Adding SSH keys for core user post-install creates .ssh folder owned by root

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform 4.x

Issue

  • If a cluster is installed without SSH keys and those are added post-install as per this solution, /home/core/.ssh is owned by root and SSH doesn't work.

Resolution

This is a known issue, which is already fixed in the following versions:

The workaround is to change the ownership of the folder to the core user:

oc debug node/${NODE} -- chroot /host chown -R core: /home/core/.ssh
Starting pod/example-worker-1examplenet-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...

Replace ${NODE} with the name of the node.

Root Cause

The Machine Config Daemon (the component of the Machine Config Operator in charge of applying configuration changes to nodes) runs as root and creates the /home/core/.ssh folder as needed, but it doesn't set the core user as the folder's owner. This, in turn, makes SSH unusable.

This problem doesn't reproduce if the cluster was installed with SSH keys, or on nodes created after the SSH keys were configured, because in both cases the files are created by Ignition (not the Machine Config Daemon), and Ignition doesn't have this problem.

Diagnostic Steps

Check permissions on /home/core/.ssh folder with a debug pod:

oc debug node/${NODE} -- ls -lad /host/home/core/.ssh
Starting pod/example-worker-1examplenet-debug ...
To use host binaries, run `chroot /host`
drwx------. 2 root root 29 Jul 22 16:06 /host/home/core/.ssh

Removing debug pod ...
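
The diagnostic check and the workaround above, scripted across all nodes as an added example (not part of the original article or of Red Hat's tooling). The function names are hypothetical, and the check only looks at the user field of the `ls -lad` line.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Function names are hypothetical.

# Print "user:group" for an `ls -lad` directory line such as
#   drwx------. 2 root root 29 Jul 22 16:06 /host/home/core/.ssh
# and nothing for other lines (for example the oc debug banner text).
owner_of_ls_line() {
    printf '%s\n' "$1" | awk '$1 ~ /^d/ && NF >= 9 { print $3 ":" $4 }'
}

# Read captured `oc debug ... ls -lad` output on stdin and print
# OK, "BAD <user:group>", or MISSING when no directory line was seen.
classify_ssh_dir() {
    owner=""
    while IFS= read -r line; do
        found=$(owner_of_ls_line "$line")
        if [ -n "$found" ]; then owner=$found; fi
    done
    case "$owner" in
        "")     echo "MISSING" ;;
        core:*) echo "OK" ;;
        *)      echo "BAD $owner" ;;
    esac
}

# Check every node; with --fix, run the chown workaround on BAD nodes.
audit_nodes() {
    for node in $(oc get nodes -o name); do
        state=$(oc debug "$node" -- ls -lad /host/home/core/.ssh 2>/dev/null |
            classify_ssh_dir)
        echo "$node: $state"
        case "$state" in
            BAD*)
                if [ "${1:-}" = "--fix" ]; then
                    oc debug "$node" -- chroot /host chown -R core: /home/core/.ssh
                fi ;;
        esac
    done
}

# Only touch the cluster when asked to: ./script --audit [--fix]
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_nodes "$@"
fi
```

Run it with `--audit` to report only, or `--audit --fix` to also apply the ownership change on nodes reported as BAD.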

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.