/srv/irclogs.ubuntu.com/2022/06/17/#cloud-init.txt

=== Daniel is now known as toolz
cook_keyHi, I'm having an issue with ssh host keys. It appears that cloud-init is removing the host keys but not generating them. This is causing sshd to fail to start, and then we do not have ssh access to the VM. I'm seeing this behavior after creating a snapshot of the VM and then booting another instance of the VM. So this would be the 2nd run of16:11
cook_keycloud-init. On the first run, the keys are generated.16:11
minimalcook_key: many of cloud-init's actions are performed only on 1st boot by design16:23
minimalso if you clone a VM instance you need to "clean" it before use16:23
cook_keyhow do I clean it so it'll generate those keys again?16:33
smoserwell, the goal is that you dont ever really *need* to clean.  you should be able to capture an existing instance and the things that need to run per-instance (like ssh key generation) will run.16:50
smosercook_key: you'll need to either see a console log or capture the failed instanced and then look at logs on it.16:51
minimalsmoser: wouldn't at the very least a "cloud-init clean" need to be done when cloning the VM?16:56
smoseryou should not need to do that.16:59
smoserfor a stock image it should not be necessary.  you could have done things in user-data or in your own use that need to be cleaned up, but cloud-init should handle its things correctly.16:59
cook_keyI've looked at the logs. It says that it's removing the host keys and I'd expect to see regeneration of the keys after that, but I do not. It seems like it's just skipping it altogther. It's like the ssh_genkeytypes is empty and it skips the loop: https://github.com/canonical/cloud-init/blob/22.1/cloudinit/config/cc_ssh.py#L24617:00
minimalsmoser: assuming the instance-id is different, right?17:00
smoserminimal: yeah. that is kind of an assumption ;)17:00
minimalsmoser: I was making a more general point that there are likely to be (non cloud-init related) host-specific things in an VM that need to be cleaned out before using a clone of it17:01
minimalcook_key: which Data Source are you using?17:02
cook_keyminimal: OpenStack17:04
minimalcook_key: so does the meta-data it provides to VMs have a unique instance id?17:05
minimalcook_key: as smoser and I were aluding to, if old cloud-init config from the cloned VM is around it should not be used as, in theory, any new VM should be presented with a different instance-id by Openstack - if it is presented with the same instance-id as given to the VM that was cloned then cloud-init won't know to do all the 1st time configuration17:07
cook_keyminimal: Yes, I believe I get a new instance ID after booting the snapshot:17:23
cook_key# ls /var/lib/cloud/instances/17:23
cook_key200cf044-f88c-44eb-be80-4de19248f823  4a08a20f-4362-46ee-b0d0-86739fa2697a17:23
minimalok, have you tried enabling debugging in the cloud-init config as then you'll have more details in /var/log/cloud-init.log to look to see what's going on?17:24
cook_keyYes, the debug messages are in the log, but I can't quite trace why it's skipping the key generation17:25
cook_key2022-06-17 17:09:43,267 - handlers.py[DEBUG]: start: init-network/config-ssh: running config-ssh with frequency once-per-instance17:27
cook_key2022-06-17 17:09:43,268 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/4a08a20f-4362-46ee-b0d0-86739fa2697a/sem/config_ssh - wb: [644] 25 bytes17:27
cook_key2022-06-17 17:09:43,270 - util.py[DEBUG]: Restoring selinux mode for /var/lib/cloud/instances/4a08a20f-4362-46ee-b0d0-86739fa2697a/sem/config_ssh (recursive=False)17:27
cook_key2022-06-17 17:09:43,272 - util.py[DEBUG]: Restoring selinux mode for /var/lib/cloud/instances/4a08a20f-4362-46ee-b0d0-86739fa2697a/sem/config_ssh (recursive=False)17:27
cook_key2022-06-17 17:09:43,273 - helpers.py[DEBUG]: Running config-ssh using lock (<FileLock using file '/var/lib/cloud/instances/4a08a20f-4362-46ee-b0d0-86739fa2697a/sem/config_ssh'>)17:27
cook_key2022-06-17 17:09:43,284 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_rsa_key17:27
cook_key2022-06-17 17:09:43,284 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_rsa_key.pub17:27
cook_key2022-06-17 17:09:43,284 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_dsa_key17:28
cook_key2022-06-17 17:09:43,284 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_dsa_key.pub17:28
cook_key2022-06-17 17:09:43,284 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_ecdsa_key17:28
cook_key2022-06-17 17:09:43,285 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_ecdsa_key.pub17:28
cook_key2022-06-17 17:09:43,285 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_ed25519_key17:28
cook_key2022-06-17 17:09:43,285 - util.py[DEBUG]: Attempting to remove /etc/ssh/ssh_host_ed25519_key.pub17:28
cook_key2022-06-17 17:09:43,288 - util.py[DEBUG]: Reading from /etc/ssh/sshd_config (quiet=False)17:28
