
Docs don't explain how to manually set up the jailhost's SSH keys (also, an error about errors) #24

Closed
mwpher opened this issue Jul 25, 2014 · 17 comments


@mwpher

mwpher commented Jul 25, 2014

Hey,

I'm sorry if I missed something, but I can't find a single part of the docs that explains how to set up ssh keys for a jail host without having done the 'bootstrap' step. I tried doing 'ssh-agent zsh && ssh-add ~/.ssh/jailhostname', and although this makes regular ssh work fine, bsdploy gives some error messages and dies whenever attempting to do 'ploy ssh' or 'ploy configure'. It also appears that ploy hits an error while trying to print the 'connection failed' error message:

matt@openbsdvbox ~/ansible-stuff (git)-[master] % ploy ssh vboxjailhost   
Traceback (most recent call last):
  File "/usr/local/bin/ploy", line 9, in <module>
    load_entry_point('ploy==1.0.0', 'console_scripts', 'ploy')()
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/__init__.py", line 520, in ploy
    return ctrl(argv)
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/__init__.py", line 514, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/__init__.py", line 402, in cmd_ssh
    ssh_info = instance.init_ssh_key(user=user)
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/plain.py", line 186, in init_ssh_key
    log.error('Failed to connect to %s (%s)' % (self.config_id, hostname))
  File "/usr/local/lib/python2.7/site-packages/ploy-1.0.0-py2.7.egg/ploy/common.py", line 214, in config_id
    return "%s:%s" % (self.sectiongroupname, self.id)
AttributeError: 'Instance' object has no attribute 'sectiongroupname'
1 matt@openbsdvbox ~/ansible-stuff (git)-[master] %

What steps do I need to take to make bsdploy use my key?

@tomster
Contributor

tomster commented Jul 25, 2014

hi there,

the docs don't mention it, because so far it wasn't an issue in our usage :)

we've simply concentrated on getting a user's default key onto the host, not how to configure non-default keys for existing servers.

Just to make sure I understand you correctly:

  • you have an existing host, where you have installed your public key
  • you can use this key to log into the host using 'plain' ssh

correct?

what is the name of the key file? is it one of the default keys such as ~/.ssh/identity? or a non-default key?

what does your ploy.conf look like that defines the host?

@mwpher
Author

mwpher commented Jul 25, 2014

Hi Tom!

Yes, both of those are correct.

As for the key file, it is not a 'default' key. Firstly, I don't believe I was aware there was a default key, but secondly, I figured that different hosts ought to have different keyfiles. I had guessed that it might look for the key in ~/.ssh/ez-master name, but I figured if that didn't work, adding it to ssh-agent would work (since that works in ansible).

The ploy.conf file simply looks like:

[plain-instance:vbox-ezmaster]
host = 192.168.1.13

[ez-master:vboxjailhost]
instance = vbox-ezmaster
roles =
    jails_host

@tomster
Contributor

tomster commented Jul 25, 2014

ok, thanks, that clears it up.

so this is actually a feature request to support non-default ssh keys for ploy hosts.

let me sleep over it :)

@mwpher
Author

mwpher commented Jul 25, 2014

Essentially, yes. (Thank you, by the way!)

Now, I'm not sure, but I think that if I put the key file location in ploy.conf with an ansible variable, like this:

[ez-master:vboxjailhost]
instance = vbox-ezmaster
roles =
    jails_host
ansible_host_ssh_keyfile = /home/Matt/.ssh/vboxjailhost # not sure about that var name

Then it may cause ansible to use the keyfile for connection. But I doubt that ploy uses ansible for everything under the sun.

As well, part of this issue is just the fact that there were no documents for ploy OR bsdploy that explained where the program would look for ssh keys. Although I do want the custom key settings, you should probably first add a note in docs explaining where *ploy looks for a keyfile. I'm not even sure where the keyfile is when you're doing the bootstrap process; from what you said earlier, it sounds like it looks for the private key in .ssh/identity and public key (for the bootstrapped system) in .ssh/identity.pub?

@fschulze
Member

  1. Could you debug the attribute error and tell me what class the instance has? All the instances should have a sectiongroupname by now. It could be that I missed a case though.
  2. SSH in ploy works like this:
    • We make a connection with paramiko to check the ssh host fingerprint, this uses ~/.ssh/config, so you could add stuff there, but it's a last resort.
    • After the paramiko connection succeeded, we either use that directly (ploy_fabric and ploy_ezjail use that) or we generate the options for ssh and either call it directly or pass the info on into settings etc
  3. There is a ssh-key-filename option. Please try to set that to your public ssh key.
  4. For bootstrap bsdploy looks for identity.pub, id_dsa.pub, id_rsa.pub and id_ecdsa.pub in ~/.ssh. If there is only one, then that is used, if there are more, you are asked. If you want to set your own, copy your public ssh key into bootstrap-files/authorized_keys. That is what gets copied to the host.

I'm not sure what the best option for you is. Setting ssh-key-filename probably works best, but then you can't share the config file with other developers, or they have to use the same key filename. One solution for that case would be to use config extension (see ploy readme).

You could also set the ssh key in your ~/.ssh/config, but then you probably have to always use the long name for instances.

Why do you think a key per host makes sense? If your computer is compromised, then all your keys are most likely compromised. Do you have a long passphrase for all of your keys, or do you use some kind of keychain to avoid typing the passphrase to get it into ssh-agent? If you do the latter, then I don't see the point, you could just use one key with a good passphrase instead of one password for your keychain. For a practical attack one would have to either brute force your passphrase (for the keychain or your keys) or install a key logger. The threat level for each looks kinda the same for me, but using a ssh key per host is less practical. (I'm always talking about your own ssh key and the public part of it per host, the hosts need their own unique ssh key, which is the default obviously).

@mwpher
Author

mwpher commented Jul 27, 2014

  1. How would I do that? I've looked around but I haven't found anything about it online (without editing the script). Btw, I should note that this error occurs even when I have set up the key correctly; I literally can't use ploy until we figure out what the error is.
  2. Oh good, Paramiko. The reason that I can't use Duplicity over SSH. (╯ಠ益ಠ) ╯︵ ┻━┻
  3. I'll give that a shot!
  4. I put it in there, and the program clearly recognizes it fine; I'm still getting the error, though (although this time it appears to be longer). I'll attach that at the end.

Actually, what I'm more concerned about is being able to have different keys for different types of instance; one for important servers, one for test machines, etc.

Sorry for bugging you with all this stuff. (._.)

Traceback (most recent call last):
  File "/usr/local/bin/ploy", line 9, in <module>
    load_entry_point('ploy==1.0rc13', 'console_scripts', 'ploy')()
  File "/usr/local/lib/python2.7/site-packages/ploy/__init__.py", line 520, in ploy
    return ctrl(argv)
  File "/usr/local/lib/python2.7/site-packages/ploy/__init__.py", line 514, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/usr/local/lib/python2.7/site-packages/bsdploy/__init__.py", line 39, in __call__
    instance.do('bootstrap')
  File "/usr/local/lib/python2.7/site-packages/ploy_fabric/__init__.py", line 231, in do
    return tasks[task](*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/bsdploy/fabfile_mfsbsd.py", line 31, in bootstrap
    if not bu.bsd_url:
  File "/usr/local/lib/python2.7/site-packages/lazy/lazy.py", line 28, in __get__
    value = self.__func(inst)
  File "/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap_utils.py", line 314, in bsd_url
    self.install_devices
  File "/usr/local/lib/python2.7/site-packages/lazy/lazy.py", line 28, in __get__
    value = self.__func(inst)
  File "/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap_utils.py", line 283, in install_devices
    mounts = self.mounts
  File "/usr/local/lib/python2.7/site-packages/lazy/lazy.py", line 28, in __get__
    value = self.__func(inst)
  File "/usr/local/lib/python2.7/site-packages/bsdploy/bootstrap_utils.py", line 252, in mounts
    return run('mount')
  File "/usr/local/lib/python2.7/site-packages/fabric/network.py", line 639, in host_prompting_wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/fabric/operations.py", line 1042, in run
    shell_escape=shell_escape)
  File "/usr/local/lib/python2.7/site-packages/fabric/operations.py", line 909, in _run_command
    channel=default_channel(), command=wrapped_command, pty=pty,
  File "/usr/local/lib/python2.7/site-packages/fabric/state.py", line 388, in default_channel
    chan = _open_session()
  File "/usr/local/lib/python2.7/site-packages/fabric/state.py", line 380, in _open_session
    return connections[env.host_string].get_transport().open_session()
  File "/usr/local/lib/python2.7/site-packages/ploy_fabric/_fabric_integration.py", line 40, in __getitem__
    ssh_info = server.init_ssh_key(user=user)
  File "/usr/local/lib/python2.7/site-packages/ploy/plain.py", line 164, in init_ssh_key
    log.error('Failed to connect to %s (%s)' % (self.config_id, hostname))
  File "/usr/local/lib/python2.7/site-packages/ploy/common.py", line 214, in config_id
    return "%s:%s" % (self.sectiongroupname, self.id)

@fschulze
Member

Please edit File "/usr/local/lib/python2.7/site-packages/ploy/common.py", line 214, in config_id
by writing:

  print(self)

and let the return on line 214 move to 215.
That should print the representation of the instance just before the traceback.

I thought a bit more, you should also be able to add the key to your ~/.ssh/config like this:

Host 192.168.1.13
    IdentityFile yourkey.pub

Then it should work for both paramiko and ssh. This is nicer than putting it in ploy.conf. In my last reply I didn't think through what host will be looked up. For plain instances it's the content of host and that is used regardless of whether you use the plain instance directly or as an ezjail master.

Be assured that you are not bugging us, but ploy :)
We appreciate if people report new issues.

@mwpher
Author

mwpher commented Jul 27, 2014

Ok, first of all, I have tried moving the ssh key to identity and identity.pub, and bootstrap now does indeed work (I also realized that the bootstrap-fingerprint I had added was unnecessary). However, ssh to the post-bootstrapped system doesn't work. After adding print(self), I get:

matt@fbsdvbox ~/ansible-stuff (git)-[master] % ploy ssh jailhost                                            
<ploy.plain.Instance object at 0x803f0b0d0>
Traceback (most recent call last):
  File "/usr/local/bin/ploy", line 9, in <module>
    load_entry_point('ploy==1.0rc13', 'console_scripts', 'ploy')()
  File "/usr/local/lib/python2.7/site-packages/ploy/__init__.py", line 520, in ploy
    return ctrl(argv)
  File "/usr/local/lib/python2.7/site-packages/ploy/__init__.py", line 514, in __call__
    args.func(sub_argv, args.func.__doc__)
  File "/usr/local/lib/python2.7/site-packages/ploy/__init__.py", line 402, in cmd_ssh
    ssh_info = instance.init_ssh_key(user=user)
  File "/usr/local/lib/python2.7/site-packages/ploy/plain.py", line 164, in init_ssh_key
    log.error('Failed to connect to %s (%s)' % (self.config_id, hostname))
  File "/usr/local/lib/python2.7/site-packages/ploy/common.py", line 215, in config_id
    return "%s:%s" % (self.sectiongroupname, self.id)
AttributeError: 'Instance' object has no attribute 'sectiongroupname'

@fschulze
Member

Could you please try this fix:

diff --git a/ploy/plain.py b/ploy/plain.py
index 8adf9fe..1556167 100644
--- a/ploy/plain.py
+++ b/ploy/plain.py
@@ -60,6 +60,8 @@ class InstanceFormattingWrapper(object):


 class Instance(BaseInstance):
+    sectiongroupname = 'plain-instance'
+
     def get_host(self):
         if 'host' not in self.config:
             return self.config['ip']
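Review bot: the class attribute `sectiongroupname = 'plain-instance'` repairs `config_id` for `ploy.plain.Instance`, but the crash sat in the error path itself (`log.error('Failed to connect to %s (%s)' % (self.config_id, hostname))` in `init_ssh_key`), so the real connection failure was swallowed and replaced by an `AttributeError`; any other instance class that reaches `init_ssh_key` without the attribute still fails the same way. Consider also letting `config_id` in `ploy/common.py` fall back, for example `getattr(self, 'sectiongroupname', '?')`, so a logging call can never mask the diagnostic, and add a one-line comment explaining that the class-level default covers the case the loader evidently misses for plain instances. The hard-coded value has to stay in sync with the `[plain-instance:...]` section name used in ploy.conf; the later `Failed to connect to plain-instance:ploy-demo` output confirms it does.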

For me this at least fixes the error output.

@mwpher
Author

mwpher commented Jul 28, 2014

YES! It works! (Kind of)

Here's the error output it's now able to give me:

ERROR: Failed to connect to plain-instance:ploy-demo (192.168.1.19)
ERROR: username: 'root'
ERROR: port: 22
ERROR: Couldn't validate fingerprint for ssh connection.
ERROR: No fingerprint set in config.
ERROR: Is the instance finished starting up?

How would I fix this?

@mwpher
Author

mwpher commented Jul 28, 2014

If I close the issue, can we still keep talking?

@fschulze
Member

Just leave the issue open until it's completely resolved.

You have to set fingerprint = ... in [plain-instance:vbox-ezmaster]. You can get the fingerprint on the server with ssh-keygen -lf /etc/ssh/ssh_host_rsa_key or similar. You can also use ssh-keyscan 192.168.1.13 from your computer, but that can't really be trusted on the open internet. Some of this is explained in the ploy readme.

@mwpher
Author

mwpher commented Jul 28, 2014

It's working now! (Although you should know that ssh-keyscan doesn't print the fingerprint in the form of xx:xx:...) Shouldn't it have automatically noted the new fingerprint when the bootstrap process was done, though? Or is that something that hasn't been done yet?
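The fingerprint check discussed in this thread (paramiko verifies the host key against the fingerprint = value before anything else connects, the value comes from ssh-keygen -lf on the server or from ssh-keyscan on the client, and ssh-keyscan prints the raw key rather than the xx:xx:... form), as an added Python 3 example that is not ploy's or bsdploy's code. The 32 key bytes, the ssh-keyscan output and the ploy.conf text are constructed for the example; check_instance and the other function names are assumptions of this example, not ploy APIs.

```python
# Added example (Python 3, not ploy/bsdploy code): how a "fingerprint = ..."
# value in ploy.conf relates to what ssh-keygen -lf and ssh-keyscan print,
# and how a scanned host key is verified against it before connecting.
import base64
import configparser
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """The blob OpenSSH base64-encodes for an ssh-ed25519 public key."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy xx:xx:... form, which is what 'ssh-keygen -lf' printed in 2014."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Newer 'SHA256:<unpadded base64>' form printed by OpenSSH 6.8 and later."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def normalize_fingerprint(text: str) -> str:
    """Accept 'MD5:AA:BB...', 'aa:bb...' or 'SHA256:...' and return a canonical form."""
    text = text.strip()
    if text.upper().startswith("SHA256:"):
        return "SHA256:" + text[len("SHA256:"):].rstrip("=")
    if text.upper().startswith("MD5:"):
        text = text[len("MD5:"):]
    return text.lower()


def parse_keyscan_output(output: str):
    """Yield (host, keytype, blob) for each 'host keytype base64' line ssh-keyscan printed."""
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # '# host:port banner' comment lines
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed ssh-keyscan line: %r" % line)
        host, keytype, blob = parts[0], parts[1], base64.b64decode(parts[2], validate=True)
        # The blob embeds its own type name; it must agree with the keytype column.
        (type_len,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + type_len].decode("ascii", "replace")
        if embedded != keytype:
            raise ValueError("key type mismatch for %s: %s vs %s" % (host, keytype, embedded))
        yield host, keytype, blob


def fingerprint_matches(configured: str, blob: bytes) -> bool:
    """Compare the configured fingerprint with a scanned key in constant time."""
    want = normalize_fingerprint(configured)
    got = sha256_fingerprint(blob) if want.startswith("SHA256:") else md5_fingerprint(blob)
    return hmac.compare_digest(want.encode(), got.encode())


def check_instance(conf_text: str, section: str, keyscan_output: str):
    """Look up host and fingerprint for a ploy.conf section and verify the scanned
    host key; returns (ok, message) with messages echoing ploy's ERROR lines."""
    conf = configparser.ConfigParser()
    conf.read_string(conf_text)
    if section not in conf:
        return False, "no such section: %s" % section
    host = conf[section].get("host")
    configured = conf[section].get("fingerprint")
    if not configured:
        return False, "No fingerprint set in config."
    for scanned_host, keytype, blob in parse_keyscan_output(keyscan_output):
        if scanned_host != host:
            continue
        if fingerprint_matches(configured, blob):
            return True, "%s host key %s matches" % (keytype, md5_fingerprint(blob))
        return False, "Couldn't validate fingerprint for ssh connection."
    return False, "no key for %s in ssh-keyscan output" % host


# Constructed sample data, not a real key: 32 arbitrary bytes stand in for an
# Ed25519 public key, encoded the way ssh-keyscan prints it for the host.
SAMPLE_BLOB = build_ed25519_blob(bytes(range(32)))
SAMPLE_KEYSCAN = ("# 192.168.1.13:22 SSH-2.0-OpenSSH_6.6\n"
                  "192.168.1.13 ssh-ed25519 %s\n" % base64.b64encode(SAMPLE_BLOB).decode())
# The value 'ssh-keygen -lf' on the server would print for that key, pasted into
# ploy.conf; the second section reproduces the "No fingerprint set" case above.
SAMPLE_CONF = """[plain-instance:vbox-ezmaster]
host = 192.168.1.13
fingerprint = %s

[plain-instance:no-fingerprint]
host = 192.168.1.13
""" % md5_fingerprint(SAMPLE_BLOB)
```

Run check_instance(SAMPLE_CONF, "plain-instance:vbox-ezmaster", SAMPLE_KEYSCAN) to see the match, and the no-fingerprint section to see the same message ploy printed. Pipe real ssh-keyscan output through parse_keyscan_output and md5_fingerprint to turn the raw key into the colon form, or use ssh-keygen -lf -E md5 on a newer OpenSSH, which prints SHA256 form by default. The comparison is constant-time only for tidiness; the security of the check rests on where the fingerprint came from, which is why reading it on the server beats scanning it across an untrusted network.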

@fschulze
Member

The bootstrap should have created ssh_host_* files in bootstrap-files/. Is that the case? If so it should actually pick up the fingerprint automatically. If the files are there and the fingerprint isn't picked up, then we need to debug further.

@mwpher
Author

mwpher commented Jul 28, 2014

I don't see a file like that. There aren't any ssh_host_* files in etc/ either.

EDIT: another issue:

TASK: [jails_host | Enable sysvipc_allowed] *********************************** 
failed: [jailhost] => {"failed": true}
msg: Failed to reload sysctl: sysctl: unknown oid 'security.jail.allow_raw_sockets ' at line 10: No such file or directory
sysctl: unknown oid 'security.jail.sysvipc_allowed ' at line 11: No such file or directory

This has got to do with the space after the oid name, right?

@mwpher
Author

mwpher commented Jul 30, 2014

... Aaaand today it magically works, but now I get:

TASK: [jails_host | Setup data zpool] ***************************************** 
failed: [jailhost] => {"failed": true}
msg: Don't know how to handle 0 number of devices ().

FATAL: all hosts have already failed -- aborting
(._.) ( l: ) ( .-. ) ( :l ) (._.)

@mwpher
Author

mwpher commented Jul 30, 2014

NEVERMIND I UPGRADED THE PACKAGE AND IT WORKS OKAY

I'M CLOSING THE ISSUE AND GETTING OFF YOUR ISSUES LIST

I'LL BE SURE TO ANNOY YOU IF I FIND ANYTHING ELSE BYEEEEE
