Page MenuHomePhabricator

cumin fails on integration-cumin: Permission denied (publickey).
Closed, ResolvedPublic

Description

hashar@integration-cumin:~$ sudo cumin --force 'name:docker-1021' 'hostname'
1 hosts will be targeted:
integration-slave-docker-1021.integration.eqiad.wmflabs
FORCE mode enabled, continuing without confirmation
----- OUTPUT of 'hostname' -----                                                                                                            
Permission denied (publickey).                                                                                                              
================                                                                                                                            
PASS:  |                                                                                               |   0% (0/1) [00:00<?, ?hosts/s]     
FAIL:  |███████████████████████████████████████████████████████████████████████████████████████| 100% (1/1) [00:00<00:00,  7.72hosts/s]     
100.0% (1/1) of nodes failed to execute command 'hostname': integration-slave-docker-1021.integration.eqiad.wmflabs
0.0% (0/1) success ratio (< 100.0% threshold) for command: 'hostname'. Aborting.
0.0% (0/1) success ratio (< 100.0% threshold) of nodes successfully executed all commands. Aborting.

Event Timeline

hashar created this task.Mar 5 2019, 9:59 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

On the target instance:

Mar  5 10:00:01 integration-slave-docker-1021 sshd[14730]: Connection from 172.16.1.103 port 55804 on 172.16.0.78 port 22
Mar  5 10:00:02 integration-slave-docker-1021 sshd[14730]: Authentication tried for root with correct key but not from a permitted host (host=integration-cumin.integration.eqiad.wmflabs, ip=172.16.1.103).
Mar  5 10:00:02 integration-slave-docker-1021 sshd[14730]: Failed publickey for root from 172.16.1.103 port 55804 ssh2: ED25519 06:36:d8:17:14:ac:73:73:3b:71:ea:bf:1f:59:e1:23
Mar  5 10:00:02 integration-slave-docker-1021 sshd[14730]: Connection closed by 172.16.1.103 [preauth]

Authentication tried for root with correct key but not from a permitted host (host=integration-cumin.integration.eqiad.wmflabs, ip=172.16.1.103).

/etc/ssh/userkeys/root.d/cumin
from="10.68.18.238",no-agent-forwarding,no-port-forwarding,no-x11-forwarding,no-user-rc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPfdabE1Fej0X86QgjY72LXvA3Wawrg0ZcDL0PF56/A root@integration-cumin

That is the old instance ;)

hashar closed this task as Resolved.Mar 5 2019, 10:08 AM

That comes from the project puppet config in Horizon:

profile::openstack::main::cumin::project_masters:
- 10.68.18.238

Updating it to 172.16.1.103 solved the issue.

Mentioned in SAL (#wikimedia-releng) [2019-03-05T10:13:02Z] <hashar> integration: fixed erroneous ssh key restriction for cumin | T217642