SSH Keys on CloudStack Guest Instances Using Cloud-init

See the earlier blog post on installing Cloud-init on CloudStack CentOS/RHEL guest instances.

To have cloud-init install an SSH public key for the root user on CentOS 6.x guest instances under CloudStack…

  1. Install and configure cloud-init on CentOS 6.x with CloudStack as the data source. See this blog post on how to do that.
  2. Configure the CloudMonkey CLI to run the various API commands. As of CloudStack 4.2, the UI does not have support for creating and registering SSH keys for an account.
  3. Create a new SSH keypair using the createSSHKeyPair API via CloudMonkey. Save the resulting private key (the contents including the BEGIN and END lines) as cloudstack.pem under the .ssh/ folder with permissions 0600. Alternatively, you can register an existing SSH public key via the registerSSHKeyPair API.
    $ cloudmonkey create sshkeypair account=shanker name=shanker-sshkey domainid=dcf5a90d-bf1f-4ec8-94b4-5a5b4e363a54
    name = shanker-sshkey
    fingerprint = 60:5b:08:ed:93:f3:42:76:a0:51:06:4d:1c:55:6e:52
    privatekey = -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
  4. List the newly created ssh keypairs
    $ cloudmonkey list sshkeypairs
    count = 1
    name = shanker-sshkey
    fingerprint = 60:5b:08:ed:93:f3:42:76:a0:51:06:4d:1c:55:6e:52
  5. Create a new guest instance with the keypair
    $ cloudmonkey deploy virtualmachine displayname=centos2 name=centos2 templateid=ce0dd127-a8d6-48f9-abf5-f7398e774824 serviceofferingid=826812d5-4ee5-44d4-a980-300488795f3d zoneid=2f328497-79bf-44dd-93a4-d5844b151437 keypair=shanker-sshkey startvm=false
    accountid = f1195e69-4362-424e-996e-264ba43b4ab7
    cmd = org.apache.cloudstack.api.command.user.vm.DeployVMCmd
    created = 2013-10-28T04:59:33-0400
    jobid = 271ff2c8-dec0-4ca8-a330-b4cfc6aae5f6
    jobprocstatus = 0
    id = b208da56-723e-4d5d-bd79-91de64f596d0
    name = centos2
    account = shanker
    cpunumber = 1
    cpuspeed = 500
    created = 2013-10-28T04:59:33-0400
    displayname = centos2
    displayvm = True
    domain = sysCredence
    domainid = dcf5a90d-bf1f-4ec8-94b4-5a5b4e363a54
    guestosid = 74b917c6-3962-11e3-9d1c-000c290d9baa
    haenable = False
    hypervisor = XenServer
    isdynamicallyscalable = True
    jobid = 271ff2c8-dec0-4ca8-a330-b4cfc6aae5f6
    jobstatus = 0
    keypair = shanker-sshkey
    memory = 512
    id = aab6f369-75db-4d9e-8e51-e9e67ba3f233
    gateway =
    ipaddress =
    isdefault = True
    macaddress = 02:00:32:07:00:09
    netmask =
    networkid = 329f8f46-7eb8-4f40-a3a3-518589e09ab9
    networkname = Internal
    traffictype = Guest
    type = Isolated
    passwordenabled = True
    rootdeviceid = 0
    rootdevicetype = ROOT
    serviceofferingid = 826812d5-4ee5-44d4-a980-300488795f3d
    serviceofferingname = Small Instance
    state = Stopped
    templatedisplaytext = CentOS-6.4-64bit
    templateid = ce0dd127-a8d6-48f9-abf5-f7398e774824
    templatename = CentOS 6.4 (64-bit)
    zoneid = 2f328497-79bf-44dd-93a4-d5844b151437
    zonename = Zone21
    jobresultcode = 0
    jobresulttype = object
    jobstatus = 1
    userid = 5cce9cbc-7715-45f8-9612-f829c259e90f

Once the instance is created and available on the network, you can ssh as below while specifying the private key:

$ ssh -l root  -i .ssh/cloudstack.pem
Last login: Mon Oct 28 05:13:00 2013 from
[root@centos2 ~]# 

You can compare the public key installed under .ssh/authorized_keys on the guest instance with the one served by the Virtual Router at http://VIRTUAL_ROUTER_IP/latest/public-keys; the two must match. (The Virtual Router (VR) IP would be the same as the gateway IP.)

[root@centos2 ~]# curl
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCo7oENxlkAKlvwdpxgO
[root@centos2 ~]# cat .ssh/authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCo7oENxlkAKlvwdpxgO
[root@centos2 ~]# 
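Added example (not from the original post): a Python check that ties the key in authorized_keys, and the copy served by the Virtual Router, to the fingerprint the API printed in step 3. It assumes that fingerprint is the colon-separated MD5 of the public key blob; the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def key_blob(line):
    """Return the decoded, type-checked key blob from a key line, or None."""
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):
        if not ktype.startswith(("ssh-", "ecdsa-")):
            continue  # authorized_keys options may precede the key type
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
        if blob[4:4 + n] == ktype.encode():  # embedded type string must agree
            return blob
    return None

def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob (assumed to be CloudStack's format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprints(text):
    """Fingerprints of every parseable key in the text; comments are skipped."""
    lines = (l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {md5_fingerprint(b) for b in map(key_blob, lines) if b}

def verify(expected_fp, authorized_keys, metadata_keys):
    """Check the installed and served keys against the API-reported fingerprint."""
    expected = expected_fp.strip().lower()
    installed = fingerprints(authorized_keys)
    return {"expected_installed": expected in installed,
            "metadata_matches": expected in fingerprints(metadata_keys),
            "unexpected_keys": sorted(installed - {expected})}

def sample_key(seed):
    """Constructed, syntactically valid ssh-rsa line (not a usable key)."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 4
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed"

if __name__ == "__main__":
    mine, other = sample_key(b"a"), sample_key(b"b")
    fp = md5_fingerprint(key_blob(mine))
    print(verify(fp, mine + "\n" + other + "\n", mine + "\n"))
```

On a guest, pass the contents of .ssh/authorized_keys and the response from the public-keys URL as the two text arguments; any entry in unexpected_keys is a key that root accepts but that does not belong to the keypair named at deploy time.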

By Shanker Balan



  1. The cloud-init packages are to be installed on the Guest VMs. The hypervisor and CloudStack management servers don’t require any additional packages to be installed.
