Description of problem: Created a VM with "cloudInitConfigDrive" (pointing to a K8S secret) and "networkData". cloud-init ends up using fallback datasource, userData is not applied (cannot use the configured password) and the SSH key is not applied. If networkData is removed from the VM, there's no failure. Version-Release number of selected component (if applicable): OCP+CNV 4.8.0 How reproducible: 100% Steps to Reproduce: 1. Create a secret with rsa key 2. Create a VM which uses accessCredentials, cloudInitConfigDrive with networkData and userData 3. Start the VM Actual results: cloud-init ends up using fallback datasource, userData is not used Expected results: Cloud init should succeed, userData should be usable Additional info: ======================================================= apiVersion: v1 data: id_rsa.pub: <public key> kind: Secret metadata: creationTimestamp: "2021-03-22T08:37:27Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:id_rsa.pub: {} f:type: {} manager: OpenAPI-Generator operation: Update time: "2021-03-22T08:37:27Z" name: fedora-33-1616402246-3733685 namespace: supported-os-common-templates-fedora-test-fedora-os-support resourceVersion: "5317873" uid: b092d942-8182-4ee9-aeaa-8995ee98fcf6 type: Opaque ======================================================= apiVersion: kubevirt.io/v1 kind: VirtualMachine metadata: creationTimestamp: null labels: kubevirt.io/vm: vmb name: vmb-1616069337-0921965 spec: running: false template: metadata: creationTimestamp: null labels: kubevirt.io/domain: vmb-1616069337-0921965 kubevirt.io/vm: vmb-1616069337-0921965 spec: accessCredentials: - sshPublicKey: propagationMethod: configDrive: name: userData source: secret: secretName: vmb-1616069337-0921965 domain: cpu: cores: 1 devices: disks: - disk: bus: virtio name: containerdisk - disk: bus: virtio name: cloudinitdisk interfaces: - masquerade: {} name: default - bridge: {} name: br1test-nad - bridge: {} name: br1test-vlan100-nad - bridge: {} name: br1test-vlan300-nad rng: {} machine: type: '' resources: requests: memory: 1024Mi networks: - name: default pod: {} - multus: networkName: br1test-nad name: br1test-nad - multus: networkName: br1test-vlan100-nad name: br1test-vlan100-nad - multus: networkName: br1test-vlan300-nad name: br1test-vlan300-nad nodeSelector: kubernetes.io/hostname: ruty-4-8-17-3-lhwm2-worker-0-rbhrt terminationGracePeriodSeconds: 30 volumes: - containerDisk: image: quay.io/openshift-cnv/qe-cnv-tests-fedora:33 name: containerdisk - cloudInitConfigDrive: networkData: "ethernets:\n eth1:\n addresses:\n - 10.200.0.2/24\n\ \ eth2:\n addresses:\n - 10.200.1.2/24\n eth3:\n addresses:\n\ \ - 10.200.2.2/24\nversion: 2\n" userData: '#cloud-config chpasswd: { expire: False } password: fedora ' name: cloudinitdisk ======================================================= [ 23.143323] cloud-init[626]: Cloud-init v. 19.4 running 'init' at Thu, 18 Mar 2021 10:38:34 +0000. Up 23.11 seconds. [ 23.186753] cloud-init[626]: ci-info: +++++++++++++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++++++++++++ [ 23.216088] cloud-init[626]: ci-info: +--------+------+------------------------------+---------------+--------+-------------------+ [ 23.242946] cloud-init[626]: ci-info: | Device | Up | Address | Mask | Scope | Hw-Address | [ 23.273992] cloud-init[626]: ci-info: +--------+------+------------------------------+---------------+--------+-------------------+ [ 23.303780] cloud-init[626]: ci-info: | eth0 | True | 10.0.2.2 | 255.255.255.0 | global | 02:60:02:00:00:0c | [ 23.335098] cloud-init[626]: ci-info: | eth0 | True | fe80::60:2ff:fe00:c/64 | . | link | 02:60:02:00:00:0c | [ 23.366811] cloud-init[626]: ci-info: | eth1 | True | fe80::38a2:a07f:8d1e:e911/64 | . | link | 02:60:02:00:00:0d | [ 23.395785] cloud-init[626]: ci-info: | eth2 | True | fe80::25bc:7279:e134:4c67/64 | . | link | 02:60:02:00:00:0e | [ 23.428085] cloud-init[626]: ci-info: | eth3 | True | fe80::f4d9:bbd2:a4d9:fb76/64 | . | link | 02:60:02:00:00:0f | [ 23.442448] cloud-init[626]: ci-info: | lo | True | 127.0.0.1 | 255.0.0.0 | host | . | [ 23.468321] cloud-init[626]: ci-info: | lo | True | ::1/128 | . | host | . | [ 23.504158] cloud-init[626]: ci-info: +--------+------+------------------------------+---------------+--------+-------------------+ [ 23.524144] cloud-init[626]: ci-info: +++++++++++++++++++++++++++Route IPv4 info++++++++++++++++++++++++++++ [ 23.540367] cloud-init[626]: ci-info: +-------+-------------+----------+---------------+-----------+-------+ [ 23.556380] cloud-init[626]: ci-info: | Route | Destination | Gateway | Genmask | Interface | Flags | [ 23.574163] cloud-init[626]: ci-info: +-------+-------------+----------+---------------+-----------+-------+ [ 23.597249] cloud-init[626]: ci-info: | 0 | 0.0.0.0 | 10.0.2.1 | 0.0.0.0 | eth0 | UG | [ 23.609172] cloud-init[626]: ci-info: | 1 | 10.0.2.0 | 0.0.0.0 | 255.255.255.0 | eth0 | U | [ 23.620900] cloud-init[626]: ci-info: +-------+-------------+----------+---------------+-----------+-------+ [ 23.632737] cloud-init[626]: ci-info: +++++++++++++++++++Route IPv6 info+++++++++++++++++++ [ 23.643784] cloud-init[626]: ci-info: +-------+-------------+---------+-----------+-------+ [ 23.654357] cloud-init[626]: ci-info: | Route | Destination | Gateway | Interface | Flags | [ 23.670108] cloud-init[626]: ci-info: +-------+-------------+---------+-----------+-------+ [ 23.698188] cloud-init[626]: ci-info: | 1 | fe80::/64 | :: | eth1 | U | [ 23.721784] cloud-init[626]: ci-info: | 2 | fe80::/64 | :: | eth2 | U | [ 23.736497] cloud-init[626]: ci-info: | 3 | fe80::/64 | :: | eth3 | U | [ 23.750118] cloud-init[626]: ci-info: | 4 | fe80::/64 | :: | eth0 | U | [ 23.763242] cloud-init[626]: ci-info: | 6 | ff00::/8 | :: | eth0 | U | [ 23.777705] cloud-init[626]: ci-info: | 7 | ff00::/8 | :: | eth1 | U | [ 23.801781] cloud-init[626]: ci-info: | 8 | ff00::/8 | :: | eth2 | U | [ 23.821786] cloud-init[626]: ci-info: | 9 | ff00::/8 | :: | eth3 | U | [ 23.842777] cloud-init[626]: ci-info: +-------+-------------+---------+-----------+-------+ [ 24.815225] cloud-init[626]: Generating public/private rsa key pair. [ 24.831815] cloud-init[626]: Your identification has been saved in /etc/ssh/ssh_host_rsa_key [ 24.856870] cloud-init[626]: Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub [ 24.874948] cloud-init[626]: The key fingerprint is: [ 24.887675] cloud-init[626]: SHA256:uJG6xSocqjB+BykRGPNKhalZT+O3Va1XXUGFrumB77g root@vma-1616063867-7428157 [ 24.908017] cloud-init[626]: The key's randomart image is: [ 24.921389] cloud-init[626]: +---[RSA 3072]----+ [ 24.929083] cloud-init[626]: |+.o. . .=*| [ 24.936469] cloud-init[626]: |.*o o . . o .| [ 24.943923] cloud-init[626]: |.+o+ . . . o | [ 24.956347] cloud-init[626]: |+o o .o. . . . | [ 24.963926] cloud-init[626]: |. . ..+oS o o | [ 24.973432] cloud-init[ OK ] Finished Initial cloud-ini…ob (metadata service crawler).[626]: | ..o o.o . + | [ 24.992104] cloud-init[626]: |oo..o + o . | [ 24.999924] cloud-init[626]: |+.o. = .o | [ 25.008243] cloud-init[626]: |o...+ Eo. | [ 25.016613] cloud-init[626]: +----[SHA256]-----+ [ 25.024796] cloud-init[626]: Generating public/private dsa key pair. [ 25.034440] cloud-init[626]: Your identification has been saved in /etc/ssh/ssh_host_dsa_key [ OK ] Reached target Cloud-config availability. [ 25.063180] cloud-init[626]: Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub Starting OpenSSH server daemon... Starting Permit User Sessions... [ 25.105969] cloud-init[626]: The key fingerprint is: [ OK ] Finished Permit User Sessions.