kubernetes-sigs/image-builder

Flatcar images built by image-builder do not support key auth in OpenStack provider

okozachenko1203 opened this issue · 3 comments

What steps did you take and what happened:

$ make build-qemu-flatcar
  • Uploaded it to glance
  • Spin up a VM using that image
$ openstack server create flatcar --image flatcar-3374.2.0-v1.25.3  --flavor v3-starter-2  --network public --key-name okozachenko_git
  • Trying to access via SSH, and it requires a password
$ ssh core@162.253.55.100
The authenticity of host '162.253.55.100 (162.253.55.100)' can't be established.
ECDSA key fingerprint is SHA256:5n95nOYl/1TDiDTiIgrM3g0h7y9y+/DP3M4lTvQgGK8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '162.253.55.100' (ECDSA) to the list of known hosts.
Password:

What did you expect to happen:
I expect key auth.

Anything else you would like to add:
If I use the vanilla Flatcar image, key auth is working.

Environment:

Project (Image Builder for Cluster API, kube-deploy/imagebuilder, konfigadm): Image Builder for Cluster API

Additional info for Image Builder for Cluster API related issues:

  • OS (e.g. from /etc/os-release, or cmd /c ver):
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
  • image builder version: v0.1.13

/kind bug
/area

@okozachenko1203


I'm scared it might work, but can you try logging in using username builder and password builder?

@okozachenko1203

> I'm scared it might work, but can you try logging in using username builder and password builder?

@mnaser it does not work

Following this doc, I generated an Ignition JSON file from https://github.com/kubernetes-sigs/image-builder/blob/master/images/capi/packer/files/flatcar/clc/bootstrap.yaml for the OpenStack provider.

cat bootstrap.yaml | docker run --rm -i ghcr.io/flatcar/ct:latest -platform openstack-metadata > ignition.json

The resulting Ignition file is:

{
  "ignition": {
    "config": {},
    "security": {
      "tls": {}
    },
    "timeouts": {},
    "version": "2.3.0"
  },
  "networkd": {},
  "passwd": {
    "users": [
      {
        "groups": [
          "wheel",
          "sudo",
          "docker"
        ],
        "name": "builder",
        "passwordHash": "BUILDERPASSWORDHASH"
      }
    ]
  },
  "storage": {},
  "systemd": {
    "units": [
      {
        "dropins": [
          {
            "contents": "[Service]\nEnvironment=COREOS_METADATA_OPT_PROVIDER=--provider=openstack-metadata",
            "name": "20-clct-provider-override.conf"
          }
        ],
        "name": "coreos-metadata.service"
      },
      {
        "dropins": [
          {
            "contents": "[Service]\nEnvironment=COREOS_METADATA_OPT_PROVIDER=--provider=openstack-metadata",
            "name": "20-clct-provider-override.conf"
          }
        ],
        "enabled": true,
        "name": "coreos-metadata-sshkeys@.service"
      },
      {
        "enable": true,
        "name": "docker.service"
      },
      {
        "mask": true,
        "name": "update-engine.service"
      },
      {
        "mask": true,
        "name": "locksmithd.service"
      }
    ]
  }
}

To recap, coreos-metadata-sshkeys@.service should be running.
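
An added example (not part of the issue thread and not image-builder's own code): a Python check over an Ignition 2.x config like the one posted above. It reports whether coreos-metadata-sshkeys@.service is enabled, which metadata provider its drop-in selects, and which users carry a password hash but no SSH keys. The function names and the trimmed sample config are constructed for illustration.

```python
import json

# Constructed sample: a trimmed copy of the Ignition 2.3.0 config posted in the thread.
SAMPLE = json.loads(r"""
{"ignition": {"version": "2.3.0"},
 "passwd": {"users": [{"name": "builder", "passwordHash": "BUILDERPASSWORDHASH"}]},
 "systemd": {"units": [
  {"name": "coreos-metadata-sshkeys@.service", "enabled": true,
   "dropins": [{"name": "20-clct-provider-override.conf", "contents":
    "[Service]\nEnvironment=COREOS_METADATA_OPT_PROVIDER=--provider=openstack-metadata"}]},
  {"name": "docker.service", "enable": true},
  {"name": "update-engine.service", "mask": true}]}}
""")
SSHKEYS_UNIT = "coreos-metadata-sshkeys@.service"

def find_unit(cfg, name):
    units = cfg.get("systemd", {}).get("units", [])
    return next((u for u in units if u.get("name") == name), None)

def unit_state(cfg, name):
    """Return 'absent', 'masked', 'enabled' or 'disabled' for a unit."""
    unit = find_unit(cfg, name)
    if unit is None:
        return "absent"
    if unit.get("mask"):
        return "masked"
    # The config on this page uses both "enabled" and the older "enable" key.
    return "enabled" if unit.get("enabled") or unit.get("enable") else "disabled"

def metadata_provider(cfg, name):
    """Return the --provider value set in the unit's drop-ins, or None."""
    for dropin in (find_unit(cfg, name) or {}).get("dropins", []):
        for line in dropin.get("contents", "").splitlines():
            if "COREOS_METADATA_OPT_PROVIDER=" in line:
                _, sep, provider = line.partition("--provider=")
                if sep:
                    return provider.strip()
    return None

def password_only_users(cfg):
    """Users with a passwordHash but no sshAuthorizedKeys in the config."""
    return [u.get("name") for u in cfg.get("passwd", {}).get("users", [])
            if u.get("passwordHash") and not u.get("sshAuthorizedKeys")]

def audit(cfg):
    return {"sshkeys_unit": unit_state(cfg, SSHKEYS_UNIT),
            "provider": metadata_provider(cfg, SSHKEYS_UNIT),
            "password_only_users": password_only_users(cfg)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

This inspects only the rendered config; it says nothing about whether the unit actually ran on the booted instance.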