Project

General

Profile

Actions

action #157555

closed

openQA Project (public) - coordination #105624: [saga][epic] Reconsider how openQA handles secrets

openQA Project (public) - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication

[spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S

Added by okurz 9 months ago. Updated 5 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
Category:
Infrastructure
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Sprint:
QE-Core: May Sprint 24 (May 07 - Jun 04)

Description

Motivation

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16

Goals

  • G1: Have an s390x kvm (or any other svirt backend) openQA installation job with non-default password succeed as far as possible
  • G2: Identify which follow-up steps need to be done to fully support non-default passwords in such scenarios

Suggestions


Related issues 3 (0 open3 closed)

Copied to openQA Tests (public) - action #157744: [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobsRejected2024-03-22

Actions
Copied to openQA Infrastructure (public) - action #158242: Prevent ssh access to test VMs on svirt hypervisor hosts with firewall size:MRejecteddheidler2024-03-28

Actions
Copied to openQA Tests (public) - action #160325: [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3tResolvedrfan12024-05-14

Actions
Actions #1

Updated by okurz 9 months ago

  • Copied to action #157744: [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs added
Actions #2

Updated by okurz 9 months ago

  • Priority changed from Normal to High
  • Target version changed from future to Ready

According to https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we likely need this sooner rather than later. Adding to our backlog.

Actions #3

Updated by livdywan 9 months ago

  • Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs to [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
  • Description updated (diff)
  • Status changed from New to Workable
Actions #4

Updated by okurz 9 months ago

  • Assignee set to okurz

I have an alternative idea: firewall on svirt hosts preventing access from outside only workers in the same network OR openQA workers on the hypervisor hosts themselves

Actions #5

Updated by okurz 9 months ago

  • Copied to action #158242: Prevent ssh access to test VMs on svirt hypervisor hosts with firewall size:M added
Actions #6

Updated by okurz 9 months ago

  • Status changed from Workable to Blocked
  • Target version changed from Ready to Tools - Next

Created #158242, let's try that first.

Actions #7

Updated by okurz 8 months ago

  • Project changed from openQA Infrastructure (public) to openQA Tests (public)
  • Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S to [spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
  • Category deleted (Feature requests)
  • Status changed from Blocked to Workable
  • Assignee deleted (okurz)
  • Target version changed from Tools - Next to QE-Core: Ready

@qe-core I have a new task for you that should be planned to work on within the next weeks/months so that we don't get escalations from SUSE's cybersecurity team. Related #157744

Actions #9

Updated by slo-gin 7 months ago

This ticket was set to High priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.

Actions #10

Updated by szarate 7 months ago

  • Subject changed from [spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S to [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S
  • Description updated (diff)
  • Priority changed from High to Normal
Actions #11

Updated by szarate 7 months ago

  • Copied to action #160325: [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t added
Actions #12

Updated by szarate 7 months ago

  • Sprint set to QE-Core: May Sprint 25 (May 07 - Jun 04)
Actions #13

Updated by szarate 7 months ago

  • Category set to Infrastructure
Actions #14

Updated by okurz 7 months ago

With #159069 resolved there is a firewall on the hypervisor hosts preventing access over SSH or VNC from general network. With that this task is not strictly necessary anymore. Hence I suggest to reject this task for now.

Actions #15

Updated by okurz 5 months ago

  • Status changed from Workable to Rejected
  • Assignee set to okurz

#158242 is sufficient as alternative

Actions

Also available in: Atom PDF