
(3.7.0‐3.12.0) Cluster creation failure on custom Ubuntu AMIs shipping OpenSSH 9.7, caused by unsupported DSA keys

hanwen-cluster edited this page Mar 31, 2025 · 4 revisions

The issue

We have discovered an issue that causes cluster creation to fail when an Ubuntu AMI with OpenSSH 9.7+ is used on the head node and login nodes are configured in the cluster. If your cluster is affected, cluster creation fails with the following error message in the head node's chef-client.log:

---- Begin output of bash /opt/parallelcluster/shared_login_nodes/scripts/keys-manager.sh --create --folder-path /opt/parallelcluster/shared_login_nodes ----  
STDOUT: [INFO] Creating host keys  
STDERR: unknown key type dsa  
---- End output of bash /opt/parallelcluster/shared_login_nodes/scripts/keys-manager.sh --create --folder-path /opt/parallelcluster/shared_login_nodes ----  
Ran bash /opt/parallelcluster/shared_login_nodes/scripts/keys-manager.sh --create --folder-path /opt/parallelcluster/shared_login_nodes returned 255"

The issue occurs because OpenSSH 9.7+ does not support the creation of DSA keys, which the head node's bootstrap process generates along with RSA keys.

Affected ParallelCluster versions, OSes and schedulers

ParallelCluster 3.7.0-3.12.0 on custom AMIs based on Ubuntu where OpenSSH 9.7+ is installed. Other OSes are not impacted because the head node creates DSA keys only on Ubuntu.
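
To check whether a custom Ubuntu AMI falls into this range before using it as a head node with login nodes configured, the following pre-flight script can be run on an instance launched from it. It is an added example, not part of ParallelCluster or its cookbook; the function names and verdict strings are assumptions, and the 9.7 threshold is the one stated on this page.

```sh
#!/bin/sh
# Added example (not ParallelCluster code): pre-flight check for a custom Ubuntu AMI.

# Return 0 if an `ssh -V` banner reports OpenSSH 9.7 or newer (the range this
# page gives as unable to create DSA keys), 1 if older, 2 if unparseable.
# Constructed banner for reference: "OpenSSH_9.7p1 Ubuntu-7ubuntu4, OpenSSL 3.0.13"
openssh_at_least_9_7() {
    _ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$_ver" ] || return 2
    _major=${_ver% *}; _minor=${_ver#* }
    [ "$_major" -gt 9 ] || { [ "$_major" -eq 9 ] && [ "$_minor" -ge 7 ]; }
}

# Ground truth: try to create a throwaway DSA key with the local ssh-keygen.
# Return 0 if it works, 1 if it fails, 3 if the probe cannot be run.
ssh_keygen_supports_dsa() {
    command -v ssh-keygen >/dev/null 2>&1 || return 3
    _tmp=$(mktemp -d) || return 3
    _rc=0
    ssh-keygen -q -t dsa -N '' -f "$_tmp/probe_key" </dev/null >/dev/null 2>&1 || _rc=1
    rm -rf "$_tmp"
    return "$_rc"
}

# Combine both signals: the probe result wins; the version is the fallback.
classify_ami() {   # $1 = ssh -V banner, $2 = return code of the DSA probe
    case "$2" in
        0) echo "not-affected" ;;
        1) echo "affected" ;;
        *) _v=0; openssh_at_least_9_7 "$1" || _v=$?
           case "$_v" in
               0) echo "affected" ;;
               1) echo "not-affected" ;;
               *) echo "unknown" ;;
           esac ;;
    esac
}

# Report on the machine the script runs on.
preflight() {
    _banner=$(ssh -V 2>&1 || true)
    _probe=0; ssh_keygen_supports_dsa || _probe=$?
    echo "OpenSSH banner: $_banner"
    echo "Verdict: $(classify_ami "$_banner" "$_probe")"
}

preflight
```

A verdict of `affected` means the image would hit the `unknown key type dsa` failure only when login nodes are configured on one of the ParallelCluster versions listed above.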

Mitigation

To mitigate, you need to build a new ParallelCluster AMI where the cookbook is patched.

  1. Follow steps 1-6 described in the official guide Modify an AWS ParallelCluster AMI.
  2. Customize the AMI by downloading and running the patch:
       wget https://us-east-1-aws-parallelcluster.s3.amazonaws.com/patches/dsa-keys-for-login-nodes/patch.sh
       # Owner-executable is enough; avoid a world-writable mode on a script that runs under sudo
       chmod u+x patch.sh
       sudo ./patch.sh https
  3. Proceed with steps 8-11 described in the official guide Modify an AWS ParallelCluster AMI.
  4. Create a cluster using the generated AMI.