[juju 3.1 - manual provider] strict confinement breaks SSH certificate authentication

Bug #2030507 reported by Peter Jose De Sousa
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Canonical Juju | Triaged | Low | Unassigned |

Bug Description

Hello,

When using manual provider on juju 3.1, manual provider is unable to authenticate using my SSH keys.

ap-http-proxy: snap-https-proxy: snap-store-assertions: snap-store-proxy: snap-store-proxy-url: ssl-hostname-verification:true test-mode:false transmit-vendor-metrics:true type:manual update-status-hook-interval:5m uuid:2554b2d3-345e-48f6-8f97-bca3b4427502]
14:32:45 INFO juju.environs.manual.sshprovisioner sshprovisioner.go:44 initialising "10.10.32.80", user "ubuntu"
14:32:45 DEBUG juju.utils.ssh ssh.go:305 using OpenSSH ssh client
14:32:45 DEBUG juju.utils.ssh ssh.go:305 using OpenSSH ssh client
14:32:45 ERROR juju.provider.manual provider.go:39 initializing ubuntu user: subprocess encountered error code 255 (ubuntu@10.10.32.80: Permission denied (publickey).)
ERROR subprocess encountered error code 255 (ubuntu@10.10.32.80: Permission denied (publickey).)
14:32:45 DEBUG cmd supercommand.go:548 error stack:
subprocess encountered error code 255 (ubuntu@10.10.32.80: Permission denied (publickey).)
github.com/juju/juju/environs/bootstrap.PrepareController:145:
github.com/juju/juju/cmd/juju/commands.(*bootstrapCommand).Run:872:

If I reinstall juju 3.1 using devmode and re-run the same command I am able to bootstrap successfully.

[Steps to reproduce]

1. Install juju 3.1/stable confined
2. Attempt to bootstrap a manual controller

Observe the above error

[Workaround]

Install with devmode (not recommended)

Thanks,
Peter

description: updated
summary: [juju 3.1 - manual provider] strict confinement breaks SSH certificate
- authenticaiton
+ authentication
Nobuto Murata (nobuto) wrote :

Confirmed.

Juju snap is trying to access the socket of ssh-agent, which may not be covered by "ssh-keys" plug in snapcraft.

> Aug 08 11:45:29 t14 kernel: audit: type=1400 audit(1691462729.314:741): apparmor="DENIED" operation="connect" class="file" profile="snap.juju.juju" name="/run/user/1000/keyring/ssh" pid=159125 comm="ssh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

Nobuto Murata (nobuto) wrote :

In my case, a workaround was to add the following lines in ~/.ssh/config explicitly.

Host <TARGET_IP_ADDRESS>
    IdentityFile ~/.ssh/id_ed25519
    ControlMaster no

Peter Jose De Sousa (pjds) wrote :

Thanks Nobuto, I'll try it out

Joseph Phillips (manadart) wrote :

Can you confirm whether the work-around worked for you?

Changed in juju:
status: New → Triaged
importance: Undecided → Low
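
The AppArmor denial quoted in the thread can be picked out of kernel audit output automatically. The following is an added example, not part of the bug report or of Juju's code: it parses AppArmor audit records and reports snap-confined processes that were denied a connect to the ssh-agent socket. The function names, the second sample log line and the fallback to the SSH_AUTH_SOCK environment variable are assumptions made for illustration.

```python
import os
import re

# Constructed sample: the first line is the denial quoted in the thread; the
# second is a made-up record for another snap and socket, to show the filtering.
SAMPLE_LOG = """\
Aug 08 11:45:29 t14 kernel: audit: type=1400 audit(1691462729.314:741): apparmor="DENIED" operation="connect" class="file" profile="snap.juju.juju" name="/run/user/1000/keyring/ssh" pid=159125 comm="ssh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 08 11:45:30 t14 kernel: audit: type=1400 audit(1691462730.100:742): apparmor="DENIED" operation="connect" class="file" profile="snap.example.app" name="/run/dbus/system_bus_socket" pid=159200 comm="app" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
"""

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_apparmor(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in ("name", "comm", "profile") and HEX.fullmatch(raw):
            # audit writes strings with spaces or control characters as bare hex
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def agent_socket_denials(log_text, auth_sock=None):
    """List DENIED connect attempts by snap profiles to the ssh-agent socket."""
    auth_sock = auth_sock or os.environ.get("SSH_AUTH_SOCK", "")
    hits = []
    for line in log_text.splitlines():
        f = parse_apparmor(line)
        if (f and f.get("apparmor") == "DENIED"
                and f.get("operation") == "connect"
                and f.get("profile", "").startswith("snap.")
                and f.get("name") == auth_sock):
            hits.append((f["profile"], f.get("comm"), f["name"], f.get("denied_mask")))
    return hits

if __name__ == "__main__":
    for hit in agent_socket_denials(SAMPLE_LOG, "/run/user/1000/keyring/ssh"):
        print("snap profile %s: %s denied %s on agent socket %s" % (hit[0], hit[1], hit[3], hit[2]))
```

On a real host the input would be the kernel log, for example the output of `journalctl -k`, and the socket path the value of SSH_AUTH_SOCK in the session that ran the snap.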