DAB for LXC in PVE 4?

apmuthu

Active Member
Feb 26, 2009
745
6
38
Chennai - India & Singapore
On 2015-06-29, a commit was made to the git repo for DAB:
do not regenerate sshd host keys

For PVE 3.x is the second diff necessary for OpenVZ?
Code:
@@ -1338,9 +1338,6 @@ EOD
     # reset password
     $self->ve_command ("usermod -L root");
 
-    # regenerate sshd host keys
-    $self->install_init_script ($script_ssh_init, 2, 14);
-
     if ($mta eq 'postfix') {
        $data = "postfix postfix/main_mailer_type select No configuration\n";
        $self->ve_debconfig_set ($data);
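Review bot: with the `$self->install_init_script ($script_ssh_init, 2, 14);` line removed, nothing visible in this hunk deletes the host keys already present in the template or arranges for new ones on first boot, so the change is only safe if that happens somewhere else. The commit message should name the component that now generates the keys at container creation. The build should also verify that no `/etc/ssh/ssh_host_*_key` files remain in the finished template, since any key left there is shared by every container created from it.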
 

apmuthu

I understand that you no longer support OpenVZ now that the later kernels have dropped it.
All I wanted to know was why SSH keys no longer need to be generated for LXC.

Attached is the updated DAB.pm file for use in PVE 3.x - community (my) supported version.
 

Attachments

  • DAB.zip

apmuthu

Even in OpenVZ, the ssh keys are created during container creation - hence the said diffs must be valid for PVE 3.x as well - isn't it? Therefore, ssh keys should have been deleted and then created during container creation time for OpenVZ (in PVE 3.x) using DAB to have worked well hitherto ....
 

apmuthu

If you are using up to pve-manager v3.4-6 (tested), do not apply the portion of the patch listed in the #3 post in this thread but use the patched DAB.pm file in the #5 post in this thread (contains Debian jessie, and later Ubuntu versions). Otherwise, the SSH keys will not get regenerated and you will land up getting the same keys for all newly created containers that the base template has on its creation. Refer to the changelog for pve-manager. Have not tested the later versions of pve-manager in PVE 3.4 but see no reason why it should be any different at least until pve-manager v3.4-9.

Tested the issue with:
# pveversion -v
proxmox-ve-2.6.32: 3.4-156 (running kernel: 2.6.32-39-pve)
pve-manager: 3.4-6 (running version: 3.4-6/102d4547)
pve-kernel-2.6.32-39-pve: 2.6.32-156
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.7-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.10-2
pve-cluster: 3.0-17
qemu-server: 3.4-6
pve-firmware: 1.1-4
libpve-common-perl: 3.0-24
libpve-access-control: 3.0-16
libpve-storage-perl: 3.0-33
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-8
vzctl: 4.0-1pve6
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 2.2-10
ksm-control-daemon: 1.1-1
glusterfs-client: 3.5.2-1

The vzctl binary allows create/clone of container and it is up-to-date as far as PVE 3.4 version is concerned.

The contents of the SSH keys must be different for different containers (except hot/cold standby clones):
Code:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
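
One way to check the condition described in the post above, as an added example that is not part of the original thread or of DAB: it lists host public keys that appear in more than one container root. The function names, the `BASE/<CTID>/etc/ssh/` layout and the sample key blobs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Lists SSH host public keys that appear in more than one
# container root under BASE (assumed layout: BASE/<CTID>/etc/ssh/).

shared_host_keys() (
    base=$1
    for pub in "$base"/*/etc/ssh/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue          # glob matched nothing
        ct=${pub#"$base"/}; ct=${ct%%/*}   # container ID = first path component
        # Keep "type blob" only; the trailing comment (root@host) can differ
        # between copies of the same key.
        awk -v ct="$ct" 'NF >= 2 { print $1, $2, ct; exit }' "$pub"
    done | LC_ALL=C sort | awk '
        { key = $1 " " $2 }
        key == prev { ids = ids "," $3; n++; next }
        { if (n > 1) print type, ids; prev = key; type = $1; ids = $3; n = 1 }
        END { if (n > 1) print type, ids }'
)

# Constructed sample tree: 101 stands in for the template, 102 and 103 for
# containers created from it. The key blobs are placeholders, not real keys.
make_sample() (
    d=$(mktemp -d) || exit 1
    for ct in 101 102 103; do
        mkdir -p "$d/$ct/etc/ssh"
        echo "ssh-dss AAAAconstructedDSAtemplate root@ct$ct" \
            > "$d/$ct/etc/ssh/ssh_host_dsa_key.pub"
    done
    echo "ssh-rsa AAAAconstructedRSAtemplate root@template" > "$d/101/etc/ssh/ssh_host_rsa_key.pub"
    echo "ssh-rsa AAAAconstructedRSAtemplate root@ct102" > "$d/102/etc/ssh/ssh_host_rsa_key.pub"
    echo "ssh-rsa AAAAconstructedRSAunique103 root@ct103" > "$d/103/etc/ssh/ssh_host_rsa_key.pub"
    echo "$d"
)

if [ $# -gt 0 ]; then
    shared_host_keys "$1"
else
    d=$(make_sample); shared_host_keys "$d"; rm -rf "$d"
fi
```

Each output line gives a key type followed by the container IDs that share that key; no output means every host key found is unique.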
 