Project

General

Profile

action #115784

openqa-bootstrap requires ssh key size:M

Added by apappas 5 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Concrete Bugs
Target version:
Start date:
2022-08-25
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

Observation

While trying to automate the creation of an openQA test development VM, I installed and ran the open-bootstrap script. Currently this fails because git clone for os-autoninst-* happens over ssh and not https, even though openqa-bootstrap-container does so.

Acceptance Criteria

  • AC1: openqa-bootstrap uses https to clone git repositories

History

#1 Updated by apappas 5 months ago

Added the [tools] tag for visibility.

#2 Updated by apappas 5 months ago

  • Description updated (diff)

#3 Updated by tinita 5 months ago

  • Target version set to Ready

#4 Updated by openqa_review 5 months ago

  • Due date set to 2022-09-10

Setting due date based on mean cycle time of SUSE QE Tools

#5 Updated by szarate 5 months ago

  • Tags set to qe-core-september-sprint

#6 Updated by cdywan 5 months ago

  • Subject changed from [qe-core][tools]openqa-bootstrap requires ssh key to [qe-core][tools]openqa-bootstrap requires ssh key size:M
  • Description updated (diff)

#7 Updated by cdywan 5 months ago

  • Due date deleted (2022-09-10)
  • Target version changed from Ready to future

Cycle time doesn't apply since somebody outside the Tools team is working on this ticket

#8 Updated by okurz 4 months ago

  • Category set to Support
  • Status changed from In Progress to Feedback
  • Assignee changed from apappas to okurz
  • Target version changed from future to Ready

apappas wrote:

While trying to automate the creation of an openQA test development VM, I installed and ran the open-bootstrap script. Currently this fails because git clone for os-autoninst-* happens over ssh and not https, even though openqa-bootstrap-container does so.

apappas Where do you see this happening? In https://github.com/os-autoinst/openQA/blob/master/script/openqa-bootstrap#L85 I see a clone of the SLE needles repo, using https. In https://github.com/os-autoinst/openQA/blob/master/script/fetchneedles as well https is used. We never used ssh to clone in there. We did use the unencrypted git-protocol but this was already changed in 2022-01 in a88e42061. Maybe this is what you found in an older outdated version of openqa-bootstrap? By the way, openQA tests the bootstrap process itself, see https://openqa.opensuse.org/tests?match=openqa_bootstrap, and there are no SSH keys provided in there.

#9 Updated by okurz 3 months ago

  • Status changed from Feedback to Resolved

No response, assuming fixed

#10 Updated by apappas 3 months ago

  • Tags deleted (qe-core-september-sprint)
  • Subject changed from [qe-core][tools]openqa-bootstrap requires ssh key size:M to [qe-core]openqa-bootstrap requires ssh key size:M
  • Status changed from Resolved to In Progress

#11 Updated by apappas 3 months ago

  • Assignee changed from okurz to apappas

#12 Updated by apappas 3 months ago

okurz wrote:

We never used ssh to clone in there. We did use the unencrypted git-protocol but this was already changed in 2022-01 in a88e42061.

One cannot use the git protocol on github without ssh keys, which was the reason for poo#104794, see https://github.blog/2021-09-01-improving-git-protocol-security-github/

The problem appears on Leap 15.4 jeos image. When I run openqa-bootstrap we get an older openQA and thus an older fetchneedles

test-openqa:~ # rpm -qf /var/lib/openqa/script/fetchneedles
openQA-4.6.1639414134.aa9bed13e-bp154.1.64.noarch

which when executed gives:

test-openqa:~ # /var/lib/openqa/script/fetchneedles
running as root, re-exec as geekotest ...
cloning git://github.com/os-autoinst/os-autoinst-distri-opensuse.git shallow. Call 'git fetch --unshallow' for full history
Cloning into '.'...

I ran zypper in -f to update only openQA and its dependencies, and the newer version of the script was downloaded.

test-openqa:~ # rpm -qf /var/lib/openqa/script/fetchneedles
openQA-4.6.1668521246.8f456e6-lp154.5395.1.noarch 

On further investigation, I noticed that the openQA package installed on L29 of openqa-bootstrap is always outdated,
because openQA-single-instance pulls an outdated version. I could not figure out why openQA-single-instance does
this.

However by explicitly adding openQA to the list of the packages to be installed, the problems seems to be fixed.

I see that this is tested on openQA and can't explain the discrepancy. I only know that I can reliably reproduce it.

Relevant WIP PR: https://github.com/os-autoinst/openQA/pull/4901

#13 Updated by openqa_review 3 months ago

  • Due date set to 2022-11-30

Setting due date based on mean cycle time of SUSE QE Tools

#14 Updated by okurz 3 months ago

  • Category changed from Support to Concrete Bugs
  • Target version changed from Ready to future

#15 Updated by apappas about 2 months ago

  • Status changed from In Progress to Closed

The contribution was not accepted by the tools team and their suggested solution, to edit the spec file for openQA on github was beyond my capabilities and my time budget. I will keep using my fork until 15.5 lands and I expect this bug to be auto resolved.

As it was moved to future, I will turn it to closed.

#17 Updated by okurz about 2 months ago

  • Tags set to reactive work
  • Subject changed from [qe-core]openqa-bootstrap requires ssh key size:M to openqa-bootstrap requires ssh key size:M
  • Due date changed from 2022-11-30 to 2022-12-16
  • Status changed from Closed to Feedback
  • Assignee changed from apappas to mkittler
  • Target version changed from future to Ready

apappas wrote:

The contribution was not accepted by the tools team and their suggested solution, to edit the spec file for openQA on github was beyond my capabilities and my time budget. I will keep using my fork until 15.5 lands and I expect this bug to be auto resolved.

Well, I think this problem can re-appear unless users are "lucky" to have an updated system before they call openqa-bootstrap.

As it was moved to future, I will turn it to closed.

Sorry if that was misunderstood. That merely means that members of the QE Tools team don't plan to work on it – as you were working on it :)

Let's reopen and handle within the team as mkittler already provided a followup to your suggestion.

apappas in the meantime https://github.com/os-autoinst/openQA/pull/4933 was merged and a new package was created in devel:openQA. If you like you can test if this updated version of openQA-bootstrap fixes the problem for you.

#18 Updated by mkittler about 2 months ago

  • Status changed from Feedback to Resolved

I'm resolving for now. If https://github.com/os-autoinst/openQA/pull/4933 is not sufficient you can reopen the ticket.

#19 Updated by mkittler about 2 months ago

  • Due date deleted (2022-12-16)

Also available in: Atom PDF