SSH tunneling is not working for Root user on CentOS/RHEL #136

Closed
galal-hussein opened this Issue Dec 12, 2017 · 8 comments

Collaborator

galal-hussein commented Dec 12, 2017

Using OpenSSH 7.0+, the root user is not allowed to SSH tunnel to the Docker socket on CentOS/RHEL hosts; however, normal users work normally with RKE.

Member

moelsayed commented Dec 20, 2017

This is a regression in OpenSSH. We tested using OpenSSH 7.5 and it works fine. Older versions should be updated to versions with the back-ported fix.

Member

leodotcloud commented Jan 29, 2018

@galal-hussein @moelsayed I encountered this issue on Ubuntu 14.04 and OpenSSH_6.6.1

root@leo-k8s-c1-n0:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.5 LTS
Release:	14.04
Codename:	trusty
root@leo-k8s-c1-n0:~#
root@leo-k8s-c1-n0:~# ssh -V
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014
root@leo-k8s-c1-n0:~#

On my OSX machine:

ssh -V
OpenSSH_7.4p1, LibreSSL 2.5.0

cluster.yaml:

network:
  plugin: canal

ssh_key_path: ~/.ssh/id_rsa
enforce_docker_version: false

nodes:
  - address: 1.1.1.1
    user: root
    role: [controlplane, etcd]
  - address: 2.2.2.2
    user: root
    role: [worker]
  - address: 3.3.3.3
    user: root
    role: [worker]
  - address: 4.4.4.4
    user: root
    role: [worker]
Member

leodotcloud commented Jan 29, 2018

Upgrading OpenSSH on the OS X laptop didn't help either.

rke up                                                         
INFO[0000] Building Kubernetes cluster
INFO[0000] [dialer] Setup tunnel for host [1.1.1.1]
FATA[0000] Failed to set up SSH tunneling for Etcd host [1.1.1.1]: Can't retrieve Docker Info: error during connect: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: Failed to dial to Docker socket: ssh: rejected: administratively prohibited (open failed)

 ssh -V                                                                  
OpenSSH_7.6p1, OpenSSL 1.0.2n  7 Dec 2017
Member

leodotcloud commented Jan 29, 2018

Upgrading the OS to Ubuntu 16.04 solved the problem for me.

root@leo-k8s-c1-n0:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial
root@leo-k8s-c1-n0:~# ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
root@leo-k8s-c1-n0:~#
Collaborator

galal-hussein commented Jan 29, 2018

RKE uses the stream local forwarding feature to tunnel and connect to the Docker engine on each host. OpenSSH supports stream local forwarding since version 6.7, so Ubuntu 14.04 will not work with RKE since it has OpenSSH 6.6. OpenSSH should be upgraded on Ubuntu 14.04.
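
A pre-flight check for the requirement stated in the comment above, as an added example that is not part of the original thread or of RKE: it tests whether a node's OpenSSH version is at least 6.7 and whether the `sshd -T` output reports that stream local forwarding is permitted. The function names are hypothetical, the `sshd -T` excerpt is constructed, and the check does not cover the root-user regression discussed earlier in the thread.

```shell
#!/usr/bin/env bash
# Added example: checks to run against a node (the SSH server side) before `rke up`.

# Extract "major.minor" from an `ssh -V` line or an SSH banner string.
openssh_version() {
  printf '%s\n' "$1" |
    sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' | head -n 1
}

# Succeed if the version is >= 6.7, the minimum for stream local forwarding
# named in the thread. Returns 2 if the string is not an OpenSSH version.
supports_streamlocal() {
  local ver major minor
  ver=$(openssh_version "$1")
  [ -n "$ver" ] || return 2
  major=${ver%%.*}
  minor=${ver#*.}
  [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }
}

# Read `sshd -T` output on stdin; succeed if client-to-socket (local)
# stream forwarding is permitted by AllowStreamLocalForwarding.
streamlocal_allowed() {
  local value
  value=$(awk 'tolower($1) == "allowstreamlocalforwarding" { print tolower($2); exit }')
  case "$value" in
    yes|all|local) return 0 ;;
    *) return 1 ;;   # "no", "remote", or keyword absent (server older than 6.7)
  esac
}

# Version strings quoted in the thread (Ubuntu 14.04 node, then Ubuntu 16.04 node).
for v in "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8" "OpenSSH_7.2p2 Ubuntu-4ubuntu2.4"; do
  if supports_streamlocal "$v"; then
    echo "ok:      $v"
  else
    echo "too old: $v (stream local forwarding needs OpenSSH >= 6.7)"
  fi
done

# Constructed `sshd -T` excerpt with the forwarding disabled.
printf 'allowtcpforwarding yes\nallowstreamlocalforwarding no\n' | streamlocal_allowed ||
  echo "sshd config: stream local forwarding is not permitted"

# On a real node (as root): supports_streamlocal "$(ssh -V 2>&1)"
#                           sshd -T | streamlocal_allowed
```

Run the checks on each node listed in cluster.yaml rather than on the workstation, since the forwarding is performed by the node's SSH server.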

BalaBalaYi commented May 18, 2018

@galal-hussein So what is the best solution for CentOS 7 for now? Update SSH or use another user?

markhuyong commented Sep 30, 2018

Upgrade CentOS version

yum install openssh-server