
(3.7.0-3.12.0) Cluster creation failure on custom Ubuntu AMIs shipping OpenSSH 9.7, caused by unsupported DSA keys

Himani Anil Deshpande edited this page Feb 10, 2025 · 2 revisions

The issue

We have discovered an issue that causes cluster creation to fail when an Ubuntu AMI with OpenSSH 9.7+ is used on the head node and login nodes are configured for the cluster. If your cluster is affected, cluster creation fails with the following error message in the head node's chef-client.log:

---- Begin output of bash /opt/parallelcluster/shared_login_nodes/scripts/keys-manager.sh --create --folder-path /opt/parallelcluster/shared_login_nodes ----  
STDOUT: [INFO] Creating host keys  
STDERR: unknown key type dsa  
---- End output of bash /opt/parallelcluster/shared_login_nodes/scripts/keys-manager.sh --create --folder-path /opt/parallelcluster/shared_login_nodes ----  
Ran bash /opt/parallelcluster/shared_login_nodes/scripts/keys-manager.sh --create --folder-path /opt/parallelcluster/shared_login_nodes returned 255

The issue occurs because OpenSSH 9.7+ no longer supports creation of DSA keys, and the head node's bootstrap process creates DSA host keys alongside RSA keys for the login nodes.

Affected ParallelCluster versions, OSes and schedulers

ParallelCluster 3.7.0-3.12.0 on custom AMIs based on Ubuntu where OpenSSH 9.7+ is installed. Other OSes are not affected because the head node creates DSA keys only on Ubuntu.
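A pre-flight check you can run on a custom Ubuntu AMI before creating the cluster, to decide whether the OnNodeStart patch is needed, plus a check for the symptom in an existing chef-client.log. This is an added example, not part of the ParallelCluster project or of this wiki page; the sample banner and log lines are constructed here.

```shell
#!/bin/sh
# Decide whether an AMI ships OpenSSH 9.7 or newer (DSA key creation removed),
# which is the condition that breaks keys-manager.sh on the head node.

# Extract "major.minor" from an `ssh -V` banner such as
#   OpenSSH_9.7p1 Ubuntu-7ubuntu4, OpenSSL 3.0.13 30 Jan 2024
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Print "yes" when the banner is OpenSSH >= 9.7 (affected), "no" otherwise.
# Returns 2 when the banner cannot be parsed.
dsa_unsupported() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 7 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Live check on the image being validated: `ssh -V` prints its banner on stderr.
check_local_ssh() {
    dsa_unsupported "$(ssh -V 2>&1)"
}

# Confirm the symptom in chef-client.log text: the keys-manager.sh step
# failing with "unknown key type dsa". Prints "yes" or "no".
log_shows_dsa_failure() {
    if printf '%s\n' "$1" | grep -q 'unknown key type dsa'; then
        echo yes
    else
        echo no
    fi
}

# Constructed samples (not captured from a real node).
SAMPLE_BANNER='OpenSSH_9.7p1 Ubuntu-7ubuntu4, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_LOG='STDOUT: [INFO] Creating host keys
STDERR: unknown key type dsa'

echo "affected OpenSSH: $(dsa_unsupported "$SAMPLE_BANNER")"
echo "log shows DSA failure: $(log_shows_dsa_failure "$SAMPLE_LOG")"
```

On the AMI itself, `check_local_ssh` printing `yes` means the cluster needs the custom action described under Mitigation.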

Mitigation

The mitigation entails patching the ParallelCluster cookbook upon cluster creation by removing the creation of DSA keys before the cookbook gets executed.

To do so, create the cluster with an OnNodeStart custom action script that patches the cookbook. The following config snippets show how to set the custom action in the ParallelCluster configuration file.

If the head node has internet access, use the following configuration:

HeadNode:
  ...
  CustomActions:
    OnNodeStart:
      Sequence:
        - Script: https://us-east-1-aws-parallelcluster.s3.amazonaws.com/patches/dsa-keys-for-login-nodes/patch.sh 
          Args:
            - https

otherwise:

HeadNode:
  ...
  CustomActions:
    OnNodeStart:
      Sequence:
        - Script: s3://us-east-1-aws-parallelcluster/patches/dsa-keys-for-login-nodes/patch.sh 
          Args:
            - s3