cook_key2022-06-17 17:09:43,306 - util.py[DEBUG]: Read 4268 bytes from /etc/ssh/sshd_config17:28
cook_key2022-06-17 17:09:43,324 - util.py[DEBUG]: Changing the ownership of /home/centos/.ssh to 1001:100217:28
cook_key2022-06-17 17:09:43,326 - util.py[DEBUG]: Restoring selinux mode for /home/centos/.ssh (recursive=False)17:28
cook_key2022-06-17 17:09:43,376 - util.py[DEBUG]: Writing to /home/centos/.ssh/authorized_keys - wb: [600] 0 bytes17:28
cook_keySorry for flooding the chat with that17:28
minimalthis is the important bit: "Writing to /home/centos/.ssh/authorized_keys - wb: [600] 0 bytes"17:29
minimalsee the "0 bytes" bit...17:29
minimalso is your user-data correct regarding how you specify the key(s) to add?17:29
cook_keyI believe so. I'm able to ssh in with the right ssh_authorized_key for the user, but not until I manually run `ssh-keygen -A` to create the ssh host keys. If I don't do that, sshd will not start. I'm actually having to enable a password for the user so I can get in via the console the first time to generate the keys manually.17:31
minimalsorry, was getting confused between host keys and user keys :-)17:34
cook_keyNo worries17:35
minimalcook_keys: do you specify "ssh_keys" in your user-data?17:44
cook_keyYes17:54
minimalok, "ssh_keys" is for specifying *host* keys, not user keys - host keys will not be generated if you specify them via "ssh_keys" entry18:00
minimalhttps://cloudinit.readthedocs.io/en/latest/topics/modules.html#ssh18:01
minimalthe "Host Keys" section, 2nd and 3rd paragraphs18:01
minimal"If no host keys are specified using ssh_keys, then keys will be generated using ssh-keygen"18:02
minimalso it is doing exactly what you told it to do :-)18:03
minimalpesky computers, always doing exactly what I tell them to do, not what I intended for them to do ;-)18:06
cook_keyOh sorry, I misspoke. We are not setting `ssh_keys`, but we are setting `ssh_authorized_keys`18:06
minimalah, ok, then the keygen should occur18:07
minimaldo you specify "ssh_genkeytypes" ?18:08
cook_keyOriginally I wasn't, because I wanted it to use the default for that. But I also tried adding it in and specifying all 4 keys and it still did not generate the keys.18:10
cook_keyBased on the code, it seems like something is setting ssh_genkeytypes to [] and it skips the generation loop18:10
cook_keyall 4 key types*18:10
minimalyeah that's why I wondered if you were setting it18:14
minimalthe default value is set here: https://github.com/canonical/cloud-init/blob/728098325657cb2fec559cf321ccd5235e786381/cloudinit/config/cc_ssh.py#L17218:14
cook_keyI tried a workaround of using rc.local to make sure the keys are there but cloud-init seems to run afterwards and just delete them on me. This is frustrating.18:38
minimalcook_key: well you could set "ssh_deletekeys: False" in user-data to stop the deletion18:42
minimalhowever it is strange that the list of keys to create appears to be empty18:42
minimalwhich version of cloud-init are you using?18:42
cook_keyI'll give that a shot.18:43
cook_keyI'm using 22.1-1.el818:43
cook_keyCentos 8.418:43
minimalthat's just a workaround, you should try and nail down what is going wrong18:44
cook_keythat's why I'm here ;)18:45
minimalhave you checked the contents of /etc/cloud/cloud.cfg and any files in /etc/cloud/cloud.d/ to see if they are settings anything related?18:48
cook_keyWould this do it?18:51
cook_keyssh_deletekeys:   118:51
cook_keyssh_genkeytypes:  ~18:51
cook_keyThis is in /etc/cloud/cloud.cfg18:51
cook_keyWhat does the `~` mean in this case? Default?18:54
minimalI think "ssh_genkeytypes:  ~" means its a broken config ;-)18:57
minimalthat might explain your problems18:57
minimalcook_key: any idea how that got in the cloud.cfg file?19:03
minimal"ssh_deletekeys:   1" I assume is equivalent to "True"19:04
cook_keyI'm not sure, but it's not the only place in the file:19:05
cook_key$ cat /etc/cloud/cloud.cfg | grep \~19:05
cook_keymount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']19:05
cook_keyssh_genkeytypes:  ~19:05
cook_keysyslog_fix_perms: ~19:05
minimalcook_key: for the mount_default_fields value that is normal I think19:09
minimalthe syslog_fix_perms entry, I see that in the cloud.cfg.tmpl file for Redhat (and derivatives). Perhaps "~" means something in YAML19:11
minimalanyway try commenting out the "ssh_genkeytypes" entry and see if things work as expected19:11
cook_key> The tilde is one of the ways the null value can be written19:16
cook_keyha, that's got to be it, right?19:16
cook_keyThank you very much for the help minimal. I hope this is it.19:16
minimalcook_key: sounds like it, I guess its then an empty list (rather than not being set at all) and so the for loop does nothing19:18
minimalsounds like a bug to be raised ;-)19:18

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!