SSH host keys are regenerated each time a VM does a stop/start

[agaffney]

Description

This is a (hopefully) unintended side effect of #273. Because the instance-id changes, cloud-init treats it like it's the first boot and does all the first boot things, like deleting the existing SSH host keys and regenerating new ones. I was able to work around this in an existing VM by creating a file in /etc/cloud/cloud.cfg.d with ssh_deletekeys: false, but this is not an ideal solution.

[agaffney]

CC @jandubois (author of #273)

[jandubois]

This is a (hopefully) unintended side effect of #273.

Yes, this is unintended. Do you have any suggestion how to deal with this?

My naïve idea would be to create a /etc/cloud/cloud.cfg.d/lima file with ssh_deletekeys: false during provisioning, so it would be in place automatically. Would that work for you?

[agaffney]

As long as that file is dropped after cloud-init has run for the first time, that shouldn't cause any issues with cloud images that may already have SSH host keys in them (we want them to be deleted and regenerated), and it should address this problem.

[jandubois]

As long as that file is dropped after cloud-init has run for the first time

This will automatically be true because we can't run anything until cloud-init has dropped our authorized keys.

Note that you can do this right now yourself in lima.yaml with your own script:

provision:
- mode: system
  script: |
    #!/bin/sh
    mkdir -p /etc/cloud/cloud.cfg.d
    echo "ssh_deletekeys: false" > /etc/cloud/cloud.cfg.d/lima

Well, maybe use a different name than lima, because that's what I may use for the built-in version of this.

Put this into ~/.lima/_config/override.yaml and it will automatically be applied to all your instances from that point forward.

[agaffney]

This will automatically be true because we can't run anything until cloud-init has dropped our authorized keys.

I more meant sticking it in the cloud-init config provided at boot vs. dropping a file "manually" after first boot.

[vessux]

All files to be read by cloud-init in folder /etc/cloud/cloud.cfg.d/ must have .cfg extension so if you want to use the workaround by @jandubois add .cfg to the filename in override .yaml file

example:

provision:
- mode: system
  script: |
    #!/bin/sh
    mkdir -p /etc/cloud/cloud.cfg.d
    echo "ssh_deletekeys: false" > /etc/cloud/cloud.cfg.d/lima-local.cfg