[ 25.128983] cloud-init[626]: SHA256:jNBfCJi3jtVXsx4++vlI8VHT7N60zTyG6Q5o2rmdsD8 root@vma-1616063867-7428157 [ OK ] Started Getty on tty1. [ OK ] Started Serial Getty on ttyS0. [ 25.164067] cloud-init[626]: The key's randomart image is:[ OK [ 25.185491] cloud-init[626]: +---[DSA 1024]----+] Reached target Login Prompts. [ 25.201657] cloud-init[626]: | o. | [ 25.212418] cloud-init[626]: | o... . o ..| [ 25.224178] cloud-init[626]: | ...o. .. o .+| [ 25.232173] cloud-init[626]: | .o+... o o.| [ 25.241099] cloud-init[626]: | +. S. o... o| [ 25.250331] cloud-init[626]: | . . . +oo*+| [ 25.259214] cloud-init[626]: | + o.+.+*| [ 25.268197] cloud-init[626]: | + *E+o. .| [ 25.276719] cloud-init[626]: | . =o=*+. | [ 25.286119] cloud-init[626]: +----[SHA256]-----+ [ 25.301935] [ OK ] Started OpenSSH server daemon.cloud-init[626]: Generating public/private ecdsa key pair. [ 25.320108] cloud-init[626]: Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key [ OK ] Reached target Multi-User System. Starting Update UTMP about System Runlevel Changes... [ 25.354047] cloud-init[626]: Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub [ 25.366588] cloud-init[626]: The key fingerprint is: [ 25.374340] cloud-init[626]: SHA256:M0j6fJJZY4BeRYDOe+hKpE76YODG2Q6lGxpPIJp11Pc root@vma-1616063867-7428157 [ 25.388018] cloud-init[626]: The key's randomart image is: [ 25.398284] cloud-init[626]: +---[ECDSA 256]---+ [ 25.406616] cloud-init[626]: | ..oo | [ 25.415175] cloud-init[626]: | .o . | [ 25.423437] cloud-init[626]: | oo = . | [ 25.432440] cloud-init[626]: | oo+ + . | [ 25.440118] cloud-init[626]: |+ o.+o. S E | [ 25.448135] cloud-init[626]: |**=.oo.= + | [ 25.470743] cloud-init[626]: |*@oo .* . | [ 25.481005] cloud-init[626]: |B*= . o | [ 25.497722] [ OK ] Finished Update UTMP about System Runlevel Changes.cloud-init[626]: |o++o | [ 25.516183] cloud-init[626]: +----[SHA256]-----+ [ 25.524238] cloud-init[626]: Generating public/private ed25519 key pair. [ 25.533588] cloud-init[626]: Your identification has been saved in /etc/ssh/ssh_host_ed25519_key [ 25.544716] cloud-init[626]: Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub [ 25.555744] cloud-init[626]: The key fingerprint is: [ 25.563790] cloud-init[626]: SHA256:xnhnKNnvPMYN3Ild8KdE2zi8cH5eQ9RO4JiiE7WaJjk root@vma-1616063867-7428157 [ 25.575923] cloud-init[626]: The key's randomart image is: [ 25.586637] cloud-init[626]: +--[ED25519 256]--+ [ 25.594656] cloud-init[626]: | . ...| [ 25.602349] cloud-init[626]: | . ..+..o| [ 25.610218] cloud-init[626]: | . o o=o* | [ 25.617955] cloud-init[626]: | * * .. X.+| [ 25.626102] cloud-init[626]: | E S.o+ B.= | [ 25.633895] cloud-init[626]: | B =+ + +.o| [ 25.641226] cloud-init[626]: | ..o oo| [ 25.650677] cloud-init[626]: | o+ . .| [ 25.658048] cloud-init[626]: | .o. | [ 25.665715] cloud-init[626]: +----[SHA256]-----+ Fedora 33 (Cloud Edition) Kernel 5.9.8-200.fc33.x86_64 on an x86_64 (ttyS0) vma-1616063867-7428157 login: [ 52.577472] cloud-init[695]: Cloud-init v. 19.4 running 'modules:config' at Thu, 18 Mar 2021 10:39:04 +0000. Up 52.52 seconds. [ 53.289216] cloud-init[708]: Cloud-init v. 19.4 running 'modules:final' at Thu, 18 Mar 2021 10:39:04 +0000. Up 53.23 seconds. [ 53.369738] cloud-init[708]: ci-info: no authorized ssh keys fingerprints found for user fedora.ci-info: no authorized ssh keys fingerprints found for user fedora. <14>Mar 18 10:39:04 ec2: <14>Mar 18 10:39:04 ec2: ############################################################# <14>Mar 18 10:39:04 ec2: -----BEGIN SSH HOST KEY FINGERPRINTS----- <14>Mar 18 10:39:04 ec2: 1024 SHA256:jNBfCJi3jtVXsx4++vlI8VHT7N60zTyG6Q5o2rmdsD8 root@vma-1616063867-7428157 (DSA) <14>Mar 18 10:39:04 ec2: 256 SHA256:M0j6fJJZY4BeRYDOe+hKpE76YODG2Q6lGxpPIJp11Pc root@vma-1616063867-7428157 (ECDSA) <14>Mar 18 10:39:04 ec2: 256 SHA256:xnhnKNnvPMYN3Ild8KdE2zi8cH5eQ9RO4JiiE7WaJjk root@vma-1616063867-7428157 (ED25519) <14>Mar 18 