Injecting an ssh key failed when booting an instance by using direct image injection.

Bug #1491216 reported by Charlotte Han
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: Chung Chih, Hung

Bug Description

1. root@cling-SBCJ-slot2 ~(keystone_admin)]# nova keypair-list
+---------+-------------------------------------------------+
| Name    | Fingerprint                                     |
+---------+-------------------------------------------------+
| hanrong | 57:96:f9:94:56:b9:e9:b5:86:66:c7:9d:7e:bc:57:e3 |
+---------+-------------------------------------------------+

2. modify nova.conf
inject_partition=-1
inject_key=true

3. boot an instance with parameter --key-name
nova boot --image e39e0859-1a7d-4e36-8e7d-84db2306bfea --flavor 3 --key-name hanrong --nic net-id=fa752978-d3b9-4369-870d-b0fb8d4e0fae hanrong

4. The VM is active, but this pub key has not been inserted at the end of the file /root/.ssh/authorized_keys.

5. nova-compute.log shows:
2015-09-02 10:11:00.058 8474 WARNING nova.virt.disk.vfs.guestfs [req-f8e65cdf-5242-4b16-ad61-adb3c8224139 032d0561ca1e42bda4710eada6148bce 3c1f187a3acf4268aa8f24e6d82d5bad] Failed to close augeas aug_close: call launch before using this function\n(in guestfish, don't forget to use the 'run' command)
2015-09-02 10:11:00.068 8474 WARNING nova.virt.disk.api [req-f8e65cdf-5242-4b16-ad61-adb3c8224139 032d0561ca1e42bda4710eada6148bce 3c1f187a3acf4268aa8f24e6d82d5bad] Ignoring error injecting data into image (Error mounting /var/lib/nova/instances/c14e01b8-93f8-4f5d-b952-1e05ed73e29b/disk with libguestfs (/usr/libexec/qemu-kvm exited with error status 1.

6. fs.setup() throws an exception; the log is written in this code:
def inject_data(image, key=None, net=None, metadata=None, admin_password=None,
                files=None, partition=None, use_cow=False, mandatory=()):
    """Inject the specified items into a disk image.

    If an item name is not specified in the MANDATORY iterable, then a warning
    is logged on failure to inject that item, rather than raising an exception.

    it will mount the image as a fully partitioned disk and attempt to inject
    into the specified partition number.

    If PARTITION is not specified the image is mounted as a single partition.

    Returns True if all requested operations completed without issue.
    Raises an exception if a mandatory item can't be injected.
    """
    LOG.debug("Inject data image=%(image)s key=%(key)s net=%(net)s "
              "metadata=%(metadata)s admin_password=<SANITIZED> "
              "files=%(files)s partition=%(partition)s use_cow=%(use_cow)s",
              {'image': image, 'key': key, 'net': net, 'metadata': metadata,
               'files': files, 'partition': partition, 'use_cow': use_cow})
    fmt = "raw"
    if use_cow:
        fmt = "qcow2"
    try:
        fs = vfs.VFS.instance_for_image(image, fmt, partition)
        fs.setup()
    except Exception as e:
        # If a mandatory item is passed to this function,
        # then reraise the exception to indicate the error.
        for inject in mandatory:
            inject_val = locals()[inject]
            if inject_val:
                raise
        LOG.warning(_LW('Ignoring error injecting data into image %(image)s '
                        '(%(e)s)'), {'image': image, 'e': e})
        return False

    try:
        return inject_data_into_fs(fs, key, net, metadata, admin_password,
                                   files, mandatory)
    finally:
        fs.teardown()

The exception code is:

Charlotte Han (hanrong) wrote :

I did an experiment: if the nova-compute service is started with root permission, the SSH key is injected into the instance successfully.

stop nova-compute:
systemctl stop openstack-nova-compute

start nova-compute with root permission:
/usr/bin/python /usr/bin/nova-compute

tags: added: inject libvirt permissions spawn
tags: added: rootwrap
Changed in nova:
assignee: nobody → Chung Chih, Hung (lyanchih)
Markus Zoeller (markus_z) (mzoeller) wrote :

I removed tags which don't have a subteam which watches for them.

tags: removed: inject permissions spawn
Changed in nova:
assignee: Chung Chih, Hung (lyanchih) → nobody
Chung Chih, Hung (lyanchih) wrote :

Sorry, I didn't notice the review had not been posted here.

Fix proposed to branch: master
Review: https://review.openstack.org/#/c/237547/

Matt Riedemann (mriedem)
Changed in nova:
assignee: nobody → Chung Chih, Hung (lyanchih)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/237547
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=92ae0f1077e4c5916d99777b032aaf0840e7ab93
Submitter: Jenkins
Branch: master

commit 92ae0f1077e4c5916d99777b032aaf0840e7ab93
Author: Chung Chih, Hung <email address hidden>
Date: Tue Oct 20 12:41:46 2015 +0000

    libvirt - Add log if libguestfs can't read host kernel

    Host's kernel only allows a root user to have read/write permission in
    ubuntu. If compute-service didn't have read permission then libguestfs
    will launch image fail.

    In libguestfs official FAQ site had point out this issue, following is
    the link
    http://libguestfs.org/guestfs-faq.1.html#binaries
    It had suggested users to change host's kernel permission. But this
    action should be handled by other patch. Here only give a hint what's
    going wrong.

    Change-Id: I36c93610831e2935d46f7ee37f95619fe6dc1481
    Related-Bug: 1413142
    Closes-Bug: 1491216

Changed in nova:
status: In Progress → Fix Released
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/nova 14.0.0.0b1

This issue was fixed in the openstack/nova 14.0.0.0b1 development milestone.
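
A diagnostic in the spirit of the hint described in the commit message above, as an added example (not nova's code and not part of the original report): it checks from the file mode bits whether a given account can read the kernel images under /boot. The account name `nova`, the `vmlinuz-*` file naming and all function names are assumptions; POSIX ACLs are not evaluated.

```python
import glob
import os
import stat


def readable_by(path, uid, gids):
    """True if the mode bits on path grant read access to uid/gids.

    Only owner/group/other bits are evaluated (no ACLs, no capabilities);
    uid 0 is treated as always able to read.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def unreadable_kernels(uid, gids, boot_dir="/boot"):
    """Kernel images in boot_dir that the given account cannot read."""
    kernels = sorted(glob.glob(os.path.join(boot_dir, "vmlinuz-*")))
    return [k for k in kernels if not readable_by(k, uid, gids)]


def injection_hint(uid, gids, boot_dir="/boot"):
    """Operator-facing hint, or None when every kernel image is readable."""
    blocked = unreadable_kernels(uid, gids, boot_dir)
    if not blocked:
        return None
    return ("libguestfs may fail to launch: uid %d cannot read %s"
            % (uid, ", ".join(blocked)))


if __name__ == "__main__":
    import pwd
    try:
        acct = pwd.getpwnam("nova")  # assumed service account name
        uid = acct.pw_uid
        gids = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    except KeyError:
        # No such account on this host: check the current user instead.
        uid, gids = os.getuid(), set(os.getgroups())
    print(injection_hint(uid, gids) or "all kernel images are readable")
```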
