⚲

Project

General

Profile

Home
Projects
Help

Search:

openQA Infrastructure (public)

All Projects

openQA Infrastructure (public)

Overview
Activity
Roadmap
Issues

Custom queries

openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (dev)
QE tools team - backlog (ready issues)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (dev)
QE tools team - non-estimated (unblocked) issues (infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #101006

closed

Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S

Added by okurz about 3 years ago. Updated about 3 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

mkittler

Category:

Target version:

openQA Project (public) - Ready

Start date:

2021-10-14

Due date:

% Done:

Estimated time:

Description

Motivation¶

bmwiedemann from SUSE-IT informed me that security scans have shown openqaworkers to be vulnerable due to the default IPMI passwords. We should provide a unique password for that purpose, potentially unique for each host.

Acceptance criteria¶

AC1: No IPMI/BMC connection in https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls references the default password anymore

Suggestions¶

~~Generate a password for each host with xkcdpass from python3-xkcdpass~~ Just use the same password we have for sp.openqaw8-vmware.qa.suse.de where bmwiedemann recently set a new password
Set password from each host, e.g. with

rcipmi start 
ipmitool user list
ipmitool user set password 2 'FOOBAR'

Update https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls

History
Notes
Property changes

Actions

Copy link

Updated by okurz about 3 years ago

Description updated (diff)
Priority changed from Low to Normal
Target version changed from future to Ready

bmwiedemann asked me to expedite this task

Actions

Copy link

Updated by okurz about 3 years ago

I added a hint on https://progress.opensuse.org/projects/openqav3/wiki/Wiki/diff?utf8=%E2%9C%93&version=135&version_from=134&commit=View+differences to add new IPMI password for new machines

Actions

Copy link

Updated by livdywan about 3 years ago

Subject changed from Provide unique non-dictionary passwords for all our IPMI/HMC interfaces to Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S
Status changed from New to Workable

Actions

Copy link

Updated by mkittler about 3 years ago

Assignee set to mkittler

Actions

Copy link

Updated by mkittler about 3 years ago

Status changed from Workable to Feedback

Everything should be updated, including web hooks and documentation on https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/373.

I could not access fsp1-malbec.arch.suse.de from the outside (before and after the update) but I could change the password locally.

Actions

Copy link

Updated by okurz about 3 years ago

Status changed from Feedback to Resolved

I could verify all that. Thx. That should be good enough

Actions

Copy link

Updated by okurz about 3 years ago

Status changed from Resolved to Feedback

Currently failing alerts for arm-1, arm-2, arm-3. Likely related

Actions

Copy link

Updated by mkittler about 3 years ago

Yes, I suppose I needed to URL-encode the password.

I ran the recovery script now locally (setting DEFAULT_IPMI_PASSWORD) and it worked. So the script is fine. I hope only the parameter passing was broken (due to the lack of URL-encoding).

Actions

Copy link

Updated by mkittler about 3 years ago

I've checked with a web hook that just logs the env (see https://gitlab.suse.de/openqa/grafana-webhook-actions/-/commit/e0741e8b329b094756e15693171f5f0c35ef6e65) and could clearly reproduce the problem and that the URL-encoding helps.

Actions

Copy link

#10

Updated by mkittler about 3 years ago

Status changed from Feedback to Resolved

Looks like the recovery works again, e.g. https://gitlab.suse.de/openqa/grafana-webhook-actions/-/jobs/742232

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

QA (public) » openQA Project (public) » openQA Infrastructure (public)

Tags

Custom queries

action #101006

Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S

Motivation¶

Acceptance criteria¶

Suggestions¶

Updated by okurz about 3 years ago

Updated by okurz about 3 years ago

Updated by livdywan about 3 years ago

Updated by mkittler about 3 years ago

Updated by mkittler about 3 years ago

Updated by okurz about 3 years ago

Updated by okurz about 3 years ago

Updated by mkittler about 3 years ago

Updated by mkittler about 3 years ago

Updated by mkittler about 3 years ago