Help with fresh 4.0.0 installation for newbie


#1

I’m trying to install concourse 4.0.0. I have followed the documentation as closely as possible (except using systemd unit files to start with environment var configs and have it fronted with nginx and an SSL cert). Have concourse web running as user concourse with the following config environment:

CONCOURSE_SESSION_SIGNING_KEY=/etc/concourse/session_signing_key
CONCOURSE_TSA_HOST_KEY=/etc/concourse/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=/etc/concourse/authorized_worker_keys
CONCOURSE_POSTGRES_SOCKET=/var/run/postgresql/
CONCOURSE_EXTERNAL_URL=https://build.MYDOMAIN
CONCOURSE_BIND_IP=127.0.0.1
CONCOURSE_PEER_URL=http://127.0.0.1:8080
CONCOURSE_ADD_LOCAL_USER=admin:admin_password
CONCOURSE_AUTH_DURATION=60d
CONCOURSE_MAIN_TEAM_LOCAL_USER=admin

and a concourse worker running as user root with the following config environment:

CONCOURSE_WORK_DIR=/var/lib/concourse
CONCOURSE_TSA_WORKER_PRIVATE_KEY=/etc/concourse/worker_key
CONCOURSE_TSA_PUBLIC_KEY=/etc/concourse/tsa_host_key.pub

Both are started and listening:

# netstat -atnp | grep LISTEN
tcp        0      0 127.0.0.1:7788          0.0.0.0:*               LISTEN      13995/concourse 
tcp        0      0 127.0.0.1:8079          0.0.0.0:*               LISTEN      13935/concourse 
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      13935/concourse 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8894/nginx -g daemo
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1677/sshd       
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      9314/postgres   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      8894/nginx -g daemo
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      13995/concourse 
tcp        0      0 127.0.0.1:8099          0.0.0.0:*               LISTEN      13995/concourse 
tcp6       0      0 :::2222                 :::*                    LISTEN      13935/concourse 
tcp6       0      0 :::22                   :::*                    LISTEN      1677/sshd    

Database is set up and migrated.

So I try the tutorial https://concoursetutorial.com/ with this setup.

$ git clone https://github.com/starkandwayne/concourse-tutorial
$ cd concourse-tutorial/tutorials/basic/task-hello-world

now login fly as the created admin user:

$ fly --target tutorial login --concourse-url https://build.MYDOMAIN
logging in to team 'main'

navigate to the following URL in your browser:

  https://build.MYDOMAIN/sky/login?redirect_uri=http://127.0.0.1:38963/auth/callback

or enter token manually: 
target saved

$ fly --target tutorial sync
version 4.0.0 already matches; skipping

$ fly -t tutorial execute -c task_hello_world.yml
could not find a valid token.
logging in to team 'main'

navigate to the following URL in your browser:

  https://build.MYDOMAIN/sky/login?redirect_uri=http://127.0.0.1:33643/auth/callback

or enter token manually: 
target saved
executing build 6 at https://build.MYDOMAIN/builds/6 
initializing
no workers
errored

So a few questions about my install and setup.

  1. Why do I constantly have to re-auth fly? You can see it says “could not find a valid token.” the second time (and thereafter). If I cat ~/.flyrc I see I have a Bearer token granted to me. How do I find out why my authentication isn’t “sticking”?

  2. Why does it say “no workers/errored” when I have a worker running? How do I find out why this worker can’t be “seen” from the main ATC web component?

  3. As a side note I see that port 2222 is only bound on ipv6 (the default address is 0.0.0.0). I thought this may be the source of the problem and I tried binding it to 127.0.0.1 and specifying that as the worker address, but it did not fix anything. Is this a problem? Should it also be bound to the ipv4 default address?

As extra info, the end of my concourse web journal looks like this:

Aug 16 12:51:51 build concourse[13935]: {"timestamp":"1534423911.360254526","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39692","session":"519"}}
Aug 16 12:51:51 build concourse[13935]: {"timestamp":"1534423911.368062258","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39694","session":"520"}}
Aug 16 12:51:51 build concourse[13935]: {"timestamp":"1534423911.375870228","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39696","session":"521"}}
Aug 16 12:51:53 build concourse[13935]: {"timestamp":"1534423913.821436405","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39702","session":"522"}}
Aug 16 12:51:58 build concourse[13935]: {"timestamp":"1534423918.828063011","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39716","session":"523"}}
Aug 16 12:52:02 build concourse[13935]: {"timestamp":"1534423922.196336985","source":"atc","message":"atc.dex.event","log_level":1,"data":{"fields":{},"message":"login successful: connector \"local\", name=\"\", email=\"admin\", groups=[]","session":"5"}}
Aug 16 12:52:03 build concourse[13935]: {"timestamp":"1534423923.836579800","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39758","session":"524"}}
Aug 16 12:52:08 build concourse[13935]: {"timestamp":"1534423928.845410109","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39776","session":"525"}}
Aug 16 12:52:12 build concourse[13935]: {"timestamp":"1534423932.546507359","source":"atc","message":"atc.dex.event","log_level":1,"data":{"fields":{},"message":"login successful: connector \"local\", name=\"\", email=\"admin\", groups=[]","session":"5"}}
Aug 16 12:52:13 build concourse[13935]: {"timestamp":"1534423933.852450609","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39822","session":"526"}}
Aug 16 12:52:18 build concourse[13935]: {"timestamp":"1534423938.859483957","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39834","session":"527"}}
Aug 16 12:52:21 build concourse[13935]: {"timestamp":"1534423941.354752064","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39844","session":"528"}}
Aug 16 12:52:21 build concourse[13935]: {"timestamp":"1534423941.356717825","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39848","session":"529"}}
Aug 16 12:52:21 build concourse[13935]: {"timestamp":"1534423941.363841772","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39850","session":"530"}}
Aug 16 12:52:21 build concourse[13935]: {"timestamp":"1534423941.370580673","source":"tsa","message":"tsa.connection.handshake-failed","log_level":1,"data":{"error":"[ssh: no auth passed yet, unknown public key]","remote":"127.0.0.1:39852","session":"531"}}

and the worker tail looks like this:

Aug 16 12:51:03 build concourse[13995]: {"timestamp":"1534423863.738844156","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:08 build concourse[13995]: {"timestamp":"1534423868.745883942","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain"
Aug 16 12:51:13 build concourse[13995]: {"timestamp":"1534423873.752539873","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:18 build concourse[13995]: {"timestamp":"1534423878.762469292","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.339855909","source":"worker","message":"worker.reporting-containers","log_level":1,"data":{}}
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.340424538","source":"guardian","message":"guardian.list-containers.starting","log_level":1,"data":{"session":"84"}}
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.340520144","source":"guardian","message":"guardian.list-containers.finished","log_level":1,"data":{"session":"84"}}
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.348202705","source":"worker","message":"worker.failed-to-execute-cmd","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods rem
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.348250628","source":"worker","message":"worker.failed-to-report-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported metho
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.348266125","source":"worker","message":"worker.sweeper.failed-to-report-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no support
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.355873108","source":"worker","message":"worker.failed-to-execute-cmd","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods rem
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.355897665","source":"worker","message":"worker.failed-to-report-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods 
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.355907679","source":"worker","message":"worker.sweeper.failed-to-report-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported 
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.355934858","source":"worker","message":"worker.sweep","log_level":1,"data":{"cmd":"sweep-containers"}}
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.362530708","source":"worker","message":"worker.sweeper.failed-to-sweep-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supporte
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.362565994","source":"worker","message":"worker.sweep","log_level":1,"data":{"cmd":"sweep-volumes"}}
Aug 16 12:51:21 build concourse[13995]: {"timestamp":"1534423881.369450331","source":"worker","message":"worker.sweeper.failed-to-sweep-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported m
Aug 16 12:51:23 build concourse[13995]: {"timestamp":"1534423883.769099712","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:28 build concourse[13995]: {"timestamp":"1534423888.778687000","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:33 build concourse[13995]: {"timestamp":"1534423893.791327715","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:38 build concourse[13995]: {"timestamp":"1534423898.799204111","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:43 build concourse[13995]: {"timestamp":"1534423903.806297541","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:48 build concourse[13995]: {"timestamp":"1534423908.813230991","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain"
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.339895010","source":"worker","message":"worker.reporting-containers","log_level":1,"data":{}}
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.341012955","source":"guardian","message":"guardian.list-containers.starting","log_level":1,"data":{"session":"85"}}
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.341082335","source":"guardian","message":"guardian.list-containers.finished","log_level":1,"data":{"session":"85"}}
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.350524902","source":"worker","message":"worker.failed-to-execute-cmd","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods rem
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.351081133","source":"worker","message":"worker.failed-to-report-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported metho
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.351106644","source":"worker","message":"worker.sweeper.failed-to-report-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no support
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.358686209","source":"worker","message":"worker.failed-to-execute-cmd","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods rem
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.358757734","source":"worker","message":"worker.failed-to-report-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods 
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.358777046","source":"worker","message":"worker.sweeper.failed-to-report-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported 
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.358799458","source":"worker","message":"worker.sweep","log_level":1,"data":{"cmd":"sweep-containers"}}
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.366994381","source":"worker","message":"worker.sweeper.failed-to-sweep-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supporte
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.367059708","source":"worker","message":"worker.sweep","log_level":1,"data":{"cmd":"sweep-volumes"}}
Aug 16 12:51:51 build concourse[13995]: {"timestamp":"1534423911.375199080","source":"worker","message":"worker.sweeper.failed-to-sweep-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported m
Aug 16 12:51:53 build concourse[13995]: {"timestamp":"1534423913.820621729","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:51:58 build concourse[13995]: {"timestamp":"1534423918.827344656","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:52:03 build concourse[13995]: {"timestamp":"1534423923.835719824","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:52:08 build concourse[13995]: {"timestamp":"1534423928.844604731","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:52:13 build concourse[13995]: {"timestamp":"1534423933.851680517","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"
Aug 16 12:52:18 build concourse[13995]: {"timestamp":"1534423938.858815193","source":"worker","message":"worker.beacon.restarting","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain"
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.339875221","source":"worker","message":"worker.reporting-containers","log_level":1,"data":{}}
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.340506315","source":"guardian","message":"guardian.list-containers.starting","log_level":1,"data":{"session":"86"}}
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.340580702","source":"guardian","message":"guardian.list-containers.finished","log_level":1,"data":{"session":"86"}}
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.347772837","source":"worker","message":"worker.failed-to-execute-cmd","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods rem
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.347843409","source":"worker","message":"worker.failed-to-report-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported metho
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.347857714","source":"worker","message":"worker.sweeper.failed-to-report-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no support
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.355401039","source":"worker","message":"worker.failed-to-execute-cmd","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods rem
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.355427504","source":"worker","message":"worker.failed-to-report-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods 
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.355437517","source":"worker","message":"worker.sweeper.failed-to-report-volumes","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported 
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.355477095","source":"worker","message":"worker.sweep","log_level":1,"data":{"cmd":"sweep-containers"}}
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.362910271","source":"worker","message":"worker.sweeper.failed-to-sweep-containers","log_level":2,"data":{"error":"failed to construct client connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supporte
Aug 16 12:52:21 build concourse[13995]: {"timestamp":"1534423941.362962961","source":"worker","message":"worker.sweep","log_level":1,"data":{"cmd":"sweep-volumes"}}

Sorry about the line truncation. Systemd pipes its log viewing through less which makes it hard to just get a plain raw dump of them.

Anyone have any idea why I’m getting all these ssh handshake failed messages?

Regards

Crispin


#2

Not sure why you’d have to log in repeatedly, but from the logs it looks like your worker’s key hasn’t been authorized with the TSA.

Have you appended its public key line to the TSA’s authorized_keys file? (Can you show the content? It’s just the public portion so it should be safe to share, I just want to check for any bogus formatting.)


#3

I have not touched any authorized_keys files at all! This is a great pointer leading me to realising I missed that part of the docs. Going back:

root@build:~# cat /etc/concourse/authorized_worker_keys
cat: /etc/concourse/authorized_worker_keys: No such file or directory
root@build:~# cat /etc/concourse/worker_key.pub >> /etc/concourse/authorized_worker_keys
root@build:~# cat /etc/concourse/authorized_worker_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtUJ1PIqCpsvfNAsBm35oylZbwYIG9DJ7JA6Rx5oDVf1SvtVZI7IlH6yFheEFzKtnonIoE2U2l0IEYrJcTB35O7Fg0P2GwdtPz7tqlqi9cSMhAArNEAMTpP0fwGFbMao74mDWWPAKS5Xtp9zU6+lxO2zH3H6Pn9eiIsx7BdBtcX6FeksR+5NNN6ZxlUN4T7eU9njjtSEWHoUUzmwbsr/9cet7yXBIGRlZ8go/93sylGZ4QPaPuLCRyQSVn+m2IyX243QKr5pANe3RiIExDqvklm76X9G1ToRV0C8o1Uw+s5yTtLnjFqS2xxlBm1qpFVR6V8G5d0GkOnU1IpDS+kWhV crispin@vash
root@build:~# service concourse-web restart
root@build:~# service concourse-worker restart

Then from workstation:

$ fly -t tutorial login
logging in to team 'main'

navigate to the following URL in your browser:

  https://build.MYDOMAIN/sky/login?redirect_uri=http://127.0.0.1:36581/auth/callback

or enter token manually: 
target saved

$ fly -t tutorial execute -c task_hello_world.yml
could not find a valid token.
logging in to team 'main'

navigate to the following URL in your browser:

  https://build.MYDOMAIN/sky/login?redirect_uri=http://127.0.0.1:43667/auth/callback

or enter token manually: 
target saved
executing build 9 at https://build.MYDOMAIN/builds/9 
initializing
waiting for docker to come up...
Pulling busybox@sha256:cb63aa0641a885f54de20f61d152187419e8f6b159ed11a251a09d115fdff9bd...
sha256:cb63aa0641a885f54de20f61d152187419e8f6b159ed11a251a09d115fdff9bd: Pulling from library/busybox
8c5a7da1afbc: Pulling fs layer
8c5a7da1afbc: Verifying Checksum
8c5a7da1afbc: Download complete
8c5a7da1afbc: Pull complete
Digest: sha256:cb63aa0641a885f54de20f61d152187419e8f6b159ed11a251a09d115fdff9bd
Status: Downloaded newer image for busybox@sha256:cb63aa0641a885f54de20f61d152187419e8f6b159ed11a251a09d115fdff9bd

Successfully pulled busybox@sha256:cb63aa0641a885f54de20f61d152187419e8f6b159ed11a251a09d115fdff9bd.

running echo hello world
hello world
succeeded

Brilliant! Now I’m underway!

I was hoping that would have fixed my repeated login problem, but alas not to be. Any ideas about that? Is it something to do with the line logging in to team 'main'? Do I need to set up teams perhaps?

Thanks heaps

Crispin
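
Added example (not part of the thread and not Concourse's own code): a check that a worker's public key is actually listed in the TSA's authorized-keys content, which is the condition behind the "unknown public key" handshake failures above. The function names and the key lines are constructed for illustration; empty content stands in for the missing /etc/concourse/authorized_worker_keys file.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyBlob returns the base64 key field of a public-key or authorized_keys
// line. Leading options and the trailing comment are skipped, so only the
// key material itself is compared.
func keyBlob(line string) (string, bool) {
	fields := strings.Fields(line)
	for i := 0; i+1 < len(fields); i++ {
		if !strings.HasPrefix(fields[i], "ssh-") && !strings.HasPrefix(fields[i], "ecdsa-") {
			continue
		}
		if _, err := base64.StdEncoding.DecodeString(fields[i+1]); err == nil {
			return fields[i+1], true
		}
	}
	return "", false
}

// fingerprint formats the key the way `ssh-keygen -l` does for SHA256.
func fingerprint(blob string) string {
	raw, _ := base64.StdEncoding.DecodeString(blob) // already validated by keyBlob
	sum := sha256.Sum256(raw)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// checkAuthorized reports whether workerPub is listed in the authorized-keys
// content, plus the worker key's fingerprint for comparison with
// `ssh-keygen -l` output. Empty content models a missing file.
func checkAuthorized(authorizedKeys, workerPub string) (bool, string, error) {
	want, ok := keyBlob(workerPub)
	if !ok {
		return false, "", errors.New("worker public key line is malformed")
	}
	sc := bufio.NewScanner(strings.NewReader(authorizedKeys))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments never authorize anything
		}
		if got, ok := keyBlob(line); ok && got == want {
			return true, fingerprint(want), nil
		}
	}
	return false, fingerprint(want), sc.Err()
}

// constructedKey builds a placeholder key line for the demo. It is not a
// usable SSH key, only something with the right textual shape.
func constructedKey(name string) string {
	blob := append([]byte{0, 0, 0, 7}, []byte("ssh-rsa"+name)...)
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(blob) + " " + name + "@example"
}

func main() {
	worker := constructedKey("worker")
	before := "" // the authorized-keys file did not exist yet
	after := "# workers allowed to register\n" + constructedKey("other") + "\n" + worker + "\n"
	for _, content := range []string{before, after} {
		ok, fp, err := checkAuthorized(content, worker)
		fmt.Println(ok, fp, err)
	}
}
```

Comparing key material rather than whole lines means a differing comment or extra whitespace does not produce a false mismatch.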


#4

Ok, digging into the constant login problem I do this:

$ rm ~/.flyrc
$ fly -t tutorial login --concourse-url https://build.MYDOMAIN
logging in to team 'main'

navigate to the following URL in your browser:

  https://build.MYDOMAIN/sky/login?redirect_uri=http://127.0.0.1:37369/auth/callback

or enter token manually: 
target saved

$ fly -t tutorial status
please login again.

token validation failed with error : Token is expired

token expired… hmm that's interesting. I go have a look at the file:

$ cat ~/.flyrc 
targets:
  tutorial:
    api: https://build.MYDOMAIN
    team: main
    token:
      type: Bearer
      value: eyJhbGciOiJSUzI1NiIsImtpZCI6IiIsInR5cCI6IkpXVCJ9.eyJjc3JmIjoiZDcyZDQ1MzZjNmMxMDg0MjMzZjI5ZDAxZjgyYjZiMmExZjRlYzZjNWU3NGYxZDBkNWRlY2IzMjY4NDI2ZGNmNyIsImVtYWlsIjoiYWRtaW4iLCJleHAiOjE1MzQ0MzI4MDcsImlzX2FkbWluIjp0cnVlLCJuYW1lIjoiIiwic3ViIjoiQ2dWaFpHMXBiaElGYkc5allXdyIsInRlYW1zIjpbIm1haW4iXSwidXNlcl9pZCI6ImFkbWluIiwidXNlcl9uYW1lIjoiYWRtaW4ifQ.oWqC485KS5Oi_oH3ykTGhz06h9aN2Pj4qFqLfHDOMx_6tMcDaRrMI_WLG7xoYFvTOOCus4s_1K6hTJfMgJYiiSWpcXKRsu516e4bKvhLlhSeWNNB4Vo60tQE2m_BhGjQ3tpeK720bkprAK8kXZoSQUMqOBfLrErZOD0-N15zzaXpvksF5daNpWgxzrJRIbkEVBAxaIGLCfGpqUgA7Xdy8mtk6yeTKYIWDHHzPW8p_hcjpxP8wb4pVHgyW51koSRtcRagV4ttB4v722zvCJdMHJz6hk27VD3zSxPhpyK72BMTvUT139ylmbP6q2lCVnch62NAB7N6pU3CsfrgnWxOig

looks like a JWT token, so head over to jwt.io to see if I can decode its header and payload. Get this for its header:

{
  "alg": "RS256",
  "kid": "",
  "typ": "JWT"
}

and payload is:

{
  "csrf": "d72d4536c6c1084233f29d01f82b6b2a1f4ec6c5e74f1d0d5decb3268426dcf7",
  "email": "admin",
  "exp": 1534432807,
  "is_admin": true,
  "name": "",
  "sub": "CgVhZG1pbhIFbG9jYWw",
  "teams": [
    "main"
  ],
  "user_id": "admin",
  "user_name": "admin"
}

Now thing is, that expiry time is right now. So somehow I am getting a token that expires immediately.

Looking into my config I see I stupidly set CONCOURSE_AUTH_DURATION to “60d” for 60 days. I thought d might work because the help said:

  --auth-duration=                                              Length of time for which tokens are
                                                                valid. Afterwards, users will have to log
                                                                back in. (default: 24h)

Hey, if “24h” works, then maybe “60d” works? Not one of my better moments, I know. Come to think of it, does “24h” even work, or should you pass it in as seconds? How do you specify the time?

I get super conservative and just remove the line completely. Restart. Now my login persists! Yes.

Thanks for your help.

Crispin
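
Added example (not part of the thread and not Concourse's or fly's code): reading a bearer token's exp claim locally, so a live token does not have to be pasted into a website to be inspected. The function names are hypothetical and the sample token is constructed and unsigned; only the exp value 1534432807 comes from the payload shown above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokenExpiry reads the exp claim from a JWT's payload segment. It does not
// verify the signature: this is for inspection, not for trusting the token.
func tokenExpiry(token string) (time.Time, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("expected header.payload.signature")
	}
	// JWT segments are base64url without padding; tolerate padded input.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return time.Time{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct {
		Exp *int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("payload is not JSON: %w", err)
	}
	if claims.Exp == nil {
		return time.Time{}, errors.New("token has no exp claim")
	}
	return time.Unix(*claims.Exp, 0).UTC(), nil
}

// remaining returns how long the token stays valid measured from now;
// zero or negative means it is already expired.
func remaining(token string, now time.Time) (time.Duration, error) {
	exp, err := tokenExpiry(token)
	if err != nil {
		return 0, err
	}
	return exp.Sub(now), nil
}

// constructedToken builds an unsigned sample token with the given exp.
// It is constructed for this demo and would never validate on a server.
func constructedToken(exp int64) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload := enc([]byte(fmt.Sprintf(`{"exp":%d,"teams":["main"],"user_name":"admin"}`, exp)))
	return header + "." + payload + ".constructed-signature"
}

func main() {
	tok := constructedToken(1534432807)   // exp value from the payload in this post
	checkedAt := time.Unix(1534432812, 0) // constructed: five seconds after exp
	exp, err := tokenExpiry(tok)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	left, _ := remaining(tok, checkedAt)
	fmt.Println("expires:", exp.Format(time.RFC3339), "remaining:", left)
}
```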


#5

That option wants seconds. Having said that, think about the implications of 60 days: when your users will be logged out, they will have forgotten how they logged in or their password. I suggest to accept the default of 24 hours.


#6

Ah, yeah having an earlier error for a bad format there would have been nice. I’m not sure why it didn’t bail out early - we use time.ParseDuration for that, which only goes up to hour units (h). Testing it online I get an error: time: unknown unit d in duration 10d. Could be a bug with the option parsing.
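
Added example (not part of the thread and not Concourse's code): validating a token-lifetime setting with time.ParseDuration before it is used, so a value like "60d" is rejected at startup instead of shaping tokens. The function names are hypothetical, and naiveExpiry only illustrates how a discarded parse error would yield a zero lifetime; the thread does not confirm that this is what happened inside Concourse.

```go
package main

import (
	"fmt"
	"time"
)

// parseAuthDuration validates a token-lifetime setting before it is used.
// time.ParseDuration accepts units up to "h", so 60 days is "1440h".
func parseAuthDuration(setting string) (time.Duration, error) {
	d, err := time.ParseDuration(setting)
	if err != nil {
		return 0, fmt.Errorf("invalid auth duration %q: %w", setting, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("auth duration %q must be positive", setting)
	}
	return d, nil
}

// naiveExpiry discards the parse error. On failure ParseDuration returns 0,
// so the token's expiry equals its issue time and it is expired on arrival.
func naiveExpiry(issued time.Time, setting string) time.Time {
	d, _ := time.ParseDuration(setting)
	return issued.Add(d)
}

// checkedExpiry fails closed: a bad setting produces an error, not a token.
func checkedExpiry(issued time.Time, setting string) (time.Time, error) {
	d, err := parseAuthDuration(setting)
	if err != nil {
		return time.Time{}, err
	}
	return issued.Add(d), nil
}

func main() {
	issued := time.Date(2018, 8, 16, 15, 20, 7, 0, time.UTC) // constructed issue time
	// "3600" is a bare number with no unit; ParseDuration rejects it too.
	for _, s := range []string{"24h", "1440h", "60d", "3600"} {
		exp, err := checkedExpiry(issued, s)
		if err != nil {
			fmt.Printf("%-6s rejected: %v (naive lifetime: %v)\n", s, err, naiveExpiry(issued, s).Sub(issued))
			continue
		}
		fmt.Printf("%-6s valid for %v, expires %s\n", s, exp.Sub(issued), exp.Format(time.RFC3339))
	}
}
```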