Comments (23)
If you run rke on CentOS 7, you should not use the root user to open the SSH tunnel. You can try the following steps to run rke.
On all nodes:
- update OpenSSH to 7.4, and Docker to version v1.12.6
- set "AllowTcpForwarding yes" and "PermitTunnel yes" in /etc/ssh/sshd_config, then restart the sshd service
- the host which runs rke must be able to ssh to all nodes without a password
- run "groupadd docker" to create the docker group, if the docker group does not exist
- run "useradd -g docker yourusername" to create the user yourusername and set its group to docker
- set MountFlags=shared in docker.service (vi /xxx/xxx/docker.service)
- run "su yourusername" to switch to that user, then restart the docker service, so that in the yourusername session docker.sock is created at /var/run/docker.sock
- in cluster.yml set the ssh user to yourusername (in setup hosts):
  nodes:
    - address: x.x.x.x
      ...
      user: yourusername
    - address: x.x.x.x
      ...
      user: yourusername
- in cluster.yml set the kubelet to use the systemd cgroup driver (in setup hosts):
  services:
    kubelet:
      image: rancher/k8s:v1.8.3-rancher2
      extra_args: {"cgroup-driver":"systemd","fail-swap-on":"false"}
Now you can run "rke -d up" to set up your k8s cluster.
If you hit "Failed to Save Kubernetes certificates: Timeout waiting for K8s to be ready" when running rke, you can find more in #121.
from rke.
Is this on CentOS/RHEL by any chance?
Can you also make sure that the ssh user you are using has access to the docker engine?
I also hit the same problem. I even tried the root user for ssh, but rke still failed.
@nevermosby Have you solved the problem?
@iyacontrol Please share the OS used (cat /etc/os-release)
@superseb
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
@superseb Linux 3.10.0-693.el7.x86_64
@superseb Yeah, it is a CentOS system; details are listed below:
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
@galal-hussein I used "root" to run the command, so it is certain that I have access to the docker engine.
@iyacontrol I still have this issue with CentOS.
New progress here:
I tried an Ubuntu system instead and it did work.
So some difference in OS configuration may be the root cause.
@nevermosby I will try to reproduce with CentOS 7 to see if the problem is related to a specific OS.
@nevermosby @iyacontrol @superseb I was able to reproduce the issue; however, I am not sure what the root cause is. CentOS seems to reject ssh local forwarding for root:
- Unit session-33.scope has begun starting up.
Dec 04 23:32:46 hussein-centos-01 sshd[11192]: refused streamlocal port forward: originator port 0, target /var/run/docker.sock
Dec 04 23:32:46 hussein-centos-01 sshd[11192]: pam_unix(sshd:session): session closed for user root
➜ ssh -nNT -L /tmp/docker.sock:/var/run/docker.sock [email protected]
channel 1: open failed: administratively prohibited: open failed
channel 1: open failed: administratively prohibited: open failed
However, it works for users other than root; as a workaround you can specify a user other than root for now.
@galal-hussein Thanks for the feedback. On the same CentOS machine, I took your advice and tried a user other than root, but got the same error.
@nevermosby Can you make sure that the ssh user has access to the docker engine? You can add the user to the docker group and use it in cluster.yml.
@galal-hussein Yes, I am sure I have added the user to the docker group; I tried the "docker push" command and it works fine.
@nevermosby Can you post the version of OpenSSH currently installed on the CentOS server?
@galal-hussein Sorry for the late reply. The version installed on my CentOS machine is:
ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
@galal-hussein It seems that pam_unix causes this issue.
Try this: https://serverfault.com/questions/416441/pam-module-causes-flurry-of-ssh-sessions
@niusmallnan No, I don't think this is the issue; I just tested with PAM disabled and got the same error. Also, I think not using PAM is not recommended on RHEL.
@nevermosby You need to upgrade your openssh server to 7.x to get support for local stream forwarding.
Hi @moelsayed, thanks for the reminder. I just upgraded my OpenSSH version to 7.4 and set "AllowTcpForwarding" to yes:
ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
However, I still get the same error. Maybe the forwarding configuration is not right. Could you give some advice on this?
Hi @luoshiqian, thanks, your solution worked for me on CentOS 7.4.
@luoshiqian Thanks for the steps. OpenSSH doesn't allow ssh tunneling for root users for some reason; closing this issue and will track the root user bug in issue #136.
Tried to fix it by enabling the ssh config option "AllowTcpForwarding yes", but failed. Any suggestions?
I had the same problem, and found out that the problem was on my side: in authorized_keys, in the key usage restrictions.
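The thread ends with three separate findings: the non-root user procedure in the first comment, the sshd log line "refused streamlocal port forward" quoted by @galal-hussein, and the authorized_keys restriction in the last comment. The script below is an added example, not code from the rke project or from any commenter, that turns those into one preflight you can run on a bastion before `rke up`. Two facts it relies on: sshd only handles the unix-socket ("streamlocal") channel that rke opens from OpenSSH 6.7 on, which is why a 6.6.1 server cannot work whatever its config; and when a 6.7+ sshd prints that "refused streamlocal port forward" line it is refusing on AllowStreamLocalForwarding (or DisableForwarding on 7.4+) or on a `restrict`/`no-port-forwarding` option attached to the key. AllowTcpForwarding and PermitTunnel govern TCP channels and tun devices, so toggling them does not change the outcome. All sample inputs (sshd_config text, key lines, passwd/group entries, the user name yourusername) are constructed for the demo; the key material is a placeholder.

```shell
#!/bin/sh
# Added preflight for the non-root docker.sock tunnel described in this thread.
# Not rke's code. The offline checks parse text you already have (ssh -V 2>&1,
# sshd_config, an authorized_keys line, /etc/passwd, /etc/group);
# probe_docker_tunnel is the only function that talks to a host.

# sshd only understands the direct-streamlocal channel rke opens from
# OpenSSH 6.7 on. Returns 0 when the `ssh -V 2>&1` banner is at least 6.7.
ssh_supports_streamlocal() {
  local ver major minor
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  major=${ver% *}; minor=${ver#* }
  if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }; then return 0; fi
  return 1
}

# sshd_config gates for a direct-streamlocal request: AllowStreamLocalForwarding
# (yes/all/local permit; no/remote refuse) and DisableForwarding (7.4+).
# AllowTcpForwarding governs TCP channels only. Match blocks are not evaluated:
# the first Match line ends the scan and is reported on stderr for manual review.
# Returns 0 when the global section permits forwarding, 1 when it refuses.
sshd_config_permits_streamlocal() {
  local cfg="$1" tmp key val ok=0
  tmp=$(mktemp)
  printf '%s\n' "$cfg" > "$tmp"
  while read -r key val _; do
    case "$key" in ''|'#'*) continue ;; esac
    key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    val=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
    case "$key" in
      match) echo "note: 'Match $val ...' block present; review it for the rke user" >&2; break ;;
      allowstreamlocalforwarding) case "$val" in no|remote) ok=1 ;; esac ;;
      disableforwarding) case "$val" in yes) ok=1 ;; esac ;;
    esac
  done < "$tmp"
  rm -f "$tmp"
  return $ok
}

# authorized_keys options apply left to right: restrict and no-port-forwarding
# clear the permission, port-forwarding restores it. A line with no options
# starts with the key type. Quoted values holding spaces or commas
# (command="a b") are outside this parser. Returns 0 when the key may forward.
authorized_key_permits_forwarding() {
  local line="$1" opt flag=1
  case "$line" in ssh-*|ecdsa-*|sk-*) return 0 ;; esac
  set -f   # no globbing of option values such as from="*.example.com"
  for opt in $(printf '%s\n' "${line%% *}" | tr ',' ' '); do
    case "$opt" in
      restrict|no-port-forwarding) flag=0 ;;
      port-forwarding) flag=1 ;;
    esac
  done
  set +f
  return $((1 - flag))
}

# The thread's `useradd -g docker` makes docker the primary group, so the member
# list in /etc/group may be empty; check both the primary gid and membership.
# Arguments: user, text of /etc/passwd, text of /etc/group.
user_in_docker_group() {
  local user="$1" passwd="$2" group="$3" dgid ugid members
  dgid=$(printf '%s\n' "$group" | sed -n 's/^docker:[^:]*:\([0-9]*\):.*/\1/p')
  [ -n "$dgid" ] || return 1
  ugid=$(printf '%s\n' "$passwd" | sed -n "s/^$user:[^:]*:[0-9]*:\([0-9]*\):.*/\1/p")
  if [ "$ugid" = "$dgid" ]; then return 0; fi
  members=$(printf '%s\n' "$group" | sed -n 's/^docker:[^:]*:[0-9]*:\(.*\)$/\1/p')
  case ",$members," in *",$user,"*) return 0 ;; esac
  return 1
}

# Live end-to-end probe of what rke does: forward the node's docker.sock to a
# local socket and query the engine through it. Usage: probe_docker_tunnel USER HOST
probe_docker_tunnel() {
  local user="$1" host="$2" sock pid rc
  sock=$(mktemp -u /tmp/rke-probe.XXXXXX)
  ssh -nNT -o BatchMode=yes -L "$sock:/var/run/docker.sock" "$user@$host" &
  pid=$!
  sleep 2
  docker -H "unix://$sock" version > /dev/null 2>&1; rc=$?
  kill "$pid" 2> /dev/null; rm -f "$sock"
  return $rc
}

# Constructed samples (not taken from any host in the thread) so the offline
# checks run as a demo. The key material is a placeholder, not a real key.
SAMPLE_SSHD_CONFIG='# sshd_config after the steps in the first comment
AllowTcpForwarding yes
AllowStreamLocalForwarding yes'
SAMPLE_KEY_OK='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER rke@bastion'
SAMPLE_KEY_RESTRICTED='restrict,command="/usr/bin/uptime" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER rke@bastion'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
yourusername:x:1001:994::/home/yourusername:/bin/bash'
SAMPLE_GROUP='root:x:0:
docker:x:994:'

report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi; }
report ssh_supports_streamlocal 'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017'
report sshd_config_permits_streamlocal "$SAMPLE_SSHD_CONFIG"
report authorized_key_permits_forwarding "$SAMPLE_KEY_OK"
report user_in_docker_group yourusername "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Run the offline checks against the real files of a node (`ssh node 'ssh -V 2>&1'`, `cat /etc/ssh/sshd_config`, the matching line of `~/.ssh/authorized_keys`, `/etc/passwd`, `/etc/group`) and only then call `probe_docker_tunnel yourusername node`. One caveat the workaround does not remove: a user that can reach docker.sock is root-equivalent on that node, so the "non-root" SSH key rke uses deserves the same protection as a root key, and if its authorized_keys entry carries `restrict`, adding `port-forwarding` after it is the narrower fix than dropping the restriction.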