[SOLVED] Setting up SSH /MYSQL for remote servers

3rdLOF's picture

Hello everyone:

Edit on Solved status: IGNORE THIS ENTRY ABOUT SSH - SCROLL DOWN FOR THE MYSQL PART.

First of all, my most humble apologies for this post. I usually avoid bugging project developers with apparent noob questions, but after three days and no progress I felt I really had no choice.

I have been trying to set up Aegir (alpha14) with remote server with two separate nodes at Linode running Ubuntu 10.4 LTS, using one node as the Master (main Aegir) and a second node as the remote server.

The Problem: When adding the second node (2nd server) to Aegir at the control panel, it all goes ok up until I get the following error:

/var/aegir/config/includes could not be synced to remote server mydomain.com. Changes might not be available until this has been done. (error: Host key verification failed. rsync: connection unexpectedly closed (0 bytes received so far) [sender] rsync error: unexplained error (code 255) at io.c(601) [sender=3.0.7])

As it reads, it looks like a Host key verification, which after quite a few searches points to the Master server (1st node) not being able to SSH login to the remote server (2nd node).

I have tried to follow all the information in these links:

http://groups.drupal.org/node/90564
http://groups.drupal.org/node/89684#comment-281669
http://groups.drupal.org/node/36886

But so far, nothing I do seems to work. I have gone as far as uninstalling and reinstalling the node's disk image (a clean LAMP disk image I reuse for this, so it is fairly fast) a few times just to start with a clean server, but I get nowhere.

Any help or guidance would be appreciated.

Comments

try manual ssh

attiks's picture

Can you try to ssh to the server as the aegir user? I expect you get a prompt to accept the remote host key; accept it and I guess your problem will be solved.

I try, but I get prompted for

3rdLOF's picture

I try, but I get prompted for a password as well. However, I did set up the aegir user as suggested in all guides.

Permission denied (publickey,password).

sshd config

attiks's picture

1/ Did you set a password on the key?

2/ Check /etc/ssh/sshd_config on the remote server, make sure the following aren't commented out:
RSAAuthentication yes
PubkeyAuthentication yes

If they are commented out, change it and restart sshd server (/etc/init.d/ssh restart)

3/ If that doesn't work, check the permissions on the key files in /var/aegir/.ssh on the remote server; I think they should be 600

1/ Did you set a password on

3rdLOF's picture

1/ Did you set a password on the key?

No, I simply hit return when prompted as all guides suggested.

2/ Check /etc/ssh/sshd_config on the remote server, make sure the following aren't commented out:
RSAAuthentication yes
PubkeyAuthentication yes

This is correctly set in the remote server.

3/ If that doesn't work, check the permissions on the key files in /var/aegir/.ssh on the remote server; I think they should be 600

I did. Odd. The .ssh folder itself is 600, but the two files inside (known_hosts, authorized_keys) have strange permissions that I can't change even as root:

chmod 600 authorized_keys
chmod 600 known_hosts

ls -l

-rwx------ 1 aegir aegir 603 Oct 24 23:46 authorized_keys
-rwx------ 1 aegir aegir 0 Oct 24 19:54 known_hosts

I try chmod 600 authorized_keys / chmod 600 known_hosts, but when I checked, they are both still as shown above.

When I tried the chmod the files as aegir user (su -s /bin/bash - aegir) all this happens:

A) I cannot access the .ssh folder INSIDE /var/aegir/.ssh
B) trying to sudo requires me to enter a password for the aegir user...but I do not have one. I never set it.

So lost with this. Thanks for your help by the way.

"A) I cannot access the .ssh

attiks's picture

"A) I cannot access the .ssh folder INSIDE /var/aegir/.ssh" can't be good since you own the file (does aegir own this directory?)

This is what I have on my remote machine
drwx------ 2 aegir aegir 4096 2010-09-01 10:56 .ssh
-rw------- 1 aegir aegir 790 2010-09-01 10:56 authorized_keys

Does hosts.allow have anything to do with rsync

3rdLOF's picture

Now I was able to go through the whole process again and this time the permissions are set correct.

Still same error....

/var/aegir/config/includes could not be synced to remote server kannary.com. Changes might not be available until this has been done. (error: Host key verification failed. rsync: connection unexpectedly closed (0 bytes received so far) [sender] rsync error: unexplained error (code 255) at io.c(601) [sender=3.0.7])

I read in a few posts about setting the hosts.allow file to the IP of the master.

I am able to SSH without a password from node #1 to node #2 as an "aegir" user and does not request a password:

ssh aegir@xxx.xxx.xxx.xxx

Symlink files cannot be over written

Anonymous's picture

Check to see if there are any symlink files in the /var/aegir/config/includes directory (or any where in /var/) on the remote server. Delete them if they are there and run verify again. Also make sure all files and sub-directories (including var) in /var/ are chown aegir:aegir

Peace,
Michael Clendening

I can rsync via SSH

3rdLOF's picture

Using:

rsync -vaz --rsh="ssh -l aegir" ~/ xxx.xxx.xxx.xxx:~/

I can rsync without issues from node #1 as an "aegir" user. Did it manually and everything went fine.

Yet the Host Verification issue remains.

Sudoers

Anonymous's picture

Did you modify sudoers on the remote server with the proper entries for aegir user to run:
aegir ALL=NOPASSWD: /usr/sbin/apache2ctl

Also check the auth.log on the remote server, after running verify new server, and see if the ssh sessions was successful. It is possible for ssh to work and the other required (sudoers, etc) settings to be the cause of the problem.

Just a side note, I am running all Linode servers and have successfully built 10.04 LAMP Aegir (alpha 12-14) from scratch with ssh working. I am now working through the same process using Omega8cc's Barracuda and Octopus scripts (you should consider it for the completeness of a fast and secure platform).

Peace,
Michael Clendening

mclendening: Thank you. I was

3rdLOF's picture

mclendening:

Thank you. I was able to pass this issue, though to be honest I was so tired at the time I can't even remember how exactly I did it. Now I am stuck on a database issue: "SQLSTATE[HY000] [1130] Host 'lixxx-xx.members.linode.com' is not allowed to connect to this MySQL server" Punch a hole in iptables, rechecked root passwords for database, no luck....

Yes, I am very much interested in the Barracuda and Octopus scripts, which I am going to review this very moment.

I do truly appreciate your help and, again, my apologies for polluting the discussion board with these posts.

Let's dig a little deeper

Anonymous's picture

We will need as many details as possible on your config to move forward. I would recommend trying to recreate what you have and document the steps as you go. Make sure to follow the official install guide and post your results back here.

Peace,
Michael Clendening

Here is the verify output

3rdLOF's picture

Here is the verify output from the control panel (Server references in this post were changed to "server_domaincom" for remote server and masterdomain.com for Master for security reasons):

Task starts processing
Running: /var/aegir/drush/drush.php provision-save '@server_domaincom' --backend
Drush bootstrap phase : _drush_bootstrap_drush()
Found command: provision-save (commandfile=provision)
Initializing drush commandfile: drush_make
Initializing drush commandfile: drush_make_d_o
Initializing drush commandfile: provision
Load alias @self
Load alias @server_master
Loading mysql driver for the db service
Loading apache_ssl driver for the http service
Loading mysql driver for the db service
Loading apache_ssl driver for the http service
Load alias @server_domaincom
Loading mysql driver for the db service
Loading apache_ssl driver for the http service
Template loaded: /var/aegir/.drush/provision/provision_drushrc_alias.tpl.php
Changed permissions of /var/aegir/.drush/server_domaincom.alias.drushrc.php to 600
Generated config Drush configuration file
Changed permissions of /var/aegir/.drush/server_domaincom.alias.drushrc.php to 400
Command dispatch complete
Peak memory usage was 4.29 MB
Running: /var/aegir/drush/drush.php @server_domaincom provision-verify --backend
The external command could not be executed due to an application error.
Drush bootstrap phase : _drush_bootstrap_drush()
Load alias @server_domaincom
Found command: provision-verify (commandfile=provision)
Initializing drush commandfile: drush_make
Initializing drush commandfile: drush_make_d_o
Initializing drush commandfile: provision
Load alias @server_master
Loading mysql driver for the db service
Loading apache_ssl driver for the http service
Loading mysql driver for the db service
Loading apache_ssl driver for the http service
Including /var/aegir/.drush/provision/platform/backupmigrate/verify.provision.inc
Including /var/aegir/.drush/provision/platform/verify.provision.inc
Provision configuration path /var/aegir/config/server_domaincom exists.
Provision configuration ownership of /var/aegir/config/server_domaincom has been changed to aegir.
Provision configuration permissions of /var/aegir/config/server_domaincom have been changed to 711.
Provision configuration path /var/aegir/config/server_domaincom is writable.
/var/aegir/config/includes has been synced to remote server domain.com.
SQLSTATE[HY000] [1130] Host 'masterdomain.com' is not allowed to connect to this MySQL server
Drush command could not be completed.
Output from failed command : Fatal error: Call to a member function quote() on a non-object in /var/aegir/.drush/provision/db/db.drush.inc on line 315
An error occurred at function : drush_hosting_task
Command dispatch complete
Peak memory usage was 12.05 MB

Things I checked and tried -without necessarily knowing if they are connected or how each relates to each other:

1) I checked the memory and execution time allowances for both /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini, pumped them up to 96M and 60 seconds each. I saw this in quite a few posts, but as you can see that did little. (restarted apache, rebooted entire node afterwards)

2) /etc/mysql/my.cnf -> tested with bind uncommented, uncommented using the public IP of the node. Neither seemed to change anything.

Thanks for throwing me a bone.

Ok, finally I was able to get

3rdLOF's picture

Ok, finally I was able to get through this.

First of all, most of the issues regarding SSH above are to be ignored, as the problem had to do with the fact (stupid, stupid, stupid!!) that in testing the rsync from ssh I synced the home folder for both aegir users (from master to remote), THUS copying also the .ssh folder, hence why I was having so many weird issues with permissions and the key did not work (You may laugh freely, please.)

However, on the SQLSTATE[HY000] [1130] the issue was real. It appears that in the remote server one MUST grant the proper privileges in the database to the Master root user so it can login and do its thing. Explained for 4 year olds like myself:

A) In the remote server, log in to the mysql shell:

mysql -u root -p

B) Not required but do it just to see what you got in your database as far as users and their grant privileges:

select * from mysql.user where User='root' \G

This will spit out all your mysql users and their privileges. Look for the "Host" entry in all instances as this determines which hosts are allowed. If you are getting this error then you more likely have 2 or 3 instances with hosts privileges for localhost, 127.0.0.1, and depending what server you are in, some other local hostname. (For example in mine also for my node's hostname at Linode).

You will need to GRANT additional host privileges for your root @ master's server:

C) Use the Mysql grant command. You probably need to do this only for your master's server IP, but it won't hurt to do it for your domain as well, so you do it TWICE (though I am sure there is a way to do this one time for both hosts, but all the same):

GRANT ALL PRIVILEGES ON *.* TO root@xxx.xxx.xxx.xxx IDENTIFIED BY 'thepassword' WITH GRANT OPTION;

and

GRANT ALL PRIVILEGES ON *.* TO root@yourmasterdomain.com IDENTIFIED BY 'thepassword' WITH GRANT OPTION;

then flush the privileges to get system aware of the changes.

FLUSH PRIVILEGES;

D) I suggest you check AGAIN, but again, not necessary:

select * from mysql.user where User='root' \G

Now you should see two additional instances for "root", one with the IP, the other with the domain.

E) Go back and retry verification. It should do it. Personally, I suggest a quiet celebration. In my case, I probably woke up every neighbor in a one mile radius from my house @ 7 AM on a Sunday morning.

Cheers.

EDIT: Shouldn't this be at least mentioned in the INSTALL.txt at HEAD under the "Remote Servers" section?
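
Why the [1130] error above appears before any password is checked, as an added example that is not part of the original thread: a simplified Python model of how the MySQL server compares a connecting client against the Host column of mysql.user. The sample rows, hostnames and IP addresses are constructed placeholders, and escaped wildcards and netmask hosts are not modelled.

```python
import re

# Constructed (User, Host) rows, as mysql.user might look on the remote
# server before the GRANT; all hostnames and IPs below are placeholders.
SAMPLE_ROWS = [
    ("root", "localhost"),
    ("root", "127.0.0.1"),
    ("root", "remote-node.example.net"),
]


def host_pattern_to_regex(pattern):
    """Translate a Host value (% = any run, _ = one char) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def host_matches(pattern, client_hostname, client_ip):
    """True if the pattern matches the client's resolved name or its IP."""
    rx = host_pattern_to_regex(pattern)
    return any(c and rx.fullmatch(c) for c in (client_hostname, client_ip))


def diagnose(rows, user, client_hostname, client_ip):
    """Report how far a connecting client gets in the account lookup."""
    reachable = [u for u, h in rows
                 if host_matches(h, client_hostname, client_ip)]
    if not reachable:
        return "1130 host not allowed"      # no row admits this host at all
    if user not in reachable and "" not in reachable:
        return "1045 access denied"         # host is known, user is not
    return "account row found"              # password check comes next


def wildcard_hosts(rows, user="root"):
    """Host values for `user` that admit more than one exact client."""
    return [h for u, h in rows if u == user and ("%" in h or "_" in h)]


if __name__ == "__main__":
    master = ("master.example.com", "203.0.113.10")
    print(diagnose(SAMPLE_ROWS, "root", *master))
    print(diagnose(SAMPLE_ROWS + [("root", master[1])], "root", *master))
```

A row for the master's exact IP is enough to get past the host check, and `wildcard_hosts` flags any root row that would admit more clients than the one master.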

This solved my problems!

remco75's picture

I agree, the 'remote servers' section could use some more details.

Although these errors have nothing to do with aegir itself (it's basic mysql server knowledge), it might be handy to have a sort of remote server checklist thing.

Wonderful job on aegir so far btw!
