operating system is RHEL 9.

Procedure

Navigate to Virtualization → VirtualMachines in the web console.
Select a VM to open the VirtualMachine details page.
On the Configuration tab, click Scripts.
If you have not already added a public SSH key to your project, click the edit icon beside Authorized SSH key and select one of the following options:
- Use existing: Select a secret from the secrets list.
- Add new:
  1. Browse to the SSH key file or paste the file in the key field.
  2. Enter the secret name.
  3. Optional: Select Automatically apply this key to any new VirtualMachine you create in this project.
Set Dynamic SSH key injection to on.
Click Save.

Enabling dynamic key injection by using the CLI

You can enable dynamic key injection for a virtual machine (VM) by using the command line. Then, you can update the public SSH key at runtime.

Note

Only Red Hat Enterprise Linux (RHEL) 9 supports dynamic key injection.

The key is added to the VM by the QEMU guest agent, which is installed automatically with RHEL 9.

Prerequisites

You generated an SSH key pair by running the ssh-keygen command.
You have installed the OpenShift CLI (oc).

Procedure

Create a manifest file for a VirtualMachine object and a Secret object.

Example manifest:

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: example-vm
  namespace: example-namespace
spec:
  dataVolumeTemplates:
    - metadata:
        name: example-vm-volume
      spec:
        sourceRef:
          kind: DataSource
          name: rhel9
          namespace: openshift-virtualization-os-images
        storage:
          resources: {}
  instancetype:
    name: u1.medium
  preference:
    name: rhel.9
  runStrategy: Always
  template:
    spec:
      domain:
        devices: {}
      volumes:
        - dataVolume:
            name: example-vm-volume
          name: rootdisk
        - cloudInitNoCloud: 
            userData: |-
              #cloud-config
              runcmd:
              - [ setsebool, -P, virt_qemu_ga_manage_ssh, on ]
          name: cloudinitdisk
      accessCredentials:
        - sshPublicKey:
            propagationMethod:
              qemuGuestAgent:
                users: ["cloud-user"]
            source:
              secret:
                secretName: authorized-keys 
---
apiVersion: v1
kind: Secret
metadata:
  name: authorized-keys
data:
  key: c3NoLXJzYSB...

Specify the cloudInitNoCloud data source.
Specify the Secret object name.
Paste the public SSH key.

Create the VirtualMachine and Secret objects by running the following command:
```
$ oc create -f <manifest_file>.yaml
```

Start the VM by running the following command:

$ virtctl start vm example-vm -n example-namespace

Verification

Get the VM configuration:

$ oc describe vm example-vm -n example-namespace

Example output:

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: example-vm
  namespace: example-namespace
spec:
  template:
    spec:
      accessCredentials:
        - sshPublicKey:
            propagationMethod:
              qemuGuestAgent:
                users: ["cloud-user"]
            source:
              secret:
                secretName: authorized-keys
# ...

Using the virtctl ssh command

You can use the virtctl ssh command to access a running virtual machine instance (VMI). The command accepts VM or VMI targets.

Prerequisites

You installed the virtctl command-line tool.
You added a public SSH key to the VM.
You have an SSH client installed.
The environment where you installed the virtctl tool has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure

Run the virtctl ssh command:

$ virtctl -n <namespace> ssh <username>@vm/<vm_name> -i <ssh_key>

You must specify the resource type (vmi/ or vm/) before the VM name.

For example:

$ virtctl -n my-namespace ssh cloud-user@vm/example-vm -i my-key

Tip

You can copy the virtctl ssh command in the web console by selecting Copy SSH command from the options kebab menu beside a VM on the VirtualMachines page.

Alternatively, right-click the VM in the tree view and select Copy SSH command from the pop-up menu to copy the virtctl ssh command.

Using the virtctl port-forward command

You can access a running virtual machine (VM) by using a local OpenSSH client and the virtctl port-forward command. You can use this method with Ansible to automate the configuration of VMs.

