While building an OpenStack environment for verification and deploying CirrOS, I ran into an issue where the SSH key pair was not imported and I could NOT log in to the instance with the SSH private/public key. The behaviour is the same for CirrOS and Debian images: SSH falls back to password authentication and prompts for a password.
OpenStack version: Queens (Version: 13.0.0)
- Configuration Overview
- Error log
- SSH public key authentication now works after reviewing the network configuration
- Conclusion: the SSH key pair is not imported in the OpenStack external (flat) network configuration
Configuration Overview
OpenStack is built on CentOS 7 in a standalone environment using PackStack.
The installation procedure is described here: en-designetwork.hatenablog.com
Error log
The relevant part of the startup log when the issue occurs is as follows.
...
udhcpc (v1.23.2) started
Sending discover...
Sending select for 192.168.1.212...
Lease of 192.168.1.212 obtained, lease time 86400
checking http://169.254.169.254/2009-04-04/instance-id
failed 1/20: up 20.64. request failed
//FAILED MESSAGE//
failed 2/20: up 33.14. request failed
//FAILED MESSAGE//
...
failed 20/20: up 252.96. request failed
//FAILED MESSAGE//
failed to read iid from metadata. tried 20
failed to get instance-id of datasource
Top of dropbear init script
Starting dropbear sshd: failed to get instance-id of datasource OK
...
=== cirros: current=0.4.0 uptime=260.09 ===
(CirrOS ASCII-art banner)
http://cirros-cloud.net
login as 'cirros' user. default password: 'gocubsgo'. use 'sudo' for root.
cirros login:
The instance tried to reach http://169.254.169.254/2009-04-04/instance-id and gave up after failing 20 times.
OpenStack Community Information
The error above means the instance failed to retrieve its metadata, and the metadata is what carries the SSH public key to be imported.
Although the SSH public key has not been imported, the OS itself starts normally, and it is possible to log in with password authentication (CirrOS has a default password).
There are also community questions from people who cannot log in with the SSH key pair. The usual suspects are the nova_metadata_ip setting, whether the nova-api service is running, and the firewall settings, but when installing with the PackStack procedure from the article above, all of these were already set correctly.
https://ask.openstack.org/en/question/59837/cant-ssh-to-new-created-instances-any-more/
https://ask.openstack.org/en/question/42729/unable-to-connect-metadata/
# vi /etc/neutron/metadata_agent.ini
nova_metadata_ip=<Master IP>   # already configured
The port is also open.
# ss -tuna | grep 8775
tcp    LISTEN     0      128    *:8775    *:*
There is also a report that Keystone and Nova need to be restarted after generating the key pair; I restarted them, but nothing changed.
SSH public key authentication now works after reviewing the network configuration
Because I wanted an environment that was as simple as possible for verification, I initially used a flat network bridged to extnet. The blue "designet" part in the figure below is a segment of my home network, and the instances were connected flat onto it. In my environment, changing the network configuration solved the SSH key pair problem.
I created the internal network shown in orange below, connected it through a router, and reached the instance from the outside via a floating IP.
As a result, the public key of the specified SSH key pair was imported into the CirrOS instance, and I could log in with the SSH private key as expected.
Log output after problem resolution
Starting network...
udhcpc (v1.23.2) started
Sending discover...
Sending select for 100.64.0.19...
Lease of 100.64.0.19 obtained, lease time 86400
route: SIOCADDRT: File exists
WARN: failed: route add -net "0.0.0.0/0" gw "100.64.0.1"
checking http://169.254.169.254/2009-04-04/instance-id
successful after 1/20 tries: up 19.10. iid=i-00000033
failed to get http://169.254.169.254/2009-04-04/user-data
warning: no ec2 metadata for user-data
Top of dropbear init script
Starting dropbear sshd: OK
The line "failed to get http://169.254.169.254/2009-04-04/user-data" still appears, but it is not a connection timeout: the metadata service answered, and the instance simply had no user-data ("warning: no ec2 metadata for user-data").
SSH public key login confirmation
192.168.1.212 is the allocated floating IP.
# ssh -i <key> cirros@192.168.1.212
The authenticity of host '192.168.1.212 (192.168.1.212)' can't be established.
ECDSA key fingerprint is SHA256:xxx.
ECDSA key fingerprint is MD5:xxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.212' (ECDSA) to the list of known hosts.
$ uname -a
Linux cirros-03 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:09:13 UTC 2016 x86_64 GNU/Linux
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:cb:11:e0 brd ff:ff:ff:ff:ff:ff
    inet 100.64.0.19/24 brd 100.64.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fecb:11e0/64 scope link
       valid_lft forever preferred_lft forever
Conclusion: the SSH key pair is not imported in the OpenStack external (flat) network configuration
In an OpenStack environment built for verification, the SSH key pair was not imported when CirrOS was deployed, so the instance could not be logged into with SSH public key authentication.
Although I have not investigated the underlying mechanism in detail, reviewing the network configuration resolved the issue, and SSH access with public key authentication now works as expected.
NG: flat configuration bridged to extnet
OK: internal network + router + floating IP configuration
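As an added example (not from the original post), the following shell script classifies a CirrOS boot log by the outcome of the metadata fetch shown in the two logs above, and checks whether the key served by the metadata service actually reached the login user's authorized_keys, which is the quick way to tell "key not injected, image is sitting on its default password" from an ordinary SSH misconfiguration. The metadata path meta-data/public-keys/0/openssh-key, busybox wget inside the instance, and the function names are assumptions; the log snippets and keys in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Classify a CirrOS/cloud-init
# style boot log by how the EC2-style metadata fetch went, and check whether
# the public key served by the metadata service is present in authorized_keys.
# Assumptions: OpenStack's EC2-compatible metadata path
# meta-data/public-keys/0/openssh-key, and busybox wget inside the instance.

# metadata_status "<log text>" -> prints ok | failed | unknown
metadata_status() {
    if printf '%s\n' "$1" | grep -q 'successful after [0-9]*/[0-9]* tries'; then
        echo ok
    elif printf '%s\n' "$1" | grep -q 'failed to get instance-id of datasource'; then
        echo failed
    else
        echo unknown
    fi
}

# key_injected "<key from metadata>" "<authorized_keys contents>"
# Succeeds if the metadata key (type + base64; the comment is ignored) is
# present; returns 2 if the metadata key is empty or malformed.
key_injected() {
    want=$(printf '%s\n' "$1" | awk 'NF >= 2 {print $1" "$2; exit}')
    [ -n "$want" ] || return 2
    printf '%s\n' "$2" | awk 'NF >= 2 {print $1" "$2}' | grep -qxF -- "$want"
}

# Live check to run inside an instance (hypothetical helper): compare what the
# metadata service serves with what dropbear/sshd will accept for this user.
check_live() {
    meta=$(wget -qO- http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key) || return 3
    key_injected "$meta" "$(cat "${HOME}/.ssh/authorized_keys" 2>/dev/null)"
}

# Constructed sample input, trimmed from the two boot logs quoted in the post.
FAIL_LOG='checking http://169.254.169.254/2009-04-04/instance-id
failed 20/20: up 252.96. request failed
failed to read iid from metadata. tried 20
failed to get instance-id of datasource'
OK_LOG='checking http://169.254.169.254/2009-04-04/instance-id
successful after 1/20 tries: up 19.10. iid=i-00000033
failed to get http://169.254.169.254/2009-04-04/user-data
warning: no ec2 metadata for user-data'
# Constructed placeholder keys (not real key material).
META_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed== demo-keypair'
AUTH_KEYS_GOOD='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed== Generated-by-Nova'
AUTH_KEYS_BAD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed other-host'

main() {
    echo "failed boot log -> $(metadata_status "$FAIL_LOG")"   # failed
    echo "fixed boot log  -> $(metadata_status "$OK_LOG")"     # ok
    key_injected "$META_KEY" "$AUTH_KEYS_GOOD" && echo "key present in authorized_keys"
    key_injected "$META_KEY" "$AUTH_KEYS_BAD" || echo "key missing from authorized_keys"
}
main "$@"
```

Run check_live from inside a freshly booted instance: a non-zero exit means the instance is reachable only by password, which for CirrOS is the published default.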