Bug 823634

Summary: Always Retrieve New SSH key in RHEL AMIs
Product: Red Hat Enterprise Linux 6
Reporter: Jay Greguske <jgregusk>
Component: cloud-init
Assignee: Jay Greguske <jgregusk>
Status: CLOSED CURRENTRELEASE
QA Contact: mkovacik
Severity: medium
Priority: medium
Version: 6.3
CC: atodorov, jgregusk, syeghiay
Target Milestone: rc
Keywords: EC2
Target Release: 6.4
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clones: 823635
Last Closed: 2013-03-20 13:38:49 EDT
Type: Bug
Bug Blocks: 823635

Description Jay Greguske 2012-05-21 14:29:12 EDT
Description of problem:
If an SSH key already exists on a RHEL AMI instance, it will not attempt to download another one. This is problematic for rebundles, even though one should be careful to remove their SSH keys anyway. It would be better if a warning was issued instead.

How reproducible:
Always

Steps to Reproduce:
1. Boot an AMI
2. Use ec2-create-image to rebundle it
3. Boot that new AMI with a different key
Actual results:
Cannot log in since the new key was not retrieved.

Expected results:
Issue a warning and then download the new key anyway.

Additional info:
The cloud-init package may solve this behavior for us. (see rhbz 770467)
Comment 3 RHEL Product and Program Management 2012-07-10 02:59:28 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 RHEL Product and Program Management 2012-07-10 21:48:03 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 7 Joe Vlcek 2012-11-16 11:37:16 EST
Modifying cloud-init to overwrite existing keys might make the
rebundling process a little more bulletproof but would not be
a good solution.

Other users of cloud-init might very well expect existing keys
not to be overwritten.

I really think this should be addressed by improving the
bundling process to ensure the keys are removed.

Can the reporter, Jay Greguske, please comment?
Comment 8 Jay Greguske 2012-11-16 12:17:31 EST
The bundling process in EC2 is under Amazon's control, not ours, so we can't really improve that directly. I've heard arguments on both sides about what to do about existing keys, and personally I agree that the keys should not be overwritten. A warning that they exist should be emitted though.

For 6.4, I'm fine with whatever cloud init decides to do, as long as the behavior is consistent.
Comment 9 Joe Vlcek 2012-11-16 16:25:37 EST
(In reply to comment #8)
> The bundling process in EC2 is under Amazon's control, not ours, so we can't
> really improve that directly. I've heard arguments on both sides about what
> to do about existing keys, and personally I agree that the keys should not
> be overwritten.

Sure, but perhaps prior to creating the bundle the ssh keys should be
removed.

> A warning that they exist should be emitted though.

No warning is currently issued. It's not clear what value logging that
would be, since the user would need to log into the instance to view the
log, and since they can't log in it would be a bit of the: If a tree falls
in a forest and no one is there, does it make a noise? ;)

> For 6.4, I'm fine with whatever cloud init decides to do, as long as the
> behavior is consistent.

Great.

So can this bug be closed or changed to a low priority RFE to consider
having a message written to the log when existing ssh keys are found?
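The pre-bundle clean-up that comments 7 and 9 argue for (remove leftover SSH keys before the image is created, and say so where the operator can actually see it) can be scripted as a check that runs on the instance right before ec2-create-image. The script below is an added example, not cloud-init code and not part of this bug; it assumes home directories sit under a single root and, for the demo, builds a throwaway directory tree with constructed key lines instead of touching real accounts.

```shell
#!/bin/sh
# Pre-bundle SSH key hygiene check (added example, not cloud-init code).
# Assumption: every account's keys live at <ROOT>/<user>/.ssh/authorized_keys,
# e.g. ROOT=/home, plus /root handled the same way. The demo uses mktemp.

# find_authorized_keys ROOT
# Print each authorized_keys file found under ROOT, one path per line.
find_authorized_keys() {
    find "$1" -type f -path '*/.ssh/authorized_keys' 2>/dev/null | sort
}

# count_authorized_keys ROOT
# Number of authorized_keys files under ROOT (0 when the tree is clean).
count_authorized_keys() {
    find_authorized_keys "$1" | wc -l | tr -d ' '
}

# prebundle_check ROOT [remove]
# Warn on stderr about every leftover key file so the operator running the
# bundling sees it on the terminal, not only in a log on the instance.
# With the optional "remove" argument the files are deleted so the new
# image carries no baked-in keys. Returns 0 when ROOT is clean (or was
# just cleaned), 1 when key files remain.
prebundle_check() {
    root="$1"
    mode="${2:-report}"
    if [ "$(count_authorized_keys "$root")" -eq 0 ]; then
        return 0
    fi
    find_authorized_keys "$root" | while IFS= read -r f; do
        echo "warning: existing SSH key file $f ($(wc -l < "$f" | tr -d ' ') key(s))" >&2
        if [ "$mode" = "remove" ]; then
            rm -f "$f"
            echo "removed $f" >&2
        fi
    done
    if [ "$mode" = "remove" ]; then
        return 0
    fi
    return 1
}

# make_demo_tree ROOT
# Build a constructed home-directory tree with two leftover key files.
make_demo_tree() {
    mkdir -p "$1/root/.ssh" "$1/ec2-user/.ssh" "$1/nokeys"
    echo "ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_KEY_1 old-image@example" > "$1/root/.ssh/authorized_keys"
    echo "ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_KEY_2 old-image@example" > "$1/ec2-user/.ssh/authorized_keys"
}

# Demo against the throwaway tree; no real accounts are touched.
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
echo "before: $(count_authorized_keys "$demo_root") key file(s)"
prebundle_check "$demo_root" || echo "tree is not clean; do not bundle yet"
prebundle_check "$demo_root" remove
echo "after:  $(count_authorized_keys "$demo_root") key file(s)"
rm -rf "$demo_root"
```

Run in report mode first so the operator sees which accounts still carry keys; rerun with `remove` once the list is as expected, and only then call ec2-create-image. Because the non-zero exit code is returned when keys remain, the check can gate an automated bundling pipeline as well as an interactive session.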
Comment 10 Jay Greguske 2012-11-16 16:45:21 EST
We cannot close the bug until 6.4 ships; we'll be using it to track that cloud-init does in fact land in the official RHEL AMIs. That's a Rel-Eng issue though, no action needs to be taken on your part.
Comment 11 Joe Vlcek 2013-01-03 11:04:01 EST
(In reply to comment #10)
> We cannot close the bug until 6.4 ships; we'll be using it to track that
> cloud-init does in fact land in the official RHEL AMIs. That's a Rel-Eng
> issue though, no action needs to be taken on your part.

So I will assign it to you, Jay Greguske, since no action on my part
is required.
Comment 13 Steven Hardy 2013-03-20 07:53:53 EDT
Since no action is required on my part (AFAICS), reassigning to jgregusk@redhat.com as per comment #11
Comment 14 Jay Greguske 2013-03-20 13:38:49 EDT
cloud-init shipped with 6.4 AMIs, we're taking its default behaviors with respect to ssh keys.