XCP-ng

    Xscontainer

    Xen Orchestra
    • olivierlambert Vates 🪐 Co-Founder 🦸 CEO 🧑‍💼

      Have you followed the details given by @stormi? You should have some detailed output then.

      • kiu @olivierlambert

        @olivierlambert I have this output:

        [13:24 xcp-ng-XXXX ~]# ssh -v XXX@XXXXXXXXX
        OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
        debug1: Reading configuration data /etc/ssh/ssh_config
        debug1: /etc/ssh/ssh_config line 58: Applying options for *
        debug1: Connecting to XXXXXXXX [XXXXXXXX] port 22.
        debug1: Connection established.
        debug1: permanently_set_uid: 0/0
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_rsa type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_rsa-cert type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_dsa type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_dsa-cert type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ecdsa type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ecdsa-cert type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ed25519 type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ed25519-cert type -1
        debug1: Enabling compatibility mode for protocol 2.0
        debug1: Local version string SSH-2.0-OpenSSH_7.4
        debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
        debug1: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
        debug1: Authenticating to XXXXXXXXX:22 as 'XXXXXXXX'
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: algorithm: curve25519-sha256
        debug1: kex: host key algorithm: ecdsa-sha2-nistp256
        debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
        debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
        debug1: kex: curve25519-sha256 need=32 dh_need=32
        debug1: kex: curve25519-sha256 need=32 dh_need=32
        debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
        debug1: Server host key: ecdsa-sha2-nistp256 SHA256:bmXWosoos6FqfYJXXYPv1H5lU4fRKIucvEv1QE/chN0
        debug1: Host 'XXXXXXXXXXXX' is known and matches the ECDSA host key.
        debug1: Found key in /root/.ssh/known_hosts:1
        debug1: rekey after 4294967296 blocks
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: expecting SSH2_MSG_NEWKEYS
        debug1: SSH2_MSG_NEWKEYS received
        debug1: rekey after 4294967296 blocks
        debug1: SSH2_MSG_EXT_INFO received
        debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
        debug1: SSH2_MSG_SERVICE_ACCEPT received
        debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
        debug1: Next authentication method: gssapi-keyex
        debug1: No valid Key exchange context
        debug1: Next authentication method: gssapi-with-mic
        debug1: Unspecified GSS failure.  Minor code may provide more information
        No Kerberos credentials available (default cache: KEYRING:persistent:0)
        
        debug1: Unspecified GSS failure.  Minor code may provide more information
        No Kerberos credentials available (default cache: KEYRING:persistent:0)
        
        debug1: Next authentication method: publickey
        debug1: Trying private key: /root/.ssh/id_rsa
        debug1: Trying private key: /root/.ssh/id_dsa
        debug1: Trying private key: /root/.ssh/id_ecdsa
        debug1: Trying private key: /root/.ssh/id_ed25519
        debug1: Next authentication method: password
        XXXXX@XXXXXXXXX's password: 
        debug1: Authentication succeeded (password).
        Authenticated to XXXXXXXXXXXX ([XXXXXXXXXX]:22).
        debug1: channel 0: new [client-session]
        debug1: Requesting no-more-sessions@openssh.com
        debug1: Entering interactive session.
        debug1: pledge: network
        debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
        debug1: Sending environment.
        debug1: Sending env LANG = fr_FR.UTF-8
        Last login: Mon Jan 23 13:23:33 2023
        [XXXXX@docker ~]$ 
        • kiu @olivierlambert

          @olivierlambert @stormi up 🙂

          • olivierlambert Vates 🪐 Co-Founder 🦸 CEO 🧑‍💼

            Can you check the presence of the key inside your VM?

            • kiu @olivierlambert

              @olivierlambert yes 🙂

              Output on the docker machine:

              [XXXX@docker ~]$ cat .ssh/authorized_keys 
              ssh-rsa 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 root@xcp-ng-XXX
              [XXXX@docker ~]$ 
              

              Output on the XCP machine:

              [07:53 xcp-ng-XXXX ~]# cat .ssh/known_hosts 
              192.XXX.XXX.XXX ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNJxGOt3RvDXvelRUPTYyIHmykXhfRWSEN6PXSKYUVxct8qjENHqqqAEJOrl6E5cF9orOGQfbAPjSlLwNqGUGlo=
              [07:55 xcp-ng-XXX ~]#
              
              • stormi Vates 🪐 XCP-ng Team 🚀

                Adding one or more -v to ssh might tell why the keys are not accepted.

                • BenjiReis Vates 🪐 XCP-ng Team 🚀 @kiu

                  @kiu I reproduced your issue.

                  The issue comes from a lib used by xscontainer as an SSH client, which uses the deprecated ssh-rsa algorithm, so all modern (>=8.7) OpenSSH versions reject the connection.

                  • BenjiReis Vates 🪐 XCP-ng Team 🚀 @BenjiReis

                    @BenjiReis following: I tested on a CentOS 7 VM with an older OpenSSH and the prepare VM script was successful.

                    • stormi Vates 🪐 XCP-ng Team 🚀

                      So, we found the reason: xscontainer in XCP-ng currently uses a rather old version of python2-paramiko, which seems to insist on using ssh-rsa algorithms, support for which was dropped in recent OpenSSH releases.

                      That's why it works for some distros and not for others.

                      We'll see to updating the components. Meanwhile, it's possible to fix it by installing python2-pip from EPEL and then upgrading first to "cryptography < 2.6" and then to "paramiko < 3". However, doing this as root may overwrite the files from the RPMs, so it's not really clean. I'd advise it only for testing.

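As an added example (not code from this thread, from xscontainer or from paramiko), the following Python reads a VM's effective sshd configuration as printed by `sshd -T` and reports whether a client that can only produce the SHA-1 ssh-rsa signature, which is what stormi describes for the old python2-paramiko, can still authenticate with an RSA key. The two `sshd -T` excerpts and the two client capability sets are constructed assumptions; run `sshd -T` inside the VM to get the real one.

```python
import re

# Signature algorithms usable with one RSA key: ssh-rsa signs with SHA-1, rsa-sha2-* with SHA-2.
RSA_SIG_ALGS = frozenset({"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"})

# Assumed client capability sets: LEGACY_CLIENT models what the thread reports
# for the old python2-paramiko (ssh-rsa only); MODERN_CLIENT also does SHA-2.
LEGACY_CLIENT = frozenset({"ssh-rsa"})
MODERN_CLIENT = frozenset({"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"})

# Constructed excerpts of `sshd -T` output. OpenSSH >= 8.5 prints the keyword
# pubkeyacceptedalgorithms; older releases print pubkeyacceptedkeytypes.
SSHD_T_SHA2_ONLY = """\
port 22
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
passwordauthentication yes
"""
SSHD_T_LEGACY = """\
port 22
pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa,rsa-sha2-512,rsa-sha2-256
passwordauthentication yes
"""

_KEYWORD_RE = re.compile(
    r"^(?:pubkeyacceptedalgorithms|pubkeyacceptedkeytypes)\s+(\S+)$")

def parse_pubkey_accepted(sshd_t_output):
    """Signature algorithms sshd accepts for public-key auth, read from
    `sshd -T` output; empty set if the keyword is absent."""
    for line in sshd_t_output.splitlines():
        m = _KEYWORD_RE.match(line.strip().lower())
        if m:
            return {a for a in m.group(1).split(",") if a}
    return set()

def diagnose_rsa_auth(sshd_t_output, client_sig_algs):
    """Return (ok, reason): can a client offering client_sig_algs authenticate
    with an RSA key here? A key in authorized_keys cannot help without a shared algorithm."""
    accepted = parse_pubkey_accepted(sshd_t_output)
    if not accepted:
        return False, "no pubkeyaccepted* line found; run `sshd -T` on the VM"
    common = sorted(set(client_sig_algs) & accepted & RSA_SIG_ALGS)
    if common:
        return True, "RSA key usable with: " + ", ".join(common)
    return False, ("client offers only %s; server accepts %s for RSA keys"
                   % (", ".join(sorted(client_sig_algs)),
                      ", ".join(sorted(accepted & RSA_SIG_ALGS)) or "nothing"))
```

The same check explains why the key push worked against the CentOS 7 VM but not against the newer OpenSSH: only the server side differs.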
                      • kiu @stormi

                        @stormi OK, thanks. I will try your solution on a small lab.

                        • kiu @stormi

                          @stormi I tried to do it but I don't think I succeeded. Could you send me a more specific doc of what you are doing?

                          thanks 🙂

                          • stormi Vates 🪐 XCP-ng Team 🚀

                            I think these are the steps that worked for me:

                            yum install xscontainer
                            yum install python2-pip --enablerepo=epel
                            pip2 install --upgrade "pip < 21"
                            pip2 install --upgrade "cryptography == 2.5"
                            pip2 install --upgrade "paramiko < 3"
                            

                            As this is done outside a virtualenv (I've tried inside a virtualenv, but I think xscontainer runs stuff outside of it, so it didn't work), this will overwrite the contents of RPMs you installed, so, again, only for testing.

                            I also had to remove the former host key from the VM metadata:

                             xe vm-param-remove uuid=... param-name=other-config param-key=xscontainer-sshhostkey
                            
                            • kiu @stormi

                              @stormi Thanks, I just tried that and it still doesn't work 😞

                              • stormi Vates 🪐 XCP-ng Team 🚀

                                Well, I tried it myself on a freshly installed pool, and this worked. Can you elaborate on what doesn't work?

                                • kiu @stormi

                                  @stormi I still have the same problem, the key does not want to install and asks me if I want to try again.

                                  • stormi Vates 🪐 XCP-ng Team 🚀

                                    What's the exact error message?

                                    • kiu @stormi

                                      @stormi

                                      Would you like to push a pool-specific public SSH key into the ~/.ssh/authorized_keys file of the specified VM and therefore authorize hosts in the pool to interact with the containers inside the VM?
                                      Answer y/n: 
                                      y
                                      Attempting to push the public xscontainer key to USER@IP.
                                      ID@IP's password: 
                                      Success.
                                      Attempting to refresh the state of the VM
                                      Failure diagnosis: Unable to find ncat inside the VM. Please install ncat. 
                                      Do you wish to retry?
                                      Answer y/n:
                                      
                                      • kiu @kiu

                                        My server is up to date

                                        • stormi Vates 🪐 XCP-ng Team 🚀

                                          It's not the same error. Your VM is missing a required package: ncat, as the error message says.

                                          • kiu @stormi

                                            @stormi My bad. OK, I installed the nmap-ncat package under Rocky Linux and it works perfectly now 🙂 Thank you 🙂
