
I am passing (YAML representation)

metadata:
  items:
  - key: sshKeys
    value: root:ssh-rsa AAAAB... non@nan

when creating a gcloud instance. But I cannot ssh to the instance

$ ssh 139.242.197.104.bc.googleusercontent.com
Host key fingerprint is SHA256:aSSOS1tMiF9h43C6UIJQW0TqXuYVMfRic3Lm7gYRECQ
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Looks like the ssh key is not inserted on boot. The instance is a standard RHEL 7.2 KVM guest image converted from qcow2 to raw format and uploaded. Any idea if what I'm doing is the correct incantation for specifying ssh keys in GCE, and if what I want is supported by cloud-init?

akostadinov
  • Did you install [Google Compute Engine image packages](https://cloud.google.com/compute/docs/tutorials/building-images#gceimagepackages) before building your custom image? google-daemon is required to create new accounts and configure ssh to accept public keys using metadata server. How do you supply your private key to SSH command? – Kamran Feb 20 '16 at 23:54
  • @Kamran, no, I don't install gce packages (and don't want to). I am actually asking how to make `cloud-init` happy. I don't see reason to install some unknown daemon when all other cloud services I'm using, do not require additional packages. If not anything else, that would make my machine init configuration inconsistent with the other clouds and that's not acceptable for me. – akostadinov Feb 22 '16 at 06:57

1 Answer


Huh, can't get any GCE answer it seems. Figured it out though. First of all, the current Red Hat Enterprise Linux (v7.2) cloud-init version does not support instance ssh keys (it handles only project-level keys). cloud-init trunk does support them already, though, so hopefully downstream will pick that up soon. In the meantime I used the following user-data to emulate this (again YAML representation):

metadata:
  items:
  - key: sshKeys
    value: root:ssh-rsa AAAAB... non@nan
  - key: user-data
    value: |
      #cloud-config
      disable_root: false
      preserve_hostname: true
      runcmd:
      # /root/.ssh may not exist yet on a fresh image; sshd also requires it to be 0700
      - "mkdir -p /root/.ssh && chmod 700 /root/.ssh"
      # fetch the instance sshKeys attribute, drop the leading "user:" of each entry,
      # put one key per line and append them to root's authorized_keys
      - "curl 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys' -H 'Metadata-Flavor: Google' | sed -r -e 's/(^|,)[^:,]*:/\\1/g' -e 's/,/\\n/g' >> /root/.ssh/authorized_keys"
      - "chmod 600 /root/.ssh/authorized_keys"

Note that the Google documentation talks only about the startup-script metadata key. To my reading, even upstream cloud-init does not care about that metadata key. It is looking for the user-data key as shown above.

Hope this helps.

akostadinov
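The runcmd in the answer above pipes the raw sshKeys attribute through a single sed expression, which silently keeps keys belonging to every user in the attribute, appends duplicates on every boot, and fails if /root/.ssh is missing. Below is an added example (not code from the original post or from cloud-init) of the same idea written as a small POSIX sh script that can be dropped into a cloud-config runcmd. It assumes the documented metadata-server URL and `Metadata-Flavor: Google` header, the `username:key` entry format, and, following the answer, that entries may be separated by either newlines or commas. The sample attribute content is constructed for the example and contains no real keys.

```shell
#!/bin/sh
# Added example: install a user's keys from the GCE instance "sshKeys"
# attribute into authorized_keys. Not part of the original answer.

# Documented GCE metadata-server endpoint for the sshKeys instance attribute.
METADATA_URL='http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys'

# Constructed sample of what the attribute could contain (fake key blobs):
# entries are "username:key", separated by newlines or, as in the answer, commas.
SAMPLE_SSHKEYS='root:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0example1 root@example
alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2 alice@laptop,root:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample3 root@backup'

# fetch_sshkeys: print the raw attribute (only works on a GCE instance).
fetch_sshkeys() {
    curl -sf "$METADATA_URL" -H 'Metadata-Flavor: Google'
}

# keys_for_user USER: read raw sshKeys text on stdin and print only USER's
# keys, one per line, with the "USER:" prefix removed. Only the first colon
# of an entry is treated as the separator, so a ":" inside the key comment
# survives. Keys belonging to other users are dropped, not installed.
keys_for_user() {
    user=$1
    tr ',' '\n' | awk -v u="$user" -F: '
        $1 == u { sub(/^[^:]*:/, ""); if ($0 != "") print }'
}

# install_keys KEYS_FILE: read keys on stdin and append those not already
# present in KEYS_FILE (exact line match, so re-running at every boot is
# idempotent). Creates the directory as 0700 and the file as 0600, which is
# what sshd's StrictModes requires. Prints the number of keys added.
install_keys() {
    keys_file=$1
    keys_dir=$(dirname "$keys_file")
    added=0
    mkdir -p "$keys_dir"
    chmod 700 "$keys_dir"
    touch "$keys_file"
    chmod 600 "$keys_file"
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if ! grep -qxF -- "$key" "$keys_file"; then
            printf '%s\n' "$key" >> "$keys_file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# On a GCE instance the runcmd line would be:
#   fetch_sshkeys | keys_for_user root | install_keys /root/.ssh/authorized_keys
# demo: run the same pipeline offline against the constructed sample and
# show the resulting authorized_keys file.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SSHKEYS" | keys_for_user root | install_keys "$tmp/.ssh/authorized_keys" >/dev/null
    cat "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}

demo
```

The user filter is the important part: the legacy sshKeys attribute is a single blob for all users, so blindly stripping everything before the first colon, as the answer's sed does, would grant every listed account's key root access.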