Ignition user_data breaks openstack VM


vincent.g...@gmail.com

Jul 25, 2017, 12:10:23 PM
to CoreOS User
Hi all,
I would like to use Container Linux on OpenStack, but I cannot inject an Ignition file in user_data without breaking the VM. I have tried with 2 different cloud providers based on OpenStack (Cloudwatt and Huawei FusionSphere) and get the same behavior.
Here is my detailed issue:

If I put this configuration in the user_data field of my OpenStack VM, I cannot log in anymore with the private SSH key; the VM asks for a password...


{
    "ignition": {
      "version": "2.0.0",
      "config": {}
    },
    "storage": {},
    "systemd": {
      "units": [
        {
          "name": "docker.service",
          "enable": true,
          "dropins": [
            {
              "name": "10-dockeropts.conf",
              "contents": "[Service]\nEnvironment=\"DOCKER_OPTS=--log-opt max-size=50m --log-opt max-file=3\"\n"
            }
          ]
        }
      ]
    },
    "networkd": {},
    "passwd": {
      "users": [
        {
          "name": "core",
          "sshAuthorizedKeys": [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuc1QbcMF+Ldmp3iUNR2okabiRYQBzO/W7laejUfrxDEQ9GUIWuC1H7EEQXeEmxG2a6laNj2XS23CPFl26aLNifC6h+4bk0zvjxgP8SMaUDw9QpNUjtyq4r66HoKgSA2AWaKdpjnT0bzSt05WmN5D8LQ93Lrri0x0HZo43pe3H1z7480euIL0P9DBrvD73uYJpdQaV5JP3N3Z8z1JaFiTUZD+5kHGyWCG90UJQ0aPKYwVbCiVFACLh4unQLopIqGvuIKYcyLz82/hxhVVzmHD6Q5uPZlnXOIplBlCWtHOolwNDIdIBryD0BTMTmQ4+jMdZxWXiges4c6dAIqtytRiL\n}"
          ]
        }
      ]
    }
  }



If I put this configuration in the user_data field, I can still log in using the SSH key provided during the VM creation but I get the following message 

Failed Units: 1
  oem-cloudinit.service

And my ignition isn't working as I can't find any docker config file corresponding to my Ignition...


{
    "ignition": {
      "version": "2.0.0",
      "config": {}
    },
    "storage": {},
    "systemd": {
      "units": [
        {
          "name": "docker.service",
          "enable": true,
          "dropins": [
            {
              "name": "10-dockeropts.conf",
              "contents": "[Service]\nEnvironment=\"DOCKER_OPTS=--log-opt max-size=50m --log-opt max-file=3\"\n"
            }
          ]
        }
      ]
    },
    "networkd": {},
    "passwd": {123}
  }


I know that Ignition support in OpenStack is beta, but lots of interesting projects like Tectonic are using Ignition and targeting OpenStack clouds...

Has anyone already made it work?

Regards


VG

Alex Crawford

Jul 25, 2017, 12:51:00 PM
to vincent.g...@gmail.com, CoreOS User
If you are able to get to a password prompt, it means that Ignition
completed. It looks like your key has some trailing characters that
don't belong: \n}


> If I put this configuration in the user_data field, I can still log in
> using the SSH key provided during the VM creation but I get the following
> message
> Failed Units: 1
> oem-cloudinit.service
>
> And my ignition isn't working as I can't find any docker config file
> corresponding to my Ignition...
>
>
> {
> "ignition": {
> "version": "2.0.0",
> "config": {}
> },
> "storage": {},
> "systemd": {
> "units": [
> {
> "name": "docker.service",
> "enable": true,
> "dropins": [
> {
> "name": "10-dockeropts.conf",
> "contents": "[Service]\nEnvironment=\"DOCKER_OPTS=--log-opt
> max-size=50m --log-opt max-file=3\"\n"
> }
> ]
> }
> ]
> },
> "networkd": {},
> "passwd": {123}
> }

This is a confusing result. Ignition is trying to parse this config and
sees that it is invalid JSON and punts on it, hoping that
coreos-cloudinit will pick it up. coreos-cloudinit also fails to parse
that config which is why you are seeing that failure. You can use the
online validator [1] to double check the config.

To further complicate the situation, you are able to log in in this case
because coreos-cloudinit reads keys from the first-available datasource
(config-drive vs the network metadata service). Ignition does not read
these locations for keys, only the userdata. After the boot,
coreos-metadata normally fetches keys for you. This isn't the case on
OpenStack because it doesn't know where to fetch the keys from. You need
to enable the service and specify where it should look (currently, only
config-drive is supported). You'll need something like the following to
enable and configure coreos-metadata:

{
  "ignition": { "version": "2.0.0" },
  "systemd": {
    "units": [{
      "name": "coreos-metadata-sshkeys@.service",
      "enable": true,
      "dropins": [{
        "name": "20-provider-override.conf",
        "contents": "[Service]\nEnvironment=COREOS_METADATA_OPT_PROVIDER=--provider=openstack-metadata"
      }]
    }]
  }
}

As I was writing this, I attempted to use CT [2], but ran into a few
issues. We'll have to clean that up a bit more before it will be useful.

That was long-winded, but I hope that helps.

-Alex

[1]: https://coreos.com/validate
[2]: https://coreos.com/os/docs/latest/provisioning.html
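
Added example (not part of the original thread, and not CoreOS code): a local pre-flight check for the two failures discussed in the reply above, user_data that is not valid JSON and an sshAuthorizedKeys entry carrying stray characters. The function names and sample inputs are constructed for illustration, and the check covers only these two cases, not the full Ignition schema.

```python
import base64
import json
import struct

def check_ssh_key(entry):
    """Return problems found in one sshAuthorizedKeys string."""
    problems = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in entry):
        problems.append("control character (such as a newline) inside the key string")
    fields = entry.split()
    if len(fields) < 2:
        return problems + ["expected '<type> <base64-blob> [comment]'"]
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (name_len,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed type
        if blob[4:4 + name_len].decode("ascii") != key_type:
            problems.append("key type inside the blob does not match the declared type")
    except (ValueError, struct.error):
        problems.append("key blob is not valid base64 / SSH wire format")
    return problems

def lint_userdata(text):
    """Return a list of findings; an empty list means the checks passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON at line {err.lineno}, column {err.colno}: {err.msg}"]
    if not isinstance(cfg, dict) or "version" not in (cfg.get("ignition") or {}):
        return ["top level must be an object with ignition.version"]
    findings = []
    for user in (cfg.get("passwd") or {}).get("users", []):
        for i, key in enumerate(user.get("sshAuthorizedKeys", [])):
            findings += [f"user {user.get('name')!r}, key {i}: {p}" for p in check_ssh_key(key)]
    return findings

# Constructed inputs (SAMPLE_BLOB is not a real key, only a well-formed type header).
SAMPLE_BLOB = base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + bytes(32)).decode()
GOOD = json.dumps({"ignition": {"version": "2.0.0"}, "passwd": {"users": [
    {"name": "core", "sshAuthorizedKeys": ["ssh-rsa " + SAMPLE_BLOB]}]}})
BAD_KEY = GOOD.replace(SAMPLE_BLOB, SAMPLE_BLOB + "\\n}")  # trailing \n} as in the first config
BAD_JSON = '{"ignition": {"version": "2.0.0"}, "passwd": {123}}'  # as in the second config

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad key", BAD_KEY), ("bad json", BAD_JSON)):
        print(name, "->", lint_userdata(doc) or "ok")
```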

vincent.g...@gmail.com

Jul 26, 2017, 3:21:11 AM
to CoreOS User, vincent.g...@gmail.com
Thanks for your answer. To be precise, I am using the Tectonic-installer project, which uses Terraform to generate the ignitions.
So if I understand correctly, I had to modify the SSH key output to remove the "\n" and add the metadata service configuration. In the end, I get the same issue with the following Ignition:

{
    "ignition": {
      "version": "2.0.0",
      "config": {}
    },
    "storage": {
      "files": [
        {
          "filesystem": "root",
          "path": "/etc/kubernetes/kubeconfig",
          "contents": {
            "source": "data:text/plain;charset=utf-8;base64,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",
            "verification": {}
          },
          "mode": 420,
          "user": {},
          "group": {}
        },
        {
          "filesystem": "root",
          "path": "/etc/kubernetes/kubelet.env",
          "contents": {
            "source": "data:text/plain;charset=utf-8;base64,S1VCRUxFVF9JTUFHRV9VUkw9cXVheS5pby9jb3Jlb3MvaHlwZXJrdWJlCktVQkVMRVRfSU1BR0VfVEFHPSJ2MS43LjFfY29yZW9zLjAiCg==",
            "verification": {}
          },
          "mode": 420,
          "user": {},
          "group": {}
        },
        {
          "filesystem": "root",
          "path": "/etc/sysctl.d/max-user-watches.conf",
          "contents": {
            "source": "data:text/plain;charset=utf-8;base64,ZnMuaW5vdGlmeS5tYXhfdXNlcl93YXRjaGVzPTE2MTg0",
            "verification": {}
          },
          "mode": 420,
          "user": {},
          "group": {}
        },
        {
          "filesystem": "root",
          "path": "/etc/resolv.conf",
          "contents": {
            "source": "data:text/plain;charset=utf-8;base64,c2VhcmNoIGNsdXN0ZXIubG9jYWwKbmFtZXNlcnZlciA4LjguOC44Cm5hbWVzZXJ2ZXIgOC44LjQuNAo=",
            "verification": {}
          },
          "mode": 420,
          "user": {},
          "group": {}
        },
        {
          "filesystem": "root",
          "path": "/etc/hostname",
          "contents": {
            "source": "data:text/plain;charset=utf-8;base64,dGVzdC1tYXN0ZXItMA==",
            "verification": {}
          },
          "mode": 420,
          "user": {},
          "group": {}
        }
      ]
    },
    "systemd": {
      "units": [
        {
          "name": "docker.service",
          "enable": true,
          "dropins": [
            {
              "name": "10-dockeropts.conf",
              "contents": "[Service]\nEnvironment=\"DOCKER_OPTS=--log-opt max-size=50m --log-opt max-file=3\"\n"
            }
          ]
        },
        {
          "name": "coreos-metadata-sshkeys@.service",
          "enable": true,
          "dropins": [
            {
              "name": "20-provider-override.conf",
              "contents": "[Service]\nEnvironment=COREOS_METADATA_OPT_PROVIDER=--provider=openstack-metadata"
            }
          ]
        },
        {
          "name": "locksmithd.service",
          "enable": true,
          "mask": true
        },
        {
          "name": "kubelet.service",
          "enable": true,
          "contents": "[Unit]\nDescription=Kubelet via Hyperkube ACI\n\n[Service]\nEnvironment=\"RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \\\n  --volume=resolv,kind=host,source=/etc/resolv.conf \\\n  --mount volume=resolv,target=/etc/resolv.conf \\\n  --volume var-lib-cni,kind=host,source=/var/lib/cni \\\n  --mount volume=var-lib-cni,target=/var/lib/cni \\\n  --volume var-log,kind=host,source=/var/log \\\n  --mount volume=var-log,target=/var/log\"\nEnvironmentFile=/etc/kubernetes/kubelet.env\nExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /srv/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /etc/kubernetes/checkpoint-secrets\nExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d\nExecStartPre=/bin/mkdir -p /var/lib/cni\nExecStartPre=/usr/bin/bash -c \"grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d \u003e /etc/kubernetes/ca.crt\"\nExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid\nExecStart=/usr/lib/coreos/kubelet-wrapper \\\n  --kubeconfig=/etc/kubernetes/kubeconfig \\\n  --require-kubeconfig \\\n  --cni-conf-dir=/etc/kubernetes/cni/net.d \\\n  --network-plugin=cni \\\n  --lock-file=/var/run/lock/kubelet.lock \\\n  --exit-on-lock-contention \\\n  --pod-manifest-path=/etc/kubernetes/manifests \\\n  --allow-privileged \\\n  --node-labels=node-role.kubernetes.io/master \\\n  --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \\\n   \\\n  --minimum-container-ttl-duration=6m0s \\\n  --cluster_dns=10.3.0.10 \\\n  --cluster_domain=cluster.local \\\n  --client-ca-file=/etc/kubernetes/ca.crt \\\n  --anonymous-auth=false\nExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid\nRestart=always\nRestartSec=10\n\n[Install]\nWantedBy=multi-user.target\n"
        },
        {
          "name": "bootkube.service",
          "enable": true,
          "contents": "[Unit]\nDescription=Bootstrap a Kubernetes cluster\nConditionPathExists=!/opt/tectonic/init_bootkube.done\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nWorkingDirectory=/opt/tectonic\n\nUser=root\nGroup=root\n\nExecStart=/usr/bin/bash /opt/tectonic/bootkube.sh\nExecStartPost=/bin/touch /opt/tectonic/init_bootkube.done\n\n[Install]\nWantedBy=multi-user.target"
        },
        {
          "name": "tectonic.service",
          "contents": "[Unit]\nDescription=Bootstrap a Tectonic cluster\nConditionPathExists=!/opt/tectonic/init_tectonic.done\nRequires=bootkube.service\nAfter=bootkube.service\n\n[Service]\nType=oneshot\nRemainAfterExit=true\nWorkingDirectory=/opt/tectonic\n\nUser=root\nGroup=root\n\nExecStart=/usr/bin/bash /opt/tectonic/tectonic-rkt.sh\nExecStartPost=/bin/touch /opt/tectonic/init_tectonic.done\n\n[Install]\nWantedBy=multi-user.target"
        }
      ]
    },
    "networkd": {},
    "passwd": {
      "users": [
        {
          "name": "core",
          "sshAuthorizedKeys": [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCthodDkQwDCzf1FZS+KgfSehk/goF9xuo6erh7AJCxWeW89TBWMhccrrbNpaB6WC/V7UEr3DsdOzfQ9SC6R21aj2iZ4P3XmCOIcW21xKqavc0k+Jp2Jyg+/m68b/6tMhfnSDvM0gKplE6MV6wF7/x6LfGomJR2yuG1VKCWhHMkkZF7IDp3QGLAw/lmTbY7LTb778v9yRWKxKjrC5ZVfzkgLVAeIgH5Vv1PkYXudOtg7peyXY+GjxwjUYWuJMwdTKNeQLeZQItR7hgWSdddrQTlBoRpwTLrk9DQtRVkWKdXQIhYLbV7wTz5HQekGHlYfniCHdWmIhvnUQsQKmvlwid3"
          ]
        }
      ]
    }
  }


This is a valid Ignition from the validator's perspective.
Do you have any other leads?

vincent.g...@gmail.com

Aug 2, 2017, 12:19:17 PM
to CoreOS User, vincent.g...@gmail.com
Has anyone already succeeded in using Ignition on OpenStack?

Alex Crawford

Aug 7, 2017, 8:40:02 PM
to vincent.g...@gmail.com, CoreOS User
On 07/26, vincent.g...@gmail.com wrote:
> Thanks for your answer. To be precise, I am using the Tectonic-installer project,
> which uses Terraform to generate the ignitions.
> So if I understand correctly, I had to modify the SSH key output to remove the
> "\n" and add the metadata service configuration. In the end, I get the same
> issue with the following Ignition:

FYI, that config has your kubeconfig secrets in it. You won't want to
use those in production now. I'm sure you're aware, but I just wanted to
remind you.

> This is a valid Ignition from the validator's perspective.
> Do you have any other leads?

That looked fine to me. Can you try adding the `coreos.autologin` kernel
parameter so you can log in (you will need console access) and look
around? I'm curious to see the Ignition logs as well as a listing of
`.ssh/authorized_keys.d`.

-Alex
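
Added example (not part of the original thread): one way to strip credential-bearing inline files from an Ignition 2.0.0 config before pasting it into a public list, following the reminder above about kubeconfig secrets. The marker list, function names and sample config are assumptions made for illustration; the sample key material is fake.

```python
import base64
import copy
from urllib.parse import unquote_to_bytes

# Strings that suggest credentials in a decoded file (kubeconfig fields, PEM keys).
MARKERS = (b"client-key-data", b"client-certificate-data", b"token:", b"PRIVATE KEY")

def decode_data_url(src):
    """Decode the payload of a data: URL (base64 or percent-encoded)."""
    header, _, payload = src.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload, validate=True)
    return unquote_to_bytes(payload)

def redact_secrets(cfg):
    """Return (copy of cfg with secret-bearing files redacted, [(path, reasons)])."""
    out = copy.deepcopy(cfg)
    hits = []
    for entry in (out.get("storage") or {}).get("files", []):
        contents = entry.get("contents") or {}
        src = contents.get("source", "")
        if not src.startswith("data:"):
            continue
        try:
            body = decode_data_url(src)
            reasons = [m.decode() for m in MARKERS if m in body]
        except ValueError:
            reasons = ["undecodable payload"]  # cannot inspect it, so do not publish it
        if reasons:
            contents["source"] = "data:,REDACTED"
            hits.append((entry.get("path"), reasons))
    return out, hits

def _b64_url(data):
    return "data:text/plain;charset=utf-8;base64," + base64.b64encode(data).decode()

# Constructed sample in the shape of the config posted earlier in the thread.
SAMPLE = {"ignition": {"version": "2.0.0"}, "storage": {"files": [
    {"filesystem": "root", "path": "/etc/kubernetes/kubeconfig",
     "contents": {"source": _b64_url(b"users:\n- user:\n    client-key-data: Q09OU1RSVUNURUQ=\n")}},
    {"filesystem": "root", "path": "/etc/hostname",
     "contents": {"source": _b64_url(b"test-master-0")}}]}}

if __name__ == "__main__":
    print(redact_secrets(SAMPLE)[1])
```

Redaction only protects the copy being shared; credentials that have already been posted still need to be rotated.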