action #152008

closed

s390zl13 redirecting http to https because of .wget-hsts but we don't install ca-certificates-suse on all salt-controlled machines

Added by okurz 5 months ago. Updated 5 months ago.

Status: Resolved
Priority: High
Assignee:
Category: -
Target version:
Start date: 2023-12-04
Due date:
% Done: 0%
Estimated time:
Tags:

Description

Motivation

https://suse.slack.com/archives/C02CANHLANP/p1701670062570439

(Richard Fan) Hello folks, did you hit the same issue? http://openqa.suse.de/tests/12958521#step/bootloader_start/24

Steps to reproduce

wget http://openqa.suse.de/assets/repo/SLE-15-SP6-Full-s390x-Build41.1-Media1/boot/s390x/initrd -O /dev/null

Only on s390zl13. The problem is /root/.wget-hsts on s390zl13.oqa.prg2.suse.org but many production jobs use FTP hence are not affected.

Suggestions

  • We already install ca-certificates-suse for webui+worker but not for other roles

Alternatives to consider

  1. Use FTP instead of HTTP/HTTPS
  2. In the test code, use curl instead of wget
  3. Use wget with --no-hsts
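
A check for the situation described above, as an added example that is not part of the original ticket: a shell function that reports whether a wget HSTS database (such as /root/.wget-hsts) holds a live entry that would rewrite http:// requests for a host to https://. The function names `hsts_match` and `sample_hsts`, the sample entries and their timestamps are constructed; the five-column layout is assumed to be the one GNU Wget writes, and the port column is ignored.

```sh
# Added example, not from the ticket. Assumed layout of a GNU Wget HSTS file,
# whitespace-separated: <hostname> <port> <incl. subdomains> <created> <max-age>

# Constructed sample database; flags and timestamps are made up.
sample_hsts() {
    printf '# HSTS 1.0 Known Hosts database for GNU Wget.\n'
    printf 'openqa.suse.de\t0\t0\t1700000000\t31536000\n'
    printf 'example.org\t0\t1\t1700000000\t31536000\n'
    printf 'old.example.net\t0\t0\t1500000000\t3600\n'
}

# hsts_match FILE HOST [NOW]
# Prints every live entry that covers HOST and returns 0; returns 1 if none.
# NOW is in epoch seconds and defaults to the current time.
hsts_match() {
    file=$1 host=$2 now=${3:-$(date +%s)}
    awk -v host="$host" -v now="$now" '
        $1 ~ /^#/ || NF < 5 { next }          # skip comments and short lines
        {
            entry = tolower($1); h = tolower(host)
            exact = (entry == h)
            # A parent-domain entry applies only when incl. subdomains is 1.
            suffix = "." entry
            sub_ok = ($3 == 1 && length(h) > length(suffix) &&
                      substr(h, length(h) - length(suffix) + 1) == suffix)
            live = ($4 + $5 > now)            # created + max-age still ahead
            if ((exact || sub_ok) && live) { print; found = 1 }
        }
        END { exit !found }
    ' "$file"
}

# Demo against the constructed sample at a fixed, constructed timestamp.
tmp=$(mktemp)
sample_hsts > "$tmp"
hsts_match "$tmp" openqa.suse.de 1701670000 || echo "no live HSTS entry"
rm -f "$tmp"
```
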
Actions #2

Updated by okurz 5 months ago

  • Status changed from In Progress to Resolved

MR merged. Original tests already passed as they had been retriggered until they ran on s390zl12. Now also

s390zl13:~ # wget http://openqa.suse.de/assets/repo/SLE-15-SP6-Full-s390x-Build41.1-Media1/boot/s390x/initrd -O /dev/null
URL transformed to HTTPS due to an HSTS policy
--2023-12-04 13:47:35--  https://openqa.suse.de/assets/repo/SLE-15-SP6-Full-s390x-Build41.1-Media1/boot/s390x/initrd
Resolving openqa.suse.de (openqa.suse.de)... 2a07:de40:b203:12:0:ff:fe4f:7c2b, 10.145.10.207
Connecting to openqa.suse.de (openqa.suse.de)|2a07:de40:b203:12:0:ff:fe4f:7c2b|:443... connected.
HTTP request sent, awaiting response... 200 OK
…
Actions #3

Updated by okurz 5 months ago

  • Status changed from Resolved to In Progress

https://gitlab.suse.de/openqa/salt-states-openqa/-/jobs/2033151#L289

      Result: False
     Comment: Failed to configure repo 'SUSE_CA': refresh_db() got multiple values for keyword argument 'root'
Actions #4

Updated by okurz 5 months ago

  • Status changed from In Progress to Resolved

I did

sudo salt -L 'openqa-piworker.qe.nue2.suse.org,unreal6.qe.nue2.suse.org,baremetal-support.qe.nue2.suse.org,jenkins.qe.nue2.suse.org' cmd.run 'zypper rr SUSE_CA'
sudo salt -L 'openqa-piworker.qe.nue2.suse.org,unreal6.qe.nue2.suse.org,baremetal-support.qe.nue2.suse.org,jenkins.qe.nue2.suse.org' state.apply

and that looks better. https://gitlab.suse.de/openqa/salt-states-openqa/-/pipelines green again.
