action #157555
openopenQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication
[spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S
0%
Description
Motivation¶
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16
Goals¶
- G1: Have an s390x kvm (or any other svirt backend) openQA installation job with non-default password succeed as far as possible
- G2: Identify which follow-up steps need to be done to fully support non-default passwords in such scenarios
Suggestions¶
- os-autoinst-distri-opensuse in principle supports using a different password, see https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/lib/main_common.pm#L165
- Clone a default s390x kvm openQA installation job https://openqa.suse.de/tests/13875911 from this scenario https://openqa.suse.de/tests/latest?arch=s390x&distri=sle&flavor=Online&machine=s390x-kvm&test=default&version=15-SP6 but with
PASSWORD=<new_password>with<new_password>being anything you setup temporary and see how far the test can reach - Fix obvious small problems and identify bigger follow-up tasks
- Actually s390x shouldn't really matter that much in this context, could also be an "svirt" job
Updated by okurz about 2 months ago
- Copied to action #157744: [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs added
Updated by okurz about 2 months ago
- Priority changed from Normal to High
- Target version changed from future to Ready
According to https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we likely need this sooner rather than later. Adding to our backlog.
Updated by livdywan about 2 months ago
- Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs to [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
- Description updated (diff)
- Status changed from New to Workable
Updated by okurz about 2 months ago
- Assignee set to okurz
I have an alternative idea: firewall on svirt hosts preventing access from outside only workers in the same network OR openQA workers on the hypervisor hosts themselves
Updated by okurz about 2 months ago
- Copied to action #158242: Prevent ssh access to test VMs on svirt hypervisor hosts with firewall size:M added
Updated by okurz about 2 months ago
- Status changed from Workable to Blocked
- Target version changed from Ready to Tools - Next
Created #158242, let's try that first.
Updated by okurz about 1 month ago
- Project changed from openQA Infrastructure to openQA Tests
- Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S to [spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
- Category deleted (
Feature requests) - Status changed from Blocked to Workable
- Assignee deleted (
okurz) - Target version changed from Tools - Next to QE-Core: Ready
@qe-core I have a new task for you that should be planned to work on within the next weeks/months so that we don't get escalations from SUSE's cybersecurity team. Related #157744
Updated by slo-gin 11 days ago
This ticket was set to High priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.
Updated by szarate 4 days ago
- Subject changed from [spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S to [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S
- Description updated (diff)
- Priority changed from High to Normal
Updated by szarate 4 days ago
- Copied to action #160325: [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t added