User can execute `docker ps` on the node, and if the SSH server version is at least version 6.7 or higher

[d.chac@box-06 ~]$ ./rke --debug up --config ./rancher-cluster.yml
DEBU[0000] RKE version v0.1.11
DEBU[0000] Parsing cluster file [nodes:

  • address: box-03 # air gap node external IP
    user: d.chac
    role: [ “controlplane”, “etcd”, “worker” ]
    ssh_key_file: /home/d.chac/.ssh/id_rsa

private_registries:

  • url: box-04:8888 # private registry url
    user: d.chac
    password: “xxxx”
    is_default: true
    ]
    INFO[0000] Building Kubernetes cluster
    DEBU[0000] Host: box-03 has role: controlplane
    DEBU[0000] Host: box-03 has role: etcd
    DEBU[0000] Host: box-03 has role: worker
    INFO[0000] [dialer] Setup tunnel for host [box-03]
    DEBU[0000] Connecting to Docker API for host [box-03]
    WARN[0000] Failed to set up SSH tunneling for host [box-03]: Can’t retrieve Docker Info: error during connect: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: Unable to access the Docker socket (/var/run/docker.sock). Please check if the configured user can execute docker ps on the node, and if the SSH server version is at least version 6.7 or higher. If you are using RedHat/CentOS, you can’t use the user root. Please refer to the documentation for more instructions. Error: ssh: rejected: administratively prohibited (open failed)
    WARN[0000] Removing host [box-03] from node lists
    FATA[0000] Cluster must have at least one etcd plane host: failed to connect to the following etcd host(s) [box-03]
    [dinesh.chacko@box-06 ~]$ sshd -v
    unknown option – v
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

I enabled ssh-copy-id to login to box-03 directly and run ‘docker ps -a’ using the non-root account.
The box has OpenSSH_7.4p1.

The non-root user can use doker just fine:
[d.chac@box-06 ~]$ ssh d.chac@box-03 docker version
Client:
Version: 17.03.2-ce
API version: 1.27
Go version: go1.7.5
Git commit: f5ec1e2
Built: Tue Jun 27 02:21:36 2017
OS/Arch: linux/amd64

Server:
Version: 17.03.2-ce
API version: 1.27 (minimum version 1.12)
Go version: go1.7.5
Git commit: f5ec1e2
Built: Tue Jun 27 02:21:36 2017
OS/Arch: linux/amd64
Experimental: false

Fixed by doing the below steps:
Set “AllowTcpForwarding yes” “PermitTunnel yes” to /etc/ssh/sshd_config
Restart sshd service

1 Like

That saved my day ! Thanks for that