
Docs Bug? SSH User Setup on Azure

Open bexelbie opened this issue 9 months ago • 3 comments

Description

az cli seems to require that it either be directly passed SSH keys or generate them as it cannot use the ones in the ignition file

Impact

The docs set you up for an error if you configure core with an ssh key via ignition

Environment and steps to reproduce

I ran az vm create --resource-group flatcar_testing --name node1 --user-data ./simple.json --image FlatcarLinuxFreeGen2

and got this error:

An RSA key file or key value must be supplied to SSH Key Value. You can use --generate-ssh-keys to let CLI generate one for you

Expected behavior

a VM Created

Additional information

It appears you must include either "--admin-user core and --generate-ssh-keys or a key file specification" or use "--authentication-type password and provide a never used password"

Here is the original butane file with the key abbreviated

variant: flatcar
version: 1.1.0

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 AAAA-key
storage:
  files:
    - path: /etc/subuid
      overwrite: true
      contents:
        inline: |
          core:100000:65536
          bexelbie:200000:65536

bexelbie, Mar 12 '25 08:03

Yeah, I think the SSH key provided from the command line will be uploaded to the Azure IMDS to be later fetched by Afterburn. Can you confirm that if you provide an SSH key via the command line (and not from Ignition) you can still log in to the instance? If yes, we might need to document both approaches.

tormath1, Mar 12 '25 09:03

I tested it again and providing a key on the command line allowed the command to complete and let me log in. There was no way to avoid providing a key. Using /dev/null, for example, did not work. I did not try using a different key than the one in my ignition file.

I think we should update the documentation to reflect the requirement and find out from the azure cli team if this is something that is expected behavior or not.

bexelbie, Mar 18 '25 09:03

https://learn.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az-vm-create

Hi @bexelbie. I feel like this is expected behavior because the Azure CLI defaults to SSH authentication for Linux VMs. The az vm create command requires either --ssh-key-values or --generate-ssh-keys when using SSH authentication to ensure secure access is configured at the Azure platform level. This initial Azure provisioning step happens before the VM processes user-data like Ignition or cloud-init files.

Should I make a docs PR? @tormath1

krishjainx, Mar 28 '25 19:03
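
The workaround discussed in this thread, as an added example that is not part of the issue or of the Flatcar docs: read the core user's key out of the Ignition JSON and pass that same key to az vm create through --ssh-key-values, so the key registered at the Azure platform level is the one already in the config. It assumes the Ignition v3 layout (passwd.users[].sshAuthorizedKeys); the function names and the sample config are constructed for illustration, and it does not check whether the CLI accepts a given key type.

```python
import json
import shlex

# Constructed sample standing in for ./simple.json; the key is abbreviated
# exactly as in the Butane file quoted in the issue.
SAMPLE_IGNITION = json.dumps({
    "ignition": {"version": "3.4.0"},
    "passwd": {"users": [
        {"name": "core", "sshAuthorizedKeys": ["ssh-ed25519 AAAA-key"]},
    ]},
})


def ignition_ssh_keys(ignition_text, user="core"):
    """Return the sshAuthorizedKeys listed for `user` in an Ignition v3 config."""
    config = json.loads(ignition_text)
    keys = []
    for entry in config.get("passwd", {}).get("users", []):
        if entry.get("name") == user:
            keys.extend(k.strip() for k in entry.get("sshAuthorizedKeys", [])
                        if k.strip())
    return keys


def az_vm_create_argv(ignition_path, ignition_text, resource_group, name,
                      image="FlatcarLinuxFreeGen2", user="core"):
    """Build the az vm create argument list, reusing the Ignition key(s)."""
    keys = ignition_ssh_keys(ignition_text, user)
    if not keys:
        # Without a key the CLI stops with the error quoted in the issue.
        raise ValueError(f"no sshAuthorizedKeys for {user!r} in {ignition_path}")
    return ["az", "vm", "create",
            "--resource-group", resource_group, "--name", name,
            "--image", image, "--user-data", ignition_path,
            "--admin-username", user,
            # Each key is one argument; the option takes a space-separated list.
            "--ssh-key-values", *keys]


if __name__ == "__main__":
    argv = az_vm_create_argv("./simple.json", SAMPLE_IGNITION,
                             "flatcar_testing", "node1")
    print(shlex.join(argv))  # review the command, then run it
```

Passing the key that is already in the Ignition file keeps the set of keys authorized for core limited to that one key, rather than adding a second, CLI-generated key from --generate-ssh-keys.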