Remove paramiko dependency
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Opinion
|
Wishlist
|
Unassigned |
Bug Description
In Liberty, key pair creation (previously done via ssh-keygen) was replaced with paramiko library calls. While paramiko was listed as a dependency in Liberty, it wasn't actually used until that commit.
Replace ssh exec calls with paramiko lib
https:/
The above commit was unintentionally backwards incompatible. Specifically, it changed the SSH key ASN.1 encoding from DER to BER. Apparently golang doesn't support BER, meaning tools like Terraform no longer work with OpenStack.
ssh-keygen-
https:/
This has since been fixed in paramiko 2.0, but that major version bump doesn't make it into Nova until Newton, meaning these third-party tools are unusable for Liberty & Mitaka in the mean time.
stable/liberty: paramiko>=1.13.0
upper-
stable/mitaka: paramiko>=1.16.0
upper-
master (newton): paramiko>=2.0
upper-
The bump to paramiko 2.0 was a big change, complete with a huge red warning in the changelog (which I suspect makes a backport that bumps the paramiko version to 2.0+ unrealistic for Liberty & Mitaka).
http://
http://
The switch to paramiko also introduced a number of Nova regressions along the way.
Tolerate installation of pycryptodome
https:/
crypto: Add support for Paramiko 2.x
https:/
Drop paramiko < 2 compat code
https:/
All this, coupled with the known security implications of using the older paramiko versions, makes me think that perhaps we should just go back to using ssh-keygen.
Ideally, I'd like to backport this change all the way down to stable/liberty.
Changed in nova: | |
assignee: | nobody → Diana Clarke (diana-clarke) |
Changed in nova: | |
status: | New → In Progress |
Changed in nova: | |
assignee: | Diana Clarke (diana-clarke) → nobody |
Patch for master (newton):
https:/ /review. openstack. org/#/c/ 367395/