Agent forwarding fails when using ssh tunnel for starting service by fleetctl #1352

l15k4 · 2015-09-14T07:14:37Z

Hey,

I created a new ticket for this issue as it is a different problem.

@bcwaldon Isn't it possible to get more information about the problem? It happens here :
https://github.com/coreos/fleet/blob/master/Godeps/_workspace/src/golang.org/x/crypto/ssh/agent/forward.go#L19

CoreOS stable (723.3.0)

Agent forwarding works on my laptop in general terms. my .ssh/config :

################################################
# General
Host *
StrictHostKeyChecking no
ServerAliveInterval 15
ForwardAgent yes
ForwardX11 no
###################################

Sometimes load works and it gets stuck on start but it happens even on service load :

$ fleetctl --version
fleetctl version 0.11.5+git
$ export FLEETCTL_TUNNEL=127.0.0.1:2222
$ ls
es-data@.service  es-discovery@.service  es-intelligent-discovery@.service  es@.service
$ fleetctl list-machines
MACHINE     IP      METADATA
d6112b20... 172.17.8.102    -
e604d80e... 172.17.8.101    -
$ fleetctl list-units
UNIT    MACHINE ACTIVE  SUB
$ fleetctl load es-data@{1,2}.service
2015/09/14 10:23:23 WARN fleetctl.go:799: Error retrieving Unit(es-data@2.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%402.service?alt=json: forwarding request denied
2015/09/14 10:23:34 WARN fleetctl.go:799: Error retrieving Unit(es-data@1.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%401.service?alt=json: forwarding request denied
2015/09/14 10:23:38 WARN fleetctl.go:799: Error retrieving Unit(es-data@2.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%402.service?alt=json: forwarding request denied
2015/09/14 10:24:09 WARN fleetctl.go:799: Error retrieving Unit(es-data@1.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%401.service?alt=json: forwarding request denied
2015/09/14 10:24:52 WARN fleetctl.go:799: Error retrieving Unit(es-data@2.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%402.service?alt=json: forwarding request denied
2015/09/14 10:25:17 WARN fleetctl.go:799: Error retrieving Unit(es-data@1.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%401.service?alt=json: ssh: rejected: administratively prohibited (open failed)
2015/09/14 10:25:17 WARN fleetctl.go:799: Error retrieving Unit(es-data@2.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%402.service?alt=json: ssh: rejected: administratively prohibited (open failed)
2015/09/14 10:25:27 WARN fleetctl.go:799: Error retrieving Unit(es-data@1.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%401.service?alt=json: ssh: rejected: administratively prohibited (open failed)
2015/09/14 10:25:29 WARN fleetctl.go:799: Error retrieving Unit(es-data@2.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%402.service?alt=json: ssh: rejected: administratively prohibited (open failed)
2015/09/14 10:25:44 WARN fleetctl.go:799: Error retrieving Unit(es-data@1.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%401.service?alt=json: ssh: rejected: administratively prohibited (open failed)
2015/09/14 10:26:05 WARN fleetctl.go:799: Error retrieving Unit(es-data@2.service) from Registry: Get http://domain-sock/fleet/v1/units/es-data%402.service?alt=json: ssh: rejected: administratively prohibited (open failed)

Imho if you try reproduce sections Remote Fleet Access and Vagrant https://github.com/coreos/fleet/blob/master/Documentation/using-the-client.md you won't be able to start the services....

It seems to be resolved by explicitly setting --endpoint http://172.17.8.101:2379,http://172.17.8.101:2379

Anyway it hangs indefinitely with these debug messages :

2015/09/14 14:17:37 DEBUG fleetctl.go:815: Waiting for Unit(es-data@2.service) state(inactive) to be loaded
2015/09/14 14:17:37 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json
2015/09/14 14:17:37 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json 200 OK
2015/09/14 14:17:37 DEBUG fleetctl.go:815: Waiting for Unit(es-data@1.service) state(inactive) to be loaded
2015/09/14 14:17:37 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json
2015/09/14 14:17:37 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json 200 OK
2015/09/14 14:17:37 DEBUG fleetctl.go:815: Waiting for Unit(es-data@2.service) state(inactive) to be loaded
2015/09/14 14:17:37 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json
2015/09/14 14:17:37 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json 200 OK
2015/09/14 14:17:37 DEBUG fleetctl.go:815: Waiting for Unit(es-data@1.service) state(inactive) to be loaded
2015/09/14 14:17:38 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json
2015/09/14 14:17:38 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json 200 OK
2015/09/14 14:17:38 DEBUG fleetctl.go:815: Waiting for Unit(es-data@2.service) state(inactive) to be loaded
2015/09/14 14:17:38 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json
2015/09/14 14:17:38 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json 200 OK
2015/09/14 14:17:38 DEBUG fleetctl.go:815: Waiting for Unit(es-data@1.service) state(inactive) to be loaded
2015/09/14 14:17:38 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json
2015/09/14 14:17:38 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json 200 OK
2015/09/14 14:17:38 DEBUG fleetctl.go:815: Waiting for Unit(es-data@2.service) state(inactive) to be loaded
2015/09/14 14:17:38 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json
2015/09/14 14:17:38 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json 200 OK
2015/09/14 14:17:38 DEBUG fleetctl.go:815: Waiting for Unit(es-data@1.service) state(inactive) to be loaded
2015/09/14 14:17:39 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json
2015/09/14 14:17:39 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%402.service?alt=json 200 OK
2015/09/14 14:17:39 DEBUG fleetctl.go:815: Waiting for Unit(es-data@2.service) state(inactive) to be loaded
2015/09/14 14:17:39 DEBUG http.go:28: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json
2015/09/14 14:17:39 DEBUG http.go:31: HTTP GET http://domain-sock/fleet/v1/units/es-data%401.service?alt=json 200 OK
2015/09/14 14:17:39 DEBUG fleetctl.go:815: Waiting for Unit(es-data@1.service) state(inactive) to be loaded

The text was updated successfully, but these errors were encountered:

l15k4 · 2015-09-14T14:31:45Z

It wasn't related to ssh tunnel, I was just loading multiple services where the latter depends on the former this way :

fleetctl load a@service
fleetctl load b-depends-on-a@service

but you gotta do this :

fleetctl load -no-block=false a@service 
fleetctl load b-depends-on-a@service

or this way :

fleetctl load a@service b-depends-on-a@service

l15k4 changed the title ~~Agent forwarding fails when using fleetctl --tunnel~~ Agent forwarding fails when using ssh tunnel for starting service by fleetctl Sep 14, 2015

l15k4 closed this as completed Sep 14, 2015

kayrus mentioned this issue Feb 5, 2016

fleetctl submit/start for more than 5 units at a time fails #1425

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Agent forwarding fails when using ssh tunnel for starting service by fleetctl #1352

Agent forwarding fails when using ssh tunnel for starting service by fleetctl #1352

Agent forwarding fails when using ssh tunnel for starting service by fleetctl #1352

Agent forwarding fails when using ssh tunnel for starting service by fleetctl #1352

Comments