[oooq] sshd not starting on overcloud nodes

Bug #1986484 reported by Lewis Denny
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| tripleo | New | Undecided | Unassigned | |

Bug Description

On a fresh deployment of the oooq master branch, openssh is not starting due to the following error:
```
Unable to load host key: /etc/ssh/ssh_host_rsa_key
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
```

sshd-keygen.target creates the host keys on first boot, or if they are ever removed, by calling `/usr/libexec/openssh/sshd-keygen` and passing it a single argument of key type:
```
[root@overcloud-controller-0 ~]# systemctl cat sshd-keygen.target
# /usr/lib/systemd/system/sshd-keygen.target
[Unit]
<email address hidden>
<email address hidden>
<email address hidden>
PartOf=sshd.service
```

```
[root@overcloud-controller-0 ~]# systemctl cat <email address hidden>
# /usr/lib/systemd/system/sshd-keygen@.service
[Unit]
Description=OpenSSH %i Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_%i_key

[Service]
Type=oneshot
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/libexec/openssh/sshd-keygen %i

[Install]
WantedBy=sshd-keygen.target

# /etc/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf

# In some cloud-init enabled images the sshd-keygen template service may race
# with cloud-init during boot causing issues with host key generation. This
# drop-in config adds a condition to sshd-keygen@.service if it exists and
# prevents the sshd-keygen units from running *if* cloud-init is going to run.
#
[Unit]
ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
```

Note there are two systemd files listed above: `sshd-keygen@.service` from the sshd package and the `disable-sshd-keygen-if-cloud-init-active.conf` file, which comes from the cloud-init rpm.

This is blocking the keygen and causing sshd to fail to start.

This can be fixed by either removing cloud-init or calling `/usr/libexec/openssh/sshd-keygen` manually.

I notice the upstream CI is using CentOS 9 and my overcloud nodes were deployed with CentOS 8; maybe this default just needs to be bumped.
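An added diagnostic sketch, not part of the bug report and not code from the openssh or cloud-init packages: it evaluates the two unit conditions quoted above for each host key type. The `|` prefix on `ConditionFileNotEmpty=` marks a triggering condition, and the drop-in's `ConditionPathExists=` must also hold, so key generation runs only when the key is missing or empty and the cloud-init generator link is absent. The function names `keygen_verdict` and `report` and the root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks the sshd-keygen@.service conditions against a
# filesystem root. Pass / on a live node; a constructed tree also works.

# Path tested by the cloud-init drop-in (copied from the unit output above).
CLOUD_INIT_LINK=run/systemd/generator.early/multi-user.target.wants/cloud-init.target

# keygen_verdict ROOT KEYTYPE
# Prints: present   - key exists and is non-empty, keygen unit is skipped
#         would-run - key missing/empty and no cloud-init link, keygen runs
#         blocked   - key missing/empty but the drop-in condition fails
keygen_verdict() {
    root=${1%/}
    key="$root/etc/ssh/ssh_host_${2}_key"
    # ConditionFileNotEmpty=|!<key> holds only if the key is missing or empty.
    if [ -s "$key" ]; then
        echo present
        return 0
    fi
    # ConditionPathExists=!<link> fails when the generator link exists.
    if [ -e "$root/$CLOUD_INIT_LINK" ]; then
        echo blocked
        return 0
    fi
    echo would-run
}

# report ROOT
# One line per key type named in the sshd error; returns 1 if any key is
# missing while keygen is blocked (the state that leaves sshd without keys
# unless something else, such as cloud-init itself, creates them).
report() {
    rc=0
    for t in rsa ecdsa ed25519; do
        v=$(keygen_verdict "$1" "$t")
        echo "ssh_host_${t}_key: $v"
        if [ "$v" = blocked ]; then
            rc=1
        fi
    done
    return $rc
}

# Run against the given root when invoked with an argument, e.g. `sh check.sh /`.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```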
