[SOLVED] "Host key verification failed." Nach Erweiterung "dedicated migration network"

[digidax]

Hallo,
ich habe "/etc/pve/datacenter.cfg" mit einem "dedicated migration network" erweitert:
migration: secure,network=192.168.110.0/24

Wenn ich nun einen CT migrieren will bekomme ich den Fehler:

Host key verification failed.
TASK ERROR: command '/usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=pve1' root@192.168.130.231 pvecm mtunnel -migration_network 192.168.110.0/24 -get_migration_ip' failed: exit code 255

Ich kann mich von beiden nodes aus über das 192.168.130.0/24 und 192.168.110.0/24 Netzwerk ohne Passwortabfrage auf den jeweils anderen Knoten und umgekehrt einloggen.

root@pve1:~# pvecm status
Quorum information
------------------
Date: Fri May 3 14:17:12 2019
Quorum provider: corosync_votequorum
Nodes: 2
Node ID: 0x00000001
Ring ID: 1/140
Quorate: Yes

Votequorum information
----------------------
Expected votes: 2
Highest expected: 2
Total votes: 2
Quorum: 2
Flags: Quorate

Membership information
----------------------
Nodeid Votes Name
0x00000001 1 192.168.130.231 (local)
0x00000002 1 192.168.130.232

Muss ich noch irgend etwas ändern?

lg Frank

 

[oguz]

Hi.

Looks like the problem is occuring in function `get_local_migration_ip` in pve-cluster, which takes the migration network information from the CLI command or datacenter.cfg

I guess since you've already added it into the cfg file, you wouldn't be using the command line option, therefore it should try to read from the cfg file. Can we see your complete datacenter.cfg file if possible? Maybe there are problems such as syntax errors or weird characters which cause it not to be parsed correctly?

 

[digidax]

yes, here it is, based on the standard installation, only one line was added:

root@pve1:~# cat /etc/pve/datacenter.cfg
keyboard: de
migration: secure,network=192.168.110.0/24

root@pve2:~# cat /etc/pve/datacenter.cfg
keyboard: de
migration: secure,network=192.168.110.0/24

the migration line was only added in pve1. In pve2 the cluster has it replcated themself.

IP sets: pve1: 192.168.130.231 and 192.168.110.231
IP sets: pve2: 192.168.130.232 and 192.168.110.232

The 192.168.110.0/24 network is only used as a backbone between storage and servers.
The 192.168.130.0/24 network is use for client access from the normal office LAN.


Thanks, best regards
Frank

 

[oguz]

datacenter.cfg looks okay.

Can we see your network configuration, along with /etc/hosts as well?

 

[digidax]

root@pve1:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.130.231 pve1.celebraterecords.com pve1

# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

root@pve2:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.130.232 pve2.celebraterecords.com pve2

# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

I have checked the synthax in datacenter.cfg and found different writings in the web, what's the right one:
migration: secure,network=192.168.110.0/24
or
migration: type=secure,network=192.168.110.0/24

 

[digidax]

ITS WORKING !!!!!

There was a DNS problem. Checking passwordless login was only done with the IP addresses like ssh 192.168.130.231.
But using "ssh pve1" was possible, the host key was added but no login was possible - wrong password.

For testing, I have added to the DNS Domain the two subdomains pve1 and pve2. Another guy here hase cleaned this Friday the DNS records, not reading my email from this week where I have told him about the new sub domains. He has deleted just at this time where I have test the migration network. So, the catch all subdomain *.domain.de has taken the request und reolved to the wrong IP !!!!

setting up now the two sub domains to the right IP's of the PVE's the migration is now working well. Now I will test, if the right subnet is used.

Thanks for your help;
Frank

 

[oguz]

Hi.

Freut mich das zu hören!

I have checked the synthax in datacenter.cfg and found different writings in the web, what's the right one:
migration: secure,network=192.168.110.0/24
or
migration: type=secure,network=192.168.110.0/24

Die beiden sind richtig, es ist allerdings besser explizit hinzuschreiben.

Sie können den Thread als [SOLVED] markieren, indem Sie die erste Post bearbeiten.