action #115784
closedopenqa-bootstrap requires ssh key size:M
0%
Description
Observation¶
While trying to automate the creation of an openQA test development VM, I installed and ran the open-bootstrap script. Currently this fails because git clone
for os-autoninst-* happens over ssh and not https, even though openqa-bootstrap-container
does so.
Acceptance Criteria¶
- AC1: openqa-bootstrap uses https to clone git repositories
Updated by openqa_review about 2 years ago
- Due date set to 2022-09-10
Setting due date based on mean cycle time of SUSE QE Tools
Updated by livdywan about 2 years ago
- Subject changed from [qe-core][tools]openqa-bootstrap requires ssh key to [qe-core][tools]openqa-bootstrap requires ssh key size:M
- Description updated (diff)
Updated by livdywan about 2 years ago
- Due date deleted (
2022-09-10) - Target version changed from Ready to future
Cycle time doesn't apply since somebody outside the Tools team is working on this ticket
Updated by okurz almost 2 years ago
- Category set to Support
- Status changed from In Progress to Feedback
- Assignee changed from apappas to okurz
- Target version changed from future to Ready
apappas wrote:
While trying to automate the creation of an openQA test development VM, I installed and ran the open-bootstrap script. Currently this fails because
git clone
for os-autoninst-* happens over ssh and not https, even thoughopenqa-bootstrap-container
does so.
@apappas Where do you see this happening? In https://github.com/os-autoinst/openQA/blob/master/script/openqa-bootstrap#L85 I see a clone of the SLE needles repo, using https. In https://github.com/os-autoinst/openQA/blob/master/script/fetchneedles as well https is used. We never used ssh to clone in there. We did use the unencrypted git-protocol but this was already changed in 2022-01 in a88e42061. Maybe this is what you found in an older outdated version of openqa-bootstrap? By the way, openQA tests the bootstrap process itself, see https://openqa.opensuse.org/tests?match=openqa_bootstrap, and there are no SSH keys provided in there.
Updated by okurz almost 2 years ago
- Status changed from Feedback to Resolved
No response, assuming fixed
Updated by apappas almost 2 years ago
- Tags deleted (
qe-core-september-sprint) - Subject changed from [qe-core][tools]openqa-bootstrap requires ssh key size:M to [qe-core]openqa-bootstrap requires ssh key size:M
- Status changed from Resolved to In Progress
Updated by apappas almost 2 years ago
okurz wrote:
We never used ssh to clone in there. We did use the unencrypted git-protocol but this was already changed in 2022-01 in a88e42061.
One cannot use the git protocol on github without ssh keys, which was the reason for poo#104794, see https://github.blog/2021-09-01-improving-git-protocol-security-github/
The problem appears on Leap 15.4 jeos image. When I run openqa-bootstrap we get an older openQA and thus an older fetchneedles
test-openqa:~ # rpm -qf /var/lib/openqa/script/fetchneedles
openQA-4.6.1639414134.aa9bed13e-bp154.1.64.noarch
which when executed gives:
test-openqa:~ # /var/lib/openqa/script/fetchneedles
running as root, re-exec as geekotest ...
cloning git://github.com/os-autoinst/os-autoinst-distri-opensuse.git shallow. Call 'git fetch --unshallow' for full history
Cloning into '.'...
I ran zypper in -f
to update only openQA and its dependencies, and the newer version of the script was downloaded.
test-openqa:~ # rpm -qf /var/lib/openqa/script/fetchneedles
openQA-4.6.1668521246.8f456e6-lp154.5395.1.noarch
On further investigation, I noticed that the openQA package installed on L29 of openqa-bootstrap
is always outdated,
because openQA-single-instance
pulls an outdated version. I could not figure out why openQA-single-instance
does
this.
However by explicitly adding openQA to the list of the packages to be installed, the problems seems to be fixed.
I see that this is tested on openQA and can't explain the discrepancy. I only know that I can reliably reproduce it.
Relevant WIP PR: https://github.com/os-autoinst/openQA/pull/4901
Updated by openqa_review almost 2 years ago
- Due date set to 2022-11-30
Setting due date based on mean cycle time of SUSE QE Tools
Updated by okurz almost 2 years ago
- Category changed from Support to Regressions/Crashes
- Target version changed from Ready to future
Updated by apappas almost 2 years ago
- Status changed from In Progress to Closed
The contribution was not accepted by the tools team and their suggested solution, to edit the spec file for openQA on github was beyond my capabilities and my time budget. I will keep using my fork until 15.5 lands and I expect this bug to be auto resolved.
As it was moved to future, I will turn it to closed.
Updated by livdywan almost 2 years ago
Updated by okurz almost 2 years ago
- Tags set to reactive work
- Subject changed from [qe-core]openqa-bootstrap requires ssh key size:M to openqa-bootstrap requires ssh key size:M
- Due date changed from 2022-11-30 to 2022-12-16
- Status changed from Closed to Feedback
- Assignee changed from apappas to mkittler
- Target version changed from future to Ready
apappas wrote:
The contribution was not accepted by the tools team and their suggested solution, to edit the spec file for openQA on github was beyond my capabilities and my time budget. I will keep using my fork until 15.5 lands and I expect this bug to be auto resolved.
Well, I think this problem can re-appear unless users are "lucky" to have an updated system before they call openqa-bootstrap.
As it was moved to future, I will turn it to closed.
Sorry if that was misunderstood. That merely means that members of the QE Tools team don't plan to work on it – as you were working on it :)
Let's reopen and handle within the team as mkittler already provided a followup to your suggestion.
@apappas in the meantime https://github.com/os-autoinst/openQA/pull/4933 was merged and a new package was created in devel:openQA. If you like you can test if this updated version of openQA-bootstrap fixes the problem for you.
Updated by mkittler almost 2 years ago
- Status changed from Feedback to Resolved
I'm resolving for now. If https://github.com/os-autoinst/openQA/pull/4933 is not sufficient you can reopen the ticket.