Occasionally, when systemd gets into a broken state, socket activation doesn't work, which can make a system inaccessible if SSH is the only option. This can be avoided by configuring a permanently active SSH daemon that forks for each incoming connection.
To do this directly on the CoreOS machine, begin by replacing the default sshd unit file at /etc/systemd/system/sshd.service with the following:

    # /etc/systemd/system/sshd.service
    [Unit]
    Description=OpenSSH server daemon

    [Service]
    Type=forking
    PIDFile=/var/run/sshd.pid
    ExecStart=/usr/sbin/sshd
    ExecReload=/bin/kill -HUP $MAINPID
    KillMode=process
    Restart=on-failure
    RestartSec=30s

    [Install]
    WantedBy=multi-user.target

Next, mask the sshd.socket unit:

    systemctl mask --now sshd.socket

Finally, execute a daemon-reload, stop the sshd.socket service, and start the sshd.service unit:

    systemctl daemon-reload
    systemctl restart sshd.service

The same configuration can be applied, and an actively listening sshd started, by providing user-data like the following.
cloud-config:

    #cloud-config
    coreos:
      units:
        - name: sshd.socket
          command: stop
          mask: true
        - name: sshd.service
          command: start
          content: |
            [Unit]
            Description=OpenSSH server daemon
            [Service]
            Type=forking
            PIDFile=/var/run/sshd.pid
            ExecStart=/usr/sbin/sshd
            ExecReload=/bin/kill -HUP $MAINPID
            KillMode=process
            Restart=on-failure
            RestartSec=30s
            [Install]
            WantedBy=multi-user.target
    write_files:
      - path: "/var/run/sshd.pid"
        permissions: "0644"
        owner: "root"

Ignition:

    {
      "ignition": { "version": "2.0.0" },
      "systemd": {
        "units": [
          {
            "name": "sshd.socket",
            "mask": true
          },
          {
            "name": "sshd.service",
            "enable": true,
            "contents": "[Unit]\nDescription=OpenSSH server daemon\n[Service]\nType=forking\nPIDFile=/var/run/sshd.pid\nExecStart=/usr/sbin/sshd\nExecReload=/bin/kill -HUP $MAINPID\nKillMode=process\nRestart=on-failure\nRestartSec=30s\n[Install]\nWantedBy=multi-user.target\n"
          }
        ]
      }
    }
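
Masking sshd.socket without a working, enabled sshd.service leaves nothing listening for SSH, so it is worth linting the Ignition config before it is deployed. The following is an added example, not part of the original documentation: the function names are hypothetical, and it assumes the unit is supplied inline under "contents" with the "mask" and "enable" keys used on this page.

```python
import json

# Constructed sample: this page's Ignition config with a shortened unit body.
UNIT = ("[Unit]\nDescription=OpenSSH server daemon\n[Service]\nType=forking\n"
        "PIDFile=/var/run/sshd.pid\nExecStart=/usr/sbin/sshd\n"
        "[Install]\nWantedBy=multi-user.target\n")
SAMPLE = json.dumps({"ignition": {"version": "2.0.0"}, "systemd": {"units": [
    {"name": "sshd.socket", "mask": True},
    {"name": "sshd.service", "enable": True, "contents": UNIT}]}})


def parse_unit(text):
    """Parse unit-file text into {section: {key: value}}; the last value wins."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def lint_ssh_units(config_text):
    """Return problems that could leave the host with no listening sshd."""
    units = {u.get("name"): u for u in
             json.loads(config_text).get("systemd", {}).get("units", [])}
    problems = []
    if units.get("sshd.socket", {}).get("mask") is not True:
        problems.append("sshd.socket is not masked")
    service = units.get("sshd.service")
    if service is None or service.get("enable") is not True:
        problems.append("sshd.service is not enabled")
        return problems
    unit = parse_unit(service.get("contents", ""))
    svc = unit.get("Service", {})
    if not svc.get("ExecStart"):
        problems.append("sshd.service has no ExecStart")
    if svc.get("Type") == "forking" and not svc.get("PIDFile"):
        problems.append("Type=forking without PIDFile")
    if not unit.get("Install", {}).get("WantedBy"):
        problems.append("no [Install] WantedBy, so enable has no effect")
    return problems


if __name__ == "__main__":
    print(lint_ssh_units(SAMPLE) or "ok")
```

An empty list means the socket is masked and the replacement service is enabled and startable as written; any entry is a reason to hold the config back before it reaches a machine where SSH is the only way in.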