10:39:04 ec2: 3072 SHA256:uJG6xSocqjB+BykRGPNKhalZT+O3Va1XXUGFrumB77g root@vma-1616063867-7428157 (RSA) <14>Mar 18 10:39:04 ec2: -----END SSH HOST KEY FINGERPRINTS----- <14>Mar 18 10:39:04 ec2: ############################################################# -----BEGIN SSH HOST KEY KEYS----- ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLkD01rgPuKwK1RD4DueCvIqVu4+im3E6Fkk66Hvax2F44tYbA2N09ADnPA9OQaOVxGQ0VHfM1mB780PNfmDPR4= root@vma-1616063867-7428157 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+jn561/lZKjkImQmErXM0UtuH2TqZlKKCumXnj235+ root@vma-1616063867-7428157 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC78q92O4JRZOqTbTHJrr4d/o7AJLQGP3egHAj49WtDySjKTqK4DVj59Poxu9VWbq2lihMDr4zMsku50KtwF++H//puLzucoq68LgF5miw78udUpy8/jvew93l6RGhTEOdt9YQrsStOYvy3bxU5RV82/Tkhi4Cjd14w8etO25lIvuySKqcQ/u9WHpkw+klSJSblkzPQsYdKcQYG7h33CGtg/yoLok5fbWJoqBOIAoNFqiEf97UX/Bpwa2qIPMoFhMgZgKhmB8gwTRpiCh6Uy4CWW5djP5drULNM5FnLMZ6cdpZQGcV88VdgyjWWlxIPPs/v4DmdtgOU4KoHTpXEg46NKSuC1Qxdfx9bEnAODD1o21fAuigEDpfIR4RnK1/c2Av2RTZiM0qkbXq9nUkp2LBs0LNq+poKZrISCM6OGcF92ulhHAHgx6uFXyZbFrtHVOpZeRXkxlxoMCipf/k0fYHtTuE/DNvfsjnqQBICyYl6tFiM3doEdmkXZU5HACIvev8= root@vma-1616063867-7428157 -----END SSH HOST KEY KEYS----- [ 53.576126] cloud-init[708]: Cloud-init v. 19.4 finished at Thu, 18 Mar 2021 10:39:05 +0000. Datasource DataSourceNone. Up 53.57 seconds [ 53.592411] cloud-init[708]: 2021-03-18 10:39:05,098 - cc_final_message.py[WARNING]: Used fallback datasource =======================================================
As per the cloud init documentation - [0] - the only data source that allows for network config v2 is the no cloud data source. That is the configuration format you are indeed using. For the config drive data source, you would need to use either ENI - [1] - or OpenStack Metadata Service Network - [2]. [0] - https://cloudinit.readthedocs.io/en/latest/topics/network-config.html#network-configuration-sources [1] - https://cloudinit.readthedocs.io/en/latest/topics/network-config-format-eni.html#network-config-eni [2] - https://specs.openstack.org/openstack/nova-specs/specs/liberty/implemented/metadata-service-network-info.html#rest-api-impact
I did not mention that I really do not expect OpenStack Metadata Service Network format to work at all, since it refers to entities on a data model that does not exist on kubevirt. https://specs.openstack.org/openstack/nova-specs/specs/liberty/implemented/metadata-service-network-info.html#rest-api-impact
(In reply to Miguel Duarte Barroso from comment #3) > I did not mention that I really do not expect OpenStack Metadata Service > Network format to work at all, since it refers to entities on a data model > that does not exist on kubevirt. > > https://specs.openstack.org/openstack/nova-specs/specs/liberty/implemented/ > metadata-service-network-info.html#rest-api-impact OK it does work. *Some* of the attributes (vif_id, id, network_id) used make no sense on non-openstack providers but are required according to the schema [0]. Please try to repeat your experiment but with this following network data section: ```yaml --- apiVersion: kubevirt.io/v1alpha3 kind: VirtualMachine metadata: creationTimestamp: null labels: kubevirt.io/vm: vmb name: vmb-1616069337-0921965 spec: running: false template: metadata: creationTimestamp: null labels: kubevirt.io/domain: vmb-1616069337-0921965 kubevirt.io/vm: vmb-1616069337-0921965 spec: accessCredentials: - sshPublicKey: propagationMethod: configDrive: name: id_rsa.pub source: secret: secretName: my-key # the name of the secret object ( I exported it w/ `kubectl create secret generic my-key --from-file=ssh-publickey=<path_to_public_key>` ) domain: cpu: cores: 1 devices: disks: - disk: bus: virtio name: containerdisk - disk: bus: virtio name: cloudinitdisk interfaces: - masquerade: {} name: default rng: {} machine: type: '' resources: requests: memory: 1024Mi networks: - name: default pod: {} terminationGracePeriodSeconds: 30 volumes: - containerDisk: image: quay.io/openshift-cnv/qe-cnv-tests-fedora:33 name: containerdisk - cloudInitConfigDrive: networkData: | { "links": [ { "id": "tap0", "name": "eth0", "mtu": 1500, "type": "tap", "vif_id": "3c54ff58-02b5-499e-bed0-03530f89e624" # pointless attribute. } ], "networks": [ { "id": "network0", "name": "eth0", "link": "tap0", "network_id": "764d0ecb-f8a5-47d9-b034-53b5b61666a7", # pointless attribute. "type": "ipv4_dhcp" }, { "id": "network1", "name": "eth0", "link": "tap0", "network_id": "764d0ecb-f8a5-47d9-b034-53b5b61666a8", # pointless attribute. "routes": [ { "gateway": "fd10:0:2::1", "netmask": "120", "network": "::0" } ], "address": "fd10:0:2::2/120", "type": "static" } ], "services": [] } userData: |- #cloud-config chpasswd: { expire: False } password: fedora name: cloudinitdisk ``` Please confirm this works for you, so we can close the bug (not a bug). [0] - https://docs.openstack.org/nova/latest/_downloads/9119ca7ac90aa2990e762c08baea3a36/network_data.json
@David, the issue in this bug was found when testing https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#static-ssh-key-injection-via-cloud-init Please see https://bugzilla.redhat.com/show_bug.cgi?id=1941470#c4, it appears to be the only way to use SSH injection using cloudInitConfigDrive provider and configure networkData (though the are some issues which Miguel is looking into). Could a different provider be used? If not then I think we should change this bug to a doc bug. WDYT? @Miguel, tested with the provided yaml: IP and route are set: 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP group default qlen 1000 link/ether 52:54:00:83:6a:35 brd ff:ff:ff:ff:ff:ff altname enp1s0 inet 10.0.2.2/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0 valid_lft 86309432sec preferred_lft 86309432sec inet6 fd10:0:2::2/120 scope global noprefixroute valid_lft forever preferred_lft forever inet6 fe80::5054:ff:fe83:6a35/64 scope link noprefixroute valid_lft forever preferred_lft forever $ ip -6 r ::1 dev lo proto kernel metric 256 pref medium ::/120 via fd10:0:2::1 dev eth0 proto static metric 100 pref medium fd10:0:2::/120 dev eth0 proto kernel metric 100 pref medium fe80::/64 dev eth0 proto kernel metric 100 pref medium MTU is not set: 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 link/ether 52:54:00:83:6a:35 brd ff:ff:ff:ff:ff:ff altname enp1s0 Ping worked on your cluster but not on mine: $ tracepath fd10:0:2::1 1?: [LOCALHOST] 0.032ms pmtu 1450 1: vmb-1616069337-0921965 3096.493ms !H Resume: pmtu 1450
I think the cnv cluster is not configured in dual stack mode. As can be seen, the launcher pods do not have an IPv6 global unicast address on their pod primary interface, which is the criteria for kubevirt to install the flows that implement DNAT/masquerade in the pod, which would enable the VM to ping the gateway. $ kubectl get pods NAME READY STATUS RESTARTS AGE ... virt-launcher-vm-mdb-bcmqb 2/2 Running 0 7m28s ... $ kubectl exec -it virt-launcher-vm-mdb-bcmqb -- ip addr show eth0 Defaulting container name to compute. Use 'kubectl describe pod/virt-launcher-vm-mdb-bcmqb -n default' to see all of the containers in this pod. 3: eth0@if680: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default link/ether 0a:58:0a:81:02:ba brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 10.129.2.186/23 brd 10.129.3.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::8827:2cff:fe90:633e/64 scope link valid_lft forever preferred_lft forever Are you sure the cluster is configured in dual-stack mode ? If not, there's no way the gateway will be pinged. I have left this running VM / pod on the cluster whose credentials @rnetser gave over private msg.
