Is the OpenNebula ssh agent supposed to work without any extra setup?

OS is Debian 11

My issue is that it does not work until I do

eval "$(ssh-agent -s)" && ssh-add
Agent pid 289270
Identity added: /var/lib/one/.ssh/id_rsa (oneadmin@on-front)

Then it works as expected: I can ssh from front to nodes and back.
Easy check:
Before I do eval "$(ssh-agent -s)" && ssh-add
echo $SSH_AUTH_SOCK gives nothing
ssh-add -L also nothing
After I do eval "$(ssh-agent -s)" && ssh-add
echo $SSH_AUTH_SOCK gives
/tmp/ssh-C9E9lOi4eE2n/agent.289269
and ssh-add -L lists the key

Output from systemctl status opennebula-ssh-agent.service

systemctl status opennebula-ssh-agent.service
● opennebula-ssh-agent.service - OpenNebula SSH agent
     Loaded: loaded (/lib/systemd/system/opennebula-ssh-agent.service; disabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-07-01 09:36:15 EEST; 11min ago
    Process: 288891 ExecStartPre=/bin/sh -c echo SSH_AUTH_SOCK=$SSH_AUTH_SOCK > /var/run/one/ssh-agent.env (code=exited, status=0/SUCCESS)
    Process: 288892 ExecStart=/bin/sh -c exec /usr/bin/ssh-agent -a $SSH_AUTH_SOCK (code=exited, status=0/SUCCESS)
    Process: 288894 ExecStartPost=/bin/sh -c /usr/bin/ssh-add (code=exited, status=0/SUCCESS)
   Main PID: 288893 (ssh-agent)
      Tasks: 1 (limit: 4692)
     Memory: 604.0K
        CPU: 19ms
     CGroup: /system.slice/opennebula-ssh-agent.service
             └─288893 /usr/bin/ssh-agent -a /var/run/one/ssh-agent.sock

Jul 01 09:36:15 on-front systemd[1]: Starting OpenNebula SSH agent...
Jul 01 09:36:15 on-front sh[288892]: SSH_AUTH_SOCK=/var/run/one/ssh-agent.sock; export SSH_AUTH_SOCK;
Jul 01 09:36:15 on-front sh[288892]: SSH_AGENT_PID=288893; export SSH_AGENT_PID;
Jul 01 09:36:15 on-front sh[288892]: echo Agent pid 288893;
Jul 01 09:36:15 on-front sh[288895]: Identity added: /var/lib/one/.ssh/id_rsa (oneadmin@on-front)
Jul 01 09:36:15 on-front systemd[1]: Started OpenNebula SSH agent.


Versions of the related components and OS (frontend, hypervisors, VMs):
Frontend 6.2.0.1

Obvious solution is to just
echo "export SSH_AUTH_SOCK=/var/run/one/ssh-agent.sock" >> ~oneadmin/.bashrc, but am I supposed to?

No one tried this?

Hi @branislav_k,

It should work without doing any extra step for the oned service. If you take a look at the oned service environment you should see something similar to the export you’re proposing:

$ cat /proc/`pgrep oned`/environ
...SSH_AUTH_SOCK=/var/run/one/ssh-agent.sock

This will make passwordless ssh work for the oned process. If you want to take advantage of the agent also when you’re logged in as oneadmin in the server terminal, you’ll need to manually export the env variable, or as you mentioned add it to the .bashrc file or similar.
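
An added example, not part of the original posts and not OpenNebula's own code: a sketch for an interactive oneadmin shell that reads SSH_AUTH_SOCK from the oned process environment, as in the reply above, and exports it only if the path is a UNIX socket owned by the current user. The function names are hypothetical, and it assumes the agent service runs as oneadmin.

```bash
# Added example (hypothetical helper names). Written in POSIX sh so it can be
# sourced from ~oneadmin/.bashrc or ~/.profile.

# Print the value of variable $2 from the NUL-separated environ file $1
# (the format of /proc/<pid>/environ). Exit status 1 if the variable is absent.
environ_get() {
    tr '\0' '\n' < "$1" | awk -v n="$2" '
        index($0, n "=") == 1 { print substr($0, length(n) + 2); found = 1; exit }
        END { exit !found }'
}

# Succeed only if $1 is a UNIX socket owned by the current user, so a stale
# path or a socket created by another account is never adopted.
agent_sock_ok() {
    [ -S "$1" ] && [ -O "$1" ]
}

# Export SSH_AUTH_SOCK taken from environ file $1 if the socket passes the check;
# on failure the current value of SSH_AUTH_SOCK is left untouched.
use_agent_from() {
    _sock=$(environ_get "$1" SSH_AUTH_SOCK) || {
        echo "no SSH_AUTH_SOCK in $1" >&2; return 1; }
    agent_sock_ok "$_sock" || {
        echo "refusing $_sock: not a socket owned by $(id -un)" >&2; return 1; }
    SSH_AUTH_SOCK=$_sock
    export SSH_AUTH_SOCK
}

# Typical call as oneadmin on the front-end (assumes oned is running):
#   use_agent_from "/proc/$(pgrep -o -x oned)/environ" && ssh-add -L
```
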

Ok thanks.
Then this probably should be added to the docs, because all examples are saying that you as the user must test ssh from frontend to nodes etc. and I was expecting for it to work, but it doesn’t.

For example here
https://docs.opennebula.io/6.2/open_cluster_deployment/kvm_node/kvm_node_installation.html#step-4-configure-passwordless-ssh
