Can't ssh to vm instance created from cirros-0.5.2 image using key

Bug #1991231 reported by Mikolaj Ciecierski
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Mikolaj Ciecierski

Bug Description

Description
===========
It is not possible to ssh to an instance created from cirros-0.5.2 (http://download.cirros-cloud.net/0.5.2/cirros-0.5.2-x86_64-disk.img) image using public key authentication. Only password authentication works. The key is present under ~/.ssh/authorized_keys on the instance, but key-based authentication doesn't work. This error is showing up in: Error: send_pubkey_test: no mutual signature algorithm

To work around this, you can run the update-crypto-policies --set LEGACY command on the undercloud. Then both password and key authentication work.

I also spawned an instance using a newer cirros image, cirros-0.6.0 (http://download.cirros-cloud.net/0.6.0/cirros-0.6.0-x86_64-disk.img), and ssh works both with password and key with DEFAULT crypto-policies set on the undercloud.

Steps to reproduce
==================
1. Deploy tripleo environment from master branch

2. Upload key to the Compute service

openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey

3. Spawn instance using command:

openstack server create \
        --image ${IMAGE_NAME} \
        --flavor ${FLAVOR_NAME} \
        --security-group ${SECGROUP_NAME} \
        --key-name mykey \
        --nic net-id=${TENANT_NET_ID} \
        ${INSTANCE_NAME}

4. Attach floating ip to instance

openstack server add floating ip ${INSTANCE_NAME} ${INSTANCE_FIP}

5. Try to ssh to instance using key from undercloud:

ssh -i ~/.ssh/<uploaded key> cirros@${INSTANCE_FIP}

Expected result
===============

Being able to ssh to the instance using key

Actual result
=============
Only password-based authentication works for the cirros-0.5.2 image.
For cirros-0.6.0, both key and password work for ssh.

Brendan Shephard (bshephar) wrote :

Hmm, I don't think this is a tripleo bug. I'd say the old cirros image is just using legacy ssh-rsa crypto algorithms that have been deprecated for some time. CentOS9 Stream won't support them by default, hence the requirement to re-enable them before being able to access the VM.

I don't think we want to use the legacy crypto-policies by default on our undercloud node.
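
The failure discussed in the comment above can be modelled as a three-way intersection: the signature algorithms valid for the key type, those the client is configured to accept, and those the server can verify. The script below is an added example, not part of the original bug report and not tripleo or OpenSSH code; it is a simplified model, and the key line, the ssh -G style client settings and the server algorithm lists are constructed sample values.

```sh
#!/bin/sh
# Added example (simplified model, not OpenSSH source code).
# All sample values below are constructed, not captured from a real host.
RSA_KEY='ssh-rsa AAAA_constructed_placeholder user@undercloud'
# `ssh -G <host>` style output: one without ssh-rsa, one with it re-enabled.
CLIENT_DEFAULT='pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'
CLIENT_LEGACY='pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'
# Signature algorithms each (hypothetical) server can verify.
SERVER_OLD='ssh-rsa'
SERVER_NEW='ssh-ed25519 rsa-sha2-512 rsa-sha2-256 ssh-rsa'

# Accepted signature algorithms, one per line, from `ssh -G` text on stdin.
client_sig_algs() {
    awk '$1 ~ /^pubkeyaccepted(algorithms|keytypes)$/ {print $2}' | tr ',' '\n'
}

# Signature algorithms usable with a key of type $1 (RSA keys have three).
algs_for_key() {
    case "$1" in
        ssh-rsa) printf '%s\n' rsa-sha2-512 rsa-sha2-256 ssh-rsa ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# $1 = public key line, $2 = `ssh -G` text, $3 = server algorithms.
# Prints the first algorithm acceptable to key, client and server; returns 1
# when there is none, the case reported as "no mutual signature algorithm".
mutual_sig_alg() {
    _kt=${1%% *}
    for _alg in $(printf '%s\n' "$2" | client_sig_algs); do
        algs_for_key "$_kt" | grep -qxF -- "$_alg" || continue
        printf '%s\n' $3 | grep -qxF -- "$_alg" || continue
        printf '%s\n' "$_alg"
        return 0
    done
    return 1
}

report() {  # $1 = label, $2 = client config, $3 = server algorithms
    if _r=$(mutual_sig_alg "$RSA_KEY" "$2" "$3"); then
        echo "$1: sign with $_r"
    else
        echo "$1: no mutual signature algorithm"
    fi
}
report 'default client, old server' "$CLIENT_DEFAULT" "$SERVER_OLD"
report 'legacy client, old server'  "$CLIENT_LEGACY"  "$SERVER_OLD"
report 'default client, new server' "$CLIENT_DEFAULT" "$SERVER_NEW"
```

On a real client, the second argument would come from ssh -G against the instance address; the server list has to be established separately, for example from the image's SSH server documentation.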

Mikolaj Ciecierski (mciecierski) wrote :

This bug was created primarily to track the issue against the tripleo-upgrade repo. In tripleo-upgrade we use a bash script [1], which spawns a VM on the overcloud before update/ffu. The script uploads a cirros image downloaded from a mirror, without any modifications before uploading it to glance.

Since centos9 is used both in master and wallaby I have already proposed changes to both of these branches.

Master change: https://review.opendev.org/c/openstack/tripleo-upgrade/+/860082

Wallaby cherry-pick: https://review.opendev.org/c/openstack/tripleo-upgrade/+/861165

[1] https://github.com/openstack/tripleo-upgrade/blob/master/templates/workload_launch.sh.j2

Changed in tripleo:
assignee: nobody → Mikolaj Ciecierski (mciecierski)
Takashi Kajinami (kajinamit) wrote :

The patches mentioned in comment 2 were both merged. We probably can mark this as resolved.

Feel free to reopen this in case you still need any fix/investigation/etc.

Changed in tripleo:
importance: Undecided → Medium
status: Triaged → Fix Released