-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot SSH into Flatcar 3227.2.0 instance created in OpenStack #817
Cannot SSH into Flatcar 3227.2.0 instance created in OpenStack #817
Comments
Allow oem-cloudinit.service for openstack too. Fixes [1], an issue where ssh keys were not fetched if no user-data was provisioned, but only a keypair. [1] flatcar/Flatcar#817
Can you login via console to probe whether We need to add a conversion for openstack in Btw: we recently started publishing gzipped images specifically so that glance can directly import them: https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_openstack_image.img.gz |
I couldn't log in via console because I don't know the password. Is there a default password for "core" (or root)? |
There isn't a default password, you would need to modify the OEM partition (partition 6), following these instructions https://flatcar-linux.org/docs/latest/installing/customizing-the-image/customize-the-image/#mounting-a-partition-for-customization, before uploading the image. You would need to extend
then you will have access to the console without a password. |
Allow oem-cloudinit.service for openstack too. Fixes [1], an issue where ssh keys were not fetched if no user-data was provisioned, but only a keypair. [1] flatcar/Flatcar#817
I created an image with autologin and checked the journal: oem-cloudinit.service is activated, but when it tries to start it says "oem-cloudinit.service: Skipped due to 'exec-condition'." |
I can confirm this even with older releases. I never bothered to check or make a ticket here (mea culpa). I noticed it in the very beginning of using Flatcar. It only works with ignition supplied user data. Not with the key itself provided via OpenStack. |
@till could you check if enabling |
@jepio You mean, roll ignition with the service enabled? And then test if that makes the supplied key work? |
Yes. You might also be able to test it from the command line, just |
Allow oem-cloudinit.service for openstack too. Fixes [1], an issue where ssh keys were not fetched if no user-data was provisioned, but only a keypair. [1] flatcar/Flatcar#817
@jepio I justed tested with Flatcar deployed on Openstack:
works fine - SSH keys are provisioned from metadata.
|
Description
Cannot SSH into an OpenStack VM created from a Flatcar 3227.2.0 image if the VM is provisioned with an ssh key (not with ignition user_data). Most likely the ssh key is not actually provisioned.
Impact
Our pipelines that publish Flatcar images to Glance include a basic test that it would be possible to ssh into a VM built from the image and that test fails now.
Environment and steps to reproduce
a. Use a Flatcar image downloaded from https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_openstack_image.img.bz2
b. Create a glance image from it
c. Create a compute instance based on the image with a key name (e.g.
openstack server create
with--key-name xxx
, but without--user-data
)core
Expected behavior
ssh with public-key authentication works
Additional information
I tried to provision the same public key via ignition user-data instead and then ssh worked. So it's probably not a problem with the type of key or host key algorithm. With previous Flatcar image releases provisioning the ssh key worked fine.
Command line used to create a VM (where security group ssh is one that allows incoming port 22)
or with terraform, including the key pair creation:
I tried to understand the difference of the current release to previous ones and my idea is that cloudinit is not run anymore.
Cloudinit used to query the metadata agent via
http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key
and provide the returned key for thecore
user.If I configure the VM via user-data I can see in the journal that enabling cloudinit is skipped ("enable-oem-cloudinit.service: Skipped due to 'exec-condition'.") and that is probably because there is already user-data. I couldn't read the journal of a VM that was not configured with user-data though, so I try to guess now, what happened.
In enable-oem-cloudinit.service the ExecConditions should match (.userConfigProvided is probably false if the VM was not configured with user-data). So oem-cloudinit.service will most likely be enabled. But in oem-cloudinit.service there is an ExecCondition that checks if the OEM_ID is one from the list (aws gcp rackspace-onmetal azure cloudsigma packet vmware digitalocean) and openstack is not in it. So cloudinit is not run. But we would need it to fetch the public key.
In older releases there was a default ignition file that created and enabled some oem-cloudinit.service that didn't have that ExecCondition, so cloudinit was run (maybe again only if user-data wasn't available).
The text was updated successfully, but these errors were encountered: