Actions
action #157744
closedopenQA Project (public) - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
openQA Project (public) - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication
[spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs
Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Enhancement to existing tests
Target version:
Start date:
2024-03-22
Due date:
% Done:
0%
Estimated time:
Difficulty:
Description
Motivation¶
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16
Goals¶
- G1: Have an s390x kvm openQA installation job with ssh key authentication instead of password succeed as far as possible
- G2: Identify which follow-up steps need to be done to fully support ssh key based authentication in such scenarios
Suggestions¶
- Take a look where os-autoinst and os-autoinst-distri-opensuse use passwords and try to find a way how to pass public ssh keys to the target s390x kvm systems and use key authentication instead of password
- Consider trying out locally with native virtualization as that feature isn't only relevant for s390x
- After that reserve an s390x kvm system and try it out
- Fix obvious small problems and identify bigger follow-up tasks
Updated by okurz 9 months ago
- Copied from action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S added
Updated by okurz 9 months ago
- Subject changed from [spike][timeboxed:10h] Use ssh key authentication in particular for s390x kvm installation openQA jobs to [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs
- Status changed from Blocked to Workable
- Assignee deleted (
okurz) - Target version changed from Tools - Next to QE-Core: Ready
@qe-core I have a new task for you that should be planned to work on within the next weeks/months so that we don't get escalations from SUSE's cybersecurity team. Related #157555
Actions