OpenNebula / minione

Easy to use deployment tool for an OpenNebula evaluation environment
Apache License 2.0

host to frontend ssh problem #80

Closed Andrysky closed 2 years ago

Andrysky commented 3 years ago

Description

To Reproduce

Front-end (Ubuntu 20.10)

wget 'https://github.com/OpenNebula/minione/releases/latest/download/minione'
chmod +x ./minione
sudo bash minione -f

Host (Ubuntu 20.04.2)

sudo apt-get -y install gnupg wget apt-transport-https
sudo wget -q -O- https://downloads.opennebula.io/repo/repo.key | sudo apt-key add -
# tee runs under sudo, so the write to /etc/apt succeeds for a non-root user
echo "deb https://downloads.opennebula.io/repo/6.0/Ubuntu/20.04 stable opennebula" | sudo tee /etc/apt/sources.list.d/opennebula.list
sudo apt-get update
sudo apt-get -y install opennebula-node-lxc

2) add public key from Front-end to host
3) add host to Front-end
3) download alpine_3.13 - LXD-10 from apps (MarketStore)
4) deploy to host (create instances)

Current behavior

Wed Apr 28 10:08:58 2021: Error executing image transfer script: Error copying <Front-end>:/var/lib/one//datastores/1/b41d4ea3bcadddf0e8316fea40d029f0 to <host>:/var/lib/one//datastores/0/4/disk.0

or

ssh <Front-end>
ssh <host>
ssh <Front-end> *required password*

Expected behavior

deploy success

or

ssh <Front-end>
ssh <host>
ssh <Front-end> *success*

Details

Additional context

In https://docs.opennebula.io/6.0/open_cluster_deployment/lxc_node/lxc_node_installation.html#step-4-configure-passwordless-ssh it is written:

"Since OpenNebula 5.12. On the Front-end runs dedicated SSH authentication agent service which imports the oneadmin’s private key on its start .... While the authentication agent is used, you don’t need to distribute private SSH key from Front-end to hypervisor Nodes!"

Progress Status

aded-cmcc commented 2 years ago

Same here, with a KVM node, both frontend and KVM node with Ubuntu 20.04.

I'm on frontend, I want to:

I can do that only if the first ssh (frontend -> kvm node) is:

SSH_AUTH_SOCK=/run/one/ssh-agent.sock ssh -A <kvm_node>

xorel commented 2 years ago

Yes aded-cmcc, this is how it's supposed to work. Since 5.12 it's no longer needed to distribute private ssh oneadmin key to nodes, but to get also the backward ssh connection passwordless the SSH agent is used (see opennebula-ssh-agent.service).

aded-cmcc commented 2 years ago

"Yes aded-cmcc, this is how it's supposed to work. Since 5.12 it's no longer needed to distribute private ssh oneadmin key to nodes, but to get also the backward ssh connection passwordless the SSH agent is used (see opennebula-ssh-agent.service)."

Okay, but I have read "KVM node installation" and "Advanced SSH usage" (the original issue was opened on OpenNebula/one), and it's not clear how to properly set SSH configuration for the oneadmin user.

Let's say, why not to add ForwardAgent yes in SSH configuration? Why not to set a .profile for exporting SSH_AUTH_SOCK?

Maybe I missed some documentation, I apologize if this is the case. Can you point me out where these settings are documented? Please consider that I haven't included any additional keys from non-standard locations.

Thanks.

xorel commented 2 years ago

Yes, I moved the issue to MiniONE while I was expecting some installation/configuration issue, but later on realized it's not even a bug (I think).

Regarding the passwordless from host -> frontend, it's not required in many cases, only in a few actually (mv/mvds/snap_create etc). So in the drivers, it's turned on only when needed to minimize the security impact, see function ssh_forward.

But as you noted, you can adjust the configuration as you need.
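
The trade-off raised in this thread, a blanket ForwardAgent yes versus forwarding only where it is needed, as an added example (not from the thread and not OpenNebula's code): a shell function that flags ssh_config scopes enabling agent forwarding for wildcard hosts, run against two constructed configs. The node names and the use of IdentityAgent to select the Front-end agent socket are assumptions.

```shell
# Added example: report ssh_config scopes that turn on agent forwarding for
# every destination. Host names and both sample configs are constructed.

# Reads ssh_config text on stdin; prints the Host patterns (or "(global)")
# under which ForwardAgent is enabled for a wildcard scope.
# Limitation: Match blocks are skipped, not evaluated.
broad_forwarding() {
    awk '
        { line = $0; gsub(/=/, " ", line)            # "Key=value" is legal
          sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            n = split(line, f, /[ \t]+/); key = tolower(f[1])
            if (key == "host") {
                scope = ""; wild = 0
                for (i = 2; i <= n; i++) {
                    scope = scope (i > 2 ? " " : "") f[i]
                    if (f[i] ~ /[*?]/ && f[i] !~ /^!/) wild = 1
                }
            } else if (key == "match") {
                scope = line; wild = 0
            } else if (key == "forwardagent" && tolower(f[2]) != "no") {
                # Any value except "no" (yes, a socket path, $VAR) forwards.
                if (scope == "") print "(global)"
                else if (wild) print scope
            }
        }'
}

# Weak: the agent is forwarded to every host oneadmin connects to.
broad_config() {
    cat <<'EOF'
Host *
    ForwardAgent yes
EOF
}

# Scoped: forward the Front-end agent (socket path from this thread) only
# to the hypervisor nodes; every other destination gets no forwarding.
scoped_config() {
    cat <<'EOF'
Host node1.example node2.example
    IdentityAgent /run/one/ssh-agent.sock
    ForwardAgent yes
Host *
    ForwardAgent no
EOF
}
printf 'broad: %s\nscoped: %s\n' "$(broad_config | broad_forwarding)" "$(scoped_config | broad_forwarding)"
```

ssh uses the first value it obtains for each option, so the node-specific block has to come before `Host *`.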