
"rke up" got "ssh: rejected: administratively prohibited (open failed)" #93

Closed
nevermosby opened this issue Dec 3, 2017 · 23 comments

@nevermosby

rke version: rke version v0.0.7-dev

problem:
When running "./rke -d up" with the file "cluster.yml" in the same folder, I got:

INFO[0000] [certificates] Generating kubernetes certificates
INFO[0000] [certificates] Generating CA kubernetes certificates
...
INFO[0003][certificates] Deploying kubernetes certificates to Cluster nodes
DEBU[0003] [certificates] Pulling Certificate downloader Image on host [node1]
FATA[0008] Can't pull Docker image rancher/rke-cert-deployer:0.1.0 for host [node1]: error during connect: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=rancher%2Frke-cert-deployer&tag=0.1.0: Error connecting to Docker socket on host [node1]: ssh: rejected: administratively prohibited (open failed)

Tried to fix it by enabling the ssh config "AllowTcpForwarding yes", but it failed.

Any suggestions?

@superseb
Contributor

superseb commented Dec 3, 2017

Is this on CentOS/RHEL by any chance?

@galal-hussein
Contributor

Can you also make sure that the ssh user you are using has access to the docker engine?

@iyacontrol

iyacontrol commented Dec 4, 2017

I also meet the same problem. I even tried the root user to ssh, but rke still failed.

@iyacontrol

@nevermosby have you solved the problem?

@superseb
Contributor

superseb commented Dec 4, 2017

@iyacontrol Please share the OS used (cat /etc/os-release).

@iyacontrol

@superseb
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

@iyacontrol

@superseb Linux 3.10.0-693.el7.x86_64

@nevermosby
Author

@superseb yeah, it is a CentOS system, details are listed below:

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

@galal-hussein I used "root" to run the command, so I am sure I have access to the docker engine.

@iyacontrol I still have this issue with CentOS.

New progress here:
I tried an Ubuntu system instead and it did work.
So some different OS configuration can be the root cause.

@galal-hussein
Contributor

@nevermosby I will try to reproduce with CentOS 7 to see if the problem is related to a specific OS.

@galal-hussein
Contributor

galal-hussein commented Dec 5, 2017

@nevermosby @iyacontrol @superseb I was able to reproduce the issue; however, I am not sure what the root cause is. CentOS seems to reject ssh local forwarding using root:

- Unit session-33.scope has begun starting up.
Dec 04 23:32:46 hussein-centos-01 sshd[11192]: refused streamlocal port forward: originator  port 0, target /var/run/docker.sock
Dec 04 23:32:46 hussein-centos-01 sshd[11192]: pam_unix(sshd:session): session closed for user root
➜  ssh -nNT -L /tmp/docker.sock:/var/run/docker.sock  root@x.x.x.x
channel 1: open failed: administratively prohibited: open failed
channel 1: open failed: administratively prohibited: open failed

However, it works for users other than root; as a workaround you can specify a user other than root for now.

@nevermosby
Author

@galal-hussein thanks for the feedback. On the same CentOS machine, I took your advice and tried a user other than root, but got the same error.

@galal-hussein
Contributor

@nevermosby can you make sure that the ssh user has access to the docker engine? You can add the user to the docker group and use it in cluster.yml.

@nevermosby
Author

@galal-hussein yes, I am sure. I have added the user to the docker group and tried the "docker push" command; it works fine.

@galal-hussein
Contributor

@nevermosby Can you post the version of openssh currently installed on the CentOS server?

@nevermosby
Author

@galal-hussein sorry for the late reply. The version installed on my CentOS machine is:

ssh -V

OpenSSH_6.6.1p1,OpenSSL 1.0.1e-fips 11 Feb 2013

@niusmallnan

@galal-hussein
It seems that pam_unix causes this issue.
Try this: https://serverfault.com/questions/416441/pam-module-causes-flurry-of-ssh-sessions

@galal-hussein
Contributor

@niusmallnan No, I don't think this is the issue; I just tested with PAM disabled and got the same error. Also, I think not using PAM is not recommended on RHEL.

@moelsayed
Contributor

@nevermosby You need to upgrade your openssh server to 7.x to get support for local stream forwarding.

@nevermosby
Author

Hi @moelsayed, thanks for the reminder. I just upgraded my openssh version to 7.4 and set "AllowTcpForwarding" to yes:

ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

However, I still got the same error. Maybe the forwarding configuration is not right. Could you give some advice on this?

@ghost

ghost commented Dec 11, 2017

If you run rke on CentOS 7, you should not use the root user to open the ssh tunnel. You can try the following steps to run rke
on all nodes:

  1. Update openssh to 7.4, and docker to version v1.12.6.
  2. Set "AllowTcpForwarding yes" and "PermitTunnel yes" in /etc/ssh/sshd_config, and then restart the sshd service.
  3. The host which runs rke must be able to ssh to all nodes without a password.
  4. Run "groupadd docker" to create the docker group, if the docker group does not exist.
  5. Run "useradd -g docker yourusername" to create the user yourusername and set its group to docker.
  6. Set the docker.service's MountFlags=shared (vi /xxx/xxx/docker.service).
  7. Run "su yourusername" to change the current user, and then restart the docker service, so that in the yourusername user's session the docker.sock will be created at the path /var/run/docker.sock.
  8. In cluster.yml set the ssh user to yourusername (in setup hosts):
     nodes:
     - address: x.x.x.x
       ...
       user: yourusername
     - address: x.x.x.x
       ...
       user: yourusername
  9. In cluster.yml set the kubelet to use the systemd cgroup (in setup hosts):
     services:
       kubelet:
         image: rancher/k8s:v1.8.3-rancher2
         extra_args: {"cgroup-driver":"systemd","fail-swap-on":"false"}

Now you can run "rke -d up" to set up your k8s cluster.
If you meet "Failed to Save Kubernetes certificates: Timeout waiting for K8s to be ready" when running rke, you can see something here: #121

@subhransusekhar

Hi @luoshiqian, thanks, your solution worked for me on CentOS 7.4.

@galal-hussein
Contributor

@luoshiqian Thanks for the steps. OpenSSH doesn't allow ssh tunneling for root users for some reason; closing this issue and will track the root user bug in issue #136.

@ibre5041

Tried to fix it by enabling the ssh config "AllowTcpForwarding yes", but it failed.

Any suggestions?

I had the same problem, and found out that the problem was on my side: in authorized_keys, in the key usage restrictions.
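A preflight script, added here as an example (not rke code and not posted by anyone in this thread), that checks the three conditions the thread converged on before "rke up" is run: an OpenSSH older than 6.7, which cannot forward a Unix socket at all and produces the "refused streamlocal port forward" seen in the sshd log above; forwarding switched off in sshd_config; and an authorized_keys entry carrying no-port-forwarding or restrict, the cause reported in the last comment. All inputs are passed as strings (constructed samples in the comments), the function names are mine, and only the last function touches the network.

```shell
# Preflight checks for the ssh-tunnel prerequisites discussed in this issue.
# Added example, not rke code; inputs are passed as strings so it runs offline.

# OpenSSH gained Unix-domain-socket ("streamlocal") forwarding in 6.7, so the
# 6.6.1p1 shipped with CentOS 7 cannot forward /var/run/docker.sock at all.
# $1 = output of `ssh -V`; returns 0 when the version is 6.7 or newer.
ssh_supports_streamlocal() {
  ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  major=${ver% *}; minor=${ver#* }
  [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }
}

# sshd refuses a local forward when AllowTcpForwarding or
# AllowStreamLocalForwarding (both default yes) is set to no or remote.
# $1 = sshd_config contents; only the global section before any Match counts,
# and, like sshd, the first value of a repeated directive wins.
sshd_config_allows_forwarding() {
  printf '%s\n' "$1" | awk '
    function ok(v) { return v == "" || v == "yes" || v == "all" || v == "local" }
    /^[ \t]*#/ { next }
    tolower($1) == "match" { inmatch = 1 }
    inmatch { next }
    tolower($1) == "allowtcpforwarding" && tcp == "" { tcp = tolower($2) }
    tolower($1) == "allowstreamlocalforwarding" && sl == "" { sl = tolower($2) }
    END { exit !(ok(tcp) && ok(sl)) }'
}

# A key prefixed with "no-port-forwarding", or with "restrict" and no later
# "port-forwarding", makes sshd answer "administratively prohibited" for every
# forward, which is the cause the last comment reports. $1 = one line of
# authorized_keys; returns 0 when that key cannot open the tunnel.
authorized_key_blocks_forwarding() {
  opts=$(printf '%s' "$1" | sed 's/"[^"]*"//g; s/[[:space:]].*//')
  case ",$opts," in
    *,no-port-forwarding,*) return 0 ;;
    *,restrict,*) case ",$opts," in *,port-forwarding,*) return 1 ;; esac; return 0 ;;
  esac
  return 1
}

# Live version of the check galal-hussein ran above: forward the remote Docker
# socket to a temporary path and query the API through it. $1 = user@host.
check_docker_tunnel() {
  sock=$(mktemp -u) || return 1
  ssh -nNT -o ExitOnForwardFailure=yes -L "$sock:/var/run/docker.sock" "$1" &
  pid=$!; sleep 2
  curl -sf --unix-socket "$sock" http://localhost/version >/dev/null; rc=$?
  kill "$pid" 2>/dev/null; rm -f "$sock"
  return "$rc"
}
```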
