Closed cgruver closed 3 years ago
Starting CodeReady Containers VM for OpenShift 4.6.0-0.okd-2020-11-27-200126
Hmmmm... this is not the correct issue tracker for OKD-related issues ;-)
It looks like the id_rsa file is not getting created in the .crc/machine directory.
Did you perform a crc delete -f beforehand? The key should be dropped in the ~/.crc/machines/crc folder, but perhaps it is confused by an existing (partial) VM?
Yeah, this was a completely clean build. The ~/.crc/machines/crc/id_rsa file is not getting created, but I don't see any errors that indicate why...
I ran crc setup and crc start with debug log level to look for clues.
If this is the first run, the error is "normal" as we are using 2 possible keys to connect. The other one is in the extracted bundle.
If this is a second run, it was aborted before or during the new key generation I suppose.
This issue turns out to be an incompatibility between the new SSH cipher policies in FCOS 33 and golang.org/x/crypto/ssh.
Reverting the policies in FCOS 33 to support RSA-SHA1 fixes the issue.
cat > /etc/ssh/sshd_config.d/10-fcos-insecure-rsa-key.conf <<EOF
# For now allow RSA-SHA1 keys.
# https://github.com/coreos/coreos-assembler/issues/1772
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
wow! nice catch.
Keeping this open, we'll need to fix it somehow
edit: maybe all that is needed is to switch https://github.com/code-ready/crc/blob/master/pkg/crc/ssh/keys.go#L29 to https://golang.org/pkg/crypto/ed25519/#GenerateKey and to also do a similar change in snc
@cfergeau is this change also going to work with RHCOS?
This will need to be tested, but I expect RHEL8 to support ecdsa and ed25519 keys in addition to rsa keys.
man ssh-keygen on a rhel 8.3 system has ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa], openssh RHEL builds from 2013/2014 have mentions of ecdsa/ed25519, so I'm quite confident it will be all fine.
I fixed it!!!
I switched snc and crc to use ecdsa keys, and it appears to work.
I'll submit a PR in the morning so you guys can vet it out.
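The move away from RSA keys discussed in this thread, as an added example that is not the crc or snc code: it generates an Ed25519 key with the standard library call suggested above, builds the authorized_keys line by hand (blob layout per RFC 8709), and reads the algorithm name back out of a key blob so leftover ssh-rsa keys can be spotted. The function names GenerateKeyPair, BlobKeyType and sshString are assumptions made for this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// sshString encodes b as an SSH wire string: uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// GenerateKeyPair returns a new Ed25519 private key and its authorized_keys line.
func GenerateKeyPair() (ed25519.PrivateKey, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return priv, "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob), nil
}

// BlobKeyType returns the algorithm name stored inside the key blob of an
// authorized_keys line (hypothetical helper; rejects short or truncated blobs).
func BlobKeyType(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", fmt.Errorf("no key blob in %q", line)
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(blob) < 4 {
		return "", fmt.Errorf("malformed key blob")
	}
	n := binary.BigEndian.Uint32(blob)
	if uint64(n) > uint64(len(blob)-4) {
		return "", fmt.Errorf("truncated key blob")
	}
	return string(blob[4 : 4+n]), nil
}

func main() {
	if _, line, err := GenerateKeyPair(); err == nil {
		fmt.Println(line)
	}
}
```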
It looks like the id_rsa file is not getting created in the .crc/machine directory.
General information
crc setup before starting it: Yes
CRC version
Steps to reproduce
The bundle was built with:
The SNC revision is from my fork: https://github.com/cgruver/snc The revision is: 4.1.14-157-g291ef43
The single node cluster built successfully, and was usable. The bundle built successfully.
CRC was built with:
The CRC build completed successfully.
The setup completes with no errors: Tested on MacOS 11 and CentOS 8
It unpacks the bundle and prepares the environment.
The cluster start fails with ssh errors: