Closed kquinsland closed 1 year ago
There's a note about it here:
In TrueNAS for the custom sshd params you can add:
PubkeyAcceptedAlgorithms +ssh-rsa
There are a few issues about it here but it could use a bit more exposure in the docs etc.
Yeah, now that I know what the issue is, I see a few notes/warnings about it.
At the onset, all I had was that the workloads were fine but the controllers were not. I didn't add any new workloads that needed PVC so the controller pods failure was not evident and I didn't put 2 and 2 together / correlate the failure with the timing of the 12 -> 13 update.
I'm assuming that RSA keys are still required then?
No, you are welcome to use any key style that ssh supports. For example I use ssh-ed25519 keys without issue.
Thanks for confirming RSA isn't required.
A while back, I noticed that I had two pods that were in a failed state. No workloads were affected so I brushed it off until I had more time to sit down and investigate.
I tracked down the two pods to the csi that I use to manage PV on my TrueNAS core.
I'll spare you the details / dead-ends from my notes, but the solution was to re-enable support for RSA in the sshd_config file.
From the TrueNAS/CORE web UI, Services > SSH > Advanced > Auxiliary Parameters
Add the line:
Click save and the ssh server will restart. Either wait for the CrashLoopBackOff to re-spin the container or kill the pods. After that, the controller pods came back up.
It was only after I found the solution that I did some checking through my notes and it looks like the pods have been in a failing state since I did the 12 -> 13 upgrade on my NAS. Since 12 is EOL, I suspect that more people will get hit by this if they have not already.
And while drafting this post, I found a note about this exact issue (just with different symptoms) in the Known Issues for the upgrade:
This ends the PSA
I'm not a JS expert, but after a quick skim of the docs and this code
it looks like I should be able to add a
to the yaml file I use to render out the helm chart?
Or, alternatively should I create a new curve25519 based SSH key for the root user and update the rendered chart with the new key? The example configurations all use -----BEGIN RSA PRIVATE KEY----- which is why I went with RSA keys to begin with.
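
An added example, not part of the original posts or the project's code: a shell check that flags sshd configuration lines re-enabling ssh-rsa (the workaround described in this thread) and classifies a private key by its PEM header, so hosts and keys that still depend on RSA can be found and moved to another key type. The sample configuration is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find sshd settings and keys that depend on legacy ssh-rsa.

# Read sshd_config text on stdin; print "LINE_NO: line" for each setting
# that adds ssh-rsa back to an accepted-algorithm list.
find_ssh_rsa_overrides() {
    awk '
        /^[[:space:]]*#/ { next }              # comment line
        {
            orig = $0
            sub(/=/, " ")                      # sshd also accepts Keyword=value
            key = tolower($1)                  # keywords are case-insensitive
            if (key != "pubkeyacceptedalgorithms" &&
                key != "pubkeyacceptedkeytypes" &&   # name before OpenSSH 8.5
                key != "hostkeyalgorithms") next
            if ($2 ~ /^-/) next                # a leading "-" removes algorithms
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                a = algs[i]
                sub(/^[+^]/, "", a)            # "+" appends, "^" prepends
                if (a == "ssh-rsa") { print NR ": " orig; next }
            }
        }'
}

# Classify a private key by the armor line on the first line of stdin.
key_format() {
    IFS= read -r first || true
    case "$first" in
        "-----BEGIN RSA PRIVATE KEY-----")     echo "rsa-pem" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo "openssh" ;;  # type is inside the blob
        *)                                     echo "unknown" ;;
    esac
}

# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG='# constructed sample
Port 22
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms -ssh-rsa
#PubkeyAcceptedAlgorithms +ssh-rsa
'

printf '%s' "$SAMPLE_CONFIG" | find_ssh_rsa_overrides
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' | key_format
```
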