Project

General

Profile

Actions
Copy link

action #125750

closed

QA - coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability

In salt-states-openqa support machines requiring ssh password login for root user size:M

Added by okurz about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
osukup
Category:
-
Target version:
openQA Project - Ready
Start date:
Due date:
% Done:

0%

Estimated time:
Tags:
security, salt, authentication, ssh, infra, password

Description

Motivation

openqaw5-xen requires login of root with password over ssh for openQA tests, see https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls#L138, hence we can not directly apply https://gitlab.suse.de/openqa/salt-states-openqa/-/blob/master/sshd/sshd_config#L44

PermitRootLogin without-password

Acceptance criteria

  • AC1: openqaw5-xen can be controlled by salt while allowing root-ssh-password login
  • AC2: By default all machines in salt still prevent password authentication in salt

Suggestions

  • Optional: We could temporarily change to allow password login over ssh
  • Find a way to allow individual machines root-ssh-password login
  • Optional: Adapt os-autoinst backend to support ssh key login
  • Ensure by default machines still apply PermitRootLogin without-password

Rollback steps

  • Add openqaw5-xen back to salt and ensure a high state can be applied while still allowing password login for root on this machine

Related issues 1 (0 open1 closed)

Copied from openQA Infrastructure - action #125534: Consolidate the installation of openqaw5-xen with SUSE QE Tools maintained machines size:MResolvedokurz2023-03-07

Actions
Actions
Copy link
 #1

Updated by okurz about 1 year ago

  • Copied from action #125534: Consolidate the installation of openqaw5-xen with SUSE QE Tools maintained machines size:M added
Actions
Copy link
 #3

Updated by nicksinger about 1 year ago

  • Subject changed from In salt-states-openqa support machines requiring ssh password login for root user to In salt-states-openqa support machines requiring ssh password login for root user size:M
  • Status changed from New to Workable
Actions
Copy link
 #4

Updated by livdywan about 1 year ago

okurz wrote:

https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/804 to allow password login for now

I'm okay to accept it as a solution. I don't realistically see this as a work-around because there's no incentive to work on it if we don't consistently require it.

Actions
Copy link
 #5

Updated by osukup about 1 year ago

  • Status changed from Workable to In Progress
  • Assignee set to osukup
Actions
Copy link
 #6

Updated by openqa_review about 1 year ago

  • Due date set to 2023-04-11

Setting due date based on mean cycle time of SUSE QE Tools

Actions
Copy link
 #7

Updated by osukup about 1 year ago

this should permit root login only on openqaw5-xen
https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/821

Actions
Copy link
 #8

Updated by osukup about 1 year ago

  • Status changed from In Progress to Feedback
Actions
Copy link
 #9

Updated by osukup about 1 year ago

  • Status changed from Feedback to In Progress
Actions
Copy link
 #10

Updated by osukup about 1 year ago

  • Status changed from In Progress to Feedback

both AC completed ..

for next --> use custom grains to enable password login instead hardcoded grains['host'] == host

Actions
Copy link
 #11

Updated by mkittler about 1 year ago

To avoid hard-coding concrete hostnames in the salt states, you could follow a similar approach to what I've recently done to exclude a systemd service on a specific host from alerting (see #127097#note-11).

Actions
Copy link
 #12

Updated by okurz about 1 year ago

  • Due date changed from 2023-04-11 to 2023-04-18
  • Priority changed from Normal to High
Actions
Copy link
 #13

Updated by osukup about 1 year ago

https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/836 should be without hardcoded hostname

simply define passwordlogin: True in grains on host where we need enabled password login for root

Actions
Copy link
 #14

Updated by osukup about 1 year ago

  • Status changed from Feedback to Resolved

changes merged.

while deploying host which needs root password login enabled simply add to configuration steps for salt minion echo 'passwordlogin: True' >> /etc/salt/grains

Actions
Copy link
 #15

Updated by okurz about 1 year ago

  • Description updated (diff)
  • Due date changed from 2023-04-18 to 2023-04-28
  • Status changed from Resolved to In Progress
  • Priority changed from High to Urgent

sudo salt --no-color --state-output=changes 'openqaw5-xen.qa.suse.de' state.apply test=True shows that the configuration is reset to "PasswordAuthentication no" and "PermitRootLogin without-password". I removed openqaw5-xen from salt-keys. Please look into this again.

Actions
Copy link
 #16

Updated by okurz about 1 year ago

  • Due date deleted (2023-04-28)
  • Status changed from In Progress to Resolved
  • Priority changed from Urgent to High

I checked locally on openqaw5-xen.qa.suse.de with salt-call --no-color --state-output=changes state.show_sls sshd | less && salt-call --no-color --state-output=changes state.apply sshd; grep -i password /etc/ssh/sshd_config and I could confirm that the files are properly evaluated and the password authentication is kept properly. I guess test=True does not evaluate grains or so. So everything looks fine. salt key is added, state is cleanly applied from OSD.

Actions
Copy link

Also available in: Atom PDF