This method is recommended for low-traffic applications because port-forwarding traffic is sent over the control plane. This method is not recommended for high-traffic applications such as Rsync or Remote Desktop Protocol because it places a heavy burden on the API server.

Prerequisites

You have OpenSSH installed.
You installed the virtctl command-line tool.
The environment where you installed virtctl has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure

Add the following text to the ~/.ssh/config file on your client machine:
```
Host vm/*
  ProxyCommand virtctl port-forward --stdio=true %h %p
```
Connect to the VM by running the following command:
```
$ ssh <user>@vm/<vm_name>.<namespace>
```

Using a service for SSH access

You can create a service for a virtual machine (VM) and connect to the IP address and port exposed by the service.

Note

Services provide excellent performance and are recommended for applications that are accessed from outside the cluster or within the cluster. Ingress traffic is protected by firewalls.

If the cluster network cannot handle the traffic load, consider using a secondary network for VM access.

About services

A Kubernetes service exposes network access for clients to an application running on a set of pods. Services offer abstraction, load balancing, and, in the case of the NodePort and LoadBalancer types, exposure to the outside world.

ClusterIP: Exposes the service on an internal IP address and as a DNS name to other applications within the cluster. A single service can map to multiple virtual machines. When a client tries to connect to the service, the client’s request is load balanced among available backends. ClusterIP is the default service type.
NodePort: Exposes the service on the same port of each selected node in the cluster. NodePort makes a port accessible from outside the cluster, as long as the node itself is externally accessible to the client.
LoadBalancer: Creates an external load balancer in the current cloud (if supported) and assigns a fixed, external IP address to the service.

Note

For on-premise clusters, you can configure a load-balancing service by deploying the MetalLB Operator.

Creating a service

You can create a service to expose a virtual machine (VM) by using the OpenShift Container Platform web console, virtctl command-line tool, or a YAML file.

Enabling load balancer service creation by using the web console

You can enable the creation of load balancer services for a virtual machine (VM) by using the OpenShift Container Platform web console.

Prerequisites

You have configured a load balancer for the cluster.
You have logged in as a user with the cluster-admin role.
You created a network attachment definition for the network.

Procedure

Go to Virtualization → Overview.
On the Settings tab, click Cluster.
Expand General settings and SSH configuration.
Set SSH over LoadBalancer service to on.

Creating a service by using the web console

You can create a node port or load balancer service for a virtual machine (VM) by using the OpenShift Container Platform web console.

Prerequisites

You configured the cluster network to support either a load balancer or a node port.
To create a load balancer service, you enabled the creation of load balancer services.

Procedure

Navigate to VirtualMachines and select a virtual machine to view the VirtualMachine details page.
On the Details tab, select SSH over LoadBalancer from the SSH service type list.
Optional: Click the copy icon to copy the SSH command to your clipboard.

Verification

Check the Services pane on the Details tab to view the new service.

Creating a service by using virtctl

You can create a service for a virtual machine (VM) by using the virtctl command-line tool.

Prerequisites

You installed the virtctl command-line tool.
You configured the cluster network to support the service.
The environment where you installed virtctl has the cluster permissions required to access the VM. For example, you ran oc login or you set the KUBECONFIG environment variable.

Procedure

Create a service by running the following command:

$ virtctl expose vm <vm_name> --name <service_name> --type <service_type> --port <port>

Specify the ClusterIP, NodePort, or LoadBalancer service type.

Example:

$ virtctl expose vm example-vm --name example-service --type NodePort --port 22

Verification

Verify the service by running the following command:
```
$ oc get service
```

Next steps

After you create a service with virtctl, you must add special: key to the spec.template.metadata.labels stanza of the VirtualMachine manifest. See Creating a service by using the command line.

Creating a service by using the CLI

You can create a service and associate it with a virtual machine (VM) by using the command line.

Prerequisites

You configured the cluster network to support the service.
You have installed the OpenShift CLI (oc).

