action #105040
closed[tools][sle][s390x] handle select_console 'root-console' failure if root ssh is not permitted in system with Common Criteria role
Description
Description¶
For system with Common Criteria role enabled, root ssh is not permitted by default, and it is hard request for Common Criteria.
However, in current openQA tests on s390x, select_console 'root-console' will try to ssh login with root user by default.
I did some workaround to by pass the issue with below commit:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/13305
please refer to https://progress.opensuse.org/issues/99096 #99096
However, I don't think it is good enough since I change the default security level.
Expection¶
Can we do some enhancement for select_console 'root-console' utility on s390x?
even root ssh is not permitted by default, we can still access into the root console.
Updated by okurz almost 3 years ago
- Status changed from New to Feedback
- Assignee set to okurz
- Target version set to Ready
Your workaround looks valid for the time being. As alternative you could log in as non-privileged user and change to the root account. Or only run tests that don't need the root account
Updated by rfan1 almost 3 years ago
Thanks @okurz for the quick reply!
Actually, There are other test modules on s390x need root ssh access permission[e.g. https://openqa.suse.de/tests/7976976/modules/boot_to_desktop/steps/1/src], we may need consider it as well.
At the same time, there are so many test cases use "select_console 'root-console'". so asking for your kindly help to see if we can enhance this function. then I can switch to root-console and don't need care about the root ssh login is enabled/disabled :).
Updated by okurz almost 3 years ago
- Description updated (diff)
I thought further about it and I don't see better solutions. Either you avoid the root account or you give SSH access for the root user (as you did in https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/13305/) or you switch to the root account after logging in as a user as you proposed in #99096#note-1.
By the way, the test module "tests/installation/logs_from_installation_system.pm" is a very bad location to change access control for the SUT. The test module name is clearly something different. I suggest you better create a dedicated test module with a proper name.
So you should be either ok with the current approach as done in https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/13305 which I think is fine or do what you did in #99096#note-1
Is there anything else I could provide?
Updated by rfan1 almost 3 years ago
Thanks Oliver.
I will enhance my test code then.
However, I still have concern for the current logic for "select_console 'root-console'" on s390x. it should access the system with "ssh +root".
In this case, it will fail on the systems "root ssh is not permitted"
Not only on CC setup, but aslo on TW, the root ssh is not permitted by default, we also had a workaround there:
commit b861887b897b5a47d3a5c10361e3c1b9634ee201
Author: Sarah Julia Kriesch krieschsa69526@th-nuernberg.de
Date: Sun Jul 11 15:11:38 2021 +0200
Add password possibility for ssh access with s390x on Tumbleweed (poo#93949)
The test reconnect_mgmt_console is failing for openSUSE Tumbleweed because of forbidden passwords for root via ssh.
The function ssh_password_possibility is a workaround on s390x.
So, I suggest we can enhance 'select_console' utils if possible.
- If root ssh is not permitted by default, "select_console 'root-console'" can still work, then we don't need to do many code changes in our test modules.
Updated by livdywan over 2 years ago
rfan1 wrote:
So, I suggest we can enhance 'select_console' utils if possible.
- If root ssh is not permitted by default, "select_console 'root-console'" can still work, then we don't need to do many code changes in our test modules.
Did you ever file a feature request for this idea?
Updated by rfan1 over 2 years ago
cdywan wrote:
rfan1 wrote:
So, I suggest we can enhance 'select_console' utils if possible.
- If root ssh is not permitted by default, "select_console 'root-console'" can still work, then we don't need to do many code changes in our test modules.
Did you ever file a feature request for this idea?
Thanks @cdywan,
Actually not yet!
I did some workaround via PR https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14096. [It is reverted since we didn't use this test module on any job]
However, for our current Common criteria tests, we still "enable the root ssh login" during the installation phase. we need to disable it for our tests since
"For system with Common Criteria role enabled, root ssh is not permitted by default, and it is hard request for Common Criteria." [already in our plan]¶
IMO, in newer SLE/LEAP or TW releases, if the root ssh is not permitted by default. we should find a way to handle it.
1) Enhance serlect_console 'root-console'
2) Enhance our test module to use user_console by default.
Updated by livdywan over 2 years ago
rfan1 wrote:
IMO, in newer SLE/LEAP or TW releases, if the root ssh is not permitted by default. we should find a way to handle it.
1) Enhance serlect_console 'root-console'
2) Enhance our test module to use user_console by default.
If you ask me 2) is cleaner and less likely to cause surprises down the road.
Updated by rfan1 over 2 years ago
cdywan wrote:
rfan1 wrote:
IMO, in newer SLE/LEAP or TW releases, if the root ssh is not permitted by default. we should find a way to handle it.
1) Enhance serlect_console 'root-console'
2) Enhance our test module to use user_console by default.If you ask me 2) is cleaner and less likely to cause surprises down the road.
Thank you @cdywan!
I agree with you, I will try to modify my test module then.
Updated by okurz over 2 years ago
- Project changed from openQA Infrastructure to openQA Project
- Category set to Support
- Status changed from Feedback to Resolved
resolving as support ticket as per #105040#note-8