This repository has been archived by the owner on Aug 15, 2022. It is now read-only.

Issue with klient key using "connect your own machine" and docker container #11280

serut opened this issue Jun 4, 2017 · 3 comments

serut commented Jun 4, 2017

I've followed the guide Connect your own machine to set up a container acting like a remote machine.

But it just fails on the klient side: when the service boots, it tries to establish the connection with koding and has a problem finding a key (which key?). See the stack trace below.
On the backend side, kontrol doesn't print any error.

14:32:47 [kontrol] INFO     Registered machine on user: serut
14:33:00 [kontrol] INFO     Register (via HTTP) request from: /serut/devmanaged/klient/0.1.235/public-region/6a07e32d32db/25300627-b5bf-465b-8cac-92cc68f0d150
14:33:00 [kontrol] INFO     Kite registered (via HTTP): /serut/devmanaged/klient/0.1.235/public-region/6a07e32d32db/25300627-b5bf-465b-8cac-92cc68f0d150
14:34:50 [kontrol] INFO     Kite didn't sent any heartbeat (via HTTP). Stopping the updater /serut/devmanaged/klient/0.1.235/public-region/6a07e32d32db/25300627-b5bf-465b-8cac-92cc68f0d150
14:34:50 [kontrol] INFO     Kite is nonactive (via HTTP). Updater is closed /serut/devmanaged/klient/0.1.235/public-region/6a07e32d32db/25300627-b5bf-465b-8cac-92cc68f0d150

Expected Behavior

To connect a docker container to Koding and not a VM / dedicated server.

Current Behavior

I've created a container which installs and runs klient.
The installation looks good:

$ env
KONTROLURL=http://ip:8090/kontrol/kite
CHANNEL=devmanaged
[..]

$ touch /etc/init.d/klient

$ curl -sL https://kodi.ng/s | bash -s 580ea923
Testing sudo permissions, please input password if prompted...
Downloading Koding Service Connector 0.1.235...
Installing the Koding Service Connector package...
Authenticating you to the Koding Service
 Adding system startup for /etc/init.d/klient ...
   /etc/rc0.d/K20klient -> ../init.d/klient
   /etc/rc1.d/K20klient -> ../init.d/klient
   /etc/rc6.d/K20klient -> ../init.d/klient
   /etc/rc2.d/S20klient -> ../init.d/klient
   /etc/rc3.d/S20klient -> ../init.d/klient
   /etc/rc4.d/S20klient -> ../init.d/klient
   /etc/rc5.d/S20klient -> ../init.d/klient
Authenticated successfully
Starting the Koding Service Connector...
-- Starting Koding Service Connector... done.
>>>>>>>>>>>>>>>Success!<<<<<<<<<<<<<<
This machine has been successfully connected to Koding and
should show up automatically on the sidebar of your Koding account
where your other machines are listed.
Please head over to koding.com now and remember to not close
the "Add Your Own Machine" dialogue box until you see this machine appear
in the sidebar.
For some reason if this machine does not show up on your koding account
in the next 2-3 minutes, please re-run the install script or contact us
at support@koding.com.

When the klient tries to connect with the koding instance, it doesn't authorize the connection:

$ cat /var/log/klient.log
14:32:49.375Z INFO     [machine        ][PID:112][logging/context.go:47] [machines] Detected 0 machines, started 0 clients.
14:32:49.375Z INFO     [machine        ][PID:112][logging/context.go:47] [machines] Syncing 0 mounts of 0 machines. Failed 0
14:32:50.442Z INFO     [endpoint-kloud ][PID:112][daemon/install.go:313] Going to install screen...
14:32:52.444Z INFO     [endpoint-kloud ][PID:112][daemon/install.go:317] Screen was successfully installed.
14:33:00 [klient] WARNING  tunnel: unable to read options: key not found
14:33:00 [klient] INFO     tunnel: checking if "ip:8090" is reachable
14:33:00 [klient] ERROR    failure checking local route: IsVagrant error: exit status 1
14:33:00 [klient] INFO     Register to local kontrol 'http://127.0.0.1:3000/kontrol/kite' via the URL value: 'http://ip:8090/kite'
14:33:00 [klient] ERROR    Failed to register, retrying with original URL: Post http://127.0.0.1:3000/kontrol/register: dial tcp 127.0.0.1:3000: getsockopt: connection refused
14:33:00 [klient] INFO     Register to kontrol 'http://ip:8090/kontrol/kite' via the URL value: 'http://ip:8090/kite'
14:33:00 [klient] INFO     Registered (via HTTP) with URL: 'http://ip:8090/kite' and HeartBeat interval: '10s'
14:33:00 [klient] INFO     Using version: '0.1.235' querystring: '25300627-b5bf-465b-8cac-92cc68f0d150'
14:33:00 [klient] INFO     New listening: 0.0.0.0:56789
14:33:00 [klient] INFO     Starting Updater with following options:
        interval of: 5m0s
        endpoint: https://koding-klient.s3.amazonaws.com/devmanaged/latest-version.txt
14:33:00 [klient] INFO     Dialing 'kontrol' kite: http://ip:8090/kontrol/kite
14:33:00 [klient] INFO     Serving...
14:33:00 [klient] INFO     Connected to Kontrol
14:33:00 [klient] INFO     [remote][restoreMounts queue] Remounted successfully.
14:33:01.071Z CRITICAL [tunnelclient   ][PID:112][logging/context.go:23] [transport] client fetch identifier error: authenticationError: kiteKey: invalid kontrol key found (bb1ce922590648c1)

Steps to Reproduce

  1. Create a start.sh script
#!/usr/bin/env bash
set -e # Fail on error
set -x # echo commands executed
env
# Create the initscript https://askubuntu.com/a/493209
touch /etc/init.d/klient
# Install
curl -sL https://kodi.ng/s | bash -s "${KODING_KEY}"
# Daemon boots, wait
sleep 3
# Block the container if service booted successfully
if [ -f /var/log/klient.log ]; then
    tail -F /var/log/klient.log
fi
exit 1
  2. Create a Dockerfile
FROM ubuntu:14.04.5
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update \
    # Install curl to be able to download klient and its dependency (screen)
    && apt-get install -y \
               curl \
               screen
CMD ["/start.sh"]
ADD start.sh /start.sh
  3. Store your credentials in an environment file .env.vmklient. You can get your credentials by visiting /Home/stacks/virtual-machines in your Koding web interface. Just extract the values from that text: export KONTROLURL=http://<server ip:port>/kontrol/kite [..] | bash -s <key>
KODING_KEY=<key>
KONTROLURL=http://<server ip:port>/kontrol/kite
CHANNEL=devmanaged
  4. Create the local image: docker build -t vm .
  5. Run the container: docker run -it --env-file .env.vmklient vm

Error encountered

registration failed: cannot authenticate user: otaToken '<KODING_KEY>' is not validated; err: not found (e9e49d6261be6ab1)

Your KODING_KEY inside .env.vmklient has expired, you need to recreate another one on the web interface (Dashboard > Virtual machines > Add your own machine)

What do you think about this? Thanks for reading.

@rjeczalik
Member

Related: #8514 (@gokmen can we bump priority on this one?).

@rjeczalik
Member

Hey @serut!

> But it just fails on the klient side: when the service boots, it tries to establish the connection with koding and has a problem finding a key (which key?).

Kite uses a JWT token for authentication - it is called a kite.key in the kite framework - the klient and kontrol are built on the kite framework. During registration kontrol generates a kite.key for klient, and klient stores it in the ~$USER/.config/koding/konfig.bolt local database (the $USER is the user owning the klient process, here it'd be root). You can inspect its contents with the boltcli command. The error you received basically means the kontrolKey claim of klient's kite.key does not match kontrol's public key. This can be caused by either kontrol misconfiguration or klient misreading the kite.key from local configuration.

You could confirm that by reading kiteKey from the local database with:

/opt/kite/klient/klient config | jq -r .konfig.kiteKey > jwt.json

And parsing the JWT with the kitekey command:

go run main.go -file jwt.json  | jq -r .kontrolKey
-----BEGIN PUBLIC KEY-----
(...)
-----END PUBLIC KEY-----

If the .kontrolKey does not match the kontrol.pub that the kontrol service was configured with, klient will fail with the kiteKey: invalid kontrol key found error.

I also have some sad news - even if you figured out why the key is wrong, you won't be able to connect your container to koding until #8920 is fixed - klient needs to be publicly accessible by kontrol and uses the tunnel service for that. This service does not start as a part of the oss deployment, yet.
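
The check described in the comment above, as an added example that is not part of the thread or of the Koding code base: it decodes the payload of a kite.key JWT, takes its kontrolKey claim and compares it with kontrol.pub by PEM content rather than by raw text. The function names and the sample key and token are constructed for illustration; it assumes kontrolKey is a top-level claim holding the PEM text, and it does not verify the JWT signature.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// kontrolKeyFromKiteKey returns the kontrolKey claim of a kite.key (a JWT).
// It only decodes the payload; it does not verify the token's signature.
func kontrolKeyFromKiteKey(kiteKey string) (string, error) {
	parts := strings.Split(strings.TrimSpace(kiteKey), ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("kite.key has %d parts, want 3", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", fmt.Errorf("decoding payload: %w", err)
	}
	var claims struct {
		KontrolKey string `json:"kontrolKey"` // assumed top-level claim holding PEM text
	}
	err = json.Unmarshal(payload, &claims)
	return claims.KontrolKey, err
}

// sameKontrolKey compares the claim with kontrol.pub by decoded PEM bytes.
func sameKontrolKey(kiteKey string, kontrolPub []byte) (bool, error) {
	claim, err := kontrolKeyFromKiteKey(kiteKey)
	if err != nil {
		return false, err
	}
	a, _ := pem.Decode([]byte(claim))
	b, _ := pem.Decode(kontrolPub)
	if a == nil || b == nil {
		return false, fmt.Errorf("kontrolKey claim or kontrol.pub is not PEM")
	}
	return a.Type == b.Type && bytes.Equal(a.Bytes, b.Bytes), nil
}

func main() { // constructed sample: placeholder bytes, not a real key or token
	pub := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: []byte("constructed-sample")})
	claims, _ := json.Marshal(map[string]string{"kontrolKey": string(pub)})
	token := "e30." + base64.RawURLEncoding.EncodeToString(claims) + ".c2ln"
	fmt.Println(sameKontrolKey(token, pub)) // true <nil>
}
```

On a real host the two inputs would be the kiteKey value printed by klient config and the contents of the kontrol.pub file the kontrol service was configured with.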

@serut
Author

serut commented Jun 5, 2017

Thanks for this information! I managed to get the same certificate on both sides...!

On the Koding server :

cat /opt/koding/generated/private_keys/kontrol/kontrol.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunK/xtLUoHrYU3/9AJiU
[..]
-----END PUBLIC KEY-----

On the VM side:

$ apt-get install -y wget git jq
$ cd /
$ wget https://storage.googleapis.com/golang/go1.7.6.linux-amd64.tar.gz
$ tar -xvf go1.7.6.linux-amd64.tar.gz
$ mv go /usr/local
$ export GOROOT=/usr/local/go
$ export GOPATH=/koding/go
$ git clone https://github.com/koding/koding
$ cd /koding/go/src/koding/kites/kloud/scripts/kitekey
$ /opt/kite/klient/klient config | jq -r .konfig.kiteKey > jwt.json
$ go run main.go -file jwt.json  | jq -r .kontrolKey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunK/xtLUoHrYU3/9AJiU
[..]
-----END PUBLIC KEY-----
