
null_resource.copy-worker Still creating... with Fedora CoreOS #915

Closed
dghubble opened this issue Dec 19, 2020 · 4 comments

dghubble commented Dec 19, 2020

Fedora CoreOS 33 has stronger crypto defaults (faq) while the Go language (and therefore Terraform plugins) hasn't yet added support for RSA SHA-2 (see golang/go#37278).

Short/medium term, follow the Fedora CoreOS guidance. You can either use a non-RSA key (except Azure) or apply the workaround recommended by Fedora CoreOS as a snippet.

```yaml
variant: fcos
version: 1.1.0
storage:
  files:
    - path: /etc/ssh/sshd_config.d/10-insecure-rsa-keysig.conf
      mode: 0600
      contents:
        inline: |
          PubkeyAcceptedKeyTypes=+ssh-rsa
```

This issue is not tracking any planned action on Typhoon's part, but rather anticipating users not seeing the CHANGELOG.

Symptom

You'll notice that provisioning clusters with Fedora CoreOS 33 hangs when trying to use an RSA key, because of the now stronger policies in Fedora.

module.foo.null_resource.copy-worker-secrets[0]: Still creating....
....

Bear in mind, if you are a new user, there are plenty of other reasons your SSH connections to bootstrap machines might not be working (e.g. ssh-agent, see docs).

Related: coreos/fedora-coreos-tracker#699
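As a pre-flight check added here (not part of the issue, Typhoon or Terraform), the following shell function classifies an OpenSSH public key line such as the one passed in Typhoon's `ssh_authorized_key` variable and, when it is an `ssh-rsa` key, prints the Butane workaround from above; the two sample key strings are constructed, not real keys.

```sh
#!/bin/sh
# Added example, not Typhoon's code: decide whether a public key line will work
# against a default Fedora CoreOS 33 sshd from an affected Terraform release.

# Print the key type: the first space-separated field of an authorized_keys line.
key_type() {
  printf '%s\n' "${1%% *}"
}

# Return 0 when the key is ssh-rsa. A Go ssh client that only signs with the
# SHA-1 "ssh-rsa" algorithm cannot authenticate with such a key against the
# stronger Fedora CoreOS 33 defaults, which is the hang described in this issue.
is_legacy_rsa_key() {
  [ "$(key_type "$1")" = "ssh-rsa" ]
}

# Emit the Butane snippet from the issue that re-enables the ssh-rsa signature
# algorithm on the host (a workaround, not a fix for the client side).
butane_workaround() {
  cat <<'EOF'
variant: fcos
version: 1.1.0
storage:
  files:
    - path: /etc/ssh/sshd_config.d/10-insecure-rsa-keysig.conf
      mode: 0600
      contents:
        inline: |
          PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
}

# Check one key line: returns 0 if it needs no workaround, 1 if it should be
# replaced by a non-RSA key (e.g. ed25519) or the snippet must be applied.
check_authorized_key() {
  if is_legacy_rsa_key "$1"; then
    echo "ssh-rsa key: use a non-RSA key, or add this Butane snippet:" >&2
    butane_workaround >&2
    return 1
  fi
  echo "ok: $(key_type "$1") key needs no workaround" >&2
}

# Constructed sample keys (not real key material) for a stand-alone run.
RSA_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructed core@example'
ED25519_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed core@example'

check_authorized_key "$ED25519_KEY"
check_authorized_key "$RSA_KEY" || true
```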

dghubble added a commit that referenced this issue Aug 11, 2021
* For Fedora CoreOS, users should not be using sha-rsa public
keys anymore, so make sure the docs examples reflect this
* #915
@dghubble (Member Author)

Terraform is still tracking this hashicorp/terraform#30134

@adaliszk

Before opening a new issue, I am wondering if this is why the SSH connection does not even try using a key?

module.cluster.module.typhoon.null_resource.copy-controller-secrets[0]: Still creating... [9m30s elapsed]
2022-04-16T22:06:27.840Z [DEBUG] Connecting to some-node.some-domain.tld:22 for SSH
2022-04-16T22:06:27.862Z [DEBUG] Connection established. Handshaking for user core
2022-04-16T22:06:27.989Z [WARN]  SSH authentication failed (core@some-node.some-domain.tld:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
2022-04-16T22:06:27.989Z [WARN]  retryable error: SSH authentication failed (core@some-node.some-domain.tld:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain

To be sure, I've configured my local client to be able to automatically just log in, but that seems to be ignored in this case.

@sedlund

sedlund commented Apr 16, 2022

> Before opening a new issue, I am wondering if this is why the SSH connection does not even try using a key?

Terraform cannot (specifically golang/go#49952) produce a valid fingerprint for RSA SHA-2 keys to be seen as valid to the SSH server, so it will not be a valid method to use. I generated and use ed25519 keys in the meantime.

@dghubble (Member Author)

dghubble commented Aug 4, 2022

Go addressed this issue in the crypto library and Terraform v1.2+ releases have the fix. RSA SHA2 keys can be used with Fedora CoreOS again, which removes the need for a workaround (esp on Azure where ed25519 isn't allowed) in my testing. hashicorp/terraform#30134

@dghubble dghubble closed this as completed Aug 4, 2022