Rke: SSH tunneling is not working for Root user on CentOS/RHEL

Created on 12 Dec 2017 · 8 Comments · Source: rancher/rke

Using OpenSSH 7.0+, the root user is not allowed to SSH tunnel to the Docker socket on CentOS/RHEL hosts; however, normal users work normally with RKE.

kind/bug

All 8 comments

This is a regression in OpenSSH. We tested using OpenSSH 7.5 and it works fine. Older versions should be updated to versions with the back-ported fix.

@galal-hussein @moelsayed I encountered this issue on Ubuntu 14.04 and OpenSSH_6.6.1

root@leo-k8s-c1-n0:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:    14.04
Codename:   trusty
root@leo-k8s-c1-n0:~#
root@leo-k8s-c1-n0:~# ssh -V
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014
root@leo-k8s-c1-n0:~#

On my OSX machine:

ssh -V
OpenSSH_7.4p1, LibreSSL 2.5.0

cluster.yaml:

network:
  plugin: canal

ssh_key_path: ~/.ssh/id_rsa
enforce_docker_version: false

nodes:
  - address: 1.1.1.1
    user: root
    role: [controlplane, etcd]
  - address: 2.2.2.2
    user: root
    role: [worker]
  - address: 3.3.3.3
    user: root
    role: [worker]
  - address: 4.4.4.4
    user: root
    role: [worker]

Upgrading OpenSSH on my OS X laptop didn't help either.

rke up
INFO[0000] Building Kubernetes cluster
INFO[0000] [dialer] Setup tunnel for host [1.1.1.1]
FATA[0000] Failed to set up SSH tunneling for Etcd host [1.1.1.1]: Can't retrieve Docker Info: error during connect: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: Failed to dial to Docker socket: ssh: rejected: administratively prohibited (open failed)

ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n  7 Dec 2017

Upgrading the OS to Ubuntu 16.04 solved the problem for me.

root@leo-k8s-c1-n0:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:    16.04
Codename:   xenial
root@leo-k8s-c1-n0:~# ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
root@leo-k8s-c1-n0:~#

RKE uses the stream local forwarding feature to tunnel and connect to the Docker engine on each host. OpenSSH has supported stream local forwarding since version 6.7, so Ubuntu 14.04 will not work with RKE since it has OpenSSH 6.6. OpenSSH should be upgraded on Ubuntu 14.04.
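
A preflight check for the requirement described in the comment above, as an added example that is not part of the thread or of RKE. The 6.7 threshold comes from the comment; the `AllowStreamLocalForwarding` check against `sshd -T` output goes beyond the thread, and a version number alone is only a heuristic because distributions back-port fixes.

```shell
#!/bin/sh
# Added example: preflight check for the OpenSSH requirement discussed above.

# Print "MAJOR MINOR" from `ssh -V` output or an SSH server banner
# (e.g. "SSH-2.0-OpenSSH_7.4"); return 1 if it is not an OpenSSH string.
openssh_version() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Return 0 if the version is >= 6.7 (threshold taken from the thread),
# 1 if older, 2 if the string could not be parsed.
supports_streamlocal() {
    ver=$(openssh_version "$1") || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; then return 0; fi
    return 1
}

# Read `sshd -T` output on stdin; return 0 only if the effective
# AllowStreamLocalForwarding value permits local (client-to-socket) forwards.
streamlocal_allowed() {
    val=$(awk '$1 == "allowstreamlocalforwarding" { print $2 }' | tail -n 1)
    case "$val" in
        yes|all|local) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo input: the version strings quoted in this thread.
for banner in \
    'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014' \
    'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016'
do
    if supports_streamlocal "$banner"; then
        echo "ok:      $banner"
    else
        echo "too old: $banner"
    fi
done
```

On a node, feed `ssh -V` output to `supports_streamlocal` and pipe `sshd -T` (run as root) into `streamlocal_allowed`; the version that matters is the node's sshd, not the workstation's client.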

@galal-hussein So what is the best solution for CentOS 7 for now? Update SSH or use another user?

Upgrade the CentOS version

yum install openssh-server