canonical / multipass

Multipass orchestrates virtual Ubuntu instances
https://multipass.run
GNU General Public License v3.0

Strange multipass behaviour with ssh client #3535

Open sinke237 opened 1 month ago

sinke237 commented 1 month ago

Describe the bug

Strange behaviour of multipass [ssh client]: any multipass command takes a very long time to execute, after which it fails.

To Reproduce

How, and what happened?

  1. multipass list
  2. multipass info

In fact, any multipass command fails with the message:

info failed: ssh failed to authenticate: ''
exec failed: [ssh client] channel creation failed: ''

It depends on which command you run, whether multipass info or multipass exec.

Logs

Here are my multipass logs:

May 22 08:33:29  systemd[1]: Started snap.multipass.hook.install-e0c16204-4ac1-4c44-b730-87b56ad9f50a.scope.
May 22 08:33:30  systemd[1]: snap.multipass.hook.install-e0c16204-4ac1-4c44-b730-87b56ad9f50a.scope: Deactivated successfully.
May 22 08:33:30  systemd[1]: Started snap.multipass.multipassd.service - Service for snap application multipass.multipassd.
May 22 08:33:30 adorsys systemd[1]: Started snap.multipass.hook.configure-94139dd2-4581-41a2-8375-1a76d787e8d7.scope.
May 22 08:33:31 adorsys systemd[1]: snap.multipass.hook.configure-94139dd2-4581-41a2-8375-1a76d787e8d7.scope: Deactivated successfully.
May 22 08:33:32  multipassd[10778]: Unable to determine subnet for the mpqemubr0 subnet
May 22 08:33:32  multipassd[10778]: Using AppArmor support
May 22 08:33:32  multipassd[10778]: Starting dnsmasq
May 22 08:33:32  multipassd[10778]: Applied AppArmor policy: multipass.dnsmasq
May 22 08:33:32  multipassd[10778]: [10876] started: dnsmasq --keep-in-foreground --strict-order --bind-interfaces --pid-file --domain=multipass --local=/multipass/ --except-interfac>
May 22 08:33:32  dnsmasq[10876]: started, version 2.90 cachesize 150
May 22 08:33:32  dnsmasq [10876]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect ino>
May 22 08:33:32  dnsmasq-dhcp[10876]: DHCP, IP range 10.59.252.2 -- 10.59.252.254, lease time infinite
May 22 08:33:32  dnsmasq-dhcp[10876]: DHCP, sockets bound exclusively to interface mpqemubr0
May 22 08:33:32  dnsmasq[10876]: using only locally-known addresses for multipass
May 22 08:33:32  dnsmasq[10876]: reading /etc/resolv.conf
May 22 08:33:32  dnsmasq[10876]: using nameserver 127.0.0.53#53
May 22 08:33:32  dnsmasq[10876]: using only locally-known addresses for multipass
May 22 08:33:32  dnsmasq[10876]: read /etc/hosts - 8 names
May 22 08:33:32  dnsmasq-dhcp[10876]: read /var/snap/multipass/common/data/multipassd/network/dnsmasq.hosts
May 22 08:33:32  multipassd[10778]: [10877] started: iptables-nft --wait -t filter --list-rules
May 22 08:33:32  multipassd[10778]: [10879] started: iptables-nft --wait -t nat --list-rules
May 22 08:33:32  multipassd[10778]: [10880] started: iptables-nft --wait -t mangle --list-rules
May 22 08:33:32  multipassd[10778]: [10881] started: iptables-nft --wait -t raw --list-rules
May 22 08:33:32  multipassd[10778]: [10882] started: iptables-legacy --wait -t filter --list-rules
May 22 08:33:32  multipassd[10778]: [10883] started: iptables-legacy --wait -t nat --list-rules
May 22 08:33:32  multipassd[10778]: [10885] started: iptables-legacy --wait -t mangle --list-rules
May 22 08:33:32  multipassd[10778]: [10887] started: iptables-legacy --wait -t raw --list-rules
May 22 08:33:32  multipassd[10778]: Using iptables-nft for firewall rules.
May 22 08:33:32  multipassd[10778]: [10889] started: iptables-nft --wait -t filter --list-rules
May 22 08:33:32  multipassd[10778]: # Warning: iptables-legacy tables present, use iptables-legacy to see them
May 22 08:33:32 adorsys multipassd[10778]: [10890] started: iptables-nft --wait -t nat --list-rules
May 22 08:33:32 adorsys multipassd[10778]: # Warning: iptables-legacy tables present, use iptables-legacy to see them
May 22 08:33:32  multipassd[10778]: [10891] started: iptables-nft --wait -t mangle --list-rules
May 22 08:33:32  multipassd[10778]: # Warning: iptables-legacy tables present, use iptables-legacy to see them
May 22 08:33:32  multipassd[10778]: [10892] started: iptables-nft --wait -t raw --list-rules
May 22 08:33:32  multipassd[10778]: # Warning: iptables-legacy tables present, use iptables-legacy to see them
May 22 08:33:32  multipassd[10778]: [10893] started: iptables-nft --wait -t filter --insert INPUT --in-interface mpqemubr0 --protocol udp --dport 67 --jump ACCEPT --match comment --c>
May 22 08:33:32  multipassd[10778]: [10897] started: iptables-nft --wait -t filter --insert INPUT --in-interface mpqemubr0 --protocol udp --dport 53 --jump ACCEPT --match comment --c>
May 22 08:33:32  multipassd[10778]: [10898] started: iptables-nft --wait -t filter --insert INPUT --in-interface mpqemubr0 --protocol tcp --dport 53 --jump ACCEPT --match comment --c>
May 22 08:33:32  multipassd[10778]: [10899] started: iptables-nft --wait -t filter --insert OUTPUT --out-interface mpqemubr0 --protocol udp --sport 67 --jump ACCEPT --match comment ->
May 22 08:33:32  multipassd[10778]: [10900] started: iptables-nft --wait -t filter --insert OUTPUT --out-interface mpqemubr0 --protocol udp --sport 53 --jump ACCEPT --match comment ->
May 22 08:33:32  multipassd[10778]: [10901] started: iptables-nft --wait -t filter --insert OUTPUT --out-interface mpqemubr0 --protocol tcp --sport 53 --jump ACCEPT --match comment ->
May 22 08:33:32  multipassd[10778]: [10902] started: iptables-nft --wait -t mangle --insert POSTROUTING --out-interface mpqemubr0 --protocol udp --dport 68 --jump CHECKSUM --checksum>

Additional info

sharder996 commented 1 month ago

Hi @sinke237,

The issue seems to be coming from this line:

Using iptables-nft for firewall rules

It seems iptables and nftables are both present on your system, which do not work simultaneously. You may have perhaps done something on your system that added the legacy iptables after installing and using Multipass, meaning that your instances are now unavailable. If that's something you did, you could try reverting those changes. I will also look to see if the logic around which firewall rules we use can be improved.
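A triage sketch for the condition described in the comment above, added here as an example; it is not part of the original thread or of Multipass's code. It scans multipassd journal lines for the firewall backend that was selected and for the "iptables-legacy tables present" warning. The function name `triage`, the result keys, and the assumption that each warning belongs to the most recently started `--list-rules` command are this example's own; the sample lines are copied from the log in the report.

```python
import re

# Constructed sample: a few lines copied from the journal excerpt in the report.
SAMPLE_LOG = """\
May 22 08:33:32  multipassd[10778]: [10882] started: iptables-legacy --wait -t filter --list-rules
May 22 08:33:32  multipassd[10778]: Using iptables-nft for firewall rules.
May 22 08:33:32  multipassd[10778]: [10889] started: iptables-nft --wait -t filter --list-rules
May 22 08:33:32  multipassd[10778]: # Warning: iptables-legacy tables present, use iptables-legacy to see them
May 22 08:33:32 adorsys multipassd[10778]: [10890] started: iptables-nft --wait -t nat --list-rules
May 22 08:33:32 adorsys multipassd[10778]: # Warning: iptables-legacy tables present, use iptables-legacy to see them
"""

# The host field is sometimes blank in the excerpt, so match from the unit name.
MSG = re.compile(r"multipassd\[\d+\]: (.*)$")
USING = re.compile(r"Using (iptables-\w+) for firewall rules")
STARTED = re.compile(r"\[\d+\] started: (iptables-\w+) .*?-t (\w+) --list-rules")
WARNING = re.compile(r"# Warning: (iptables-\w+) tables present")


def triage(log_text):
    """Report the selected backend and the tables where the other backend also holds rules."""
    backend = None      # backend multipassd said it is using
    last_table = None   # table of the last --list-rules run by that backend
    flagged = []        # tables for which the "other backend present" warning followed
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if (b := USING.search(msg)):
            backend = b.group(1)
        elif (s := STARTED.search(msg)):
            # Assumption: a warning refers to the command started just before it.
            last_table = s.group(2) if s.group(1) == backend else None
        elif (w := WARNING.search(msg)) and last_table and w.group(1) != backend:
            if last_table not in flagged:
                flagged.append(last_table)
    return {"backend": backend, "tables": flagged, "conflict": bool(flagged)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
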

sharder996 commented 1 month ago

If that's not the issue, would you be able to provide more logs with trace logging enabled? Specifically around the offending commands. See here for docs on how to change logging levels.

ricab commented 2 days ago

@sinke237, any chance you could provide the logs that @sharder996 requested?