designetwork(EN)

IT technical memo of networking

SSH key pair is not imported in OpenStack external network diagram

When building OpenStack for verification and deploying CirrOS, the SSH key pair was not imported, and an issue occurred that CANNOT login to the instance by the SSH private-public key. OS is similar for CirrOS and Debian. (Switch to password authentication and request password input)

OpenStack version: Queens (Version: 13.0.0)

Configuration Overview

OpenStack is built on CentOS 7 in a standalone environment using PackStack.

Check here for the installation procedure

en-designetwork.hatenablog.com

Error log

The part of startup log when an issue occurs is as follows.

...
udhcpc (v1.23.2) started
Sending discover...
Sending select for 192.168.1.212...
Lease of 192.168.1.212 obtained, lease time 86400
checking http://169.254.169.254/2009-04-04/instance-id
failed 1/20: up 20.64. request failed    //FAILED MESSEAGE//
failed 2/20: up 33.14. request failed    //FAILED MESSEAGE//
...
failed 20/20: up 252.96. request failed    //FAILED MESSEAGE//
failed to read iid from metadata. tried 20
failed to get instance-id of datasource
Top of dropbear init script
Starting dropbear sshd: failed to get instance-id of datasource
OK

...
=== cirros: current=0.4.0 uptime=260.09 ===
  ____               ____  ____
 / __/ __ ____ ____ / __ \/ __/
/ /__ / // __// __// /_/ /\ \ 
\___//_//_/  /_/   \____/___/ 
   http://cirros-cloud.net


login as 'cirros' user. default password: 'gocubsgo'. use 'sudo' for root.
cirros login: 

It tried accessing http://169.254.169.254/2009-04-04/instance-id and gave up failing 20 times.

OpenStack Community Information

The above error is a failure of the instance's Metadata setting, and it contains SSH public key import.

Although the SSH public key has not been imported, the OS itself starts normally, and it is possible to log in with password authentication. (CirrOS has default password)

There are also some questions in the community that can not log in with the SSH key-pair as well. Although it is suspected that setting of NOVA_METADATA_IP, invocation of nova-api service, firewall setting are suspected, when installing by the PackStack procedure described in the above article, both were set correctly.

https://ask.openstack.org/en/question/59837/cant-ssh-to-new-created-instances-any-more/ask.openstack.org

https://ask.openstack.org/en/question/59837/cant-ssh-to-new-created-instances-any-more/ask.openstack.org

https://ask.openstack.org/en/question/42729/unable-to-connect-metadata/ask.openstack.org

# vi /etc/neutron/metadata_agent.ini

nova_metadata_ip=<Master IP>  //Configured

The port is also open.

# ss -tuna | grep 8775
tcp    LISTEN     0      128       *:8775                  *:*

There is also information that Keystone and Nova need to be restarted after key pair generation, restarted but state does not change ...

We can now SSH public key authentication by reviewing the network configuration

Since I wanted to verify with a simple environment as possible, initially I used a flat network with bridge connection with extnet. The blue designet in the figure below was a part of the network in my home, and it was flat connected to it. In my environment change network configuration solved the problem of SSH key pair.

We created the internal network of the orange part below, connected by Router, and access from the front was connected using Floating IP.

As a result, the public key of the specified SSH key pair was imported to the CirrOS instance, and by connecting the SSH private key, it was possible to log in as expected.

Log output after problem resolution

Starting network...
udhcpc (v1.23.2) started
Sending discover...
Sending select for 100.64.0.19...
Lease of 100.64.0.19 obtained, lease time 86400
route: SIOCADDRT: File exists
WARN: failed: route add -net "0.0.0.0/0" gw "100.64.0.1"
checking http://169.254.169.254/2009-04-04/instance-id
successful after 1/20 tries: up 19.10. iid=i-00000033
failed to get http://169.254.169.254/2009-04-04/user-data
warning: no ec2 metadata for user-data
Top of dropbear init script
Starting dropbear sshd: OK

failed to get http://169.254.169.254/2009-04-04/user-data , but it's not Connection Timeout.

SSH public key login confirmation

192.168.1.212 is Allocated Floating IP.

# ssh -i <key> cirros@192.168.1.212
The authenticity of host '192.168.1.212 (192.168.1.212)' can't be established.
ECDSA key fingerprint is SHA256:xxx.
ECDSA key fingerprint is MD5:xxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.212' (ECDSA) to the list of known hosts.
$ uname -a
Linux cirros-03 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:09:13 UTC 2016 x86_64 GNU/Linux
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:cb:11:e0 brd ff:ff:ff:ff:ff:ff
    inet 100.64.0.19/24 brd 100.64.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fecb:11e0/64 scope link
       valid_lft forever preferred_lft forever

Conclusion - SSH key pair is not imported in OpenStack external network diagram

In OpenStack built for verification, an issue occurred in which SSH key pair was not imported when CirrOS was deployed, and the instance could not login by SSH public key method.

Although I have not pursued detailed operation principle, SSH access by SSH public key authentication became possible as expected as it was resolved by reviewing the network configuration and as expected.

NG: bridge (extnet) flat configuration
OK: Internal + Router + Floating IP configuration


This Blog is English Version of my JP's.

Sorry if my English sentences are incorrect.

designetwork