Bug 1791375

Summary: installer gather bootstrap displays misleading error about private keys when connect: operation timed out
Product: OpenShift Container Platform Reporter: Clayton Coleman <ccoleman>
Component: InstallerAssignee: Jeremiah Stuever <jstuever>
Installer sub component: openshift-installer QA Contact: wang lin <lwan>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: jstuever, scuppett
Version: 4.4   
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-04 11:24:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Clayton Coleman 2020-01-15 16:52:32 UTC 
1. Ran an install that failed
2. SSH gather from bootstrap failed with:

ERROR Attempted to gather debug logs after installation failure: failed to create SSH client, ensure the proper ssh key is in your keyring or specify with --key: dial tcp 10.0.0.7:22: connect: operation timed out

3. I have an SSH key in .pem combined format (pub + private key), but installer appeared to not read it.

I believe the installer method https://github.com/openshift/installer/blob/master/pkg/gather/ssh/ssh.go#L116 should also attempt to read PEM encoded private keys.

PEM encoded keys aren't totally uncommon, and most engineers / developers on the team use them, so it would increase team efficiency.
Comment 2 Abhinav Dahiya 2020-01-15 17:21:32 UTC 
The currently seems more like a feature required than a bug. So it is better tracked in JIRA imo.
Comment 3 Scott Dodson 2020-02-03 18:47:29 UTC 
It's not proper to add keys blindly to existing agents, we will only update the output on error to be more clear.
Comment 4 Jeremiah Stuever 2020-02-12 19:39:07 UTC 
The following is the error seen when the ssh key is neither specified with --key or loaded into the keyring. It may be helpful to display the key specific error only when authentication failed, as opposed to a connection timeout as indicated in the original error above.

ERROR Attempted to gather debug logs after installation failure: failed to create SSH client, ensure the proper ssh key is in your keyring or specify with --key: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
Comment 7 wang lin 2020-02-18 15:11:20 UTC 
I want more information about how you reproduce the error " dial tcp 10.0.0.7:22: connect: operation timed out". 
if do I need disable 22 port of the some nodes' ingress rule? which node, or any other ways? Can you give me more detail?
Comment 8 wang lin 2020-02-20 09:22:09 UTC 
It has fixed.
test payload:4.4.0-0.nightly-2020-02-18-211831

The log will contain "failed to create SSH client, ensure the proper ssh key is in your keyring or specify with --key" only when there is no key, otherwise,it won't contain this logs info.
Comment 9 Jeremiah Stuever 2020-02-25 16:35:32 UTC 
Looks like you found a way to reproduce this. You can replicate an SSH 'operation timed out' by using a bootstrap IP of a non-existing host such as 192.168.2.1 in the following example:

openshift-install gather bootstrap --bootstrap 192.168.2.1 --master 192.168.2.1
Comment 11 errata-xmlrpc 2020-05-04 11:24:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581