From 28849389eab3905ba73b76e90df02c8ef2a506d5 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 11 Nov 2025 06:26:50 +0000 Subject: [PATCH 1/2] fix: Add SSH username configuration for Proxmox provider - Added pm_ssh_username variable (default: "root") - Updated Proxmox provider SSH config to use username - Fixes "unable to authenticate user "" over SSH" error - Updated terraform.tfvars.example with SSH username - Enhanced README with complete SSH setup instructions - Added troubleshooting for common SSH authentication issues --- .../proxmox-examples/docker-host/README.md | 58 ++++++++++++++++--- .../proxmox-examples/docker-host/main.tf | 3 +- .../docker-host/terraform.tfvars.example | 3 + .../proxmox-examples/docker-host/variables.tf | 6 ++ 4 files changed, 60 insertions(+), 10 deletions(-) diff --git a/terraform/proxmox-examples/docker-host/README.md b/terraform/proxmox-examples/docker-host/README.md index 0cb40d5..0414cae 100644 --- a/terraform/proxmox-examples/docker-host/README.md +++ b/terraform/proxmox-examples/docker-host/README.md @@ -203,9 +203,26 @@ nano terraform.tfvars **Required changes:** - `pm_api_token_secret` - Your Proxmox API secret +- `pm_ssh_username` - SSH username for Proxmox host (usually "root") - `vm_ssh_keys` - Your SSH public key - `vm_password` - Set a secure password +**Important:** Before running terraform, ensure you have SSH access: +```bash +# Test SSH access to Proxmox +ssh root@proxmox.local + +# If prompted for password, set up key-based auth: +ssh-copy-id root@proxmox.local + +# Start ssh-agent and add your key +eval "$(ssh-agent -s)" +ssh-add ~/.ssh/id_rsa # or id_ed25519, etc. + +# Verify key is loaded +ssh-add -L +``` + **Optional changes:** - `vm_name` - Change VM name - `vm_cores` / `vm_memory` - Adjust resources 
@@ -513,27 +530,50 @@ pvesm add dir local-snippets --path /var/lib/vz/snippets --content snippets ### SSH Authentication Failed -Error: `failed to open SSH client: unable to authenticate` +Error: `failed to open SSH client: unable to authenticate user "" over SSH` -**Cause:** The Proxmox provider needs SSH access to upload cloud-init files +**Cause:** The Proxmox provider needs SSH access to upload cloud-init files. This error occurs when: +1. SSH username is not set +2. SSH key is not in ssh-agent +3. SSH key is not authorized on Proxmox host -**Solution 1 - Add SSH key to Proxmox (Recommended):** +**Solution - Complete SSH Setup:** ```bash -# On your workstation, generate SSH key if you don't have one +# 1. Generate SSH key if you don't have one ssh-keygen -t ed25519 -C "terraform@homelab" +# Save to: /home/youruser/.ssh/id_ed25519 -# Copy to Proxmox host -ssh-copy-id root@proxmox.local +# 2. Copy to Proxmox host (replace with your actual Proxmox IP) +ssh-copy-id root@10.0.0.169 -# Add key to ssh-agent +# 3. Start ssh-agent (REQUIRED!) eval "$(ssh-agent -s)" + +# 4. Add your key to ssh-agent (REQUIRED!) ssh-add ~/.ssh/id_ed25519 -# Verify +# 5. Verify key is loaded ssh-add -L -ssh root@proxmox.local "echo 'SSH works!'" +# Should show your public key + +# 6. Test SSH connection +ssh root@10.0.0.169 "echo 'SSH works!'" +# Should succeed without password + +# 7. Ensure pm_ssh_username is set in terraform.tfvars +# pm_ssh_username = "root" + +# 8. 
Now run terraform +./scripts/tf apply ``` +**Common Issues:** + +- **ssh-agent not running:** Run `eval "$(ssh-agent -s)"` in your current terminal +- **Key not added:** Run `ssh-add ~/.ssh/id_ed25519` (or id_rsa) +- **Wrong username:** Check `pm_ssh_username` in terraform.tfvars matches your Proxmox SSH user +- **Key not authorized:** Run `ssh-copy-id` again to ensure key is in ~/.ssh/authorized_keys on Proxmox + **Solution 2 - Use API token only (workaround):** If SSH is problematic, you can create the cloud-init snippet manually: diff --git a/terraform/proxmox-examples/docker-host/main.tf b/terraform/proxmox-examples/docker-host/main.tf index 8232977..53c1ff2 100644 --- a/terraform/proxmox-examples/docker-host/main.tf +++ b/terraform/proxmox-examples/docker-host/main.tf @@ -18,7 +18,8 @@ provider "proxmox" { insecure = var.pm_tls_insecure ssh { - agent = true + agent = true + username = var.pm_ssh_username } } diff --git a/terraform/proxmox-examples/docker-host/terraform.tfvars.example b/terraform/proxmox-examples/docker-host/terraform.tfvars.example index 879a934..11a3cf9 100644 --- a/terraform/proxmox-examples/docker-host/terraform.tfvars.example +++ b/terraform/proxmox-examples/docker-host/terraform.tfvars.example @@ -4,6 +4,9 @@ pm_api_token_id = "root@pam!terraform" pm_api_token_secret = "your-secret-here" pm_tls_insecure = true +# SSH username for Proxmox host (for uploading cloud-init snippets) +pm_ssh_username = "root" + # Proxmox Configuration proxmox_node = "pve" template_vm_id = 9000 diff --git a/terraform/proxmox-examples/docker-host/variables.tf b/terraform/proxmox-examples/docker-host/variables.tf index ce6c0f7..6f23cc6 100644 --- a/terraform/proxmox-examples/docker-host/variables.tf +++ b/terraform/proxmox-examples/docker-host/variables.tf 
@@ -22,6 +22,12 @@ variable "pm_tls_insecure" { default = true } +variable "pm_ssh_username" { + description = "SSH username for Proxmox host (used for uploading cloud-init files)" + type = string + default = "root" +} + variable "proxmox_node" { description = "Proxmox node name" type = string From 460610986cce79ce76117f8ec32fd9d3412f06f7 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 11 Nov 2025 06:28:37 +0000 Subject: [PATCH 2/2] docs: Add non-root SSH user support for Terraform - Updated documentation for users who disable root SSH - Added setup instructions for non-root user with sudo access - Configured write permissions for /var/lib/vz/snippets - Added Option A (root) and Option B (non-root) SSH setup guides - Enhanced troubleshooting for permission denied errors - Updated terraform.tfvars.example with non-root user example --- .../proxmox-examples/docker-host/README.md | 94 +++++++++++++++---- .../docker-host/terraform.tfvars.example | 2 + .../proxmox-examples/docker-host/variables.tf | 2 +- 3 files changed, 80 insertions(+), 18 deletions(-) diff --git a/terraform/proxmox-examples/docker-host/README.md b/terraform/proxmox-examples/docker-host/README.md index 0414cae..7cf3a2b 100644 --- a/terraform/proxmox-examples/docker-host/README.md +++ b/terraform/proxmox-examples/docker-host/README.md 
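Review bot: The `pm_ssh_username` variable added to variables.tf in patch 1/2 accepts an empty string, which would presumably bring back the `unable to authenticate user ""` failure this patch fixes, only later and from inside the provider. A `validation` block on the variable would reject that at plan time with a clear message. Separately, `default = "root"` means anyone who leaves the variable unset gets a root login on the hypervisor for what the description calls a file upload. Consider dropping the default so the account is a deliberate choice, or state the implication in the description.

```hcl
variable "pm_ssh_username" {
  # … unchanged: description, type, default …

  validation {
    condition     = length(trimspace(var.pm_ssh_username)) > 0
    error_message = "pm_ssh_username must not be empty."
  }
}
```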
@@ -208,19 +208,51 @@ nano terraform.tfvars - `vm_password` - Set a secure password **Important:** Before running terraform, ensure you have SSH access: -```bash -# Test SSH access to Proxmox -ssh root@proxmox.local -# If prompted for password, set up key-based auth: +**Option A - Root SSH (if enabled):** +```bash +# Set in terraform.tfvars +pm_ssh_username = "root" + +# Set up key-based auth ssh-copy-id root@proxmox.local # Start ssh-agent and add your key eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_rsa # or id_ed25519, etc. -# Verify key is loaded -ssh-add -L +# Verify +ssh root@proxmox.local "echo 'SSH works!'" +``` + +**Option B - Non-root user with sudo (recommended for security):** +```bash +# Set in terraform.tfvars +pm_ssh_username = "eduardo" # Your username + +# Set up key-based auth for your user +ssh-copy-id eduardo@proxmox.local + +# On Proxmox host, ensure your user can write to snippets directory +ssh eduardo@proxmox.local +sudo usermod -aG www-data eduardo # Add to www-data group +sudo chmod g+w /var/lib/vz/snippets +sudo chown root:www-data /var/lib/vz/snippets + +# OR set up passwordless sudo for snippet uploads (more secure) +sudo visudo -f /etc/sudoers.d/terraform-snippets +# Add this line (replace 'eduardo' with your username): +# eduardo ALL=(ALL) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/* + +# Exit Proxmox and test locally +exit + +# Start ssh-agent and add your key +eval "$(ssh-agent -s)" +ssh-add ~/.ssh/id_rsa # or id_ed25519, etc. + +# Verify SSH and write access +ssh eduardo@proxmox.local "ls -la /var/lib/vz/snippets" ``` **Optional changes:** 
@@ -538,12 +570,13 @@ Error: `failed to open SSH client: unable to authenticate user "" over SSH` 3. SSH key is not authorized on Proxmox host **Solution - Complete SSH Setup:** + +**For root user:** ```bash # 1. Generate SSH key if you don't have one ssh-keygen -t ed25519 -C "terraform@homelab" -# Save to: /home/youruser/.ssh/id_ed25519 -# 2. Copy to Proxmox host (replace with your actual Proxmox IP) +# 2. Copy to Proxmox host ssh-copy-id root@10.0.0.169 # 3. Start ssh-agent (REQUIRED!) @@ -552,18 +585,44 @@ eval "$(ssh-agent -s)" # 4. Add your key to ssh-agent (REQUIRED!) ssh-add ~/.ssh/id_ed25519 -# 5. Verify key is loaded -ssh-add -L -# Should show your public key - -# 6. Test SSH connection +# 5. Test SSH connection ssh root@10.0.0.169 "echo 'SSH works!'" -# Should succeed without password -# 7. Ensure pm_ssh_username is set in terraform.tfvars -# pm_ssh_username = "root" +# 6. Set in terraform.tfvars +pm_ssh_username = "root" -# 8. Now run terraform +# 7. Run terraform +./scripts/tf apply +``` + +**For non-root user (if root SSH is disabled):** +```bash +# 1. Generate SSH key if you don't have one +ssh-keygen -t ed25519 -C "terraform@homelab" + +# 2. Copy to Proxmox host (use your username) +ssh-copy-id eduardo@10.0.0.169 + +# 3. Configure write permissions on Proxmox +ssh eduardo@10.0.0.169 +sudo usermod -aG www-data eduardo +sudo chmod g+w /var/lib/vz/snippets +sudo chown root:www-data /var/lib/vz/snippets +exit + +# 4. Start ssh-agent (REQUIRED!) +eval "$(ssh-agent -s)" + +# 5. Add your key to ssh-agent (REQUIRED!) +ssh-add ~/.ssh/id_ed25519 + +# 6. Test SSH and permissions +ssh eduardo@10.0.0.169 "touch /var/lib/vz/snippets/test.txt && rm /var/lib/vz/snippets/test.txt" + +# 7. Set in terraform.tfvars +pm_ssh_username = "eduardo" # Your username + +# 8. Run terraform ./scripts/tf apply ``` 
@@ -573,6 +632,7 @@ ssh root@10.0.0.169 "echo 'SSH works!'" - **Key not added:** Run `ssh-add ~/.ssh/id_ed25519` (or id_rsa) - **Wrong username:** Check `pm_ssh_username` in terraform.tfvars matches your Proxmox SSH user - **Key not authorized:** Run `ssh-copy-id` again to ensure key is in ~/.ssh/authorized_keys on Proxmox +- **Permission denied writing snippets (non-root user):** Ensure your user has write access to `/var/lib/vz/snippets` (see non-root setup steps above) **Solution 2 - Use API token only (workaround):** diff --git a/terraform/proxmox-examples/docker-host/terraform.tfvars.example b/terraform/proxmox-examples/docker-host/terraform.tfvars.example index 11a3cf9..f45e556 100644 --- a/terraform/proxmox-examples/docker-host/terraform.tfvars.example +++ b/terraform/proxmox-examples/docker-host/terraform.tfvars.example @@ -5,6 +5,8 @@ pm_api_token_secret = "your-secret-here" pm_tls_insecure = true # SSH username for Proxmox host (for uploading cloud-init snippets) +# If root SSH is disabled, use your personal user (must have sudo access) +# Example: pm_ssh_username = "eduardo" pm_ssh_username = "root" # Proxmox Configuration diff --git a/terraform/proxmox-examples/docker-host/variables.tf b/terraform/proxmox-examples/docker-host/variables.tf index 6f23cc6..1ab0776 100644 --- a/terraform/proxmox-examples/docker-host/variables.tf +++ b/terraform/proxmox-examples/docker-host/variables.tf @@ -23,7 +23,7 @@ variable "pm_tls_insecure" { } variable "pm_ssh_username" { - description = "SSH username for Proxmox host (used for uploading cloud-init files)" + description = "SSH username for Proxmox host (used for uploading cloud-init files). Use your personal user if root SSH is disabled." type = string default = "root" }
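Review bot: The comment added to terraform.tfvars.example in patch 2/2, `must have sudo access`, does not say which commands the account needs, so a reader is likely to grant unrestricted sudo to the user Terraform logs in as. The README hunk in the same patch offers `NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/*` as the "more secure" option, but in sudoers a `*` in the argument list also matches `/` and spaces, so that rule is not confined to files in the snippets directory. I would reword the comment to something like `# If root SSH is disabled, use a dedicated account; see the README for the exact permissions it needs` and make the README's group-write setup on `/var/lib/vz/snippets` the documented default. Whether the provider works with group write access alone is not visible from this patch and should be confirmed.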