(In reply to Ruth Netser from comment #5) > @David, the issue in this bug was found when testing > https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/ > #static-ssh-key-injection-via-cloud-init > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1941470#c4, it > appears to be the only way to use SSH injection using cloudInitConfigDrive > provider and configure networkData (though the are some issues which Miguel > is looking into). > Could a different provider be used? unfortunately a different cloud-init provider can not be used for the access credentials api. ConfigDrive allows for ssh keys to be injected using metadata, where as noCloud appears to not allow this. We at least only support it with COnfigDrive. > If not then I think we should change > this bug to a doc bug. WDYT? possibly, I'll let the network team confirm whether this is something that can be handled within docs or not.
(In reply to David Vossel from comment #8) > (In reply to Ruth Netser from comment #5) > > @David, the issue in this bug was found when testing > > https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/ > > #static-ssh-key-injection-via-cloud-init > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1941470#c4, it > > appears to be the only way to use SSH injection using cloudInitConfigDrive > > provider and configure networkData (though the are some issues which Miguel > > is looking into). > > Could a different provider be used? > > unfortunately a different cloud-init provider can not be used for the access > credentials api. ConfigDrive allows for ssh keys to be injected using > metadata, where as noCloud appears to not allow this. We at least only > support it with COnfigDrive. > > > If not then I think we should change > > this bug to a doc bug. WDYT? > > possibly, I'll let the network team confirm whether this is something that > can be handled within docs or not. We could definitely update the docs indicating the special considerations to take when we want to inject ssh public keys along w/ IPv6 network configuration in the docs, but personally, I think it raises a lot of questions; having to provision the nonsense ID related attributes to comply w/ the json schema is particularly jaw dropping. I have investigated the cloud init automatic translation mechanisms - [0] - (imo, this would be a neat solution, since the user would just use a tool to translate our example to the openstack metadata format) but it doesn't work in that direction (it **does work** from openstack metadata to netplan (network config v2; we need the opposite). I am unsure what's worse; document this, or leave it undocumented, and hope no one requires this use case. I would say the most sensible thing to do is to discourage this use case (if you use network data, use NoCloud datasource) on the docs. [0] - https://cloudinit.readthedocs.io/en/latest/topics/network-config.html#network-configuration-tools
(In reply to Miguel Duarte Barroso from comment #9) > (In reply to David Vossel from comment #8) > > (In reply to Ruth Netser from comment #5) > > > @David, the issue in this bug was found when testing > > > https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/ > > > #static-ssh-key-injection-via-cloud-init > > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1941470#c4, it > > > appears to be the only way to use SSH injection using cloudInitConfigDrive > > > provider and configure networkData (though the are some issues which Miguel > > > is looking into). > > > Could a different provider be used? > > > > unfortunately a different cloud-init provider can not be used for the access > > credentials api. ConfigDrive allows for ssh keys to be injected using > > metadata, where as noCloud appears to not allow this. We at least only > > support it with COnfigDrive. > > > > > If not then I think we should change > > > this bug to a doc bug. WDYT? > > > > possibly, I'll let the network team confirm whether this is something that > > can be handled within docs or not. > > We could definitely update the docs indicating the special considerations to > take when we want to inject ssh public keys along w/ IPv6 network > configuration in the docs, > but personally, I think it raises a lot of questions; having to provision > the nonsense ID related attributes to comply w/ the json schema is > particularly jaw dropping. > > I have investigated the cloud init automatic translation mechanisms - [0] - > (imo, this would be a neat solution, since the user would just use a tool to > translate our > example to the openstack metadata format) but it doesn't work in that > direction (it **does work** from openstack metadata to netplan (network > config v2; we need the > opposite). > > I am unsure what's worse; document this, or leave it undocumented, and hope > no one requires this use case. > > I would say the most sensible thing to do is to discourage this use case (if > you use network data, use NoCloud datasource) on the docs. The issue is that you cannot use both NoCloud and cloudInitConfigDrive so I you'd like to use SSH injection, you'd have to use cloudInitConfigDrive. > > [0] - > https://cloudinit.readthedocs.io/en/latest/topics/network-config. > html#network-configuration-tools
