Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CPDEV-102270] OpenSSH server issue WA has been added to TG. #691

Merged
merged 3 commits into from
Sep 19, 2024
Merged

[CPDEV-102270] OpenSSH server issue WA has been added to TG. #691

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9145363
OpenSSH server issue WA has been added to TG.
Sep 13, 2024
f31c315
Update Troubleshooting.md
disa1217 Sep 17, 2024
86301af
Update Troubleshooting.md
disa1217 Sep 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions documentation/Troubleshooting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ This section provides troubleshooting information for Kubemarine and Kubernetes
- [Troubleshooting an Installation That Ended Incorrectly](#troubleshooting-an-installation-that-ended-incorrectly)
- [Upgrade Procedure to v1.28.3 Fails on ETCD Step](#upgrade-procedure-to-v1283-fails-on-etcd-step)
- [kubectl logs and kubectl exec fail](#kubectl-logs-and-kubectl-exec-fail)
- [OpenSSH server becomes unavailable during cluster installation on Centos9](#openssh-server-becomes-unavailable-during-cluster-installation-on-centos9)

# Kubemarine Errors

Expand Down Expand Up @@ -1404,3 +1405,27 @@ Error from server: error dialing backend: remote error: tls: internal error
**Root cause**: The `kubelet` server certificate is not approved, whereas the cluster has been configured not to use self-signed certificates for the `kubelet` server.

**Solution**: Perform CSR approval steps from the maintenance guide. Refer to the [Kubelet Server Certificate Approval](https://github.com/Netcracker/KubeMarine/blob/main/documentation/internal/Hardening.md#kubelet-server-certificate-approval) section for details.

## OpenSSH server becomes unavailable during cluster installation on Centos9

**Sympthoms**: Installation fails on `kubemarine.system.reboot_nodes`, OpenSSH server becomes unavailable due to OpenSSL version missmatch error.

The following lines can be found in the OpenSSH server logs:
```
OpenSSL version mismatch. Built against 30000070, you have 30200010
sshd.service: Main process exited, code=exited, status=255/EXEPTION
sshd.service: Failed with result 'exit-code'.
Failed to start OpenSSH server daemon.
```

**Root cause**: Since OpenSSL is updated by default when deploying a cluster with KubeMarine, the version incompatibility problem arises. OpenSSH was compiled with OpenSSL version 3.0.0 (30000070) and after the update, version 3.2.0 (30200010) is installed.
Probably, OpenSSL does not provide backward compatibility.

**Solution**: Add the upgrade section for OpenSSH server in the **cluster.yaml** file.

```yaml
services:
packages:
upgrade:
- openssh-server
```
Loading