[StarCluster] creating a new AMI for starcluster -- can't log in

Marc Resnick mresnick at MIT.EDU
Sat Oct 30 08:54:07 EDT 2010


Hey Dan,

Just tested. I was able to SSH as root after editing authorized_keys.
Changed set_disable_root to 0, and, looking through cloud-init, you're
right, the line numbers have changed, so 67 no longer applies. The new
line is 97, and reads:

cloud.sem_and_run("set_hostname", "once-per-instance",
                set_hostname, [ hostname, log ], False)

So replace the "once-per-instance" with always, and root login
shouldn't be an issue.


Marc

On Sat, Oct 30, 2010 at 8:31 AM, Marc Resnick <mresnick at mit.edu> wrote:
> In my experience (mostly with a 10.04 alestic cluster), once you
> remove the command prefix from the authorized keys file, you should be
> able to SSH as root. However, if the instance restarts and
> (set_disable_root == True), the commands prefix will be put back in.
>
> So, unless 10.10 is completely and totally different, try SSHing as
> root after you fix the authorized_keys file. If that doesn't work,
> something is wrong (or 10.10 is completely and totally different).
>
> I'll see if I can replicate the behavior you're seeing.
>
> Marc
>
> On Fri, Oct 29, 2010 at 8:07 PM, Dan Tenenbaum <dtenenba at fhcrc.org> wrote:
>> OK, I spoke too soon.
>> This didn't work either.
>> After I made this change, I was able to ssh to the machine as root, but
>> after I made an AMI out of that instance, I could not ssh either as root or
>> as ubuntu.
>> Could this have something to do with the preparation that starcluster does
>> prior to creating an image?
>> Next I'll try just creating a starcluster image without altering anything
>> and see if I can ssh in as ubuntu.
>> If that doesn't work, I'll try creating an image without using starcluster
>> at all (instead running ec2-bundle-vol and ec2-upload-bundle on the
>> instance).
>> Thanks
>> Dan
>>
>>
>> On Fri, Oct 29, 2010 at 4:55 PM, Dan Tenenbaum <dtenenba at fhcrc.org> wrote:
>>>
>>> I found the answer, hidden here:
>>> http://alestic.com/2009/04/ubuntu-ec2-sudo-ssh-rsync
>>> ROOT SSH
>>> Finally, if you wish to circumvent the Ubuntu security standard and revert
>>> to the old practice of allowing ssh and rsync as root, this command will
>>> open it up for a new instance of the official Ubuntu images:
>>> ssh -i KEYPAIR.pem ubuntu@HOSTNAME 'sudo cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/'
>>> This is not recommended, but it may be a way to get existing EC2
>>> automation code to continue working until you can upgrade to the sudo
>>> practices described above.
>>> I didn't have to do any of the steps described on the cookbook page.
>>> I'll find out later I guess if they are still necessary.
>>> Thanks
>>> Dan
>>>
>>> On Fri, Oct 29, 2010 at 4:45 PM, Dan Tenenbaum <dtenenba at fhcrc.org> wrote:
>>>>
>>>> Hi all,
>>>> I am following the instructions here:
>>>>
>>>> http://starcluster.scripts.mit.edu/~starcluster/wiki/index.php?title=StarCluster_AMI_Cookbook_Ubuntu_10.04
>>>> ...to create a new AMI for use with StarCluster.
>>>> The problem is, I end up with an AMI that I cannot ssh into.
>>>> I am using Ubuntu 10.10 instead of 10.04.
>>>> I need some clarification on these steps:
>>>>
>>>> Configure Root Login
>>>> The alestic AMI's have been configured to disable root logins. Follow the
>>>> commands below to undo this behavior:
>>>>
>>>> edit /etc/cloud/cloud.cfg and set disable_root: 0
>>>> edit /root/.ssh/authorized_keys and remove prefix commands from pubkey
>>>> entry
>>>> edit /usr/bin/cloud-init, go to line 67 and change 'once-per-instance' to
>>>> 'always', save and exit
>>>>
>>>> Step 1 is easy. Step 3 I'm not sure about since that file looks different
>>>> in Ubuntu 10.10 and the string "once-per-instance" occurs three times in the
>>>> file. Should I change all occurrences of it?
>>>> Step 2 is the one that I think is messing me up.
>>>> Before modification, /root/.ssh/authorized_keys looked like this:
>>>> command="echo 'Please login as the ubuntu user rather than root user.';echo;sleep 10" ssh-rsa AAAAB3..... my-keypair
>>>> (actual public key omitted)
>>>> I edited it to look like this:
>>>> ssh-rsa AAAAB3..... my-keypair
>>>> This is how a typical authorized_keys line looks, in my (limited)
>>>> experience. I've never seen one with a command in it before.
>>>> But I'm wondering if it is still being interpreted as a command. Could it
>>>> be because of something I did in step 2 or 3?
>>>> Hope someone can help. It's no fun having instances I can't log into. ;(
>>>> Dan
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> StarCluster mailing list
>>>> StarCluster at mit.edu
>>>> http://mailman.mit.edu/mailman/listinfo/starcluster
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
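
Added example, not part of the original thread or of cloud-init: a small audit of authorized_keys text that reports which entries still carry the command="..." forced-command prefix discussed above, useful for checking an instance before bundling an AMI and again after a reboot. The function names and the sample key bodies are constructed for illustration.

```python
import re

# Key type names that can start the key field of an authorized_keys entry.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")

# Constructed sample: the two forms of the root entry shown in the thread,
# with a placeholder standing in for the omitted public key.
SAMPLE = (
    "command=\"echo 'Please login as the ubuntu user rather than root "
    "user.';echo;sleep 10\" ssh-rsa AAAAB3CONSTRUCTED my-keypair\n"
    "ssh-rsa AAAAB3CONSTRUCTED my-keypair\n"
)

def split_options(line):
    """Return (options, rest). The options field ends at the first space
    outside double quotes; an escaped quote does not close a value."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return "", line                      # entry has no options field
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes and line[i + 1:i + 2] == '"':
            i += 2                           # skip the escaped quote
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""

def forced_command(options):
    """Value of command="..." in an options string, or None if absent."""
    m = re.search(r'(?:^|,)command="((?:\\"|[^"])*)"', options, re.IGNORECASE)
    return m.group(1).replace('\\"', '"') if m else None

def audit(text):
    """Return [(comment, forced_command_or_None)] for each key entry."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        fields = rest.split(None, 2)         # key type, key body, comment
        results.append((fields[2] if len(fields) > 2 else "",
                        forced_command(options)))
    return results

if __name__ == "__main__":
    for comment, cmd in audit(SAMPLE):
        print(comment, "->", "forced command: " + cmd if cmd else "unrestricted")
```

An entry reported with a forced command runs that command instead of a shell, which is why root logins print the "Please login as the ubuntu user" message and disconnect.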



