CentOS template in Cloudstack

David Curran

Sep 19, 2017, 7:26:53 AM
to Packer
I'm trying to build CentOS templates in CloudStack using Packer.

Below is a config.json that works for Ubuntu using temporary keys:


"builders": [{
  "type": "cloudstack",
  "communicator": "ssh",
  "ssh_username": "{{user `ssh_username`}}",
  "ssh_handshake_attempts": 2,
  "ssh_password": "",

  "api_url": "{{user `api_url`}}",
  "api_key": "{{user `api_key`}}",
  "network": "{{user `network`}}",
  "secret_key": "{{user `secret_key`}}",
  "service_offering": "{{user `service_offering`}}",
  "source_template": "{{user `source_template`}}",
  "template_os": "{{user `template_os`}}",
  "zone": "{{user `zone`}}",
  "expunge": true,
  "public_ip_address": "{{user `public_ip`}}",

  "template_name": "{{user `template_name`}}-{{isotime \"020106-0304\"}}",
  "template_password_enabled": true,
  "template_scalable": true

}],

The part that is failing is SSH on to the newly built VM.


"handshake error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"

I am able to log in to the machine with the password generated by CloudStack (passwordenabled = true) but not with the generated key. When I log in with the password I can't see any .ssh/ directory and therefore the temporary public key isn't in the correct authorized_keys file.

That explains why SSH fails: it is trying public key auth but can't do it.

However, when using the winrm communicator with Windows VMs, if winrm_password is left blank or is left out entirely then it defaults to the generated password. Is this not possible with the SSH communicator?

Or is there a reason that the public key isn't being put on to the VM in the first place?

Rickard von Essen

Sep 19, 2017, 7:47:53 AM
to packe...@googlegroups.com
I would start by creating a template where you have some fixed credentials that you can use for debugging (or use the console). Run packer build --on-error=ask, so when it fails you have time to troubleshoot.

Jump into the node to debug if cloud-init is functioning as it should, see http://cloudinit.readthedocs.io/en/latest/topics/datasources/cloudstack.html

You should be able to curl down the public key for the key-pair somewhere on http://10.1.1.1/latest/user-data. Then check the cloud-init logs to see if there is any error configuring your image.

If you get stuck post some more details here.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/ad3279b3-dd6c-4392-aaa3-883e0c223910%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

David Curran

Sep 19, 2017, 9:26:26 AM
to Packer
Thanks Rickard,

I've run with -on-error=ask and I'm able to log in with the generated password, and find that the temporary public key has not been put on the server and no .ssh directory exists. Once I add the public key to .ssh/authorized_keys and retry, the rest of the process completes without a hitch.

This is what I get back from the URLs the page you linked shows:

[root@localhost ~]# curl http://192.168.1.1/latest/user-data

[root@localhost ~]# curl http://192.168.1.1/latest/meta-data
service-offering
availability-zone
local-ipv4
local-hostname
public-ipv4
public-hostname
instance-id
vm-id
public-keys
cloud-identifier

CloudStack-{2f818df1-6d64-40e2-aa67-9bfa3a6a6637}


x.x.x.x

192.168.1.71

This is what I see in logs:
Sep 19 13:14:59 localhost rc.local: Starting cloud cloud-set-guest-password.
Sep 19 13:15:09 localhost cloud: Found password server IP 192.168.1.1 in /var/lib/NetworkManager/dhclient-3f280eb6-a130-4589-9cd4-4947081d6ae8-eno16777752.lease
Sep 19 13:15:09 localhost cloud: Sending request to password server at 192.168.1.1
Sep 19 13:15:10 localhost cloud: Got response from server at 192.168.1.1
Sep 19 13:15:10 localhost cloud: VM got a valid password from server at 192.168.1.1
Sep 19 13:15:10 localhost cloud: Changing password ...
Sep 19 13:15:10 localhost cloud: Sending acknowledgment to password server at 192.168.1.1

Don't see anything in our external logging either that sheds any light

Rickard von Essen

Sep 19, 2017, 9:31:09 AM
to packe...@googlegroups.com
Does curl http://192.168.1.1/latest/meta-data/public-keys give you the pub key for the keypair?


David Curran

Sep 19, 2017, 9:32:53 AM
to Packer
Yes, that was the link I used to get the public key into my authorized_keys file

Rickard von Essen

Sep 19, 2017, 9:45:10 AM
to packe...@googlegroups.com
So then the problem is that the cloud-init in the template doesn't add that to the user you expect.
Do you have a log line similar to "ci-info: no authorized ssh keys fingerprints found for user XXX" in /var/log/cloud-init-output.log?


David Curran

Sep 19, 2017, 9:57:35 AM
to Packer
Odd thing is, the file isn't created in /var/log and I can't find it anywhere else. It's there on the successful Ubuntu builds but not for CentOS.

I got the previous log messages from /var/log/messages but that's all there was relating to "cloud"

Rickard von Essen

Sep 19, 2017, 10:20:33 AM
to packe...@googlegroups.com
What's your CentOS and cloud-init version?

What's the content of /etc/cloud/cloud.cfg ?


David Curran

Sep 19, 2017, 11:23:51 AM
to Packer
Think I understand the problem!

There is no /etc/cloud

That suggests cloud-init isn't even installed? That means the people who looked after our templates previously didn't install it.

Easy enough to fix :)

Thanks for your help Rickard
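The checks this thread worked through by hand, collected as an added shell example (not part of the original posts and not Packer's or CloudStack's own code). The function names, return codes and the ROOT argument are assumptions made for illustration; the metadata path and router address are the ones used in the thread.

```shell
#!/bin/sh
# Added example: diagnose why a temporary Packer SSH key never reaches the guest.
# ROOT lets the checks run against a mounted or constructed image tree; use / on a live VM.

# Fetch the key CloudStack serves for the instance (router address as seen in the thread).
fetch_metadata_key() {
    curl -fsS --max-time 5 "http://${1:-192.168.1.1}/latest/meta-data/public-keys"
}

# diagnose_key_injection ROOT HOME_DIR PUBKEY   (hypothetical helper)
# Return codes: 0 ok, 1 cloud-init absent, 2 no key served,
#               3 key not in authorized_keys, 4 modes sshd StrictModes rejects.
diagnose_key_injection() {
    root=$1 home=$2 pubkey=$3
    ssh_dir="$root$home/.ssh"
    ak="$ssh_dir/authorized_keys"

    if [ ! -f "$root/etc/cloud/cloud.cfg" ]; then
        echo "cloud-init is not installed: nothing will copy the metadata key"
        return 1
    fi
    # A public key line is "<type> <base64 blob> [comment]"; match on the blob only,
    # since options and comments in authorized_keys may differ.
    blob=$(printf '%s\n' "$pubkey" | awk 'NF >= 2 { print $2; exit }')
    if [ -z "$blob" ]; then
        echo "metadata service returned no public key for this instance"
        return 2
    fi
    if [ ! -f "$ak" ] || ! grep -qF -- "$blob" "$ak"; then
        echo "key is served by metadata but missing from $ak"
        return 3
    fi
    # sshd with StrictModes (the default) ignores keys in group/world-writable paths.
    if [ -n "$(find "$ssh_dir" "$ak" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
        echo "$ssh_dir or authorized_keys is group/world writable"
        return 4
    fi
    echo "key present with safe permissions"
    return 0
}
```

On a live guest this would be called as `diagnose_key_injection / /root "$(fetch_metadata_key)"`; return code 1 corresponds to the situation found at the end of the thread.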