Redhat – cloud-init does not insert instance level ssh keys in gce

Tags: centos7, cloud-init, google-cloud-platform, redhat, rhel7

I am passing (YAML representation)

metadata:
 items:
 - key: sshKeys
   value: root:ssh-rsa AAAAB... non@nan

when creating a gcloud instance, but I cannot ssh to the instance:

$ ssh 139.242.197.104.bc.googleusercontent.com
Host key fingerprint is SHA256:aSSOS1tMiF9h43C6UIJQW0TqXuYVMfRic3Lm7gYRECQ
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Looks like the ssh key is not inserted on boot. The instance is a standard RHEL 7.2 KVM guest image converted from qcow2 to raw format and uploaded. Any idea if what I'm doing is the correct incantation for specifying ssh keys in GCE, and if what I want is supported by cloud-init?

Best Answer

Huh, can't get any GCE answer it seems. Figured it out though. First of all, the current Red Hat Enterprise Linux (v7.2) cloud-init version does not support instance ssh keys (it handles only project-level keys). cloud-init trunk does support them already, though, so hopefully downstream will pick up soon. In the meantime I used the following user-data to emulate this (again YAML representation):

metadata:
 items:
 - key: sshKeys
   value: root:ssh-rsa AAAAB... non@nan
 - key: user-data
   value: |
     #cloud-config
     disable_root: false
     preserve_hostname: true
     runcmd:
     - "curl 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys' -H 'Metadata-Flavor: Google' | sed -r -e 's/(^|,)[^\\S]*:/\\1/g' -e 's/,/\\n/g' >> /root/.ssh/authorized_keys"

Note that the Google documentation talks only about the startup-script metadata key. To my reading, even upstream cloud-init does not care about that metadata key; it looks for the user-data key as shown above.

Hope this helps.
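The runcmd above pipes whatever the metadata server returns straight into /root/.ssh/authorized_keys. The following is an added example (not from the answer above and not cloud-init's own code) that does the same username-stripping step for one chosen user but validates each entry first; it assumes the `username:key-type base64 [comment]` entry format the question shows, separated by commas or newlines, and the key-type list is an assumed set of OpenSSH public-key types.

```python
#!/usr/bin/env python3
"""Turn a GCE 'sshKeys' metadata value into authorized_keys lines for one user.

Added example, not the answer's code. Entries look like
'<username>:<key-type> <base64-key> [comment]' and are separated by commas
(as the answer's sed expects) or newlines. Entries for other users, with an
unknown key type, or that do not parse are dropped rather than installed.
"""
import re

# Assumed list of public-key types OpenSSH accepts in authorized_keys.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss",
}
# username ':' key-type ' ' base64 blob [' ' comment]
_ENTRY = re.compile(r"^([a-z_][a-z0-9_-]*):(\S+) ([A-Za-z0-9+/]+=*)(?: (.*))?$")


def parse_sshkeys(value: str):
    """Yield (username, key_line) for each well-formed entry; skip the rest."""
    for raw in re.split(r"[,\n]", value):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY.match(raw)
        if not m or m.group(2) not in KEY_TYPES:
            continue  # malformed entry or unknown key type: never install it
        user, ktype, blob, comment = m.groups()
        yield user, f"{ktype} {blob}" + (f" {comment}" if comment else "")


def authorized_keys_for(value: str, user: str) -> list:
    """Return the authorized_keys lines belonging to `user`, in metadata order."""
    return [line for u, line in parse_sshkeys(value) if u == user]


# Constructed sample metadata value: two users plus one malformed entry.
SAMPLE = (
    "root:ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB non@nan,"
    "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA alice@host,"
    "root:not-a-key-type AAAA bogus"
)

if __name__ == "__main__":
    for line in authorized_keys_for(SAMPLE, "root"):
        print(line)  # the bogus root entry is filtered out
```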
