Failed git push: Permission denied #32

Closed
technosophos opened this issue Dec 14, 2015 · 19 comments

@technosophos
Member

This could be a duplicate of #28, but since the symptoms were different, I thought I'd file it.

tl;dr: I can't push from an in-cluster Ubuntu pod to the builder. The git client gets a permissions error.

I'm running an Ubuntu pod inside of k8s, and connecting to builder from there. The full record of my install is here: https://gist.github.com/technosophos/9d5ebda491141eaf3475

The relevant details, though, are this:

  root@ubuntu:/example-ruby-sinatra# git remote add deis ssh://git@10.246.93.6:2223/keener-hacienda.git

Following instructions, we should now be able to push:

  root@ubuntu:/example-ruby-sinatra# git push deis master
The authenticity of host '[10.246.93.6]:2223 ([10.246.93.6]:2223)' can't be established.
ECDSA key fingerprint is SHA256:Vs7LSYv1qopIQeDdgMLOHt5GhbE8tFT73XtfSQxneLo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.246.93.6]:2223' (ECDSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Checking the logs:

⇒  k --namespace=deis logs deis-builder-1dtun
2015/12/14 19:52:05 Listening... on 3000
[debug] Name: HOST, Val: 127.0.0.1
[debug] Name: DEIS_ETCD_1_SERVICE_HOST, Val: 10.247.206.187
[debug] Name: DEIS_ETCD_1_SERVICE_PORT_CLIENT, Val: 4100
[debug] Name: ETCD_PATH, Val: /deis/builder
[debug] Name: ETCD_TTL, Val: 20
[debug] Name: ETCD, Val: 10.247.206.187:4100
[info] Sleeping
[info] Woke up.
[info] Could not get SSH host key from etcd. Generating new ones.
[info] Parsed host key /etc/ssh/ssh_host_rsa_key.
[info] Parsed host key /etc/ssh/ssh_host_dsa_key.
[info] Parsed host key /etc/ssh/ssh_host_ecdsa_key.
[info] Building confd templates. This may take a moment.
[debug] Recoverable error: exit status 1
[debug] Output: "2015-12-14T19:52:29Z deis-builder-1dtun confd[21]: ERROR 100: Key not found (/deis/controller) [13]\n2015-12-14T19:52:29Z deis-builder-1dtun confd[21]: ERROR 100: Key not found (/deis/controller) [13]\n"
[info] Re-trying template build. (Elapsed time: 3)
[debug] Recoverable error: exit status 1
[debug] Output: "2015-12-14T19:52:32Z deis-builder-1dtun confd[26]: ERROR 100: Key not found (/deis/controller) [13]\n2015-12-14T19:52:32Z deis-builder-1dtun confd[26]: ERROR 100: Key not found (/deis/controller) [13]\n"
[info] Re-trying template build. (Elapsed time: 6)
[debug] Recoverable error: exit status 1
[debug] Output: "2015-12-14T19:52:35Z deis-builder-1dtun confd[31]: ERROR 100: Key not found (/deis/controller) [13]\n2015-12-14T19:52:35Z deis-builder-1dtun confd[31]: ERROR 100: Key not found (/deis/controller) [13]\n"
[info] Re-trying template build. (Elapsed time: 9)
[info] Templates generated for 10.247.206.187:4100 on run 3
[info] Watching confd.
[debug] Name: EXTERNAL_PORT, Val: 2223
[info] Added hostkey.
[info] Added hostkey.
[info] Added hostkey.
[info] Builder is running.
[info] Listening on 0.0.0.0:2223
[info] Accepting new connections.
[info] Checking closer.
[info] Checking closer.
[info] Accepted connection.
[error] Failed handshake: EOF (&{{0xc820170000}})

technosophos added this to the v2.0-alpha1 milestone Dec 14, 2015
arschles self-assigned this Dec 14, 2015

@technosophos
Member Author

I can verify that I can now get to this step (which I think means the present issue is closed):

root@ubuntu:/example-ruby-sinatra# git push deis master
Counting objects: 119, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (62/62), done.
Writing objects: 100% (119/119), 25.58 KiB | 0 bytes/s, done.
Total 119 (delta 49), reused 119 (delta 49)
/home/git/builder: line 129: /bin/mc: No such file or directory
To ssh://git@10.246.93.17:2223/keener-hacienda.git
 * [new branch]      master -> master

@arschles
Member

@technosophos yes I believe that means this issue is closed. Going to close now but if this issue recurs after I fix #30, I'll reopen

@krancour
Contributor

I am running into this still.

I used a trick of attempting to ssh to the builder as user git with -vvv to see what's going wrong.

From outside the cluster (accessing via router):

[kent@mbp ~]$ ssh -i ~/.ssh/kent -vvv -p 2222 git@deis.krancour.deis.ninja
Warning: Identity file /Users/kent/.ssh/kent not accessible: No such file or directory.
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/kent/.ssh/config
debug1: /Users/kent/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to deis.krancour.deis.ninja [52.26.8.75] port 2222.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/kent/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/kent/.ssh/id_rsa type 1
debug1: identity file /Users/kent/.ssh/id_rsa-cert type -1
debug1: identity file /Users/kent/.ssh/id_dsa type -1
debug1: identity file /Users/kent/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
ssh_exchange_identification: Connection closed by remote host

To rule out router problems, here's the same troubleshooting technique applied from within the cluster. The IP you see is the builder's service IP:

ubuntu@ip-172-20-0-101:~$ ssh -vvv -i id_rsa -p 2222 git@10.0.4.94
OpenSSH_6.7p1 Ubuntu-5ubuntu1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.4.94 [10.0.4.94] port 2222.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1
ssh_exchange_identification: read: Connection reset by peer

Note that I've tried all the obvious things. I have looked at /home/git/.ssh/authorized_keys on the builder. It looks good. I have tried different keys. I have verified the key I'm using works on v1.x clusters.
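
An added example (not part of the thread, and not Deis code): a small triage of `ssh -vvv` client output like the traces above, separating client-side identity problems from a connection the server dropped during the version exchange, before any key is offered. The function and pattern names are hypothetical; the sample lines are excerpts of output posted in this thread.

```python
import re

# Excerpts of the two kinds of failure posted in this thread.
BOTCHED_TRACE = """\
Warning: Identity file /Users/kent/.ssh/kent not accessible: No such file or directory.
debug1: Connection established.
debug1: identity file /Users/kent/.ssh/id_rsa type 1
debug1: identity file /Users/kent/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_6.2
ssh_exchange_identification: Connection closed by remote host
"""
GIT_PUSH_OUTPUT = """\
Permission denied (publickey).
fatal: Could not read from remote repository.
"""

MISSING = re.compile(r"^Warning: Identity file (\S+) not accessible")
IDENTITY = re.compile(r"^debug1: identity file (\S+) type (-?\d+)$")
BANNER = re.compile(r"^ssh_exchange_identification: (.+)$")
DENIED = re.compile(r"^Permission denied \(([^)]*)\)")


def triage(trace):
    """Return which stage failed and which identities the client could load."""
    report = {"stage": "unknown", "missing": [], "loaded": [], "unloaded": []}
    for line in trace.splitlines():
        line = line.strip()
        if m := MISSING.match(line):
            report["missing"].append(m.group(1))
        elif m := IDENTITY.match(line):
            path, key_type = m.group(1), int(m.group(2))
            if path.endswith("-cert"):
                continue  # certificates are optional; type -1 is normal here
            report["loaded" if key_type >= 0 else "unloaded"].append(path)
        elif BANNER.match(line):
            # Dropped during the version-string exchange: no key was offered,
            # so authorized_keys on the server was never consulted.
            report["stage"] = "pre-auth"
        elif m := DENIED.match(line):
            # The handshake completed and every offered credential was refused.
            report["stage"] = "auth:" + m.group(1)
    return report


if __name__ == "__main__":
    for name, text in (("ssh -vvv", BOTCHED_TRACE), ("git push", GIT_PUSH_OUTPUT)):
        print(name, triage(text))
```

A `pre-auth` result points at the server or the path to it (a crashing or overloaded listener, a proxy closing the socket) rather than at key material.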

krancour reopened this Dec 15, 2015

@technosophos
Member Author

Did you do a deis keys:add? I forgot to do that yesterday when I first filed this bug, but by the time I remembered, @arschles had already fixed the existing auth error.

@technosophos
Member Author

I must be misunderstanding what @krancour did... why use a key that does not exist?

@krancour
Contributor

@technosophos the key did exist. The only thing unusual about what I did was that as a diagnostic procedure, I used ssh directly so I could get a trace that might indicate why the git push was failing. That said, the traces do seem to be indicating that the key is bad or doesn't exist, however, the same key works just fine with 1.x clusters.

@technosophos
Member Author

@krancour this is what I am not understanding:

[kent@mbp ~]$ ssh -i ~/.ssh/kent -vvv -p 2222 git@deis.krancour.deis.ninja
Warning: Identity file /Users/kent/.ssh/kent not accessible: No such file or directory.
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/kent/.ssh/config

@krancour
Contributor

Ah... whoops... let me try that again. There is a problem, but you're right... I botched that line, so the trace isn't useful.

@krancour
Contributor

Here we go:

[kent@mbp ~]$ ssh -i ~/.ssh/id_rsa -vvv -p 2222 git@deis.krancour.deis.ninja
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/kent/.ssh/config
debug1: /Users/kent/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to deis.krancour.deis.ninja [52.26.8.75] port 2222.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/kent/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/kent/.ssh/id_rsa type 1
debug1: identity file /Users/kent/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
ssh_exchange_identification: Connection closed by remote host

@technosophos
Member Author

What's still weird to me is that you are getting a response from an OpenSSH server. What server is that? Builder does not run OpenSSH. It runs a custom SSH server that uses the Go library.

@technosophos
Member Author

n/m... that's the client output, isn't it

@arschles
Member

I couldn't reproduce this on my local k8s cluster. Below I've listed everything I did from start to finish.

1. Install Deis on the Cluster

helm up
helm fetch deis/deis
helm install deis

That resulted in the following services (kd is an alias for kubectl get --namespace=deis):

ENG000656:builder aaronschlesinger$ kd get svc
NAME                  CLUSTER_IP   EXTERNAL_IP   PORT(S)             SELECTOR                   AGE
deis-builder          10.3.0.197   <none>        2222/TCP            name=deis-builder          14s
deis-database         10.3.0.57    <none>        5432/TCP            name=deis-database         14s
deis-etcd-1           10.3.0.218   <none>        2380/TCP,4100/TCP   name=deis-etcd-1           14s
deis-etcd-discovery   10.3.0.143   <none>        2381/TCP            name=deis-etcd-discovery   14s
deis-minio            10.3.0.29    <none>        9000/TCP            app=deis-minio             14s
deis-registry         10.3.0.237   <none>        5000/TCP            name=deis-registry         14s
deis-workflow         10.3.0.146   <none>        80/TCP              name=deis-workflow         14s

Then, I waited until all relevant pods were up:

ENG000656:builder aaronschlesinger$ kd get pod
NAME                        READY     STATUS    RESTARTS   AGE
deis-builder-b2t2u          1/1       Running   1          3m
deis-database-vnku3         1/1       Running   0          3m
deis-etcd-1-gxt12           1/1       Running   1          3m
deis-etcd-1-o6uu3           1/1       Running   0          3m
deis-etcd-1-pg2rj           1/1       Running   0          3m
deis-etcd-discovery-cf7tz   1/1       Running   0          3m
deis-minio-lgski            1/1       Running   0          3m
deis-registry-gzxua         1/1       Running   0          3m
deis-router-s4cti           0/1       Pending   0          3m
deis-workflow-yh1xd         1/1       Running   0          3m

2. Set up the Account

Then, I logged into the minion (I'm running a cluster created by micro-kube) and set up an account:

core@micro-kube ~/example-go $ ./deis register 10.3.0.146
username: arschles
password: 
password (confirm): 
email: arschles@gmail.com
Registered arschles
Logged in as arschles

3. Generate and add Keys

Then, I generated and added my keys to the agent and Deis:

core@micro-kube ~/example-go $ ssh-keygen -t rsa -b 4096 -C "arschles@gmail.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/core/.ssh/id_rsa): 
/home/core/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/core/.ssh/id_rsa.
Your public key has been saved in /home/core/.ssh/id_rsa.pub.
The key fingerprint is:
b1:1d:0f:70:57:de:64:93:ce:fb:84:2c:18:56:a4:f2 arschles@gmail.com
The key's randomart image is:
+---[RSA 4096]----+
|        . ..o...+|
|         o o.. =.|
|        o +.  + .|
|         *o+   o |
|        S.Eo.. ..|
|          . . o..|
|             . ..|
|                .|
|                 |
+-----------------+
core@micro-kube ~/example-go $ eval $(ssh-agent) && ssh-add ~/.ssh/id_rsa
Agent pid 29720
Identity added: /home/core/.ssh/id_rsa (rsa w/o comment)
core@micro-kube ~/example-go $ ./deis keys:add ~/.ssh/id_rsa.pub
Uploading id_rsa.pub to deis... done

4. Create new Project

Then I created a new project:

core@micro-kube ~/example-go $ ./deis create --no-remote
Creating Application... done, created luxury-gemstone
remote available at ssh://git@10.3.0.146:2222/luxury-gemstone.git

5. Set up new git remote

Then, I pointed my git remote at builder:

core@micro-kube ~/example-go $ git remote add deis ssh://git@10.3.0.197:2222/luxury-gemstone.git

6. Push to the deis remote

Then pushed:

core@micro-kube ~/example-go $ git push deis master
The authenticity of host '[10.3.0.197]:2222 ([10.3.0.197]:2222)' can't be established.
RSA key fingerprint is 85:94:7f:63:f6:53:0c:15:86:f3:50:1d:60:f0:32:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.3.0.197]:2222' (RSA) to the list of known hosts.
Counting objects: 165, done.
Compressing objects: 100% (151/151), done.
Writing objects: 100% (165/165), 3.02 MiB | 11.00 KiB/s, done.
Total 165 (delta 81), reused 0 (delta 0)
mc: Configuration written to [/var/minio-conf/config.json]. Please update your access credentials.
mc: Successfully created ‘/var/minio-conf/share’.
mc: Initialized share uploads ‘/var/minio-conf/share/uploads.json’ file.
mc: Initialized share downloads ‘/var/minio-conf/share/downloads.json’ file.
Added host ‘http://10.3.0.29:9000’ successfully.
Bucket created successfully ‘http://10.3.0.29:9000/git’.
‘luxury-gemstone.tar.gz’ -> ‘http://10.3.0.29:9000/git/home/luxury-gemstone:git-2783d643/tar’
Total: 2.97 MB, Transferred: 2.97 MB, Speed: 22.75 MB/s
stored tarfile in http://10.3.0.29:9000/git/home/luxury-gemstone:git-2783d643/tar
pod "deis-slugbuilder" created
no file
no file
no file

Unfortunately, the no file message continues, because builder starts up the deis-slugbuilder pod in the default namespace but the cluster is running in the deis namespace. I've created #39 to track that.

@krancour
Contributor

I built a new cluster and am now unable to repro this.

@arschles
Member

@krancour I'm not sure why you'd have to build a new cluster, so this still concerns me.

@technosophos @slack do you mind trying to repro this again?

@technosophos
Member Author

Doing it now.

@krancour
Contributor

@arschles I think my cluster was in a bad state. I told @technosophos earlier, but I was running on t1.micros and I know I was starting to have resource issues. Many pods, including the builder, started flapping. I can't help but imagine that contributed.

@arschles
Member

@krancour ok, I think I'm just paranoid. Thanks for letting me know.

@felixbuenemann
Contributor

felixbuenemann commented Jul 10, 2016

I was running into this as well on v2.1.0 and it was related to helmc generating a builder-key that began with a space, causing api access between builder and controller to fail, which is why destroying and rebuilding the cluster worked, if the affected people also regenerated their secrets.

I opened deis/charts#303 to track the issue.
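
The cause described in the comment above, a generated key that begins with a space, can be checked for before a secret is applied. This is an added example (not part of the thread, and not Deis or helmc code) that scans a Secret's base64 `data` fields for stray edge whitespace and reports only the field and the character. It assumes JSON shaped like `kubectl get secret -o json` output; the secret name, field names other than `builder-key`, and all values are constructed.

```python
import base64
import json

# Constructed sample shaped like `kubectl get secret -o json` output; the
# secret name and all values are made up for this example.
SAMPLE_SECRET = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "example-secret", "namespace": "deis"},
    "data": {
        "builder-key": base64.b64encode(b" 3f9ac0constructed").decode(),
        "other-key": base64.b64encode(b"constructed-ok").decode(),
        "newline-key": base64.b64encode(b"constructed\n").decode(),
    },
})


def whitespace_findings(secret_json):
    """Map each field with stray edge whitespace to a description.

    Only positions and character names are reported, never the value.
    """
    findings = {}
    for field, encoded in json.loads(secret_json).get("data", {}).items():
        try:
            raw = base64.b64decode(encoded, validate=True)
        except ValueError:
            findings[field] = ["not valid base64"]
            continue
        problems = []
        if raw[:1].isspace():
            problems.append("leading %r" % raw[:1].decode("ascii"))
        if raw[-1:].isspace():
            problems.append("trailing %r" % raw[-1:].decode("ascii"))
        if problems:
            findings[field] = problems
    return findings


if __name__ == "__main__":
    for field, problems in whitespace_findings(SAMPLE_SECRET).items():
        print(field, problems)
```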

@cheriftubs

The fix for me was to run "ssh-add" in the terminal ;)
