ed25519 keys unsupported due to old pyopenssl

Bug #1890922 reported by kyle schleich
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Confirmed | Undecided | Unassigned | |
| kolla | Opinion | Undecided | Unassigned | |
| kolla-ansible | Invalid | Undecided | Unassigned | |
| Ubuntu | Confirmed | Undecided | Unassigned | |

Bug Description

What happened:
When attempting to import an ed25519-based SSH key, Horizon reports the error "Error: Unable to import the keypair."

What you expected to happen:
The import will succeed, as the key has been used in previous OpenStack deploys (non-Kolla-based) and the key is known to be valid.

How to reproduce it (minimal and precise):
Import a key through Horizon that was generated using ssh-keygen -t ed25519; the import will fail with the above Horizon error. The nova API error is "HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint". The internal error is "cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL."

While testing, we found that the version of pyOpenSSL shipped with the most recent version of kolla/ubuntu-binary-nova-api:ussuri was 17.5.0. That version does not support ed25519 keys; updating to the newest version, 19.1.0, will fix the issue.

Environment:
Docker image Install type (source/binary): Binary
Docker image distribution: Ubuntu
Are you using official images from Docker Hub or self built? Official
Docker images: Ussuri
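
A diagnostic for the failure described in this report, added here as an example and not taken from nova, Kolla or the reporter: it builds a constructed ed25519 public key line (using the RFC 8032 test-vector public key) and tries to load it with the `cryptography` library in the environment under test, recording the `cryptography`, pyOpenSSL and linked OpenSSL versions. The function names and status strings are this example's own.

```python
import base64
import struct

# Constructed sample input: the RFC 8032 test-vector public key (not a real user key).
RAW_PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")


def sample_ed25519_line():
    """Wrap RAW_PUB in the OpenSSH public-key line format (length-prefixed fields)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + RAW_PUB
    return b"ssh-ed25519 " + base64.b64encode(blob) + b" constructed@example"


def key_type(line):
    """Read the algorithm name from the key blob itself, not from the text prefix."""
    blob = base64.b64decode(line.split()[1])
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def check_ed25519_import(line):
    """Return (status, info); status is ok, unsupported, invalid or no-cryptography."""
    info = {"key_type": key_type(line)}
    try:
        import cryptography
        from cryptography.exceptions import UnsupportedAlgorithm
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.serialization import load_ssh_public_key
    except ImportError as exc:
        return "no-cryptography", dict(info, error=str(exc))
    backend = default_backend()
    info["cryptography"] = cryptography.__version__
    info["openssl"] = backend.openssl_version_text()
    try:
        import OpenSSL
        info["pyopenssl"] = OpenSSL.__version__
    except Exception:  # pyOpenSSL missing or incompatible with this cryptography
        info["pyopenssl"] = None
    try:
        load_ssh_public_key(line, backend=backend)
    except UnsupportedAlgorithm as exc:  # the condition reported in this bug
        return "unsupported", dict(info, error=str(exc))
    except ValueError as exc:  # malformed key data
        return "invalid", dict(info, error=str(exc))
    return "ok", info


if __name__ == "__main__":
    print(check_ed25519_import(sample_ed25519_line()))
```

Run it with the Python interpreter inside the nova-api container; a status of `unsupported` means that environment cannot load ed25519 keys, and the `info` dict shows which package versions are installed there.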

Revision history for this message
Radosław Piliszek (yoctozepto) wrote :

Indeed, Ubuntu Bionic does not seem to meet the requirements: https://opendev.org/openstack/requirements/src/commit/7ea3fea5458a8e3ef4e03ba15ea64b2ff16dfcf1/upper-constraints.txt#L184

However, this is not a Kolla issue as binary builds simply ensure compatibility with distributions and this distribution delivers this version.

If Ubuntu ever provided a newer version, we would pick it up.

Changed in kolla-ansible:
status: New → Invalid
Changed in kolla:
status: New → Opinion
Changed in ubuntu:
status: New → Confirmed
Changed in cloud-archive:
status: New → Confirmed
Revision history for this message
Radosław Piliszek (yoctozepto) wrote :

If you need to use this right away, I recommend you switch to our source images as we control them entirely.

Revision history for this message
Chris MacNaughton (chris.macnaughton) wrote :

Looking at the package versions shipped with Ubuntu, it looks like Ubuntu Bionic ships 17.5.0, but Focal (where Ubuntu shipped Ussuri) ships 19.0.0. The cloud-archive hasn't carried pyopenssl since Xenial, and Ubuntu won't backport a major change to an LTS release, so I wonder if another option for using this is for the Kolla images to update the base image to a Focal source?

I'm discussing with @james-page the idea of carrying pyopenssl in the cloud-archive again as it would be useful for Bionic-Ussuri to have access to the newer crypto bits.

Revision history for this message
Radosław Piliszek (yoctozepto) wrote :

Kolla has officially supported Focal since Victoria, but it should not be too hard for users to switch the base image for Ussuri too.
