action #121222
coordination #80142: [saga][epic] Scale out: Redundant/load-balancing deployments of openQA, easy containers, containers on kubernetes
coordination #98472: [epic] Scale out: Disaster recovery deployments of existing openQA infrastructures
Add ssh support to terraform recipe size:M
0%
Description
Motivation
We have finished a basic terraform recipe in #118660 for provisioning an EC2 instance, but it is still missing ssh support.
Acceptance criteria
- AC1: It is known how to enable SSH access in a terraform setup
- AC2: An instance that is created allows access with an SSH key
Suggestions
- Check best practices for managing EC2 ssh keys
- Look at the existing implementation https://github.com/os-autoinst/openQA/pull/4880
History
#1
Updated by okurz about 2 months ago
- Project changed from SUSE QA to QA
#2
Updated by okurz about 2 months ago
- Project changed from QA to openQA Project
- Category set to Feature requests
#4
Updated by cdywan about 2 months ago
osukup wrote:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair ?
That's something we tried out and it didn't work. It's totally possible that it wasn't added correctly, though. Or maybe the networking isn't setup correctly. Feel free to use the existing branch and try it out.
#5
Updated by tinita about 1 month ago
- Status changed from Workable to In Progress
- Assignee set to tinita
#6
Updated by tinita about 1 month ago
I made only very small progress. Before we had the problem that the specified key was created, but the instance didn't use it.
I solved this, see https://github.com/os-autoinst/openQA/pull/4880/commits/59241dcbdd0b309d8426b4f6e466632dfc1d38fa
We need to tell aws which key_name to use.
Then it also shows up in the AWS Console.
Still I couldn't ssh (permission denied).
What I did:
ssh-keygen -t rsa -m PEM -f webuidemo.pem
ssh-keygen -y -f webuidemo.pem >webuidemo.pub
I used the content of webuidemo.pub for the public_key value.
ssh -i webuidemo.pem -o IdentitiesOnly=yes ec2-user@ip -v
ssh -i webuidemo.pem -o IdentitiesOnly=yes root@ip -v
...
debug1: Next authentication method: publickey
debug1: Trying private key: webuidemo.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ec2-user@ip: Permission denied (publickey).
I also tried with a key that I created over the webui.
I had to comment out the user_data because with it the instance never opened its ssh port, so I assume user_data must have a different type of content, or the script failed for some reason, but we never see the output anywhere, so we can just guess.
Also I had to use a new image_id as it failed to find the one we had before.
I also tried to create an instance from the image via the webui. It resulted in the same problem.
SSH port was open, but I got permission denied.
cd container/terraform
docker run --rm -it --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light validate
docker run --rm -it --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light init ## this needs to be run once; providers will be downloaded to a local folder
docker run --rm -it --name localstack -p 4566:4566 -p 4510-4559:4510-4559 -v $(pwd):/workspace -w /workspace localstack/localstack:latest
docker run --rm -it --network host --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light apply # this will create the instance on aws
#7
Updated by openqa_review about 1 month ago
- Due date set to 2022-12-31
Setting due date based on mean cycle time of SUSE QE Tools
#8
Updated by tinita about 1 month ago
I wanted to try out something else, but wasn't able to login because of Okta problems.
#9
Updated by tinita about 1 month ago
- Status changed from In Progress to Feedback
I got it working.
It turns out I used the wrong image all the time.
I looked at the "AMIs" in the navigation and found 3 images called "openqa-..." and I thought I had to use one of those. But instead we should use a Leap image.
I was pointed to https://pint.suse.com/?resource=images&csp=amazon&state=active&region=eu-central-1&search=leap to find a supported image.
Like I assumed before, to get ssh working, the key_name was still missing in the aws_instance section.
https://github.com/os-autoinst/openQA/pull/4880
With that also the user_data script is now working.
If you create the instance, you can download the webui-... key from the aws console (save as webuidemo.pem) and login via:
ssh -i webuidemo.pem -o IdentitiesOnly=yes ec2-user@ip
Then do
sudo bash
tail -f /var/log/cloud-init-output.log
to watch the openqa-bootstrap output.
When finished, you should be able to connect via http and see the webui.
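Putting #6 and #9 together, the following is a minimal Terraform configuration that uploads a locally generated public key as an aws_key_pair and wires it into the instance through key_name, which is the piece that was missing when ssh failed with "Permission denied (publickey)". This is an added example written for this page, not the code from https://github.com/os-autoinst/openQA/pull/4880: the variable names, the webuidemo key name, the security group and admin_cidr restriction, the instance type and the user_data script body are assumptions, and the AMI id has to be looked up on pint.suse.com as described above.

```hcl
# Added example for this ticket, not the openQA PR's recipe. Assumptions:
# ./webuidemo.pub exists (created with ssh-keygen as in #6), the AMI id and
# the operator's address are passed in as variables, and the bootstrap
# script body stands in for the real one.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1"
}

variable "image_id" {
  description = "Leap AMI id for eu-central-1, taken from pint.suse.com"
  type        = string
}

variable "admin_cidr" {
  description = "Address allowed to reach port 22, e.g. 203.0.113.7/32 (assumption: never 0.0.0.0/0)"
  type        = string
}

variable "ssh_public_key_path" {
  description = "OpenSSH public key generated locally; only this half is uploaded"
  type        = string
  default     = "webuidemo.pub"
}

# aws_key_pair only stores the public key, so the private key never enters the
# plan or the Terraform state (unlike tls_private_key, which would write it there).
resource "aws_key_pair" "webuidemo" {
  key_name   = "webuidemo"
  public_key = file(var.ssh_public_key_path)
}

resource "aws_security_group" "ssh" {
  name        = "webuidemo-ssh"
  description = "SSH from the operator's address only"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "webui" {
  ami                    = var.image_id
  instance_type          = "t3.medium"
  vpc_security_group_ids = [aws_security_group.ssh.id]

  # Without key_name the key pair exists in AWS but the instance never receives
  # the public key, which is exactly the symptom seen in #6.
  key_name = aws_key_pair.webuidemo.key_name

  # cloud-init runs this once; its output lands in /var/log/cloud-init-output.log,
  # which is where to look if port 22 never opens or the webui never comes up.
  user_data = <<-EOT
    #!/bin/bash
    # Assumed bootstrap body, the real script is in the PR.
    set -euo pipefail
    zypper --non-interactive install openQA-bootstrap
    /usr/share/openqa/script/openqa-bootstrap
  EOT
}

output "ssh_command" {
  value = "ssh -i webuidemo.pem -o IdentitiesOnly=yes ec2-user@${aws_instance.webui.public_ip}"
}
```

Before running apply, check that the key you will pass to ssh -i is the one being uploaded: `ssh-keygen -y -f webuidemo.pem` must print the same line as webuidemo.pub, and after apply the fingerprint shown for the key pair in the EC2 console should match `ssh-keygen -lf webuidemo.pub`. If they differ, the "Permission denied (publickey)" is a key mismatch and no amount of networking work will fix it.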
#10
Updated by tinita about 1 month ago
- Status changed from Feedback to Resolved