If node NFS mounts /var/lib/one from opennebula01, passless key ssh does not work

Hey All,

Just starting out with OpenNebula.

On this CentOS 7 (both worker and controller), I cannot ssh using pass less keys from the controller opennebula01 to the worker mdskvm-p01 when the NFS share ( 192.168.0.70:/var/lib/one /var/lib/one) is mounted on the worker. But I can as soon as I unmount the opennebula01 NFS share off of the worker node mdskvm-p01. When the NFS is mounted, both worker and controller share a common /var/lib/one/.ssh/authorized_keys file, which seems to be the intent of the setup:

[oneadmin@mdskvm-p01 .ssh]$ mount|tail -n 1
192.168.0.70:/var/lib/one on /var/lib/one type nfs4 (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,soft,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.60,local_lock=none,addr=192.168.0.70)
[oneadmin@mdskvm-p01 .ssh]$ pwd
/var/lib/one/.ssh
[oneadmin@mdskvm-p01 .ssh]$

Now when I run SSHD in debug mode using port 2222, the passless key works fine with or without NFS mounted on the worker node. Why?

Is there a specific sshd config file entry that prevents passless key login if sshd is not running in debug mode or when the OpenNebula NFS share is mounted? Again, in debug, SSHD works fine with or without the NFS mount on the worker mdskvm-p01.

Cheers,
TK

@TomK,

Things you can check:

  1. Are the UID/GID same on both servers? Check the filesystem permission.
  2. Export the NFS with “no_root_squash” and “insecure” parameters
  3. Step 1.5 performed? Quickstart: OpenNebula on CentOS 7 and KVM
  1. Yes

  2. Yes

[root@opennebula01 ~]# cat /etc/exports
/var/lib/one/ *(rw,sync,no_subtree_check,root_squash)
[root@opennebula01 ~]#

I tried the options for #2 but same thing (though I would object to using them if they did work since they are insecure.)

[oneadmin@opennebula01 ~]$
[oneadmin@opennebula01 ~]$ cat /etc/exports
/var/lib/one/ *(rw,sync,no_subtree_check,no_root_squash,insecure)
[oneadmin@opennebula01 ~]$ grep oneadmin /etc/group /etc/passwd
/etc/group:oneadmin:x:9869:
/etc/passwd:oneadmin:x:9869:9869::/var/lib/one:/bin/bash
[oneadmin@opennebula01 ~]$ vi /etc/exports
[oneadmin@opennebula01 ~]$ logout
[root@opennebula01 ~]# vi /etc/exports
[root@opennebula01 ~]#

[root@mdskvm-p01 ~]# grep oneadmin /etc/group /etc/passwd
/etc/group:oneadmin:x:9869:
/etc/passwd:oneadmin:x:9869:9869::/var/lib/one:/bin/bash
[root@mdskvm-p01 ~]#

So again, this works if 1) running ssh in debug mode, 2) not mounting the NFS, though that leaves the vm instantiation as non working, obviously.

Cheers,
TK

This was an selinux policy issue. Did some digging and eventually ended up checking selinux. Effectively, I needed to run:

setsebool -P use_nfs_home_dirs 1

Wrote this up in more detail here, if it helps::

since I need selinux enabled. :frowning:

Cheers,
TK