[chef] Re: Re: Re: Re: Re: Re: Re: Knife ec2 failing on sshd


  • From: Michael Lindsay
  • Subject: [chef] Re: Re: Re: Re: Re: Re: Re: Knife ec2 failing on sshd
  • Date: Fri, 6 Mar 2015 15:54:17 -0800

Things are definitely improving:

First attempt with this debug statement indicates that it's using the EIP to connect, but got this: Net::SSH::HostKeyMismatch. Realized since I've been putting so many different instances behind this EIP, I had to kill its known_hosts entry (shouldn't --no-host-key-verify be doing this for me?)

Now I'm getting "Authentication failed for user @[EIP]. (Net::SSH::AuthenticationFailed)", which appears to be missing the username.

This is the stack trace:

.../opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/net-ssh-2.9.2/lib/net/ssh.rb:224:in `start': Authentication failed for user @[EIP] (Net::SSH::AuthenticationFailed)
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/net-ssh-gateway-1.2.0/lib/net/ssh/gateway.rb:74:in `initialize'
    from /Users/mnl/.chefdk/gem/ruby/2.1.0/gems/knife-ec2-0.10.0/lib/chef/knife/ec2_server_create.rb:815:in `new'
    from /Users/mnl/.chefdk/gem/ruby/2.1.0/gems/knife-ec2-0.10.0/lib/chef/knife/ec2_server_create.rb:815:in `configure_ssh_gateway'
    from /Users/mnl/.chefdk/gem/ruby/2.1.0/gems/knife-ec2-0.10.0/lib/chef/knife/ec2_server_create.rb:779:in `tunnel_test_ssh'
    from /Users/mnl/.chefdk/gem/ruby/2.1.0/gems/knife-ec2-0.10.0/lib/chef/knife/ec2_server_create.rb:766:in `wait_for_tunnelled_sshd'
    from /Users/mnl/.chefdk/gem/ruby/2.1.0/gems/knife-ec2-0.10.0/lib/chef/knife/ec2_server_create.rb:730:in `wait_for_sshd'
    from /Users/mnl/.chefdk/gem/ruby/2.1.0/gems/knife-ec2-0.10.0/lib/chef/knife/ec2_server_create.rb:406:in `run'
    from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:417:in `block in run_with_pretty_exceptions'
    from /opt/chefdk/embedded/apps/chef/lib/chef/local_mode.rb:38:in `with_server_connectivity'
    from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:416:in `run_with_pretty_exceptions'
    from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:213:in `run'
    from /opt/chefdk/embedded/apps/chef/lib/chef/application/knife.rb:139:in `run'
    from /opt/chefdk/embedded/apps/chef/bin/knife:25:in `<top (required)>'
    from /opt/chefdk/bin/knife:40:in `load'
    from /opt/chefdk/bin/knife:40:in `<main>'


On Fri, Mar 6, 2015 at 3:36 PM, Darren Dyke wrote:
@Michael L. 

If you are using the --associate-eip flag, try setting "--server-connect-attribute public_ip_address". See below from the ec2 server create: https://github.com/chef/knife-ec2/blob/master/lib/chef/knife/ec2_server_create.rb#L260-L264

option :server_connect_attribute,
  :long => "--server-connect-attribute ATTRIBUTE",
  :short => "-a ATTRIBUTE",
  :description => "The EC2 server attribute to use for SSH connection. Use this attr for creating VPC instances along with --associate-eip",
  :default => nil

On Fri, Mar 6, 2015 at 6:19 PM, Michael Lindsay wrote:
@Julian, it did find its way to tcp_test_ssh after all. Running with Debug enabled I can see 'No ssh gateway found'. Furthermore I can see it is trying to connect to the Private IP Address and not the EIP that I provided. Which explains the difference between my ssh and knife's... Just looking for a fix for that now.

 - M

On Fri, Mar 6, 2015 at 3:04 PM, Michael Lindsay wrote:
@Julian: hadn't thought to look at the source code, that's good info (and I can see why the dots roll out more slowly ;-) ).  I'm not connecting to an ubuntu instance so looks like it wouldn't be TCP connection in the second git file but instead something from here? 

@Darren: It's a public subnet, so no proxy required

On Fri, Mar 6, 2015 at 2:48 PM, Darren Dyke wrote:
Hello, are you trying to configure a node on a private subnet? If so are you supplying the --ssh-gateway option/configure ssh config proxies?

On Fri, Mar 6, 2015 at 5:32 PM, Michael Weinberg wrote:
No, it shouldn't be. But I don't know what is actually happening during 'waiting for sshd,' so on the off chance there's some additional communication there I thought I'd suggest it.

--
Michael F. Weinberg | Director of Operations
http://heavywaterops.com | @heavywaterops

On Fri, Mar 6, 2015 at 2:29 PM, Michael Lindsay wrote:
Hi again Michael :-) I'm new to VPC, but I feel like I've pored over all the settings there. Would the behavior be different with knife than ssh on the same workstation in this regard?

On Fri, Mar 6, 2015 at 2:19 PM, Michael Weinberg wrote:
Hi Michael,

I generally use CloudFormation for all my VPC instances, so have not attempted a direct bootstrap. Have you confirmed that the inbound and outbound security group and ACL rules allow traffic both directions on 22, 80, 443, and the ephemeral ports?

--
Michael F. Weinberg | Director of Operations
http://heavywaterops.com | @heavywaterops

On Fri, Mar 6, 2015 at 2:16 PM, Michael Lindsay wrote:

Hello everyone… 

I’m attempting my first knife ec2 create commands for building instances inside a VPC.  

The problem I'm facing is that "Waiting for sshd access to become available...." never completes. What's weird (and flies in the face of what I thought was going on) is that while I'm watching little dots appear, in another terminal window on the same workstation, using the same identity file, user, and I think hostname (EIP) that the knife command is using, I CAN ssh into the instance.

Any ideas what might cause this?

 - Michael
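
The Net::SSH::HostKeyMismatch reported in the newest message of this thread came from a known_hosts entry left behind by an earlier instance on the same Elastic IP. As an added example (not from the thread, and not knife-ec2 or net-ssh code), this Ruby script finds such stale entries in OpenSSH known_hosts text, including hashed ones; the function names, the address 203.0.113.10 and the key blobs are constructed placeholders.

```ruby
require 'openssl'

# Added illustration; not knife-ec2 or net-ssh code.

# True when the host field of a known_hosts line names `host`.
# Plain fields are comma-separated; hashed fields are |1|salt|HMAC-SHA1(salt, host).
def host_field_matches?(field, host)
  if field.start_with?('|1|')
    _, _, salt_b64, hash_b64 = field.split('|')
    salt = salt_b64.unpack1('m')
    OpenSSL::HMAC.digest('SHA1', salt, host) == hash_b64.unpack1('m')
  else
    field.split(',').include?(host)
  end
end

# Returns [status, stale_line_numbers]; status is :match, :mismatch or :unknown.
# :mismatch is the condition an SSH client reports as a host key mismatch.
def check_host_key(known_hosts_text, host, key_type, key_b64)
  stale = []
  matched = false
  known_hosts_text.each_line.with_index(1) do |line, lineno|
    line = line.strip
    # Comments and @cert-authority/@revoked marker lines are out of scope here.
    next if line.empty? || line.start_with?('#', '@')
    hosts, type, key = line.split(/\s+/, 4)
    next unless type == key_type && host_field_matches?(hosts, host)
    if key == key_b64 then matched = true else stale << lineno end
  end
  status = matched ? :match : (stale.empty? ? :unknown : :mismatch)
  [status, stale]
end

# Constructed sample data: placeholder address and key blobs, not real keys.
EIP = '203.0.113.10'
OLD_KEY = ['old-instance-host-key'].pack('m0')
NEW_KEY = ['new-instance-host-key'].pack('m0')
SALT = 'constructed-salt-20b'
HASHED_EIP = "|1|#{[SALT].pack('m0')}|" \
             "#{[OpenSSL::HMAC.digest('SHA1', SALT, EIP)].pack('m0')}"
KNOWN_HOSTS = <<~EOS
  # constructed known_hosts
  other.example.com,198.51.100.7 ssh-rsa #{NEW_KEY}
  #{EIP} ssh-rsa #{OLD_KEY}
  #{HASHED_EIP} ssh-rsa #{OLD_KEY} stale hashed entry
EOS

p check_host_key(KNOWN_HOSTS, EIP, 'ssh-rsa', NEW_KEY)
```

On a workstation, `ssh-keygen -R <address>` removes both the plain and the hashed entries for an address once the new instance's key has been checked.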











