
SSH host keys are regenerated each time a VM does a stop/start #678


Open
agaffney opened this issue Feb 23, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@agaffney

Description

This is a (hopefully) unintended side effect of #273. Because the instance-id changes, cloud-init treats it like it's the first boot and does all the first-boot things, like deleting the existing SSH host keys and regenerating new ones. I was able to work around this in an existing VM by creating a file in /etc/cloud/cloud.cfg.d with ssh_deletekeys: false, but this is not an ideal solution.

@agaffney
Author

CC @jandubois (author of #273)

@jandubois
Member

This is a (hopefully) unintended side effect of #273.

Yes, this is unintended. Do you have any suggestion how to deal with this?

My naïve idea would be to create a /etc/cloud/cloud.cfg.d/lima file with ssh_deletekeys: false during provisioning, so it would be in place automatically. Would that work for you?

@jandubois jandubois added the bug Something isn't working label Feb 23, 2022
@agaffney
Author

As long as that file is dropped after cloud-init has run for the first time, that shouldn't cause any issues with cloud images that may already have SSH host keys in them (we want them to be deleted and regenerated), and it should address this problem.

@jandubois
Member

As long as that file is dropped after cloud-init has run for the first time

This will automatically be true because we can't run anything until cloud-init has dropped our authorized keys.

Note that you can do this right now yourself in lima.yaml with your own script:

provision:
- mode: system
  script: |
    #!/bin/sh
    mkdir -p /etc/cloud/cloud.cfg.d
    echo "ssh_deletekeys: false" > /etc/cloud/cloud.cfg.d/lima

Well, maybe use a different name than lima, because that's what I may use for the built-in version of this.

Put this into ~/.lima/_config/override.yaml and it will automatically be applied to all your instances from that point forward.

@agaffney
Author

agaffney commented Feb 25, 2022

This will automatically be true because we can't run anything until cloud-init has dropped our authorized keys.

I more meant sticking it in the cloud-init config provided at boot vs. dropping a file "manually" after first boot.

@vessux

vessux commented May 30, 2022

All files in /etc/cloud/cloud.cfg.d/ that are to be read by cloud-init must have the .cfg extension, so if you want to use the workaround by @jandubois, add .cfg to the filename in the override.yaml file.

example:

provision:
- mode: system
  script: |
    #!/bin/sh
    mkdir -p /etc/cloud/cloud.cfg.d
    echo "ssh_deletekeys: false" > /etc/cloud/cloud.cfg.d/lima-local.cfg
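The two provision scripts above only write the drop-in. The following POSIX sh helpers, added here as an example and not code from the Lima project or from either commenter, also cover the two checks a practitioner wants around it: listing drop-ins that cloud-init will silently ignore (a file without the .cfg suffix, which is exactly the trap in the first script), and snapshotting the host public keys so a before/after comparison shows whether a stop/start regenerated them. The root-directory argument, the 99-keep-hostkeys.cfg name and the use of cksum are choices made for this example; every function takes an optional root ($1) so it can be exercised against a scratch tree instead of the live VM.

```shell
#!/bin/sh
# Added example, not Lima's own code. Helpers to (1) write the cloud-init
# drop-in that keeps existing SSH host keys across a stop/start, (2) find
# drop-ins cloud-init will silently ignore, and (3) snapshot host public keys
# so a before/after comparison shows whether they were regenerated.
# Every function takes an optional root directory ($1); leave it empty to
# operate on the real /etc inside the VM.
set -eu

# cloud-init reads /etc/cloud/cloud.cfg.d/*.cfg only, so the name must end in
# .cfg. The 99- prefix is this example's choice: drop-ins are merged in
# lexical order, so a high number keeps this override late in the merge.
write_keep_hostkeys_dropin() {
    dir="${1:-}/etc/cloud/cloud.cfg.d"
    mkdir -p "$dir"
    printf 'ssh_deletekeys: false\n' > "$dir/99-keep-hostkeys.cfg"
    printf '%s\n' "$dir/99-keep-hostkeys.cfg"
}

# Files in cloud.cfg.d without a .cfg suffix are never read; a drop-in named
# plain "lima" shows up here and the host keys keep getting regenerated.
ignored_dropins() {
    dir="${1:-}/etc/cloud/cloud.cfg.d"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.cfg) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# One line per host public key: "<file> <cksum>". cksum is a CRC, not a
# security hash; it is only used to detect that the file content changed.
# Take one snapshot before `limactl stop`/`limactl start` and one after.
hostkey_snapshot() {
    dir="${1:-}/etc/ssh"
    for k in "$dir"/ssh_host_*_key.pub; do
        [ -e "$k" ] || continue
        printf '%s %s\n' "$(basename "$k")" "$(cksum < "$k" | cut -d' ' -f1)"
    done
}

# Exit status 0 if two snapshots are identical, 1 if any key changed.
hostkeys_unchanged() {
    [ "$1" = "$2" ]
}

# Usage inside the VM (as root):
#   write_keep_hostkeys_dropin && ignored_dropins
#   before=$(hostkey_snapshot)      # then stop/start the VM from the host
#   after=$(hostkey_snapshot)
#   hostkeys_unchanged "$before" "$after" && echo "host keys kept"
```

If hostkeys_unchanged still fails after the drop-in is in place, check the output of ignored_dropins first; a file that cloud-init never reads is the most common reason ssh_deletekeys: false appears to have no effect.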
