action #157555
openQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication
[spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
% Done: 0%
Description
Motivation
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16
Goals
- G1: Have an s390x kvm openQA installation job with non-default password succeed as far as possible
- G2: Identify which follow-up steps need to be done to fully support non-default passwords in such scenarios
Suggestions
- os-autoinst-distri-opensuse in principle supports using a different password, see https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/lib/main_common.pm#L165
- Clone a default s390x kvm openQA installation job https://openqa.suse.de/tests/13875911 from this scenario https://openqa.suse.de/tests/latest?arch=s390x&distri=sle&flavor=Online&machine=s390x-kvm&test=default&version=15-SP6 but with PASSWORD=<new_password>, with <new_password> being anything you set up temporarily, and see how far the test can reach
- Fix obvious small problems and identify bigger follow-up tasks
- Actually s390x shouldn't really matter that much in this context, could also be an "svirt" job
Updated by okurz about 1 month ago
- Copied to action #157744: [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs added
Updated by okurz about 1 month ago
- Priority changed from Normal to High
- Target version changed from future to Ready
According to https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we likely need this sooner rather than later. Adding to our backlog.
Updated by livdywan 30 days ago
- Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs to [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
- Description updated (diff)
- Status changed from New to Workable
Updated by okurz 30 days ago
- Copied to action #158242: Prevent ssh access to test VMs on svirt hypervisor hosts with firewall size:M added
Updated by okurz 19 days ago
- Project changed from openQA Infrastructure to openQA Tests
- Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S to [spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
- Category deleted (Feature requests)
- Status changed from Blocked to Workable
- Assignee deleted (okurz)
- Target version changed from Tools - Next to QE-Core: Ready
@qe-core I have a new task for you that should be planned to work on within the next weeks/months so that we don't get escalations from SUSE's cybersecurity team. Related #157744