SSH permissions error when resizing or migrating an instance (OpenStack)

If you are resizing or migrating an instance KVM, KVM for IBM z Systems®, or PowerKVM hypervisors, you might encounter an ssh ...Permission denied error.

In this situation, you must ensure that the hypervisors can ssh (as a Nova user) to each other by public key. To do so, complete the following steps:
  1. Obtain a key pair (public key and private key). You can use the root key that is in the `/root/.ssh/id_rsa and /root/.ssh/id_ras.pub directories or you can generate a new key pair.
  2. Run setenforce 0 to put SELinux into permissive mode.
  3. Enable login abilities for the Nova user. 
    usermod -s /bin/bash nova
    Now you can switch to the Nova account by using the following command. 
    su nova
  4. Create the folder that is needed by ssh and place the private key that you obtained in step 1 into this folder.
    mkdir -p /var/lib/nova/.ssh
cp <private key>  /var/lib/nova/.ssh/id_rsa
cat<pub key> >> /var/lib/nova/.ssh/authorized_keys
echo 'StrictHostKeyChecking no' >> /var/lib/nova/.ssh/config
chmod 600 /var/lib/nova/.ssh/id_rsa /var/lib/nova/.ssh/authorized_keys
  5. Repeat steps 2-4 on each node.
    Important: All the nodes share a key pair and you must not generate a new key pair for the second node.
  6. Ensure that the key is working properly. 
    # su - nova
# ssh node-another
    Note:
    1. You log in to the node-another node without a password.
    2. If your server is configured with both the IP address and the hostname, you must run this command twice. For example:
      1. su nova ssh nova@host-name
      2. su nova ssh nova@x.x.x.x

        where x.x.x.x is the server IP address.