brooklyncentral / clocker

Apache Brooklyn cloud native infrastructure blueprints
Apache License 2.0

Cannot establish ssh connection to root @ SshMachineLocation[LocalhostMachine:oLk6:eb25-2/127.0.1.1] (publickey auth failed). #96

Open emad-nk opened 9 years ago

emad-nk commented 9 years ago

I can't run docker from clocker on my own machine (localhost). I am using: brooklyn-clocker-examples-0.4.0. When I run "docker cloud" then "localhost", I get an error.

This is what I added to brooklyn.properties:

brooklyn.location.localhost.privateKeyFile = ~/.ssh/id_rsa
brooklyn.ssh.config.privateKeyFile = ~/.ssh/id_rsa
brooklyn.ssh.config.publicKeyFile = ~/.ssh/id_rsa.pub

And this is what I commented:

brooklyn.location.jclouds.aws-ec2.identity = AKA_YOUR_ACCESS_KEY_ID

brooklyn.location.jclouds.aws-ec2.credential =

So I don't understand if clocker is trying to "ssh root@localhost", because that's not possible. From another machine I can "ssh user@IP_address" without a password, so it seems the ssh key is fine.

Here is full error: Failure running task invoking start[locations] on 1 node (TTlb0wbr): All nodes in cluster DynamicClusterImpl{id=gRiCX8rp} failed; first failure is: 2 of 2 parallel child tasks failed, including: Cannot establish ssh connection to root @ SshMachineLocation[LocalhostMachine:oLk6:eb25-2/127.0.1.1](publickey auth failed). Ensure that passwordless and passphraseless ssh access is enabled using standard keys from ~/.ssh or as configured in brooklyn.properties. Check that the target host is accessible, that credentials are correct (location and permissions if using a key), that the SFTP subsystem is available on the remote side, and that there is sufficient random noise in /dev/random on both ends. To debug less common causes, see the original error in the trace or log, and/or enable 'net.schmizz' (sshj) logging.

dazzag24 commented 9 years ago

Hi,

I had this issue and it turned out that my key had a password. Take a look at the potential problems section of this page as it has some steps you can take to ensure your keys are correct.

https://brooklyn.incubator.apache.org/v/latest/ops/locations/ssh-keys.html

RobertDiebels commented 7 years ago

@emijoon did you manage to resolve this? Because I'm having the same error. The error resolution @dazzag24 pointed to doesn't exist any longer so I'm wondering if anyone can help me out.

Otherwise I'll open a new issue.

Versions

windows:             10 (Home Edition)
brooklyn:            0.11
clocker-kubernetes:  2.1.0-20170623.1921
clocker-common:      2.1.0-20170623.1921
brooklyn-etcd:       2.4.0
clocker-swarm:       2.1.0-20170623.1921

Other information

It might be helpful to mention that I can see that Brooklyn created 224 key pairs. I doubt that they're ssh-key pairs or anything but they exist.

geomacy commented 7 years ago

hi @emijoon, @dazzag24, if it's any help the new location of that page on SSH keys is http://brooklyn.apache.org/v/latest/locations/index.html#ssh-keys. That link above is pretty old ('incubator' days).

If you can't SSH to localhost as root, you could try setting

brooklyn.location.localhost.loginUser = xxxxx

replacing xxxx with the user you can log in as.

RobertDiebels commented 7 years ago

@geomacy I followed the get started guide on: http://www.clocker.io/tutorials/kubernetes-cluster.html which set the loginUser to centos though that doesn't seem to work.

geomacy commented 7 years ago

Ah, ignore my comment above, of course localhost is irrelevant here, the guide above recommends using a CentOS image for your nodes, hence the 'centos' value for loginUser. It would be worth making sure that your image matches this; I'd try getting a simple 'server' blueprint working first with your location before you try clocker.

RobertDiebels commented 7 years ago

@geomacy I've set up a python webserver to check if my credentials were ok. This worked as I expected it to. I can see brooklyn boot instances in my AWS EC2 console. Then brooklyn terminates them because it can't ssh into the remote machine.

I can see that it's trying to use my local windows user to gain access. Which isn't going to work because it has no keys. So I'm wondering how do I tell brooklyn which user to use to access the remote machines?

geomacy commented 7 years ago

hi (sorry for the delay, am out and about today). You should be able to configure the user to log in with using user (just as loginUser configures the name for the initial OS login, if that can't be established from the cloud).

There is a fairly good amount of detail on how Brooklyn works with logins and users in the documentation here: os-initial-login-and-setup, especially at #os-setup, including how to specify key files and/or passwords.

RobertDiebels commented 7 years ago

@geomacy No problem. I'm happy with any help I can get at the moment. I've generated a new ssh key-pair and put them in my home folder (on Windows). However I'm getting an intermediate error during the cluster start invocation.

'C' will be ignored, loading '\Users\Robert\.ssh\id_rsa.pub' as no framework available

Where is it getting the file from? I ensured the key-pair exists in my home folder. However I don't know whether Brooklyn is using \Users\Robert\.ssh\id_rsa.pub as a relative path or an absolute one. If it does, relative to what exactly?

Is there a specific place/way I should configure brooklyn to pick up a file on a Windows host?

I looked through the documentation you recommended which states

Following a successful logon, Brooklyn performs the following steps to configure the machine:

- creates a new user with the same name as the user brooklyn is running as locally (this can be overridden with user, below).
- install the local user’s ~/.ssh/id_rsa.pub as an authorized_keys on the new machine, to make it easy for the operator to ssh in (override with privateKeyFile; or if there is no id_{r,d}sa{,.pub} an ad hoc keypair will be generated for the regular Brooklyn user; if there is a passphrase on the key, this must be supplied)
- give sudo access to the newly created user (override with grantUserSudo: false)
- disable direct root login to the machine

These steps can be skipped or customized as described below.

Again it would seem that it wants to access the current users home folder. Though ~/ will not be accessible from a Windows CMD terminal. It might be from a powershell terminal, though I'm using a CMD terminal.

Could using a CMD terminal cause the 'C' will be ignored, loading '\Users\Robert\.ssh\id_rsa.pub'-error?

I also checked my ssh-keys with as suggested in:

ssh-keygen -y. If it does not ask for a passphrase, then your key has no passphrase

I was not asked for a passphrase while checking the id_rsa so that isn't the problem either.
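The passphrase question raised twice in this thread (dazzag24's passphrase-protected key, and the ssh-keygen -y check above) can also be answered by reading the key file's own header. This is an added Python example, not part of the original thread or of Brooklyn; the function names are hypothetical and the sample keys are constructed header-only blobs, not usable keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n]


def key_is_encrypted(pem_text):
    """True if this private key cannot be used without a passphrase."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    begin = lines[0]
    if "ENCRYPTED PRIVATE KEY" in begin:      # PKCS#8, always encrypted
        return True
    if "OPENSSH PRIVATE KEY" in begin:        # cipher name follows the magic
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad OpenSSH key magic")
        return _ssh_string(blob, len(OPENSSH_MAGIC)) != b"none"
    # Legacy "BEGIN RSA PRIVATE KEY" style: encryption shows up as a header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:3])


def sample_openssh_key(cipher):
    """Constructed header-only blob for the demo; it is not a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"")
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    for c in (b"none", b"aes256-ctr"):
        print(c.decode(), "->", key_is_encrypted(sample_openssh_key(c)))
```
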

neykov commented 7 years ago

@RobertDiebels First thing I'd try is using loginUser:root if using Amazon. The default for Brooklyn is to use the image provided username, but sometimes it falls back to jclouds which is probably not what you want.

As for your own user name being used by Brooklyn - that's expected, but it does that for the second stage where it sets up its own user (which is overridable, but defaults to the local user account). The problem you are describing is trying to ssh in the first stage where it's using the cloud provided username.

neykov commented 7 years ago

As for the specific error you are getting: 'C' will be ignored, loading '\Users\Robert\.ssh\id_rsa.pub' as no framework available

There's a convention in Brooklyn where if you prefix a resource with an identifier followed by a : it will try to load it from a bundle with the same symbolic name. Unfortunately this clashes with the Windows path format. You could try prefixing it with a dummy value just so you can force your full path to be considered. For example: dummy:C:\Users\Robert\.ssh\id_rsa.pub. Brooklyn will by default use id_rsa.pub so you need to do that only when using a non-default private key. Also under Windows there might be problems with password protected keys, so I'd try getting a deployment running with a passwordless private key first.
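The prefix clash described in the comment above, modelled as an added Python example (a simplified illustration, not Brooklyn's loader code and not part of the original thread): a generic prefix:resource split turns C:\Users\... into a prefix C plus a drive-less path, which is the shape of the warning quoted above. The function names and the some.bundle reference are hypothetical.

```python
import re

_PREFIX = re.compile(r"^([A-Za-z][\w.+-]*):(.*)$", re.S)
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def naive_split(ref):
    """Split 'prefix:resource' at the first colon, with no notion of drives."""
    m = _PREFIX.match(ref)
    return (m.group(1), m.group(2)) if m else (None, ref)


def drive_aware_split(ref):
    """Treat a leading 'X:\\' or 'X:/' as part of the path, not as a prefix."""
    if _DRIVE.match(ref):
        return (None, ref)
    return naive_split(ref)


def misread_as_prefix(refs):
    """References whose drive letter a naive parser would strip off."""
    return [r for r in refs if naive_split(r) != drive_aware_split(r)]


# Constructed sample references; 'some.bundle' is a hypothetical bundle name.
SAMPLES = [
    r"C:\Users\Robert\.ssh\id_rsa.pub",
    r"dummy:C:\Users\Robert\.ssh\id_rsa.pub",
    "~/.ssh/id_rsa.pub",
    "some.bundle:keys/id_rsa.pub",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref!r}: naive={naive_split(ref)} "
              f"drive_aware={drive_aware_split(ref)}")
    print("misread:", misread_as_prefix(SAMPLES))
```
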

RobertDiebels commented 7 years ago

@neykov Thanks for the answers!

I've changed my config to:

brooklyn.locations:
- type: jclouds:aws-ec2
  brooklyn.config:
  # ---- VM Creation ----
    displayName: AWS-Frankfurt-PrivateKey
    region: eu-central-1
    identity: smthsmth
    credential: smthsmth
  # Make sure you've accepted the TOC for the image before using it. To do so
  # go to https://aws.amazon.com/marketplace/pp/B00O7WM7QW and try to start
  # an instance with the image. In the process the UI will ask you to accept
  # the TOC. There is no need to actually launch the instance.
  # If you have not accepted the TOC you'll get 401 responses from EC2's API.
  #
  # To find the AMIs for different regions go to (login required):
  # https://aws.amazon.com/marketplace/fulfillment?productId=b7ee8a69-ee97-4a49-9e68-afaee216db2e
  # and click on "Manual Launch". There you'll see a list of regions and the corresponding image IDs.
    imageId: eu-central-1/ami-9bf712f4
    hardwareId: t2.micro
  # Provision a maximum of 3 machines in parallel to avoid hitting the
  # maximum allowed request limit rate.
    maxConcurrentMachineCreations: 3

  # ---- OS Setup ----
    loginUser: root

I still get the: 'C' will be ignored, loading '\Users\Robert\.ssh\id_rsa.pub' as no framework available- error. So I guess that Brooklyn uses the correct path?

When trying the prefix dummy I get: FileNotFoundException: dummy:C:\Users\Robert\.ssh\id_rsa (Dutch description stating that the syntax is incorrect.)

For me this probably means I will have to stop using clocker and Brooklyn. I would recommend that people not try to use Brooklyn and clocker on Windows machines until it has further matured on that OS.

Either way thanks for the effort guys! Even if it doesn't work out in the end I always appreciate people helping me out 😄

neykov commented 7 years ago

@RobertDiebels There are users currently using Brooklyn with Windows, so I'm sure it's possible to make it work. There's one more thing you could try out. There's an alternative distribution of Brooklyn based on Karaf (an OSGi container), available at [1]. Could retry deploying with it. Start it with either bin\karaf (foreground) or bin\start (background), the web UI is the same as the classic distribution.

We are looking forward to transitioning to the Karaf based distribution as the recommended one for next release.

As a first attempt I suggest you try deploying a minimal blueprint. For example:

location:
  aws-ec2:
    identity: smthsmth
    credential: smthsmth
    region: eu-central-1
    loginUser: root
services:
- type: server

[1] http://apache.cbox.biz/brooklyn/apache-brooklyn-0.11.0/apache-brooklyn-0.11.0-karaf.zip

geomacy commented 7 years ago

@neykov I think Robert has already tried a basic app successfully (above), and this is just a problem with clocker, right @RobertDiebels?

geomacy commented 7 years ago

Actually @RobertDiebels one thing looks odd to me about your config above: the brooklyn.locations: looks like some sort of legacy syntax. I think your location definition should be based on the example given at http://www.clocker.io/tutorials/kubernetes-cluster.html#setup-a-cloud-location. Looks like the only difference in specific settings from your config above is the hardwareId, so you could try adding the following location to your Brooklyn catalog and trying to deploy clocker using this:

brooklyn.catalog:
  id: aws-central-centos7
  name: "AWS Frankfurt CentOS 7"
  itemType: location
  item:
    type: jclouds:aws-ec2
    brooklyn.config:
      region: eu-central-1
      identity: smthsmth
      credential: smthsmth
      minRam: 2000

# Make sure you've accepted the TOC for the image before using it. To do so
# go to https://aws.amazon.com/marketplace/pp/B00O7WM7QW and try to start
# an instance with the image. In the process the UI will ask you to accept
# the TOC. There is no need to actually launch the instance.
# If you have not accepted the TOC you'll get 401 responses from EC2's API.
#
# To find the AMIs for different regions go to (login required):
# https://aws.amazon.com/marketplace/fulfillment?productId=b7ee8a69-ee97-4a49-9e68-afaee216db2e
# and click on "Manual Launch". There you'll see a list of regions and the corresponding image IDs.
      imageId: eu-central-1/ami-9bf712f4

# Provision a maximum of 3 machines in parallel to avoid hitting the
# maximum allowed request limit rate.
      maxConcurrentMachineCreations: 3

      loginUser: centos

      hardwareId: t2.micro

geomacy commented 7 years ago

(actually doesn't t2.micro have just 1Gb Memory? Might be better with t2.small)

RobertDiebels commented 7 years ago

@geomacy That's correct I have launched one of the default templates successfully onto AWS. I used clocker to try and launch a Kubernetes cluster so far unsuccessfully. Unfortunately I don't have any time left to keep trying clocker. That's why I'm forfeiting haha.

geomacy commented 7 years ago

Sorry to hear it; as Svet says, others have been working with Brooklyn on Windows, so likely it's something small that needs fixed, but sometimes it can take a lot of time to find that small thing. Good luck with your endeavours!