Why does knife sometime decide to bomb out?


#1

Hi,

Per the below…this happens about 10% of the time. Why does this
happen? This just happened three times in a row.

ubuntu@ubuntu:~/.chef$ knife ec2 server create -r
"role[monitor_server]" -E development --region ap-southeast-1 -Z
ap-southeast-1a -I ami-c4622596 --flavor m1.medium -G nginx -x ubuntu
-S sg_development -i /home/ubuntu/.ec2/sg_development.pem
Instance ID: i-ba8a5dee
Flavor: m1.medium
Image: ami-c4622596
Region: ap-southeast-1
Availability Zone: ap-southeast-1a
Security Groups: nginx
SSH Key: sg_development

Waiting for server…
Public DNS Name: ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com
Public IP Address: 46.137.237.153
Private DNS Name: ip-10-131-34-124.ap-southeast-1.compute.internal
Private IP Address: 10.131.34.124

Waiting for sshd.done
Bootstrapping Chef on ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com
ERROR: Net::SSH::HostKeyMismatch: fingerprint
f2:50:06:7a:7c:dc:e3:94:08:89:a4:ae:04:3c:ab:a9 does not match for
"ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com,46.137.237.153"


#2

On Monday, April 16, 2012 at 9:22 PM, David Montgomery wrote:

Hi,

Per the below…this happens about 10% of the time. Why does this
happen? This just happened three times in a row.

ubuntu@ubuntu:~/.chef$ knife ec2 server create -r
"role[monitor_server]" -E development --region ap-southeast-1 -Z
ap-southeast-1a -I ami-c4622596 --flavor m1.medium -G nginx -x ubuntu
-S sg_development -i /home/ubuntu/.ec2/sg_development.pem
Instance ID: i-ba8a5dee
Flavor: m1.medium
Image: ami-c4622596
Region: ap-southeast-1
Availability Zone: ap-southeast-1a
Security Groups: nginx
SSH Key: sg_development

Waiting for server…
Public DNS Name: ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com (http://ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com)
Public IP Address: 46.137.237.153
Private DNS Name: ip-10-131-34-124.ap-southeast-1.compute.internal
Private IP Address: 10.131.34.124

Waiting for sshd.done
Bootstrapping Chef on ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com (http://ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com)
ERROR: Net::SSH::HostKeyMismatch: fingerprint
f2:50:06:7a:7c:dc:e3:94:08:89:a4:ae:04:3c:ab:a9 does not match for
"ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com (http://ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com),46.137.237.153"

It’s exactly what it says. SSH strict host key checking is enabled, and you have a different fingerprint for this IP/hostname in your known_hosts file.


Dan DeLeo


#3

How is that disabled? I find that especially when dealing with ec2
instances this is a huge nuisance. Disabling strict host key checking in
general (per
http://help.opscode.com/discussions/problems/116-knife-doesnt-handle-host-key-conflicts)
seems to miss how there are two use cases. In one, in general, I don’t
want ssh to ssh into a host whose host key has changed. However with knife
I am sure that amazon has given me an address and I should just ignore any
host key conflicts and bootstrap.

It seems that even if the option can’t be manipulated directly in the
Net::SSH API (I’m not sure if it can or can’t) it’d be nice to be able to
default it to having the known_hosts file = /dev/null when using knife,
e.g. per http://net-ssh.github.com/ssh/v2/api/classes/Net/SSH/Config.html.

-Peter

On Tue, Apr 17, 2012 at 1:11 AM, Daniel DeLeo dan@kallistec.com wrote:

On Monday, April 16, 2012 at 9:22 PM, David Montgomery wrote:

Hi,

Per the below…this happens about 10% of the time. Why does this
happen? This just happened three times in a row.

ubuntu@ubuntu:~/.chef$ knife ec2 server create -r
"role[monitor_server]" -E development --region ap-southeast-1 -Z
ap-southeast-1a -I ami-c4622596 --flavor m1.medium -G nginx -x ubuntu
-S sg_development -i /home/ubuntu/.ec2/sg_development.pem
Instance ID: i-ba8a5dee
Flavor: m1.medium
Image: ami-c4622596
Region: ap-southeast-1
Availability Zone: ap-southeast-1a
Security Groups: nginx
SSH Key: sg_development

Waiting for server…
Public DNS Name: ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com(
http://ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com)
Public IP Address: 46.137.237.153
Private DNS Name: ip-10-131-34-124.ap-southeast-1.compute.internal
Private IP Address: 10.131.34.124

Waiting for sshd.done
Bootstrapping Chef on
ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com (
http://ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com)
ERROR: Net::SSH::HostKeyMismatch: fingerprint
f2:50:06:7a:7c:dc:e3:94:08:89:a4:ae:04:3c:ab:a9 does not match for
"ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com (
http://ec2-46-137-237-153.ap-southeast-1.compute.amazonaws.com
),46.137.237.153"

It’s exactly what it says. SSH strict host key checking is enabled, and
you have a different fingerprint for this IP/hostname in your known_hosts
file.


Dan DeLeo


#4

On Tue, Apr 17, 2012 at 7:22 AM, Peter Norton pn+chef-list@knewton.com wrote:

How is that disabled? I find that especially when dealing with ec2
instances this is a huge nuisance. Disabling strict host key checking in

man ssh_config will give you what you need.

TL;DR, try something like:

$ echo >> ~/.ssh/config
Host *.compute.amazonaws.com
StrictHostKeyChecking no

Andrea


#5

I’m not sure that hits the use case I was talking about, though. It looks
like knife’s bootstrap.rb will disable host key checking if passed
–no-host-key-verify, but I think that’s appropriate for a config option in
knife.rb - possibly for both bootstrap and ssh commands, though possibly
allowing for separate config options. Currently this seems like it can
only be set at the command line.

-Peter

On Tue, Apr 17, 2012 at 2:40 AM, Andrea Campi
andrea.campi@zephirworks.comwrote:

On Tue, Apr 17, 2012 at 7:22 AM, Peter Norton pn+chef-list@knewton.com
wrote:

How is that disabled? I find that especially when dealing with ec2
instances this is a huge nuisance. Disabling strict host key checking in

man ssh_config will give you what you need.

TL;DR, try something like:

$ echo >> ~/.ssh/config
Host *.compute.amazonaws.com
StrictHostKeyChecking no

Andrea