SSH host keys are regenerated each time a VM does a stop/start
Description
This is a (hopefully) unintended side effect of #273. Because the instance-id changes, cloud-init treats it like it's the first boot and does all the first boot things, like deleting the existing SSH host keys and regenerating new ones. I was able to work around this in an existing VM by creating a file in /etc/cloud/cloud.cfg.d with ssh_deletekeys: false, but this is not an ideal solution.
CC @jandubois (author of #273)
> This is a (hopefully) unintended side effect of #273.
Yes, this is unintended. Do you have any suggestion how to deal with this?
My naïve idea would be to create a /etc/cloud/cloud.cfg.d/lima file with ssh_deletekeys: false during provisioning, so it would be in place automatically. Would that work for you?
As long as that file is dropped after cloud-init has run for the first time, that shouldn't cause any issues with cloud images that may already have SSH host keys in them (we want them to be deleted and regenerated), and it should address this problem.
> As long as that file is dropped after cloud-init has run for the first time
This will automatically be true because we can't run anything until cloud-init has dropped our authorized keys.
Note that you can do this right now yourself in lima.yaml with your own script:
```yaml
provision:
- mode: system
  script: |
    #!/bin/sh
    mkdir -p /etc/cloud/cloud.cfg.d
    echo "ssh_deletekeys: false" > /etc/cloud/cloud.cfg.d/lima
```
Well, maybe use a different name than lima, because that's what I may use for the built-in version of this.
Put this into ~/.lima/_config/override.yaml and it will automatically be applied to all your instances from that point forward.
> This will automatically be true because we can't run anything until cloud-init has dropped our authorized keys.
I more meant sticking it in the cloud-init config provided at boot vs. dropping a file "manually" after first boot.
All files to be read by cloud-init in the folder /etc/cloud/cloud.cfg.d/ must have the .cfg extension, so if you want to use the workaround by @jandubois, add .cfg to the filename in the override.yaml file.
example:
```yaml
provision:
- mode: system
  script: |
    #!/bin/sh
    mkdir -p /etc/cloud/cloud.cfg.d
    echo "ssh_deletekeys: false" > /etc/cloud/cloud.cfg.d/lima-local.cfg
```
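A quick way to confirm that the workaround actually holds across a stop/start is to snapshot the host key public files before stopping the instance and compare them after it comes back; silently regenerated host keys are exactly what produces "REMOTE HOST IDENTIFICATION HAS CHANGED" warnings on the client side. The script below is an added example, not part of lima or of this thread; the helper names (`hostkey_digest`, `hostkey_snapshot`, `hostkey_verify`) and the default state file path are assumptions, and it uses `cksum` rather than `ssh-keygen -l` only so that it runs with plain coreutils.

```sh
#!/bin/sh
# Added example (not lima project code): detect regenerated SSH host keys.
# Run inside the guest:  sh hostkey-check.sh snapshot   (before limactl stop)
#                        sh hostkey-check.sh verify     (after limactl start)
# Helper names and the default state path are hypothetical.

# Print one "checksum filename" line per public host key in the given
# directory (default /etc/ssh). cksum is POSIX, so no ssh-keygen needed.
hostkey_digest() {
  dir=${1:-/etc/ssh}
  for f in "$dir"/ssh_host_*_key.pub; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(cksum < "$f" | cut -d' ' -f1)" "$(basename "$f")"
  done
}

# Record the current digests into the state file ($2).
hostkey_snapshot() {
  hostkey_digest "$1" > "$2"
}

# Return 0 if the digests match the snapshot in $2, 1 if any key was
# added, removed or regenerated (or if no snapshot exists yet).
hostkey_verify() {
  [ -f "$2" ] || return 1
  current=$(hostkey_digest "$1")
  [ "$current" = "$(cat "$2")" ]
}

# Command-line dispatch; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
  state=${3:-/var/lib/hostkey-snapshot}
  case "$1" in
    snapshot) hostkey_snapshot "${2:-/etc/ssh}" "$state" ;;
    verify)
      if hostkey_verify "${2:-/etc/ssh}" "$state"; then
        echo "host keys unchanged"
      else
        echo "host keys CHANGED since snapshot (cloud-init first-boot ran again?)"
        exit 1
      fi ;;
  esac
fi
```

If `verify` reports a change after a plain stop/start, the `ssh_deletekeys: false` drop-in is not being picked up (for example because it lacks the `.cfg` extension) and cloud-init is still treating every boot as a first boot.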