rancher / rke

Rancher Kubernetes Engine (RKE), an extremely simple, lightning fast Kubernetes distribution that runs entirely within containers.
Apache License 2.0

Failed to set up SSH tunneling for host [x.x.x.x]: Can't retrieve Docker Info: error during connect #3305

Status: Closed (chq3272991 closed 1 year ago)

chq3272991 commented 1 year ago

RKE version: v1.3.11

Docker version: 19.03.11

Operating system and kernel:

cat /etc/os-release

PRETTY_NAME="UnionTech OS Server 20"
NAME="UnionTech OS Server 20"
VERSION_ID="20"
VERSION="20"
ID="uos"
PLATFORM_ID="platform:uel20"
HOME_URL="https://www.chinauos.com/"
BUG_REPORT_URL="https://bbs.chinauos.com/"
VERSION_CODENAME="fuyu"

uname -r

4.19.90-2201.4.0.0135.up1.uel20.aarch64

Type/provider of hosts: cucloud

cluster.yml file:

nodes:
    - address: 173.20.x.x
      ssh_key_path: "/root/.ssh/id_rsa"
      user: rke002
      role:
        - controlplane
        - etcd
        - worker

cluster_name: rke002

addon_job_timeout: 30

network:
  plugin: flannel

Steps to Reproduce:

[root@~]# useradd rke001
[root@~]# usermod -aG root rke001
[root@~]# echo "adcsd2rvrfg3" | passwd --stdin rke001
[root@~]# su rke001
[rke001@~]# docker ps 
[rke001@~]# exit

[root@~]# cat ~/.ssh/id_rsa.pub 
[root@~]# ssh-keygen -t rsa 
[root@~]# ssh-copy-id rke001@173.20.x.x 
rke001@173.20.x.x 's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'rke001@173.20.x.x '"
and check to make sure that only the key(s) you wanted were added.

[root@~]# ssh rke001@173.20.x.x 
Last login: Wed Jul 19 10:59:16 2023
[rke001@~]# exit 
[root@~]# rke up -config cluster.yml

Results:

[root@DC3-20-007 rke]# rke up -config cluster.yml 
INFO[0000] Running RKE version: v1.3.11                 
INFO[0000] Initiating Kubernetes cluster                
INFO[0000] [dialer] Setup tunnel for host [173.20.x.x ]   
WARN[0000] Failed to set up SSH tunneling for host [173.20.x.x ]: Can't retrieve Docker Info: error during connect: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": Unable to access the service on /var/run/docker.sock. The service might be still starting up. Error: ssh: rejected: connect failed (open failed) 
WARN[0000] Removing host [127.0.0.1] from node lists    
WARN[0000] [state] can't fetch legacy cluster state from Kubernetes: Cluster must have at least one etcd plane host: failed to connect to the following etcd host(s) [127.0.0.1] 
INFO[0000] [certificates] Generating CA kubernetes certificates 
INFO[0000] [certificates] Generating Kubernetes API server aggregation layer requestheader client CA certificates 
INFO[0000] [certificates] GenerateServingCertificate is disabled, checking if there are unused kubelet certificates 
INFO[0000] [certificates] Generating Kubernetes API server certificates 
INFO[0001] [certificates] Generating Service account token key 
INFO[0001] [certificates] Generating Kube Controller certificates 
INFO[0001] [certificates] Generating Kube Scheduler certificates 
INFO[0001] [certificates] Generating Kube Proxy certificates 
INFO[0002] [certificates] Generating Node certificate   
INFO[0002] [certificates] Generating admin certificates and kubeconfig 
INFO[0002] [certificates] Generating Kubernetes API server proxy client certificates 
INFO[0002] Successfully Deployed state file at [./cluster.rkestate] 
INFO[0002] Building Kubernetes cluster                  
FATA[0002] Cluster must have at least one etcd plane host: please specify one or more etcd in cluster config

Finally, I looked at the sshd config:

... 

# To modify the system-wide ssh configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
#Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
LogLevel VERBOSE
PubkeyAuthentication yes
RSAAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
ClientAliveCountMax 0
Banner /etc/issue.net
MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
StrictModes yes
AllowTcpForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

I commented it out and then reran the command: rke up -config cluster.yml. Then rke could come up!

# To modify the system-wide ssh configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
#Include /etc/ssh/sshd_config.d/*.conf
#Protocol 2
#LogLevel VERBOSE
#PubkeyAuthentication yes
#RSAAuthentication yes
#IgnoreRhosts yes
#RhostsRSAAuthentication no
#HostbasedAuthentication no
#PermitEmptyPasswords no
#PermitUserEnvironment no
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
#ClientAliveCountMax 0
#Banner /etc/issue.net
#MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
#StrictModes yes
#AllowTcpForwarding no
#AllowAgentForwarding no
#GatewayPorts no
#PermitTunnel no
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

So I want to know which sshd_config item prevents rke from coming up.

HectorB-2020 commented 1 year ago

@chq3272991, your configuration has PermitTunnel no. This parameter has to be set to yes. This is mentioned in the docs.

chq3272991 commented 1 year ago

@HectorB-2020 I tried changing to "PermitTunnel yes", with the other settings like this:

# To modify the system-wide ssh configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
#Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
LogLevel VERBOSE
PubkeyAuthentication yes
RSAAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
ClientAliveCountMax 0
Banner /etc/issue.net
MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
StrictModes yes
AllowTcpForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel yes
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Then I ran systemctl restart sshd, but rke up also failed: Failed to set up SSH tunneling for host

chq3272991 commented 1 year ago

Finally, I found that the sshd_config must be set like this:

AllowTcpForwarding yes
AllowAgentForwarding yes
GatewayPorts yes
PermitTunnel yes
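
An added example, not part of the thread or of the RKE project: a check that reads sshd_config text and reports which of the four forwarding directives from the last comment are explicitly set to a different value in the global section. It applies sshd's rule that the first value obtained for a keyword wins, so a `yes` line appended below an existing `no` line still shows up as a conflict; `THREAD_VALUES`, the function names and the sample text are assumptions of this example.

```python
# Directive values taken from the last comment in the thread.
THREAD_VALUES = {
    "allowtcpforwarding": "yes",
    "allowagentforwarding": "yes",
    "gatewayports": "yes",
    "permittunnel": "yes",
}


def effective_globals(config_text):
    """Map keyword -> (value, line_no) for the global section of an sshd_config.
    sshd keeps the first value it obtains for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block (conditional settings)."""
    seen = {}
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(keyword, (value, line_no))  # first occurrence wins
    return seen


def explicit_conflicts(config_text, wanted=THREAD_VALUES):
    """Return (keyword, effective_value, line_no, wanted_value) for each wanted
    keyword the file explicitly sets to something else. Keywords the file never
    sets are skipped: sshd uses its built-in default for those."""
    effective = effective_globals(config_text)
    return [(kw, effective[kw][0], effective[kw][1], want)
            for kw, want in wanted.items()
            if kw in effective and effective[kw][0] != want]


# Constructed sample: forwarding lines from the config posted in the issue,
# with the change appended at the end instead of edited in place.
SAMPLE_APPENDED = """\
StrictModes yes
AllowTcpForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
AllowTcpForwarding yes
PermitTunnel yes
"""

if __name__ == "__main__":
    for kw, value, line_no, want in explicit_conflicts(SAMPLE_APPENDED):
        print(f"{kw}: effective {value!r} from line {line_no}, wanted {want!r}")
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including compiled-in defaults and included files, which this file-only check does not see.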