Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-18458

Ssh keys cannot be updated in OCB pools

    XMLWordPrintable

Details

    • Moderate
    • No
    • MCO Sprint 241, MCO Sprint 242, MCO Sprint 243, MCO Sprint 244
    • 4
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      In an on-cluster build pool, when we create a MC to update the sshkeys, we can't find the new keys in the nodes after the configuration is built and applied.

      Version-Release number of selected component (if applicable):

      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.14.0-0.nightly-2023-08-30-191617   True        False         7h52m   Cluster version is 4.14.0-0.nightly-2023-08-30-191617
      

      How reproducible:

      Always

      Steps to Reproduce:

      1. Enable the on-cluster build functionality in the "worker" pool
      2. Check the value of the current keys
      
      $ oc debug  node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat /home/core/.ssh/authorized_keys.d/ignition
      Warning: metadata.name: this is used in the Pod's hostname, which can result in surprising behavior; a DNS label is recommended: [must be no more than 63 characters]
      Starting pod/sregidor-sr3-bfxxj-worker-a-h5b5jcopenshift-qeinternal-debug-ljxgx ...
      To use host binaries, run `chroot /host`
      ssh-rsa AAAA..................................................................................................................................................................qe@redhat.com
      
      
      Removing debug pod ...
      
      
      3. Create a new MC to configure the  "core" user's sshkeys. We add 2 extra keys.
      
      
      $ oc get mc -o yaml tc-59426-add-ssh-key-9tv2owyp
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        creationTimestamp: "2023-09-01T10:57:14Z"
        generation: 1
        labels:
          machineconfiguration.openshift.io/role: worker
        name: tc-59426-add-ssh-key-9tv2owyp
        resourceVersion: "135885"
        uid: 3cf31fbb-7a4e-472d-8430-0c0eb49420fc
      spec:
        config:
          ignition:
            version: 3.2.0
          passwd:
            users:
            - name: core
              sshAuthorizedKeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPmGf/sfIYog......
                mco_test@redhat.com
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDf.......
                mco_test2@redhat.com
      
       3. Verify that the new rendered MC contains the 3 keys
      
      $ oc get mcp worker
      NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
      worker   rendered-worker-02d04d7c47cd3e08f8f305541cf85000   True      False      False      2              2                   2                     0                      8h
      
      $ oc get mc -o yaml rendered-worker-02d04d7c47cd3e08f8f305541cf85000 | grep users -A9
            users:
            - name: core
              sshAuthorizedKeys:
              - ssh-rsa AAAAB...............................qe@redhat.com
              - ssh-rsa AAAAB...............................mco_test@redhat.com
              - ssh-rsa AAAAB...............................mco_test2@redhat.com
          storage:
      
      
      

      Actual results:

      Only the initial key is present in the node
      
      $ oc debug  node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat /home/core/.ssh/authorized_keys.d/ignition
      Warning: metadata.name: this is used in the Pod's hostname, which can result in surprising behavior; a DNS label is recommended: [must be no more than 63 characters]
      Starting pod/sregidor-sr3-bfxxj-worker-a-h5b5jcopenshift-qeinternal-debug-ljxgx ...
      To use host binaries, run `chroot /host`
      ssh-rsa AAAA.........qe@redhat.com
      
      Removing debug pod ...
      
      
       

      Expected results:

      The added ssh keys should be configure in /home/core/.ssh/authorized_keys.d/ignition file as well.
      
       

      Additional info:

       

      Attachments

        Activity

          People

            dkhater@redhat.com Dalia Khater
            sregidor@redhat.com Sergio Regidor de la Rosa
            Sergio Regidor de la Rosa Sergio Regidor de la Rosa
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: