Re: [Openstack] problem ssh-ing into vms

2012-03-28 Thread Vishvananda Ishaya

On Mar 28, 2012, at 8:01 AM, Pierre Amadio wrote:

> Was my assumption wrong or is there something special to do to have the
> metadata service available without running nova-api ?

You can run the metadata service by itself using bin/nova-api-metadata.  For 
performance reasons, I prefer this option.

Alternatively you can leave it running on the api node but you have to make 
sure config is set on your compute and network hosts to tell the system where 
to forward to.  You do this via a config option in nova.conf

## (StrOpt) the ip for the metadata api server
# metadata_host="$my_ip"

Also you have to make sure that packets are not snatted when they leave the 
network host if they are going to the metadata server. You can do this via a 
config option as well:

## (StrOpt) dmz range that should be accepted
# dmz_cidr="10.128.0.0/24"

So setting the following:
metadata_host=
dmz_cidr=/32

should work with nova-api running separately







___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] problem ssh-ing into vms

2012-03-28 Thread Yong Sheng Gong
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-openstack-compute-basics.html#configuring-multiple-compute-nodes:

If you want to use the 10.04 Ubuntu Enterprise Cloud images that are readily available at http://uec-images.ubuntu.com/releases/10.04/release/, you may run into delays with booting. Any server that does not have nova-api running on it needs this iptables entry so that UEC images can get metadata info. On compute nodes, configure the iptables with this next step:

# iptables -t nat -A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $NOVA_API_IP:8773

-openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: -
To: openstack
From: Pierre Amadio
Sent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.net
Date: 03/28/2012 11:01PM
Subject: Re: [Openstack] problem ssh-ing into vms

Hi there !

> | 2012-03-28 13:11:29,162 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
> | 2012-03-28 13:11:35,174 - DataSourceEc2.py[CRITICAL]: giving up on md after 105 seconds
>
> The instance was unable to connect to the metadata service to get your
> public keys and put them into the instance.  The Ubuntu images have an
> annoyance, in that if it can't get to the MD it doesn't even generate ssh
> server keys, so the ssh server just drops you immediately.
>
> But your real problem is that the guests can't see the host.
>

Thanks, this helped a lot.

The vm was on a node running nova-compute and nova-network only.

Turned out the metadata service was available after i have started
nova-api on top of that.

I thought nova-api was not needed on boxes running nova-compute ? (i have
it running on a "manager" node that do not launch vms).

Was my assumption wrong or is there something special to do to have the
metadata service available without running nova-api ?
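A check for the two NAT conditions the replies above describe (the 169.254.169.254 DNAT and the SNAT exemption toward the metadata host), as an added example that is not part of the thread or of nova's own code. The function names, the rule dumps and the address 192.0.2.10 are constructed for illustration, and the exemption is assumed to appear as an ACCEPT rule with `-d <host>/32` in a POSTROUTING chain.

```shell
# Audit `iptables-save -t nat` output (stdin) for the two rules discussed above.
#   $1 = metadata host IP, $2 = metadata port (operator-supplied)
# Returns 0 only if the 169.254.169.254:80 DNAT targets $1:$2 AND a POSTROUTING
# ACCEPT toward $1/32 exists (assumed shape of the dmz_cidr=<host>/32 exemption).
# Chain traversal order and wider dmz_cidr ranges are not evaluated.
audit_metadata_nat() {
    awk -v host="$1" -v port="$2" '
    function opt(flag,   i) {           # value that follows a flag in this rule
        for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
        return ""
    }
    $1 != "-A" { next }                 # skip table header, chain policies, COMMIT
    { target = opt("-j"); dst = opt("-d") }
    target == "DNAT" && dst == "169.254.169.254/32" && opt("--dport") == "80" {
        to = opt("--to-destination")
        if (to == host ":" port) dnat_ok = 1
        else print "BAD  metadata DNAT goes to " to ", expected " host ":" port
    }
    target == "ACCEPT" && $2 ~ /POSTROUTING/ && dst == host "/32" { exempt_ok = 1 }
    END {
        s = dnat_ok ? "OK  " : "MISS"
        print s " DNAT 169.254.169.254:80 -> " host ":" port
        s = exempt_ok ? "OK  " : "MISS"
        print s " SNAT exemption (ACCEPT -d " host "/32)"
        exit !(dnat_ok && exempt_ok)
    }'
}

# Constructed sample dump (not taken from the thread); 192.0.2.10 is a placeholder.
sample_good() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8773
-A POSTROUTING -s 10.0.0.0/24 -d 192.0.2.10/32 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.123.1
COMMIT
EOF
}
# Same dump with the exemption rule missing, so metadata traffic would be SNATed.
sample_no_exemption() { sample_good | grep -v -e '-j ACCEPT'; }

sample_good | audit_metadata_nat 192.0.2.10 8773
```

On a real network or compute host the input would come from `iptables-save -t nat` run as root, piped into `audit_metadata_nat` with the configured metadata host and port.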




Re: [Openstack] problem ssh-ing into vms

2012-03-28 Thread Pierre Amadio
Hi there !

> | 2012-03-28 13:11:29,162 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
> | 2012-03-28 13:11:35,174 - DataSourceEc2.py[CRITICAL]: giving up on md after 105 seconds
> 
> The instance was unable to connect to the metadata service to get your
> public keys and put them into the instance.  The Ubuntu images have an
> annoyance, in that if it can't get to the MD it doesn't even generate ssh
> server keys, so the ssh server just drops you immediately.
> 
> But your real problem is that the guests can't see the host.
> 

Thanks, this helped a lot.

The vm was on a node running nova-compute and nova-network only.

Turned out the metadata service was available after i have started
nova-api on top of that.

I thought nova-api was not needed on boxes running nova-compute ? (i have
it running on a "manager" node that do not launch vms).

Was my assumption wrong or is there something special to do to have the
metadata service available without running nova-api ?






Re: [Openstack] problem ssh-ing into vms

2012-03-28 Thread Yong Sheng Gong
It seems iptables or some other similar software are not running on your host. openstack relies on it to translate 169.254.169.254 to host address.

-openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: -
To: Pierre Amadio
From: Scott Moser
Sent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.net
Date: 03/28/2012 10:16PM
Cc: openstack
Subject: Re: [Openstack] problem ssh-ing into vms

On Wed, 28 Mar 2012, Pierre Amadio wrote:
> Hi there !
>
> I'm puzzled with a ssh issue. Things used to work "before", and now, i
> cannot access my vms anymore.

Thank you for attaching euca-get-console-output.  That provides the real
hint here.

| cloud-init start-local running: Wed, 28 Mar 2012 13:09:35 +. up 43.07 seconds
| no instance data found in start-local
| ci-info: lo    : 1 127.0.0.1       255.0.0.0
| ci-info: eth0  : 1 10.0.0.3        255.255.255.0   fa:16:3e:59:63:1b
| ci-info: route-0: 0.0.0.0         10.0.0.1        0.0.0.0         eth0   UG
| ci-info: route-1: 10.0.0.0        0.0.0.0         255.255.255.0   eth0   U
| cloud-init start running: Wed, 28 Mar 2012 13:09:48 +. up 56.41 seconds
| 2012-03-28 13:09:49,331 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
| 2012-03-28 13:09:50,349 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
| ...
| 2012-03-28 13:11:29,162 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
| 2012-03-28 13:11:35,174 - DataSourceEc2.py[CRITICAL]: giving up on md after 105 seconds

The instance was unable to connect to the metadata service to get your
public keys and put them into the instance.  The Ubuntu images have an
annoyance, in that if it can't get to the MD it doesn't even generate ssh
server keys, so the ssh server just drops you immediately.

But your real problem is that the guests can't see the host.

You could potentially debug some more by using a cirros image, which will
let you do password auth in after it fails to reach the data source.




Re: [Openstack] problem ssh-ing into vms

2012-03-28 Thread Scott Moser
On Wed, 28 Mar 2012, Pierre Amadio wrote:

> Hi there !
>
> I'm puzzled with a ssh issue. Things used to work "before", and now, i
> cannot access my vms anymore.

Thank you for attaching euca-get-console-output.  That provides the real
hint here.

| cloud-init start-local running: Wed, 28 Mar 2012 13:09:35 +. up 43.07 seconds
| no instance data found in start-local
| ci-info: lo    : 1 127.0.0.1       255.0.0.0
| ci-info: eth0  : 1 10.0.0.3        255.255.255.0   fa:16:3e:59:63:1b
| ci-info: route-0: 0.0.0.0         10.0.0.1        0.0.0.0         eth0   UG
| ci-info: route-1: 10.0.0.0        0.0.0.0         255.255.255.0   eth0   U
| cloud-init start running: Wed, 28 Mar 2012 13:09:48 +. up 56.41 seconds
| 2012-03-28 13:09:49,331 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
| 2012-03-28 13:09:50,349 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
| ...
| 2012-03-28 13:11:29,162 - DataSourceEc2.py[WARNING]: 'http://169.254.169.254' failed: url error [[Errno 111] Connection refused]
| 2012-03-28 13:11:35,174 - DataSourceEc2.py[CRITICAL]: giving up on md after 105 seconds

The instance was unable to connect to the metadata service to get your
public keys and put them into the instance.  The Ubuntu images have an
annoyance, in that if it can't get to the MD it doesn't even generate ssh
server keys, so the ssh server just drops you immediately.

But your real problem is that the guests can't see the host.

You could potentially debug some more by using a cirros image, which will
let you do password auth in after it fails to reach the data source.



[Openstack] problem ssh-ing into vms

2012-03-28 Thread Pierre Amadio
Hi there !

I'm puzzled with a ssh issue. Things used to work "before", and now, i
cannot access my vms anymore.

I experience the same problem on both diablo (on ubuntu oneiric) and
essex (ubuntu precise).

I generate a ssh key:

euca-add-keypair mykey > ~/creds/testkey.priv
chmod 0600 ~/creds/testkey.priv

It looks like the following:

ubuntu@manager-node:~/creds$ cat testkey.priv
KEYPAIR testkey d5:47:1e:61:53:3d:36:61:1a:08:e9:00:a1:80:8d:a9
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

The key seems to be known by euca-tools.

ubuntu@manager-node:~/creds$ euca-describe-keypairs
KEYPAIR testkey d5:47:1e:61:53:3d:36:61:1a:08:e9:00:a1:80:8d:a9

I launch a vm with:


euca-run-instances -k testkey ami-0005

The vms itself is an instance of

http://cloud-images.ubuntu.com/oneiric/current/oneiric-server-cloudimg-amd64.tar.gz

Now, when i try to connect to the vm, i have the following error message:

ubuntu@manager-node:~/creds$ ssh - -i testkey.priv ubuntu@192.168.123.5
OpenSSH_5.9p1 Debian-4ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.123.5 [192.168.123.5] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "testkey.priv" as a RSA1 public key
debug3: key_read: missing whitespace
debug1: identity file testkey.priv type -1
debug1: identity file testkey.priv-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-7ubuntu1
debug1: match: OpenSSH_5.8p1 Debian-7ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-4ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer

Why is it mentioning the following ?

debug3: Could not load "testkey.priv" as a RSA1 public key

Is not testkey.priv supposed to be a _private_ key instead ?

euca-get-console-output i-0003 for the involved node is attached.

ubuntu@manager-node:~/creds$ euca-describe-instances
RESERVATION  r-nu11r90h  2252de9d285c4400a2ef87845f971ef7  default
INSTANCE  i-0003  ami-0005  192.168.123.5  server-3  running  testkey (2252de9d285c4400a2ef87845f971ef7, compute-a)  0  m1.small  2012-03-28T13:08:35.000Z  nova  aki-0004  ari-0003  monitoring-disabled  192.168.123.5  10.0.0.3  instance-store

Any idea what i could do wrong ?









ubuntu@manager-node:~/creds$ euca-get-console-output i-0003
i-0003
2012-03-28T13:19:50.482Z
[0