wrote docs for emergency ssh access workflow
miampf committed Jan 14, 2025
1 parent d245759 commit 3e22f8a
Showing 1 changed file with 45 additions and 15 deletions.
60 changes: 45 additions & 15 deletions docs/docs/workflows/troubleshooting.md
Expand Up @@ -56,8 +56,6 @@ A solution is to add the [required permissions](../getting-started/install.md#re

If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior.



### Nodes fail to join with error `untrusted measurement value`

This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice).
Expand Down Expand Up @@ -128,24 +126,56 @@ Debugging via a shell on a node is [directly supported by Kubernetes](https://ku

1. Figure out which node to connect to:

```bash
kubectl get nodes
# or to see more information, such as IPs:
kubectl get nodes -o wide
```
```bash
kubectl get nodes
# or to see more information, such as IPs:
kubectl get nodes -o wide
```

2. Connect to the node:

```bash
kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox
```
```bash
kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox
```

You will be presented with a prompt.
You will be presented with a prompt.

The nodes file system is mounted at `/host`.
The nodes file system is mounted at `/host`.

3. Once finished, clean up the debug pod:

```bash
kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj
```
```bash
kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj
```

### Emergency SSH access

Emergency SSH access to nodes can be useful to diagnose issues or download important data even in the event that the kubernetes API is not accessible anymore.

1. Enter the `constellation-terraform` directory in your constellation workspace and allow emergency SSH access to the cluster:

```bash
cd constellation-terraform
echo "emergency_ssh = true" >> ./terraform.tfvars
terraform apply
```

2. Sign an existing SSH keypair with your master secret:

```bash
cd ../ # go back to your constellation workspace
constellation ssh --key your_public_key.pub
```

A certificate will be written into the `constellation-terraform` directory.

The certificate is valid for 24 hours and allows you to access your constellation nodes using
[certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication).

3. Finally, you can connect to any constellation node:

```bash
ssh -F ./constellation-terraform/ssh_config -i your_private_key <PRIVATE_NODE_IP>
```

You can obtain the private IP via your CSPs web UI.
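
Review bot: the new "Emergency SSH access" steps stop at step 3 (connect) and never say how to close the access again, whereas the debug-pod procedure just above ends with an explicit clean-up step. Step 1 appends `emergency_ssh = true` to `terraform.tfvars` and applies it, and nothing in the text reverts it; suggest adding a step 4 that sets the variable back and re-runs `terraform apply`, and that reminds the reader the signed certificate written to `constellation-terraform` stays usable for its 24-hour validity. Two smaller points: in step 1, `>>` appends a new line on every run, so repeating the procedure leaves duplicate `emergency_ssh` entries in the file; and step 2 says "keypair" while the command takes only the public key (`--key your_public_key.pub`), so "public key" would be more accurate.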
