Project

General

Profile

Actions

action #115784

closed

openqa-bootstrap requires ssh key size:M

Added by apappas over 2 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Regressions/Crashes
Target version:
Start date:
2022-08-25
Due date:
% Done:

0%

Estimated time:

Description

Observation

While trying to automate the creation of an openQA test development VM, I installed and ran the open-bootstrap script. Currently this fails because git clone for os-autoninst-* happens over ssh and not https, even though openqa-bootstrap-container does so.

Acceptance Criteria

  • AC1: openqa-bootstrap uses https to clone git repositories
Actions #1

Updated by apappas over 2 years ago

Added the [tools] tag for visibility.

Actions #2

Updated by apappas over 2 years ago

  • Description updated (diff)
Actions #3

Updated by tinita over 2 years ago

  • Target version set to Ready
Actions #4

Updated by openqa_review over 2 years ago

  • Due date set to 2022-09-10

Setting due date based on mean cycle time of SUSE QE Tools

Actions #5

Updated by szarate over 2 years ago

  • Tags set to qe-core-september-sprint
Actions #6

Updated by livdywan over 2 years ago

  • Subject changed from [qe-core][tools]openqa-bootstrap requires ssh key to [qe-core][tools]openqa-bootstrap requires ssh key size:M
  • Description updated (diff)
Actions #7

Updated by livdywan over 2 years ago

  • Due date deleted (2022-09-10)
  • Target version changed from Ready to future

Cycle time doesn't apply since somebody outside the Tools team is working on this ticket

Actions #8

Updated by okurz about 2 years ago

  • Category set to Support
  • Status changed from In Progress to Feedback
  • Assignee changed from apappas to okurz
  • Target version changed from future to Ready

apappas wrote:

While trying to automate the creation of an openQA test development VM, I installed and ran the open-bootstrap script. Currently this fails because git clone for os-autoninst-* happens over ssh and not https, even though openqa-bootstrap-container does so.

@apappas Where do you see this happening? In https://github.com/os-autoinst/openQA/blob/master/script/openqa-bootstrap#L85 I see a clone of the SLE needles repo, using https. In https://github.com/os-autoinst/openQA/blob/master/script/fetchneedles as well https is used. We never used ssh to clone in there. We did use the unencrypted git-protocol but this was already changed in 2022-01 in a88e42061. Maybe this is what you found in an older outdated version of openqa-bootstrap? By the way, openQA tests the bootstrap process itself, see https://openqa.opensuse.org/tests?match=openqa_bootstrap, and there are no SSH keys provided in there.

Actions #9

Updated by okurz about 2 years ago

  • Status changed from Feedback to Resolved

No response, assuming fixed

Actions #10

Updated by apappas about 2 years ago

  • Tags deleted (qe-core-september-sprint)
  • Subject changed from [qe-core][tools]openqa-bootstrap requires ssh key size:M to [qe-core]openqa-bootstrap requires ssh key size:M
  • Status changed from Resolved to In Progress
Actions #11

Updated by apappas about 2 years ago

  • Assignee changed from okurz to apappas
Actions #12

Updated by apappas about 2 years ago

okurz wrote:

We never used ssh to clone in there. We did use the unencrypted git-protocol but this was already changed in 2022-01 in a88e42061.

One cannot use the git protocol on github without ssh keys, which was the reason for poo#104794, see https://github.blog/2021-09-01-improving-git-protocol-security-github/

The problem appears on Leap 15.4 jeos image. When I run openqa-bootstrap we get an older openQA and thus an older fetchneedles

test-openqa:~ # rpm -qf /var/lib/openqa/script/fetchneedles
openQA-4.6.1639414134.aa9bed13e-bp154.1.64.noarch

which when executed gives:

test-openqa:~ # /var/lib/openqa/script/fetchneedles
running as root, re-exec as geekotest ...
cloning git://github.com/os-autoinst/os-autoinst-distri-opensuse.git shallow. Call 'git fetch --unshallow' for full history
Cloning into '.'...

I ran zypper in -f to update only openQA and its dependencies, and the newer version of the script was downloaded.

test-openqa:~ # rpm -qf /var/lib/openqa/script/fetchneedles
openQA-4.6.1668521246.8f456e6-lp154.5395.1.noarch 

On further investigation, I noticed that the openQA package installed on L29 of openqa-bootstrap is always outdated,
because openQA-single-instance pulls an outdated version. I could not figure out why openQA-single-instance does
this.

However by explicitly adding openQA to the list of the packages to be installed, the problems seems to be fixed.

I see that this is tested on openQA and can't explain the discrepancy. I only know that I can reliably reproduce it.

Relevant WIP PR: https://github.com/os-autoinst/openQA/pull/4901

Actions #13

Updated by openqa_review about 2 years ago

  • Due date set to 2022-11-30

Setting due date based on mean cycle time of SUSE QE Tools

Actions #14

Updated by okurz about 2 years ago

  • Category changed from Support to Regressions/Crashes
  • Target version changed from Ready to future
Actions #15

Updated by apappas about 2 years ago

  • Status changed from In Progress to Closed

The contribution was not accepted by the tools team and their suggested solution, to edit the spec file for openQA on github was beyond my capabilities and my time budget. I will keep using my fork until 15.5 lands and I expect this bug to be auto resolved.

As it was moved to future, I will turn it to closed.

Actions #17

Updated by okurz about 2 years ago

  • Tags set to reactive work
  • Subject changed from [qe-core]openqa-bootstrap requires ssh key size:M to openqa-bootstrap requires ssh key size:M
  • Due date changed from 2022-11-30 to 2022-12-16
  • Status changed from Closed to Feedback
  • Assignee changed from apappas to mkittler
  • Target version changed from future to Ready

apappas wrote:

The contribution was not accepted by the tools team and their suggested solution, to edit the spec file for openQA on github was beyond my capabilities and my time budget. I will keep using my fork until 15.5 lands and I expect this bug to be auto resolved.

Well, I think this problem can re-appear unless users are "lucky" to have an updated system before they call openqa-bootstrap.

As it was moved to future, I will turn it to closed.

Sorry if that was misunderstood. That merely means that members of the QE Tools team don't plan to work on it – as you were working on it :)

Let's reopen and handle within the team as mkittler already provided a followup to your suggestion.

@apappas in the meantime https://github.com/os-autoinst/openQA/pull/4933 was merged and a new package was created in devel:openQA. If you like you can test if this updated version of openQA-bootstrap fixes the problem for you.

Actions #18

Updated by mkittler about 2 years ago

  • Status changed from Feedback to Resolved

I'm resolving for now. If https://github.com/os-autoinst/openQA/pull/4933 is not sufficient you can reopen the ticket.

Actions #19

Updated by mkittler about 2 years ago

  • Due date deleted (2022-12-16)
Actions

Also available in: Atom PDF