(In reply to Miguel Duarte Barroso from comment #9) > (In reply to David Vossel from comment #8) > > (In reply to Ruth Netser from comment #5) > > > @David, the issue in this bug was found when testing > > > https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/ > > > #static-ssh-key-injection-via-cloud-init > > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1941470#c4, it > > > appears to be the only way to use SSH injection using cloudInitConfigDrive > > > provider and configure networkData (though the are some issues which Miguel > > > is looking into). > > > Could a different provider be used? > > > > unfortunately a different cloud-init provider can not be used for the access > > credentials api. ConfigDrive allows for ssh keys to be injected using > > metadata, where as noCloud appears to not allow this. We at least only > > support it with COnfigDrive. > > > > > If not then I think we should change > > > this bug to a doc bug. WDYT? > > > > possibly, I'll let the network team confirm whether this is something that > > can be handled within docs or not. > > We could definitely update the docs indicating the special considerations to > take when we want to inject ssh public keys along w/ IPv6 network > configuration in the docs, > but personally, I think it raises a lot of questions; having to provision > the nonsense ID related attributes to comply w/ the json schema is > particularly jaw dropping. > > I have investigated the cloud init automatic translation mechanisms - [0] - > (imo, this would be a neat solution, since the user would just use a tool to > translate our > example to the openstack metadata format) but it doesn't work in that > direction (it **does work** from openstack metadata to netplan (network > config v2; we need the > opposite). > > I am unsure what's worse; document this, or leave it undocumented, and hope > no one requires this use case. > > I would say the most sensible thing to do is to discourage this use case (if > you use network data, use NoCloud datasource) on the docs. The issue is that you cannot use both NoCloud and cloudInitConfigDrive so If you'd like to use SSH injection, you'd have to use cloudInitConfigDrive. > > [0] - > https://cloudinit.readthedocs.io/en/latest/topics/network-config. > html#network-configuration-tools
(In reply to Ruth Netser from comment #11) > (In reply to Miguel Duarte Barroso from comment #9) > > (In reply to David Vossel from comment #8) > > > (In reply to Ruth Netser from comment #5) > > > > @David, the issue in this bug was found when testing > > > > https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/ > > > > #static-ssh-key-injection-via-cloud-init > > > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1941470#c4, it > > > > appears to be the only way to use SSH injection using cloudInitConfigDrive > > > > provider and configure networkData (though the are some issues which Miguel > > > > is looking into). > > > > Could a different provider be used? > > > > > > unfortunately a different cloud-init provider can not be used for the access > > > credentials api. ConfigDrive allows for ssh keys to be injected using > > > metadata, where as noCloud appears to not allow this. We at least only > > > support it with COnfigDrive. > > > > > > > If not then I think we should change > > > > this bug to a doc bug. WDYT? > > > > > > possibly, I'll let the network team confirm whether this is something that > > > can be handled within docs or not. > > > > We could definitely update the docs indicating the special considerations to > > take when we want to inject ssh public keys along w/ IPv6 network > > configuration in the docs, > > but personally, I think it raises a lot of questions; having to provision > > the nonsense ID related attributes to comply w/ the json schema is > > particularly jaw dropping. > > > > I have investigated the cloud init automatic translation mechanisms - [0] - > > (imo, this would be a neat solution, since the user would just use a tool to > > translate our > > example to the openstack metadata format) but it doesn't work in that > > direction (it **does work** from openstack metadata to netplan (network > > config v2; we need the > > opposite). > > > > I am unsure what's worse; document this, or leave it undocumented, and hope > > no one requires this use case. > > > > I would say the most sensible thing to do is to discourage this use case (if > > you use network data, use NoCloud datasource) on the docs. > > The issue is that you cannot use both NoCloud and cloudInitConfigDrive so If > you'd like to use SSH injection, you'd have to use cloudInitConfigDrive. I'm aware. What I'm saying is that using a config drive network data requires to use openstack metadata format, something which is very confusing to use outside non openstack providers. I am recommending not documenting that, because it does raise a lot more questions than it answers (complying with the schema requires using some attributes that quite simply just do not have any meaning in kubevirt's data model). Since the networkData is really only needed for IPv6 configurations, I think keeping the documentation as is, is the best option available. People that want to use this use case for IPv6 should either be discouraged, or explained they are forced to use openstack metadata format, which, imo, makes no sense outside of openstack. > > > > [0] - > > https://cloudinit.readthedocs.io/en/latest/topics/network-config. > > html#network-configuration-tools
(In reply to Miguel Duarte Barroso from comment #12) > (In reply to Ruth Netser from comment #11) > > (In reply to Miguel Duarte Barroso from comment #9) > > > (In reply to David Vossel from comment #8) > > > > (In reply to Ruth Netser from comment #5) > > > > > @David, the issue in this bug was found when testing > > > > > https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/ > > > > > #static-ssh-key-injection-via-cloud-init > > > > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1941470#c4, it > > > > > appears to be the only way to use SSH injection using cloudInitConfigDrive > > > > > provider and configure networkData (though the are some issues which Miguel > > > > > is looking into). > > > > > Could a different provider be used? > > > > > > > > unfortunately a different cloud-init provider can not be used for the access > > > > credentials api. ConfigDrive allows for ssh keys to be injected using > > > > metadata, where as noCloud appears to not allow this. We at least only > > > > support it with COnfigDrive. > > > > > > > > > If not then I think we should change > > > > > this