High Availability and SSH

I’m setting up Frontend HA by following the official documentation.

I’ve some queries with respect to the SSH functionality. I’ve successfully added 3 servers onto the zone and they are in the states “leader, follower, follower”. So far, good. The VIP has got attached and swaps as the states change. The datastore location /var/lib/one/datastores is backed by a shared storage.

I’m trying to understand how the SSH information is exchanged among the nodes in HA. All 3 frontend servers have different set of SSH Keys and configuration information.

[frontend-01] # ssh-keygen -lf /var/lib/one/.ssh/id_rsa.pub 
3072 SHA256:tGtmz5AMHgUZhRhDQSyCiRxy9w9EMfrv0ry7no0gdnM oneadmin@frontend-01 (RSA)
[frontend-02] # ssh-keygen -lf /var/lib/one/.ssh/id_rsa.pub
3072 SHA256:qnF5PxCOjyWS5yXocd5gfX5AOsFi8Wiw1qBPqb/Tv6I oneadmin@frontend-02 (RSA)
[frontend-03] # ssh-keygen -lf /var/lib/one/.ssh/id_rsa.pub
3072 SHA256:XLsb2S5Bq95MYS6MoqjIIQJMk5NEJbBbLf212njEs6o oneadmin@frontend-03 (RSA)

For instance, if I add the Hypervisor nodes when the frontend-01 is the leader, and the frontend-01 becomes the follower later, and now, let’s say frontend-02 is the leader, as frontend-2 will take over the cluster operation, SSH Key information is no longer valid on the hypervisors because Hypervisor nodes have the public key of frontend-01 in the authorized_keys, not of the frontend-02.

The documentation doesn’t specify anything about sharing /var/lib/one/.ssh/ directory across the frontend nodes. Really appreciate the help!


So copy the ssh private key from leader to followers. There is also some ssh-agent functionality added.

Check this, it is in core since 5.12