action #105040
closed
[tools][sle][s390x] handle select_console 'root-console' failure if root ssh is not permitted in system with Common Criteria role
Added by rfan1 almost 3 years ago.
Updated over 2 years ago.
Description
Description¶
For system with Common Criteria role enabled, root ssh is not permitted by default, and it is hard request for Common Criteria.
However, in current openQA tests on s390x, select_console 'root-console' will try to ssh login with root user by default.
I did some workaround to by pass the issue with below commit:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/13305
please refer to https://progress.opensuse.org/issues/99096 #99096
However, I don't think it is good enough since I change the default security level.
Expection¶
Can we do some enhancement for select_console 'root-console' utility on s390x?
even root ssh is not permitted by default, we can still access into the root console.
- Status changed from New to Feedback
- Assignee set to okurz
- Target version set to Ready
Your workaround looks valid for the time being. As alternative you could log in as non-privileged user and change to the root account. Or only run tests that don't need the root account
Thanks @okurz for the quick reply!
Actually, There are other test modules on s390x need root ssh access permission[e.g. https://openqa.suse.de/tests/7976976/modules/boot_to_desktop/steps/1/src], we may need consider it as well.
At the same time, there are so many test cases use "select_console 'root-console'". so asking for your kindly help to see if we can enhance this function. then I can switch to root-console and don't need care about the root ssh login is enabled/disabled :).
- Description updated (diff)
Thanks Oliver.
I will enhance my test code then.
However, I still have concern for the current logic for "select_console 'root-console'" on s390x. it should access the system with "ssh +root".
In this case, it will fail on the systems "root ssh is not permitted"
Not only on CC setup, but aslo on TW, the root ssh is not permitted by default, we also had a workaround there:
commit b861887b897b5a47d3a5c10361e3c1b9634ee201
Author: Sarah Julia Kriesch krieschsa69526@th-nuernberg.de
Date: Sun Jul 11 15:11:38 2021 +0200
Add password possibility for ssh access with s390x on Tumbleweed (poo#93949)
The test reconnect_mgmt_console is failing for openSUSE Tumbleweed because of forbidden passwords for root via ssh.
The function ssh_password_possibility is a workaround on s390x.
So, I suggest we can enhance 'select_console' utils if possible.
- If root ssh is not permitted by default, "select_console 'root-console'" can still work, then we don't need to do many code changes in our test modules.
rfan1 wrote:
So, I suggest we can enhance 'select_console' utils if possible.
- If root ssh is not permitted by default, "select_console 'root-console'" can still work, then we don't need to do many code changes in our test modules.
Did you ever file a feature request for this idea?
cdywan wrote:
rfan1 wrote:
So, I suggest we can enhance 'select_console' utils if possible.
- If root ssh is not permitted by default, "select_console 'root-console'" can still work, then we don't need to do many code changes in our test modules.
Did you ever file a feature request for this idea?
Thanks @cdywan,
Actually not yet!
I did some workaround via PR https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14096. [It is reverted since we didn't use this test module on any job]
However, for our current Common criteria tests, we still "enable the root ssh login" during the installation phase. we need to disable it for our tests since
"For system with Common Criteria role enabled, root ssh is not permitted by default, and it is hard request for Common Criteria." [already in our plan]¶
IMO, in newer SLE/LEAP or TW releases, if the root ssh is not permitted by default. we should find a way to handle it.
1) Enhance serlect_console 'root-console'
2) Enhance our test module to use user_console by default.
rfan1 wrote:
IMO, in newer SLE/LEAP or TW releases, if the root ssh is not permitted by default. we should find a way to handle it.
1) Enhance serlect_console 'root-console'
2) Enhance our test module to use user_console by default.
If you ask me 2) is cleaner and less likely to cause surprises down the road.
cdywan wrote:
rfan1 wrote:
IMO, in newer SLE/LEAP or TW releases, if the root ssh is not permitted by default. we should find a way to handle it.
1) Enhance serlect_console 'root-console'
2) Enhance our test module to use user_console by default.
If you ask me 2) is cleaner and less likely to cause surprises down the road.
Thank you @cdywan!
I agree with you, I will try to modify my test module then.
- Project changed from openQA Infrastructure (public) to openQA Project (public)
- Category set to Support
- Status changed from Feedback to Resolved
Also available in: Atom
PDF