migrate_platform_certificates_to_certmanager playbook fails when trying to ssh to subcloud after subcloud is re-deployed

Bug #2040738 reported by Marcelo de Castro Loebens
Affects     Status         Importance   Assigned to                 Milestone
StarlingX   Fix Released   Low          Marcelo de Castro Loebens

Bug Description

Brief Description
-----------------
When subclouds are redeployed, the cert-manager migration playbook fails when attempting to SSH into the subclouds.

Severity
--------
Minor.

Steps to Reproduce
------------------
Deploy a subcloud.
SSH to it.
Delete the subcloud.
Redeploy the subcloud.
Run cert-manager migration playbook targeting the subcloud and observe the error.

Expected Behavior
------------------
SSH should work.

Actual Behavior
----------------
Playbook fails with the warning:
...
Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
...

Reproducibility
---------------
100%.

System Configuration
--------------------
DC.

Branch/Pull Time/Commit
-----------------------
Master.

Last Pass
---------
NA

Timestamp/Logs
--------------
NA

Test Activity
-------------
Developer Testing.

Workaround
----------
Append this line to the local ansible.cfg:

    ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

Changed in starlingx:
assignee: nobody → Marcelo de Castro Loebens (mdecastr)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/899317
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/a71ba86833aa0da7817f1e918cbe3d20bc868d6e
Submitter: "Zuul (22348)"
Branch: master

commit a71ba86833aa0da7817f1e918cbe3d20bc868d6e
Author: Marcelo Loebens <email address hidden>
Date: Wed Oct 25 17:35:28 2023 -0400

    Avoid host key check in cert-manager migration

    Shell calls in cert-manager migration playbook were failing when
    called remotely after redeploying subclouds due to the change in the
    host keys in the sysadmin's known_hosts file.

    Considering that ansible is configured to ignore host keys in the
    other calls, added extra var to instruct ansible to ignore host keys
    and strict host key checking, allowing shell operations over SSH
    during cert-manager migration playbook's execution.

    Test plan:
    PASS: Deploy two subclouds. SSH to them and accept their host keys.
          Open the sysadmin's known_hosts file and change the subcloud's
          host keys to invalid ones.
          Try to SSH to the subclouds, observe that an error message
          regarding the host keys changing is returned.
          Perform cert-manager migration targeting the subclouds.
          Verify that the execution proceeded as expected (i.e., all the
          ssh calls were successful).

    Closes-Bug: 2040738

    Change-Id: I5d44ce53fee2098986fb5672eccd87bdae3f0d01
    Signed-off-by: Marcelo Loebens <email address hidden>
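
Added example (not part of the bug report, the commit, or the StarlingX playbooks): a narrower way to handle the stale key described in the workaround and commit message above is to remove only the redeployed subcloud's entries from known_hosts, the kind of cleanup `ssh-keygen -R` performs, so host key checking stays on for every other host. The host names, address, salt and key blobs are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def hashed_field(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def names_host(field: str, target: str) -> bool:
    """True if a known_hosts host field refers to `target`."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False  # malformed hashed entry: leave it alone
        try:
            salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        except ValueError:
            return False
        got = hmac.new(salt, target.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    # Plain entry: comma-separated names/addresses (wildcard patterns are not expanded).
    return target in field.split(",")


def prune_host(text: str, target: str):
    """Drop every entry for `target`; return (kept_lines, removed_lines)."""
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split()
        # Comments, blanks and marker lines (@cert-authority, @revoked) are kept as-is.
        if not fields or fields[0][0] in "#@":
            kept.append(line)
        elif names_host(fields[0], target):
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


# Constructed sample: host names, address and key blobs are placeholders.
SAMPLE = "\n".join([
    "# sysadmin known_hosts (constructed)",
    "subcloud1,192.168.101.2 ssh-ed25519 CONSTRUCTED_OLD_KEY_A",
    hashed_field("subcloud1", b"constructed-salt") + " ecdsa-sha2-nistp256 CONSTRUCTED_OLD_KEY_B",
    "subcloud2 ssh-ed25519 CONSTRUCTED_KEY_C",
])

if __name__ == "__main__":
    kept, removed = prune_host(SAMPLE, "subcloud1")
    print("removed %d stale entries, kept %d lines" % (len(removed), len(kept)))
```

Entries for a non-default SSH port are stored in the `[host]:port` form, so the target has to be passed in that form to match them.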

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.security