action #157555
closedopenQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication
[spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S
0%
Description
Motivation
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16
Goals
- G1: Have an s390x kvm (or any other svirt backend) openQA installation job with non-default password succeed as far as possible
- G2: Identify which follow-up steps need to be done to fully support non-default passwords in such scenarios
Suggestions
- os-autoinst-distri-opensuse in principle supports using a different password, see https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/lib/main_common.pm#L165
- Clone a default s390x kvm openQA installation job https://openqa.suse.de/tests/13875911 from this scenario https://openqa.suse.de/tests/latest?arch=s390x&distri=sle&flavor=Online&machine=s390x-kvm&test=default&version=15-SP6 but with PASSWORD=<new_password>, with <new_password> being anything you set up temporarily, and see how far the test can reach
- Fix obvious small problems and identify bigger follow-up tasks
- Actually s390x shouldn't really matter that much in this context, could also be an "svirt" job
Updated by okurz 8 months ago
- Copied to action #157744: [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs added
Updated by okurz 8 months ago
- Priority changed from Normal to High
- Target version changed from future to Ready
According to https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we likely need this sooner rather than later. Adding to our backlog.
Updated by livdywan 8 months ago
- Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs to [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
- Description updated (diff)
- Status changed from New to Workable
Updated by okurz 8 months ago
- Copied to action #158242: Prevent ssh access to test VMs on svirt hypervisor hosts with firewall size:M added
Updated by okurz 8 months ago
- Project changed from openQA Infrastructure to openQA Tests
- Subject changed from [spike][timeboxed:10h] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S to [spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S
- Category deleted (Feature requests)
- Status changed from Blocked to Workable
- Assignee deleted (okurz)
- Target version changed from Tools - Next to QE-Core: Ready
@qe-core I have a new task for you that should be planned to work on within the next weeks/months so that we don't get escalations from SUSE's cybersecurity team. Related #157744
Updated by slo-gin 7 months ago
This ticket was set to High priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.
Updated by szarate 6 months ago
- Subject changed from [spike][timeboxed:10h][qe-core] Use a different ssh root password for s390x kvm installation openQA jobs (or svirt) size:S to [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S
- Description updated (diff)
- Priority changed from High to Normal
Updated by szarate 6 months ago
- Copied to action #160325: [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t added