bug to a doc bug. WDYT? > > > > > > > > possibly, I'll let the network team confirm whether this is something that > > > > can be handled within docs or not. > > > > > > We could definitely update the docs indicating the special considerations to > > > take when we want to inject ssh public keys along w/ IPv6 network > > > configuration in the docs, > > > but personally, I think it raises a lot of questions; having to provision > > > the nonsense ID related attributes to comply w/ the json schema is > > > particularly jaw dropping. > > > > > > I have investigated the cloud init automatic translation mechanisms - [0] - > > > (imo, this would be a neat solution, since the user would just use a tool to > > > translate our > > > example to the openstack metadata format) but it doesn't work in that > > > direction (it **does work** from openstack metadata to netplan (network > > > config v2; we need the > > > opposite). > > > > > > I am unsure what's worse; document this, or leave it undocumented, and hope > > > no one requires this use case. > > > > > > I would say the most sensible thing to do is to discourage this use case (if > > > you use network data, use NoCloud datasource) on the docs. > > > > The issue is that you cannot use both NoCloud and cloudInitConfigDrive so If > > you'd like to use SSH injection, you'd have to use cloudInitConfigDrive. > > I'm aware. > > What I'm saying is that using a config drive network data requires to use > openstack metadata format, > something which is very confusing to use outside non openstack providers. > > I am recommending not documenting that, because it does raise a lot more > questions than it answers > (complying with the schema requires using some attributes that quite simply > just do not have any > meaning in kubevirt's data model). This is exactly why I think we should have this issue documented along with the SSH injection feature :) @Petr, wdyt? > > Since the networkData is really only needed for IPv6 configurations, I think > keeping the documentation > as is, is the best option available. > > People that want to use this use case for IPv6 should either be discouraged, > or explained they are > forced to use openstack metadata format, which, imo, makes no sense outside > of openstack. > > > > > > > [0] - > > > https://cloudinit.readthedocs.io/en/latest/topics/network-config. > > > html#network-configuration-tools
I tend to agree that this should remain open. We should not document anything about the OpenStack network format but at the same time, it should not be blocked. For the documentation, I would do it the other way around - whenever we document networkData, we should say that is is supported only with noCloud. So we don't need to document it on every place where we use cloudInitConfigDrive. Would that make sense?
> For the documentation, I would do it the other way around - whenever we document networkData, we should say that is is supported only with noCloud. So we don't need to document it on every place where we use cloudInitConfigDrive. Would that make sense? Do you think it would be reasonable to create a knowledge base article for ipv6+configDrive to at least close the gap a bit here?
(In reply to David Vossel from comment #15) > > For the documentation, I would do it the other way around - whenever we document networkData, we should say that is is supported only with noCloud. So we don't need to document it on every place where we use cloudInitConfigDrive. Would that make sense? As a user may bump into this when trying to define networkData, I lean toward documenting it there. > > Do you think it would be reasonable to create a knowledge base article for > ipv6+configDrive to at least close the gap a bit here? @Petr?
(In reply to Ruth Netser from comment #16) > (In reply to David Vossel from comment #15) > > > For the documentation, I would do it the other way around - whenever we document networkData, we should say that is is supported only with noCloud. So we don't need to document it on every place where we use cloudInitConfigDrive. Would that make sense? > As a user may bump into this when trying to define networkData, I lean > toward documenting it there. Just to be sure, by there you mean in suggested networkData documentation (in this case, wherever we document how to use networkData with dual-stack)? > > > > Do you think it would be reasonable to create a knowledge base article for > > ipv6+configDrive to at least close the gap a bit here? > > @Petr? I would be for a knowledge base, but against documenting the awkward API there. Could we instead state that "networkData is not supported with cloudInitConfigDrive" and "in case you need to perform additional network configuration, use the userData section and a command line network configuration tool depending on your guest OS" and below that, show an example of how to do this with NetworkManager. This way it would be clear, within borders of what we want to support and still helpful in a situation when somebody wants to use both of those features. Thoughts?
Sounds good to me.
Proposed https://access.redhat.com/articles/6022791. @rnetser Could you review it ? moving the bug to post.
@mduarted, maybe add a note that a service needs to be created to access the VM via SSH (not directly related to the topic but relevant for SSH)? Other then that, LGTM
(In reply to Ruth Netser from comment #20) > @mduarted, maybe add a note that a service needs to be created to > access the VM via SSH (not directly related to the topic but relevant for > SSH)? I am not specifying any port in the spec, which would make all ports reachable. Never the less, access to the VM via SSH is not in scope of the article (but I think the provided example does not prevent it). > Other then that, LGTM
A workaround was provided via a KBase article that should be published once both dual-stack and SSH key injection features get published.