Procedure

Edit the VirtualMachine manifest to add the label for service creation:
```
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: example-vm
  namespace: example-namespace
spec:
  runStrategy: Halted
  template:
    metadata:
      labels:
        special: key 
# ...
```
1. Add special: key to the spec.template.metadata.labels stanza.
  Note
  
  Labels on a virtual machine are passed through to the pod. The special: key label must match the label in the spec.selector attribute of the Service manifest.
Save the VirtualMachine manifest file to apply your changes.
Create a Service manifest to expose the VM:
```
apiVersion: v1
kind: Service
metadata:
  name: example-service
  namespace: example-namespace
spec:
# ...
  selector:
    special: key 
  type: NodePort 
  ports: 
    protocol: TCP
    port: 80
    targetPort: 9376
    nodePort: 30000
```
1. Specify the label that you added to the spec.template.metadata.labels stanza of the VirtualMachine manifest.
2. Specify ClusterIP, NodePort, or LoadBalancer.
3. Specifies a collection of network ports and protocols that you want to expose from the virtual machine.
Save the Service manifest file.
Create the service by running the following command:
```
$ oc create -f example-service.yaml
```
Restart the VM to apply the changes.

Verification

Query the Service object to verify that it is available:
```
$ oc get service -n example-namespace
```

Connecting to a VM exposed by a service by using SSH

You can connect to a virtual machine (VM) that is exposed by a service by using SSH.

Prerequisites

You created a service to expose the VM.
You have an SSH client installed.
You are logged in to the cluster.

Procedure

Run the following command to access the VM:
```
$ ssh <user_name>@<ip_address> -p <port> 
```
1. Specify the cluster IP for a cluster IP service, the node IP for a node port service, or the external IP address for a load balancer service.

Using a secondary network for SSH access

You can configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address by using SSH.

Important

Secondary networks provide excellent performance because the traffic is not handled by the cluster network stack. However, the VMs are exposed directly to the secondary network and are not protected by firewalls. If a VM is compromised, an intruder could gain access to the secondary network. You must configure appropriate security within the operating system of the VM if you use this method.

See the Multus and SR-IOV documentation in the OpenShift Virtualization Tuning & Scaling Guide for additional information about networking options.

Prerequisites

You configured a secondary network such as Linux bridge or SR-IOV.
You created a network attachment definition for a Linux bridge network or the SR-IOV Network Operator created a network attachment definition when you created an SriovNetwork object.

Configuring a VM network interface by using the web console

You can configure a network interface for a virtual machine (VM) by using the OpenShift Container Platform web console.

Prerequisites

You created a network attachment definition for the network.

Procedure

Navigate to Virtualization → VirtualMachines.
Click a VM to view the VirtualMachine details page.
On the Configuration tab, click the Network interfaces tab.
Click Add network interface.
Enter the interface name and select the network attachment definition from the Network list.
Click Save.
Restart or live migrate the VM to apply the changes.

Connecting to a VM attached to a secondary network by using SSH

You can connect to a virtual machine (VM) attached to a secondary network by using SSH.

Prerequisites

You attached a VM to a secondary network with a DHCP server.
You have an SSH client installed.
You have installed the OpenShift CLI (oc).

Procedure

Obtain the IP address of the VM by running the following command:

$ oc describe vm <vm_name> -n <namespace>

Example output:

# ...
Interfaces:
  Interface Name:  eth0
  Ip Address:      10.244.0.37/24
  Ip Addresses:
    10.244.0.37/24
    fe80::858:aff:fef4:25/64
  Mac:             0a:58:0a:f4:00:25
  Name:            default
# ...

Connect to the VM by running the following command:

$ ssh <user_name>@<ip_address> -i <ssh_key>

Example:

$ ssh cloud-user@10.244.0.37 -i ~/.ssh/id_rsa_cloud-user

Note

You can also access a VM attached to a secondary network interface by using the cluster FQDN.