On Thu, Nov 12, 2020 at 10:01 AM Angus Clarke <an...@charworth.com> wrote:
>
> Hello
>
> Sharing for anyone who needs it, this was carried out on OL7, they use oVirt 4.3
>
> In short: both the hosted-engine deployment routine and the host add to 
> cluster routine distribute public ssh keys to /root/.ssh/authorized_keys 
> regardless of the AuthorizedKeysFile setting in /etc/ssh/sshd_config. Both 
> routines fail if AuthorizedKeysFile is not default.
>
>
> The hosted-engine setup assumes AuthorizedKeysFile to be default 
> (~/.ssh/authorized_keys) and creates a public key there, instead of following 
> the sshd_config directive. The setup fails on the back of this.
>
> Once I commented this out of sshd_config file (assumes default) and restarted 
> sshd on the KVM host that was running the hosted-engine deployment, the 
> hosted-engine setup completed successfully.
>
>
> Similarly, I could not deploy a second KVM host to the compute cluster until 
> I had altered this setting on that 2nd KVM host - presumably that process has 
> some similar routine that unwittingly writes keys to ~/.ssh/authorized_keys.

Thanks for the report.

Would you like to open one or two bugs about this?

I think it's just one bug, though - from searching relevant source - in the
code adding a host to the engine. This code is also used during hosted-engine
deploy.

We also have code there to add lines to this file on the appliance (engine
vm image), but I do not believe users will work so hard as to update the
image before deploy.

So one bug is probably enough. To make sure, please include there all
relevant details about how "they" (your customer?) configure their
machines - e.g. is it only during their installation (image/PXE/etc.)
or also routinely (Puppet etc.)?

I admit I am not sure what the expected behavior should be, though:
An admin can run sshd with a custom file. So should we also check that?

Perhaps it's enough if we allow the admin to set a custom location also
for oVirt, instead of trying to guess. And make sure that the failure
error message is clear and unique enough so that people searching the
net for it find your bug, and so can find how to configure it :-)

Best regards,
-- 
Didi
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NNV5RFGEV4IBGHSHTAGARWRBBJJ4HJ2D/
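
Added example, not part of the thread and not oVirt code: a pre-flight check for the mismatch reported above. It resolves the AuthorizedKeysFile entries from `sshd -T` output and tests whether /root/.ssh/authorized_keys is one of the files sshd will read. The two sample configurations (including the /etc/ssh/keys/%u path) are constructed, and only the %h, %u and %% tokens are expanded.

```shell
#!/bin/sh
# Added example (not oVirt code). Feed it the output of `sshd -T`, run as root.

# resolve_keyfiles USER HOME  < config text
# Prints each AuthorizedKeysFile entry as an absolute path, expanding the
# %h, %u and %% tokens; relative entries are resolved against HOME.
resolve_keyfiles() {
    awk -v u="$1" -v h="$2" '
        tolower($1) == "authorizedkeysfile" {
            found = 1
            if ($2 == "none") next          # key files disabled entirely
            for (i = 2; i <= NF; i++) {
                p = $i
                gsub(/%%/, SUBSEP, p)       # park literal "%" out of the way
                gsub(/%h/, h, p)
                gsub(/%u/, u, p)
                gsub(SUBSEP, "%", p)
                if (p !~ /^\//) p = h "/" p
                print p
            }
        }
        END {                               # directive absent: sshd defaults
            if (!found) {
                print h "/.ssh/authorized_keys"
                print h "/.ssh/authorized_keys2"
            }
        }'
}

# key_path_ok USER HOME  < config text
# Succeeds only if HOME/.ssh/authorized_keys (where the thread says the
# deployment writes its key) is a file sshd will actually consult.
key_path_ok() {
    resolve_keyfiles "$1" "$2" | grep -qxF "$2/.ssh/authorized_keys"
}

# Constructed sample inputs in `sshd -T` format.
SAMPLE_DEFAULT='port 22
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2'
SAMPLE_CUSTOM='port 22
authorizedkeysfile /etc/ssh/keys/%u'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_CUSTOM"; do
    if printf '%s\n' "$sample" | key_path_ok root /root; then
        echo "OK: sshd reads /root/.ssh/authorized_keys"
    else
        echo "MISMATCH: sshd reads $(printf '%s\n' "$sample" | resolve_keyfiles root /root | tr '\n' ' ')"
    fi
done
```

On a real host, replace the samples with `sshd -T | key_path_ok root /root` before starting the deployment or adding the host.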
