
I ran into almost the same problem as this question, which never got an answer:

nixops: how to use a local ssh key when deploying on a machine with existing nixos (targetEnv none)?

However, I'm not using Terraform. Just NixOS + NixOps. So far I have:

  • Created a new VM on Vultr
  • Done a standard NixOS install from the current iso (20.09 pre something) and set a root password
  • Enabled ssh with root password authentication and ran nixos-rebuild switch
  • Manually generated an ssh key pair on my laptop
  • ssh'd into the VM with the password and added the public key to /root/.ssh/authorized_keys

Now I can ssh into the VM manually with the new key, as expected:

ssh -i .secrets/vultrtest1_rsa root@XXX.XXX.XXX.XXX

Cool. Next, I copied the existing NixOS configuration files to my laptop and tried to hook them up to NixOps. I tried a minimal test1.nix, as well as adding the deployment."none" and/or users.users.root.openssh sections below.

vultrtest1
├── configuration.nix
└── hardware-configuration.nix
test1.nix

# test1.nix
{
  network.description = "vultr test 1";
  network.enableRollback = true;

  vultrtest1 = { config, pkgs, ... } : {
    deployment.targetHost = "XXX.XXX.XXX.XXX";
    imports = [ ./vultrtest1/configuration.nix ];

    # deployment.targetEnv = "none"; # existing nixos vm

    # same result with or without this section:
    deployment."none" = {
      sshPrivateKey = builtins.readFile ./secrets/vultrtest1_rsa;
      sshPublicKey  = builtins.readFile ./secrets/vultrtest1_rsa.pub;
      sshPublicKeyDeployed = true;
    };

    # same result with or without this:
    users.users.root.openssh.authorizedKeys.keyFiles = [ ./secrets/vultrtest1_rsa.pub ];
  };

}

In all cases, when I try to create and deploy the network, NixOps tries to generate another SSH key and then fails to log in with it:

$ nixops create test1.nix -d test1
created deployment ‘b4ac25fa-c842-11ea-9a84-00163e5e6c00’
b4ac25fa-c842-11ea-9a84-00163e5e6c00

$ nixops list
+--------------------------------------+-------+------------------------+------------+------+
| UUID                                 | Name  | Description            | # Machines | Type |
+--------------------------------------+-------+------------------------+------------+------+
| b4ac25fa-c842-11ea-9a84-00163e5e6c00 | test1 | Unnamed NixOps network |          0 |      |
+--------------------------------------+-------+------------------------+------------+------+

$ nixops deploy -d test1                                                             
vultrtest1> generating new SSH keypair... done
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 1 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 2 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 4 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 8 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
Traceback (most recent call last):
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/bin/..nixops-wrapped-wrapped", line 991, in <module>
    args.op()
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/bin/..nixops-wrapped-wrapped", line 412, in op_deploy
    max_concurrent_activate=args.max_concurrent_activate)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1063, in deploy
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1052, in run_with_notify
    f()
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1063, in <lambda>
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 996, in _deploy
    nixops.parallel.run_tasks(nr_workers=-1, tasks=self.active_resources.itervalues(), worker_fun=worker)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/parallel.py", line 44, in thread_fun
    result_queue.put((worker_fun(t), None, t.name))
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 979, in worker
    os_release = r.run_command("cat /etc/os-release", capture_stdout=True)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/backends/__init__.py", line 337, in run_command
    return self.ssh.run_command(command, self.get_ssh_flags(), **kwargs)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/ssh_util.py", line 280, in run_command
    master = self.get_master(flags, timeout, user)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/ssh_util.py", line 200, in get_master
    compress=self._compress)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/ssh_util.py", line 57, in __init__
    "‘{0}’&quot;.format(target)
nixops.ssh_util.SSHConnectionFailed: unable to start SSH master connection to ‘root@XXX.XXX.XXX.XXX’

What am I missing? Maybe I can manually add the key NixOps just generated?

Update: I used SQLiteBrowser to look at the NixOps state database and pasted the generated public key into authorized_keys. Now I can ssh manually with the newly generated key, but NixOps still can't deploy.


2 Answers


Solved it for now in a not very satisfying way:

  • Browsed the database to get the public + private key NixOps generated
  • Manually added them to authorized_keys on the VM
  • Also added the old key to my local ~/.ssh, with an entry in ~/.ssh/config

Not sure why NixOps uses the local ssh config, or how to prevent that. The entry that works looks like this:

Host XXX.XXX.XXX.XXX
  HostName XXX.XXX.XXX.XXX
  Port 22
  User root
  IdentityFile ~/.ssh/vultrtest1_rsa

I'll wait a few days and then mark this as the solution, unless someone can explain how to tell NixOps to use the local key in .secrets instead of ~/.ssh.

Answered 2020-07-17T16:56:16.830

Looking at the source code

https://github.com/NixOS/nixops/blob/master/nix/options.nix

there is a deployment.provisionSSHKey option, which says:

deployment.provisionSSHKey = mkOption {
  type = types.bool;
  default = true;
  description = ''
    This option specifies whether to let NixOps provision SSH deployment keys.
    NixOps will by default generate an SSH key, store the private key in its state file,
    and add the public key to the remote host.
    Setting this option to <literal>false</literal> will disable this behaviour
    and rely on you to manage your own SSH keys by yourself and to ensure
    that <command>ssh</command> has access to any keys it requires.
  '';
};

Maybe this helps? I'll give it a try once I'm back at my NixOps machine.

Answered 2020-07-18T09:09:46.127
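As an added example (not part of the question or either answer), here is the question's test1.nix rewritten to use the option the second answer found, with the ssh config entry from the first answer kept as a comment. It assumes the same host placeholder, ./secrets/ paths and ./vultrtest1/ configuration as the question; the page does not confirm that deployment.provisionSSHKey is present in the nixops-1.7 build shown in the traceback, since the answer quotes options.nix from master.

```nix
# test1.nix (added example; assumes the host, key paths and
# ./vultrtest1/ configuration from the question above).
{
  network.description = "vultr test 1";
  network.enableRollback = true;

  vultrtest1 = { config, pkgs, ... }: {
    imports = [ ./vultrtest1/configuration.nix ];

    # "none" backend: an already-installed NixOS host reached over SSH.
    deployment.targetEnv = "none";
    deployment.targetHost = "XXX.XXX.XXX.XXX";

    # The option quoted from nix/options.nix in the second answer.
    # With it false, NixOps does not generate a key pair, does not store
    # a private key in its state file and does not push a public key to
    # the target; which key is used is then entirely up to the ssh client.
    deployment.provisionSSHKey = false;

    # Keep the hand-made key authorised through the NixOS configuration,
    # so a later rebuild cannot drop it from /root/.ssh/authorized_keys.
    users.users.root.openssh.authorizedKeys.keyFiles = [ ./secrets/vultrtest1_rsa.pub ];

    # Because ssh now chooses the identity, the ~/.ssh/config entry from
    # the first answer is still needed; pointing IdentityFile at the key
    # under .secrets avoids copying it into ~/.ssh:
    #
    #   Host XXX.XXX.XXX.XXX
    #     HostName XXX.XXX.XXX.XXX
    #     Port 22
    #     User root
    #     IdentityFile /path/to/.secrets/vultrtest1_rsa
  };
}
```

Read together with the option's description, this also explains the first answer's workaround: the generated private key lives in the NixOps state database, which is why it could be read back out of it; disabling provisioning keeps the only private key in play in the file the ssh config names, so the state database no longer needs to be protected as key material.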