action #120459
closed[security] luks1_decrypt_ssh_server fails on tumbleweed; test-logic: unlock_via_ssh_server seems flawed
100%
Description
Observation¶
The test is based on two machines, client (admin interface) and server (remote server)
The idea is that a remote server with encrypted disk can be rebooted and then the password to decrypt entered via ssh.
The test somewhat 'works' (worked) with some (unnoticed flaws):
- The server is setup with a 'strange' partition layout: /boot encrypted, but / is not
As a consequence, before the ssh server is even reachable, an admin needed to locally unlock the /boot encryption (making dracut-ssh completely useless, as an admin was already local to the system anyway)
This has now popped up as an error on openQA as recent grub forwards the key it receives to decrypt itself to the partitions - which in this case it 'auto-unlocks' during the boot process, making dracut-ssh not having anything to do (tried to unlock /boot again)
IMHO, the partitioning layout it inversed: / should be encrypted, /boot decrypted
openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-luks1_decrypt_ssh_server@64bit fails in
unlock_via_ssh_server
Test suite description¶
Maintainer: QE Security
Fails since (at least) Build 20221114
Last good: 20221109 (or more recent)
Further details¶
Always latest result in this scenario: latest
This test uses HDD Created by test suite create_hdd_gnome_encrypt_separate_boot using YAML schedule/security/autoyast_btrfs_luks1_separate_boot.yaml, which refers to autoyast_sle15/autoyast_btrfs_luks1_separate_boot.xml, and the test itself uses YAML schedule/security/luks1_decrypt_ssh_server.yaml.
Internal discussion that resulted in filing this ticket https://suse.slack.com/archives/C02CANHLANP/p1668499778430149
Related bug report https://bugzilla.suse.com/show_bug.cgi?id=1141868
Acceptance Criteria¶
- Restructure create_hdd_gnome_encrypt_separate_boot to create a qcow2 with unencrypted boot and encrypted /, accepting passphrase for / over SSH server started in initrd from /boot
- Update the maintainer of the test to be QE Security
Updated by maritawerner about 2 years ago
- Subject changed from test-logic: unlock_via_ssh_server seems flawed to [security] test-logic: unlock_via_ssh_server seems flawed
Updated by tjyrinki_suse about 2 years ago
- Subject changed from [security] test-logic: unlock_via_ssh_server seems flawed to [security] luks1_decrypt_ssh_server fails on tumbleweed; test-logic: unlock_via_ssh_server seems flawed
- Description updated (diff)
- Start date deleted (
2022-11-15) - Estimated time set to 48.00 h
Added more further details and also acceptance criteria (debatable..). I've checked and the HDD in question seems to be only used for this one particular test, so the restructuring should be possible.
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: luks1_decrypt_ssh_server
https://openqa.opensuse.org/tests/2913543#step/unlock_via_ssh_server/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by punkioudi almost 2 years ago
- Status changed from New to In Progress
- Assignee set to punkioudi
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: luks1_decrypt_ssh_server
https://openqa.opensuse.org/tests/3129396#step/unlock_via_ssh_server/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 108 days if nothing changes in this ticket.
Updated by openqa_review over 1 year ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: luks1_decrypt_ssh_server
https://openqa.opensuse.org/tests/3247808#step/unlock_via_ssh_server/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 88 days if nothing changes in this ticket.
Updated by openqa_review over 1 year ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: luks1_decrypt_ssh_server
https://openqa.opensuse.org/tests/3454401#step/unlock_via_ssh_server/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 176 days if nothing changes in this ticket.
Updated by pstivanin 11 months ago
- Related to action #152455: [security][15-SP6] GRUB now passes through unlocking, test needs to be changed added
Updated by pstivanin 11 months ago
- % Done changed from 0 to 100
as discussed with Richard, we can remove those tests:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/18433
https://github.com/os-autoinst/opensuse-jobgroups/pull/412
https://gitlab.suse.de/qe-security/osd-sle15-security/-/merge_requests/205