Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Always Retrieve New SSH key in RHEL AMIs|
|Product:||Red Hat Enterprise Linux 6|
|Reporter:||Jay Greguske <jgregusk>|
|Component:||cloud-init|
|Assignee:||Jay Greguske <jgregusk>|
|Status:||CLOSED CURRENTRELEASE|
|QA Contact:||mkovacik|
|Version:||6.3|
|CC:||atodorov, jgregusk, syeghiay|
|Fixed In Version:||
|Doc Type:||Bug Fix|
|Doc Text:||
|Story Points:||---|
|:||823635|
|Environment:||
|Last Closed:||2013-03-20 13:38:49 EDT|
|Type:||Bug|
|oVirt Team:||---|
|RHEL 7.3 requirements from Atomic Host:||
|Bug Depends On:||
Description Jay Greguske 2012-05-21 14:29:12 EDT
Description of problem:
If an SSH key already exists on a RHEL AMI instance, it will not attempt to download another one. This is problematic for rebundles, even though one should be careful to remove their SSH keys anyway. It would be better if a warning was issued instead.

How reproducible:
Always

Steps to Reproduce:
1. Boot an AMI
2. Use ec2-create-image to rebundle it
3. Boot that new AMI with a different key

Actual results:
Cannot log in since the new key was not retrieved.

Expected results:
Issue a warning and then download the new key anyway.

Additional info:
The cloud-init package may solve this behavior for us. (see rhbz 770467)
Comment 3 RHEL Product and Program Management 2012-07-10 02:59:28 EDT
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
Comment 4 RHEL Product and Program Management 2012-07-10 21:48:03 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 7 Joe Vlcek 2012-11-16 11:37:16 EST
Modifying cloud-init to overwrite existing key might make the rebundling process a little more bulletproof but would not be a good solution. Other users of cloud-init might very well expect existing keys not to be overwritten. I really think this should be addressed by improving the bundling process to ensure the keys are removed. Can the reporter, Jay Greguske, please comment?
Comment 8 Jay Greguske 2012-11-16 12:17:31 EST
The bundling process in EC2 is under Amazon's control, not ours, so we can't really improve that directly. I've heard arguments on both sides about what to do about existing keys, and personally I agree that the keys should not be overwritten. A warning that they exist should be emitted though. For 6.4, I'm fine with whatever cloud init decides to do, as long as the behavior is consistent.
Comment 9 Joe Vlcek 2012-11-16 16:25:37 EST
(In reply to comment #8)
> The bundling process in EC2 is under Amazon's control, not ours, so we can't
> really improve that directly. I've heard arguments on both sides about what
> to do about existing keys, and personally I agree that the keys should not
> be overwritten.

Sure but perhaps prior to creating the bundle the ssh keys should be removed.

> A warning that they exist should be emitted though.

No warning is currently issued. It's not clear what value logging that would be since the user would need to log into the instance to view the log and since they can't log in it would be a bit of the: If a tree falls in a forest and no one is there does it make a noise. ;)

> For 6.4, I'm fine with whatever cloud init decides to do, as long as the
> behavior is consistent.

Great. So can this bug be closed or changed to a low priority RFE to consider having a message written to the log when existing ssh keys are found?
Comment 10 Jay Greguske 2012-11-16 16:45:21 EST
We cannot close the bug until 6.4 ships, we'll be using it to track that cloud-init does in fact land in the official RHEL AMIs. That's a Rel-Eng issue though, no action needs to be taken on your part.
Comment 11 Joe Vlcek 2013-01-03 11:04:01 EST
(In reply to comment #10)
> We cannot close the bug until 6.4 ships, we'll be using it to track that
> cloud-init does in fact land in the official RHEL AMIs. That's a Rel-Eng
> issue though, no action needs to be taken on your part.

So I will assign it to you, Jay Greguske, since no action on my part is required.
Comment 13 Steven Hardy 2013-03-20 07:53:53 EDT
Since no action is required on my part (AFAICS), reassigning to firstname.lastname@example.org as per comment #11.
Comment 14 Jay Greguske 2013-03-20 13:38:49 EDT
cloud-init shipped with 6.4 AMIs, we're taking its default behaviors with respect to ssh keys.
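The hygiene step raised in the description and in comment 9 (removing SSH keys before rebundling), as an added example that is not part of the bug report or of cloud-init: a POSIX shell check that flags authorized_keys files still granting access under an image root, and can delete them. The function names and the searched paths (/root and /home/*, the OpenSSH default locations) are assumptions.

```shell
#!/bin/sh
# Added example: pre-bundle audit for authorized SSH keys left in an image tree.
# Function names and the searched paths (OpenSSH defaults) are assumptions.

# Count key entries (non-blank, non-comment lines) in an authorized_keys file.
count_keys() {
    grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" || true
}

# Print "<count> <path>" for every file under image root $1 that still grants access.
list_key_files() {
    root=${1%/}
    for f in "$root"/root/.ssh/authorized_keys* "$root"/home/*/.ssh/authorized_keys*; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal
        n=$(count_keys "$f")
        [ "${n:-0}" -gt 0 ] && printf '%s %s\n' "$n" "$f"
    done
    return 0
}

# Warn about each leftover; return 1 when the tree is not safe to bundle.
audit_image_keys() {
    found=$(list_key_files "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while read -r n f; do
        echo "WARNING: $n key(s) still authorized in $f" >&2
    done
    return 1
}

# Delete the flagged files so the next boot retrieves the launch key.
scrub_image_keys() {
    list_key_files "$1" | while read -r n f; do
        rm -f -- "$f"
    done
}

# Demo on a constructed tree (sample data, not a real image).
demo=$(mktemp -d)
mkdir -p "$demo/root/.ssh" "$demo/home/ec2-user/.ssh"
echo 'ssh-rsa AAAAconstructed previous-owner' > "$demo/root/.ssh/authorized_keys"
echo '# comment only, grants nothing' > "$demo/home/ec2-user/.ssh/authorized_keys"
if audit_image_keys "$demo"; then echo "clean"; else echo "keys found"; fi
scrub_image_keys "$demo"
if audit_image_keys "$demo"; then echo "clean after scrub"; fi
rm -rf "$demo"
```

Pointing `audit_image_keys` at `/` on the running instance gives the same check just before `ec2-create-image`.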