c9s: ssh via floating ip fails with openssl-3.0.1-12

Bug #1962507 reported by Takashi Kajinami
This bug affects 1 person
Affects: puppet-openstack-integration
Status: Fix Released
Importance: Critical
Assigned to: Unassigned
Milestone: -

Bug Description

Currently tempest tests are always failing in the CentOS 9 Stream integration job, because of a failure with the ssh connection via floating ip.

The same issue was earlier reported in TripleO.

https://bugs.launchpad.net/tripleo/+bug/1962298

description: updated
Changed in puppet-openstack-integration:
importance: Undecided → Critical
Takashi Kajinami (kajinamit) wrote:

It looks like ssh + rsa key doesn't work with the latest openssl,
and it's likely that the issue is related to the recent change to disable SHA1 by default.

https://centos.pkgs.org/9-stream/centos-baseos-x86_64/openssl-3.0.1-12.el9.x86_64.rpm.html

~~~
2022-02-24 - Peter Robinson <email address hidden> - 1:3.0.1-12
- Support KBKDF (NIST SP800-108) with an R value of 8bits
- Resolves: rhbz#2027261

2022-02-23 - Clemens Lang <email address hidden> - 1:3.0.1-11
- Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
- Resolves: rhbz#2031742

2022-02-23 - Dmitry Belyavskiy <email address hidden> - 1:3.0.1-10
- rebuilt

2022-02-22 - Clemens Lang <email address hidden> - 1:3.0.1-9
- Allow SHA1 usage in HMAC in TLS
- Resolves: rhbz#2031742

2022-02-22 - Dmitry Belyavskiy <email address hidden> - 1:3.0.1-8
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
- Resolves: rhbz#1977867
- pkcs12 export broken in FIPS mode
- Resolves: rhbz#2049265

2022-02-22 - Clemens Lang <email address hidden> - 1:3.0.1-8
- Disable SHA1 signature creation and verification by default
- Set rh-allow-sha1-signatures = yes to re-enable
- Resolves: rhbz#2031742

2022-02-03 - Sahana Prasad <email address hidden> - 1:3.0.1-7
- s_server: correctly handle 2^14 byte long records
- Resolves: rhbz#2042011

2022-02-01 - Dmitry Belyavskiy <email address hidden> - 1:3.0.1-6
- Adjust FIPS provider version
- Related: rhbz#2026445
~~~

I've tested the ecdsa key and now ssh succeeds during tempest tests.

 https://review.opendev.org/c/openstack/puppet-openstack-integration/+/831322
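
Why a change of key type can sidestep the SHA-1 restriction, as an added example (not part of the original report or of the puppet-openstack-integration code): an RSA key may sign with `ssh-rsa` (SHA-1, RFC 4253) or `rsa-sha2-256`/`rsa-sha2-512` (RFC 8332), while ECDSA keys always sign over SHA-2 (RFC 5656). The sketch parses OpenSSH public key lines and lists the signature algorithms left once SHA-1 signatures are refused. The key material is constructed dummy data, and `LEGACY_PEER` (a peer without `rsa-sha2-*` support) is an assumption, not something the report states.

```python
import base64
import struct

# Key type -> usable signature algorithms -> hash signed over (RFC 4253, 8332, 5656).
KEY_SIG_ALGS = {
    "ssh-rsa": {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"},
    "ecdsa-sha2-nistp256": {"ecdsa-sha2-nistp256": "sha256"},
    "ecdsa-sha2-nistp384": {"ecdsa-sha2-nistp384": "sha384"},
    "ecdsa-sha2-nistp521": {"ecdsa-sha2-nistp521": "sha512"},
}

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # 4-byte big-endian length prefix

def read_fields(blob: bytes) -> list:
    """Split a public key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + size > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + size])
        off += size
    return fields

def usable_sig_algs(pubkey_line: str, peer_accepts: set, sha1_allowed: bool) -> list:
    """Signature algorithms this key can still use against the given peer."""
    declared, b64 = pubkey_line.split()[:2]
    key_type = read_fields(base64.b64decode(b64, validate=True))[0].decode("ascii")
    if key_type != declared:
        raise ValueError("key type in blob does not match the line prefix")
    return [alg for alg, digest in KEY_SIG_ALGS.get(key_type, {}).items()
            if alg in peer_accepts and (sha1_allowed or digest != "sha1")]

def make_line(key_type: str, *fields: bytes) -> str:
    """Build a constructed public key line (dummy key material, not a real key)."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    return key_type + " " + base64.b64encode(blob).decode()

# Constructed samples: exponent 65537 plus a dummy 2048-bit modulus, and a dummy P-256 point.
RSA_LINE = make_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 256)
ECDSA_LINE = make_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64)
LEGACY_PEER = {"ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed peer without rsa-sha2-*

if __name__ == "__main__":
    print({l.split()[0]: usable_sig_algs(l, LEGACY_PEER, False) for l in (RSA_LINE, ECDSA_LINE)})
```

An empty list for the RSA key means no signature algorithm is left for public key authentication against that peer, while the ECDSA key is unaffected by the SHA-1 setting.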

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-openstack-integration (master)
Changed in puppet-openstack-integration:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-openstack-integration (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/831337
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/01fd062068f21c117c64a668b7ff693c0cb1c2af
Submitter: "Zuul (22348)"
Branch: master

commit 01fd062068f21c117c64a668b7ff693c0cb1c2af
Author: Takashi Kajinami <email address hidden>
Date: Tue Mar 1 14:47:55 2022 +0900

    Use ecdsa key in CentOS 9 Stream

    ... as rsa key no longer works with the latest openssl in CentOS 9
    Stream repo.

    Closes-Bug: #1962507
    Depends-on: https://review.opendev.org/831336
    Change-Id: I7a9a35a263d510301e437e84f7f7c56961977cf5

Changed in puppet-openstack-integration:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-openstack-integration (master)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-openstack-integration (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/831765
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/f7ba5e33bbb7fb899e5615cb5da33eedbe6ce70f
Submitter: "Zuul (22348)"
Branch: master

commit f7ba5e33bbb7fb899e5615cb5da33eedbe6ce70f
Author: Takashi Kajinami <email address hidden>
Date: Thu Mar 3 17:06:29 2022 +0000

    Revert "Revert "Make CentOS 9 integration jobs voting""

    This reverts commit 7e2afcda8f498a34519e866f091deacfa5da07f5.

    Reason for revert:
    The broken jobs have been fixed.

    Related-Bug: #1962506
    Related-Bug: #1962507
    Change-Id: Ie8091933acbab967d2f386b4cab52f3716b49c1b

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-openstack-integration (stable/xena)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-openstack-integration (stable/wallaby)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-openstack-integration (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/833004
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/b4c2c9d56aa1e0bc5ca0e9a031a02b598f19349b
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit b4c2c9d56aa1e0bc5ca0e9a031a02b598f19349b
Author: Takashi Kajinami <email address hidden>
Date: Tue Mar 1 14:47:55 2022 +0900

    Use ecdsa key in CentOS 9 Stream

    ... as rsa key no longer works with the latest openssl in CentOS 9
    Stream repo.

    Conflicts:
            manifests/tempest.pp

    Backport note:
    - RDO runs p-o-i scenarios on wallaby branch with CentOS Stream 9. This
      change is backported so that the same manifests can be leveraged in
      RDO CI.

    Closes-Bug: #1962507
    Depends-on: https://review.opendev.org/831782
    Change-Id: I7a9a35a263d510301e437e84f7f7c56961977cf5
    (cherry picked from commit 01fd062068f21c117c64a668b7ff693c0cb1c2af)
    (cherry picked from commit 4d59fa171fa0e4826436f4a46201a0d35eb20d3f)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-openstack-integration (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/833002
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/4d59fa171fa0e4826436f4a46201a0d35eb20d3f
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 4d59fa171fa0e4826436f4a46201a0d35eb20d3f
Author: Takashi Kajinami <email address hidden>
Date: Tue Mar 1 14:47:55 2022 +0900

    Use ecdsa key in CentOS 9 Stream

    ... as rsa key no longer works with the latest openssl in CentOS 9
    Stream repo.

    Conflicts:
            manifests/tempest.pp

    Backport note:
    - RDO runs p-o-i scenarios on xena branch with CentOS Stream 9. This
      change is backported so that the same manifests can be leveraged in
      RDO CI.

    Closes-Bug: #1962507
    Depends-on: https://review.opendev.org/831756
    Change-Id: I7a9a35a263d510301e437e84f7f7c56961977cf5
    (cherry picked from commit 01fd062068f21c117c64a668b7ff693c0cb1c2af)

tags: added: in-stable-xena