Red Hat Bugzilla – Bug 823634
Always Retrieve New SSH key in RHEL AMIs
Last modified: 2016-04-26 09:33:20 EDT
Description of problem:
If an SSH key already exists on a RHEL AMI instance, it will not attempt to download another one. This is problematic for rebundles, even though one should be careful to remove their SSH keys anyway. It would be better if a warning was issued instead.
Steps to Reproduce:
1. Boot an AMI
2. Use ec2-create-image to rebundle it
3. Boot that new AMI with a different key
Actual results:
Cannot log in since the new key was not retrieved.
Expected results:
Issue a warning and then download the new key anyway.
The cloud-init package may solve this behavior for us. (see rhbz 770467)
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Modifying cloud-init to overwrite existing key might make the
rebundling process a little more bullet proof but would not be
a good solution.
Other users of cloud-init might very well expect existing keys
not to be overwritten.
I really think this should be address by improving the
bundling process to ensure the keys are removed.
Can the reporter, Jay Greguske, please comment?
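The comment above argues that the fix belongs in the bundling step: make sure no authorized_keys files survive into the image, rather than having cloud-init overwrite them on the next boot. The following is an added example, not code from this bug or from cloud-init, of a pre-bundle check that reports any leftover authorized_keys files under the root and home directories and, once reviewed, removes them before ec2-create-image is run. The ROOT argument and the two function names are assumptions for illustration; the test data is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of cloud-init.
# ROOT (assumption) is the filesystem root to scan; it defaults to /.

# find_authorized_keys ROOT
# Reports every authorized_keys file for root and for each home directory.
# Returns 0 when none exist, 1 when at least one is found, so it can gate
# a rebundling script.
find_authorized_keys() {
    root="${1:-/}"
    found=0
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        # An unmatched glob stays literal and fails this test, so it is skipped.
        [ -f "$f" ] || continue
        echo "WARNING: existing SSH key file: $f"
        found=1
    done
    return $found
}

# clean_authorized_keys ROOT
# Removes the files that find_authorized_keys reports so the rebundled
# image does not carry the previous instance's keys into every new boot.
clean_authorized_keys() {
    root="${1:-/}"
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        rm -f "$f"
    done
}

# Stand-alone use: sh pre-bundle-check.sh /   (only reports; cleaning is a
# separate, deliberate step)
if [ $# -gt 0 ]; then
    if find_authorized_keys "$1"; then
        echo "No leftover authorized_keys files found."
    else
        echo "Remove the files above (clean_authorized_keys) before ec2-create-image."
    fi
fi
```

Running the check against / on the instance before rebundling gives the warning the bug asks for at the one point where someone is still logged in to read it; on the next boot cloud-init then finds no existing key and fetches the new one as usual.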
The bundling process in EC2 is under Amazon's control, not ours, so we can't really improve that directly. I've heard arguments on both sides about what to do about existing keys, and personally I agree that the keys should not be overwritten. A warning that they exist should be emitted though.
For 6.4, I'm fine with whatever cloud init decides to do, as long as the behavior is consistent.
(In reply to comment #8)
> The bundling process in EC2 is under Amazon's control, not ours, so we can't
> really improve that directly. I've heard arguments on both sides about what
> to do about existing keys, and personally I agree that the keys should not
> be overwritten.
Sure but perhaps prior to creating the bundle the ssh keys should be
> A warning that they exist should be emitted though.
No warning is currently issued. It's not clear what value logging that
would be since the user would need to log into the instance to view the
log and since they can't log in it would be a bit of the: If a tree falls
in a forest and no one is there does it make a noise. ;)
> For 6.4, I'm fine with whatever cloud init decides to do, as long as the
> behavior is consistent.
So can this bug be closed or changed to a low priority RFE to consider
having a message written to the log when existing ssh keys are found?
We cannot close the bug until 6.4 ships, we'll be using it to track that cloud-init does in fact land in the official RHEL AMIs. That's a Rel-Eng issue though, no action needs to be taken on your part.
(In reply to comment #10)
> We cannot close the bug until 6.4 ships, we'll be using it to track that
> cloud-init does in fact land in the official RHEL AMIs. That's a Rel-Eng
> issue though, no action needs to be taken on your part.
So I will assign it to you, Jay Greguske, since no action on my part
Since no action required on my part (AFAICS) reassigning to email@example.com as per comment #11
cloud-init shipped with 6.4 AMIs, we're taking its default behaviors with respect to ssh keys.