# elemental
f
The cloud-init looks correct at first glance. The entire content should be copied (by default) to the `/oem` path. It should then be executed by the `cos_setup_boot` systemd service if I recall correctly; you can check its logs.
r
I'm guessing it's been changed to: `elemental-setup-boot.service`. I found that, and I found that if I have debug on: `/usr/bin/elemental run-stage boot --debug` I can see some interesting stuff!
```
DEBU[2023-10-12T15:48:11Z] Creating file /etc/ssl/certs/rb.pem
```
some sysinfo dumps in between, then:
```
DEBU[2023-10-12T15:48:11Z] running command `update-ca-certificates`
INFO[2023-10-12T15:48:11Z] Command output:
INFO[2023-10-12T15:48:11Z] Done executing stage 'boot'
```
But there is no file there....
```
cat /etc/ssl/certs/rb.pem
cat: /etc/ssl/certs/rb.pem: No such file or directory
```
f
isn't the path `/etc/ssl/certs/crt.pem`?
oh sorry it's in the debug log
r
Ye, I changed it to rb.pem for testing purposes
f
I can not reproduce it. I tried with:
```
config:
    cloud-config:
      users:
        - name: root
          passwd: root
      write_files:
        - content: |-
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
          owner: root
          path: /etc/ssl/certs/test.pem
          permission: '777'
```
and the file is correctly created. I'm using elemental version 0.11.1, which is included in the baseImage:
`registry.suse.com/rancher/elemental-teal-iso/5.4:1.2.2`
```
m-3af904e7-d9e1-40c8-9a4b-eadb9aff1f53:~ # ls -al /etc/ssl/certs/test.pem
---------- 1 root root 53 Oct 12 16:15 /etc/ssl/certs/test.pem
m-3af904e7-d9e1-40c8-9a4b-eadb9aff1f53:~ # cat /etc/ssl/certs/test.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
```
r
I just confirmed I'm building from the same base image. Can I check if I'm using 0.11.1 from the node?
f
you can run `elemental version`
r
I found it: `DEBU[2023-10-12T15:48:11Z] Starting elemental version 0.11.1 on commit b447804c`
`0.11.1+gb447804`
f
same version
you should also find the file in `/oem/91_custom.yaml`
r
```
m-34f505f6-acaa-45a0-8dc3-e36717312380:/oem # cat /oem/91_custom.yaml
#cloud-config
runcmd:
- update-ca-certificates
ssh_authorized_keys:
- ssh-rsa
users:
- name: root
  passwd:
write_files:
- content: |-
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  owner: root
  path: /etc/ssl/certs/rb.pem
  permission: "777"
```
is this correct?
f
I am not 100% sure you need to set the root user, it should be already set, maybe you can spare that. But note you have no authorized keys, so you may lock yourself out of the system
r
ye, I just deleted all the sensitive info from it.
f
makes sense
also your logs say writing file, so it shouldn't matter
I'm scratching my head over this
r
me too, for a whole 2 days 😄
f
I assume you didn't edit the filesystem or mount points
r
I figured it out!
after removing
```
runcmd:
- update-ca-certificates
```
it works.
f
oooh right
nice one
r
can you try your use case with update-ca-certificates?
I'm guessing I can't not run this command since I need the new cert to be added.
f
yes indeed it removes it
runcmd is run last if I recall correctly
r
ye
```
DEBU[2023-10-12T16:24:57Z] running command `update-ca-certificates`
INFO[2023-10-12T16:24:58Z] Command output:
INFO[2023-10-12T16:24:58Z] Done executing stage 'boot'
```
Sorry about that, I thought the cert wasn't being added since I still had trouble connecting to a solution via https.
Thanks for the help. Do you know if it is normal for etcd snapshotting, cis profile to not work on freshly installed elemental os 5.14.21? The thing is, the rke2 binary is not in path for rke2-server, so it's not able to take the snapshot.
f
You are welcome. For the snapshotting I am not sure; we do not include the rke2 binary by the way, so that should be something you could maybe add with the cloud-init script. I see `/usr/local` is `rw`
r
it's included via: `/opt/rke2/bin/rke2`
f
right, that should be the bootstrap script indeed placing it there then
I would try to ask in the general channel maybe, I am not sure it's related to the Elemental image setup
r
Oh, I thought that the elemental image should be ready to work with rke2 features. I can fix it via the cloud-init, but I thought the default setup should work. Is this maybe a GitHub issue? For reference:
```
Oct 12 16:42:33 m-34f505f6-acaa-45a0-8dc3-e36717312380 rancher-system-agent[5989]: time="2023-10-12T16:42:33Z" level=info msg="[Applyinator] Running command: rke2 [etcd-snapshot save]"
Oct 12 16:42:33 m-34f505f6-acaa-45a0-8dc3-e36717312380 rancher-system-agent[5989]: time="2023-10-12T16:42:33Z" level=error msg="error executing instruction 1: exec: \"rke2\": executable file not found in $PATH"
```
f
indeed the expectation is that this should work out of the box, but what is installing the rke2 binary is Rancher, so I would expect that bootstrap script to take care of this
`journalctl -u rancher-system-agent`
r
16:47:26Z" level=info msg="[Applyinator] Command sh [-c rke2 etcd-snapshot list --etcd-s3=false 2>/dev/null] finished with err: <nil> and exit code: 127"
also seeing a ton of these messages; I'm guessing this is known:
16:47:11Z" level=error msg="error encountered during parsing of last run time: parsing time \"\" as \"Mon Jan _2 15:04:05 MST 2006\": cannot parse \"\" as \"Mon\""
f
not really sure, you could check: https://github.com/rancher/system-agent
Also, in the #general channel you will find people with better experience than myself in this
r
On further diagnosis, the documentation said to insert the crt here:
```
/etc/ssl/certs/crt.pem
```
and running
```
update-ca-certificates
```
It removes the crt and does not successfully add it to the trust no matter what I do. But... adding a cert to `/etc/pki/trust/anchors/` works like a charm and no need to run that command. Is this something that you guys might want to edit in the documentation?
f
Thank you for pointing it out, I opened a PR to fix it