ssh keys not being uploaded


rspa...@redhat.com

Dec 16, 2018, 6:20:01 PM
to OpenShift 4 Developer Preview
The ssh key that I pass to the installer is not being uploaded to the cluster machines. As a result the machines are unreachable by ssh.
I suspect this is not what is supposed to happen, although I haven't seen clusters built by others yet.
I have uploaded the ssh key manually to AWS; I am wondering if that could be the issue.
Please advise on how to fix this.

Pepijn Oomen

Dec 16, 2018, 6:28:44 PM
to OpenShift 4 Developer Preview
On Monday, December 17, 2018 at 12:20:01 AM UTC+1, rspa...@redhat.com wrote:

the ssh key that I pass to the installer is not being uploaded to the cluster machines. as a result the machines are unreachable by ssh.

Check the result of the YAML file generated by the "create install-config" command and make sure your public key is included. Note that the default user is "core".

rspa...@redhat.com

Dec 16, 2018, 6:40:42 PM
to OpenShift 4 Developer Preview
I have a running cluster, but no keys.
If I look into openshift_install_state.json I can see fragments like:

"*bootstrap.Bootstrap": {
    "Config": {
        "ignition": {
            "config": {},
            "security": {
                "tls": {}
            },
            "timeouts": {},
            "version": "2.2.0"
        },
        "networkd": {},
        "passwd": {
            "users": [
                {
                    "name": "core",
                    "sshAuthorizedKeys": [
                        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtty9+Qton+j31GmZGakLqlk4tPuo/MFnWI9bYKXUhxc2w0AA99mw0KbO4VTP0Y5LeEbXE0aCls13TseH2CtoFUhnDSxxWM9aW9C4vXDMfd1buTPaDJMLaKOtynzu34Hkm7P7wnArw3Yr9mWoeTgTRWg38XiyKeh9z51L/TQden7NW2znaQCav8QWZGLm0LyiJWjMif5AqPBYee/EA3cugjU7ZFpCRvpxCarjCT+3jAAV702IynYsqBf+4mD7UBG5GU7zbmYJtmXIzcgBge9vyfSKhhXvioKkT9Y4NB+qBg9dJ0LJKaU+zIzHqwF7T07i3nQwnBG885amDyRHPDAdj rspazzol\n"
                    ]
                }
            ]
        },


That is the key I configured.

When I also run openshift-install create install-config, I can see the ssh key:

sshKey: |
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtty9+Qton+j31GmZGakLqlk4tPuo/MFnWI9bYKXUhxc2w0AA99mw0KbO4VTP0Y5LeEbXE0aCls13TseH2CtoFUhnDSxxWM9aW9C4vXDMfd1buTPaDJMLaKOtynzu34Hkm7P7wnArw3Yr9mWoeTgTRWg38XiyKeh9z51L/TQden7NW2znaQCav8QWZGLm0LyiJWjMif5AqPBYee/EA3cugjU7ZFpCRvpxCarjCT+3jAAV702IynYsqBf+4mD7UBG5GU7zbmYJtmXIzcgBge9vyfSKhhXvioKkT9Y4NB+qBg9dJ0LJKaU+zIzHqwF7T07i3nQwnBG885amDyRHPDAdj rspazzol

wk...@redhat.com

Dec 16, 2018, 7:24:10 PM
to OpenShift 4 Developer Preview
If you look in the console or (equivalently) early boot logs for your machine, you should see Ignition laying down your key. You should also be able to see the key in the {role}-user-data secrets.

One misconception is that nodes will use AWS keypairs [1], but we don't do that. Laying down public keys via Ignition (and, eventually, the machine-control daemon [2]) allows us to keep the private key out of AWS and stick to cloud-agnostic approaches.

[1]: https://github.com/openshift/installer/issues/862
[2]: https://github.com/openshift/machine-config-operator/pull/115

wk...@redhat.com

Dec 16, 2018, 7:55:36 PM
to OpenShift 4 Developer Preview
Correction: despite the "key pair" naming, AWS only stores public keys [1]. So the benefits of our Ignition / machine-config daemon approach are its being cloud agnostic and avoiding the need for the update dance [2].

[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws
[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#replacing-lost-key-pair

Raffaele Spazzoli

Dec 28, 2018, 2:28:33 PM
to wk...@redhat.com, OpenShift 4 Developer Preview
wking,

I finally had time to come back to this.
I was not familiar with Ignition (and still am not), but basically, if I understand correctly, you are saying that the keys are being uploaded by Ignition and that AWS is not aware of it.
So I tried to connect like this:

rspazzol@rspazzol ~/git/openshift-externalDNS (master) $ ssh -i ~/.ssh/sshkey-gcp 18.208.135.211
Permission denied, please try again.


As you can see, I'm now being asked for a password. I assume this should not be happening.
I get the same if I try with a different user, for example:

rspazzol@rspazzol ~/git/openshift-externalDNS (master) $ ssh -i ~/.ssh/sshkey-gcp ec2-...@18.208.135.211


can you explain how this is supposed to work?

Thanks,
Raffaele


W. Trevor King

Jan 2, 2019, 1:10:26 PM
to Raffaele Spazzoli, OpenShift 4 Developer Preview
On Fri, Dec 28, 2018 at 11:28 AM Raffaele Spazzoli wrote:
> I was not familiar with ignition (still I am not), but basically if I understand correctly, you are saying that the keys are being uploaded by ignition and that AWS is not aware of it.

Yes.

> So I tried to connect like this:
>
> rspazzol@rspazzol ~/git/openshift-externalDNS (master) $ ssh -i ~/.ssh/sshkey-gcp 18.208.135.211
> rspa...@18.208.135.211's password:
> ...
>
> as you can see now I'm being asked a password. I assume this should not be happening.

We have some internal work for removing the password fallback (which
just got a public ticket [1]), which will make using the wrong SSH key
or username less confusing (you'll just be rejected instead of asked
for a password).

> I get the same if I try with a different user, for example:
>
> rspazzol@rspazzol ~/git/openshift-externalDNS (master) $ ssh -i ~/.ssh/sshkey-gcp ec2-...@18.208.135.211
> ec2-...@18.208.135.211's password:

You should be using `core` as the username. We currently only
document this for libvirt (e.g. [2]), but there's an open PR to add it
to the platform-agnostic docs [3].

Cheers,
Trevor

[1]: https://github.com/openshift/os/issues/374
[2]: https://github.com/openshift/installer/blob/v0.8.0/docs/dev/libvirt-howto.md#ssh-access
[3]: https://github.com/openshift/installer/pull/795
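An added example, not code from this thread or from the OpenShift installer, that turns the two checks given in the replies above into something you can run: parse the Ignition config (as found in openshift_install_state.json, or decoded from a {role}-user-data secret), confirm that the expected public key is listed under passwd.users for the `core` user, and build the ssh command with the `core` username and password authentication disabled on the client side, so that a wrong key is rejected outright instead of falling back to a password prompt. The sample Ignition document and the placeholder key are constructed; the assumption that the user-data secret carries the Ignition JSON base64-encoded under data.userData is mine, not something the thread states.

```python
import base64
import json

# Constructed sample in the shape of the openshift_install_state.json fragment quoted
# in this thread. The key material is a placeholder, not a real key.
PLACEHOLDER_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDERKEYMATERIAL rspazzol"

SAMPLE_IGNITION = {
    "ignition": {"version": "2.2.0"},
    "passwd": {
        "users": [
            # Ignition keeps the trailing newline the installer read from the key file.
            {"name": "core", "sshAuthorizedKeys": [PLACEHOLDER_PUBKEY + "\n"]}
        ]
    },
}


def normalize_pubkey(key: str) -> str:
    """Reduce an OpenSSH public key line to '<type> <base64>' so that the trailing
    newline Ignition keeps and the optional comment field do not affect comparison."""
    parts = key.split()
    if len(parts) < 2:
        raise ValueError(f"not an OpenSSH public key line: {key!r}")
    return f"{parts[0]} {parts[1]}"


def authorized_keys_for_user(ignition: dict, user: str = "core") -> list[str]:
    """Return the normalized keys Ignition will lay down for `user` (empty if absent)."""
    for entry in ignition.get("passwd", {}).get("users", []):
        if entry.get("name") == user:
            return [normalize_pubkey(k) for k in entry.get("sshAuthorizedKeys", [])]
    return []


def key_is_installed(ignition: dict, expected: str, user: str = "core") -> bool:
    """True if `expected` (with or without comment/newline) is authorized for `user`."""
    return normalize_pubkey(expected) in authorized_keys_for_user(ignition, user)


def diagnose(ignition: dict, expected: str, user: str = "core") -> str:
    """Explain why an ssh login as `user` with `expected` would fail, or return 'ok'."""
    users = {u.get("name", "") for u in ignition.get("passwd", {}).get("users", [])}
    if user not in users:
        return f"no Ignition user {user!r}; keys are only laid down for {sorted(users)}"
    if not key_is_installed(ignition, expected, user):
        return f"user {user!r} exists but the expected key is not in its sshAuthorizedKeys"
    return "ok"


def make_user_data_secret(ignition: dict, role: str = "master") -> dict:
    """Construct a Secret object shaped like a {role}-user-data secret.
    Assumption (not from the thread): the Ignition JSON sits base64-encoded under
    data.userData, the way `oc get secret -o json` would show it."""
    encoded = base64.b64encode(json.dumps(ignition).encode()).decode()
    return {"kind": "Secret", "metadata": {"name": f"{role}-user-data"},
            "data": {"userData": encoded}}


def ignition_from_user_data_secret(secret: dict) -> dict:
    """Decode the Ignition config back out of a secret built as above."""
    return json.loads(base64.b64decode(secret["data"]["userData"]).decode())


def ssh_command(host: str, identity: str, user: str = "core") -> list[str]:
    """Build the ssh argv: documented `core` user, only the given identity, and no
    password fallback, so a wrong key fails fast instead of prompting."""
    return ["ssh", "-i", identity,
            "-o", "IdentitiesOnly=yes",
            "-o", "PasswordAuthentication=no",
            f"{user}@{host}"]


if __name__ == "__main__":
    secret = make_user_data_secret(SAMPLE_IGNITION)
    cfg = ignition_from_user_data_secret(secret)
    print("core:    ", diagnose(cfg, PLACEHOLDER_PUBKEY))
    print("ec2-user:", diagnose(cfg, PLACEHOLDER_PUBKEY, user="ec2-user"))
    print(" ".join(ssh_command("192.0.2.10", "~/.ssh/id_rsa")))
```

With the real cluster, feed `diagnose()` the `*bootstrap.Bootstrap` Config (or a decoded user-data secret) and the contents of your public key file; the "no Ignition user" branch is exactly the situation in the `ec2-...@` attempt above, since Ignition only creates `core`.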