action #159060
opencoordination #155182: [epic] Participate in alpha-testing of new version of velociraptor-client
Rollback/switch to officially installed velociraptor-client repo and server size:S
0%
Description
Motivation¶
#155179 is done. Crosscheck with the velociraptor-client development team and rollback our salt managed machines to use official packages and the non-development server again
Acceptance Criteria¶
- AC1: salt-controlled machines use the stable velociraptor repo
## Suggestions
- Look at https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/736 for previous changes
- Clarify which repo to use, see https://suse.slack.com/archives/C02NJAA1PEC/p1713696437484159
https://download.suse.de/ibs/SUSE:/Velociraptor/15.5/ only offers x86_64. I thought we should use that repo unconditionally but what about aarch64, s390x, ppc64le? Until we found a better place to install aarch64/ppc64le/s390x Leap 15.5 packages from I will revert to the official Leap repository content. Soon we will upgrade to Leap 15.6 anyway- Check that we use the correct endpoint
Updated by okurz 7 months ago
- Copied from action #155179: Participate in alpha-testing of new version of velociraptor-client added
Updated by okurz 7 months ago
- Subject changed from Participate in alpha-testing of new version of velociraptor-client to Rollback to officially installed velociraptor-client repo and server
- Status changed from New to Feedback
- Target version changed from Tools - Next to future
https://suse.slack.com/archives/C02NJAA1PEC/p1713272166072159
(Oliver Kurz) Hi, can we switch the LSG QE machines back from https://download.opensuse.org/repositories/security:/sensor/15.5/ to official Leap packages and the server target URL accordingly?
(Marcela Mašláňová) All machines will need to install from IBS. We are just waiting for the official announcement
(Oliver Kurz) that sounds like a different problem but I will wait for such announcement then
Updated by okurz 7 months ago
- Subject changed from Rollback to officially installed velociraptor-client repo and server to Rollback/switch to officially installed velociraptor-client repo and server
- Target version changed from future to Ready
announcement was sent by Jeff Mahoney in https://suse.slack.com/archives/C02NJAA1PEC/p1713535789090039 pointing to https://confluence.suse.com/display/CS/Sensor+-+Linux+Endpoint+Protection+Agent with deployment instructions on https://gitlab.suse.de/linux-security-sensor/suse-client-deployment and https://confluence.suse.com/display/CS/Deploying+the+Sensor+Client
https://suse.slack.com/archives/C02NJAA1PEC/p1713537499171589
(Oliver Kurz) @Jeff Mahoney 1. "It includes virtual machines and systems that are subject to frequent redeployment, like those in […] test systems." So do the 1..10k automated openQA tests need to install velociraptor-client and report to the server during openQA test runs? […] 3. "any Linux servers maintained by BCL" and "must switch to the IBS release" is not possible for the openqa.opensuse.org infrastructure. I don't know how to fulfill such requirements
Updated by okurz 7 months ago
I checked the config mentioned on the documentation pages and could confirm that we are just expected to go back to https://sec-velociraptor.prg.suse.com:8000 so created https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/783 (merged)
Unfortunately we need to switch to an internal repo but ok:
https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/1160
Updated by livdywan 7 months ago
https://gitlab.suse.de/openqa/salt-states-openqa/-/jobs/2513164
ID: security-sensor.repo
Function: pkgrepo.managed
Result: False
Comment: Failed to configure repo 'security-sensor.repo': refresh_db() got multiple values for keyword argument 'root'
Started: 18:31:20.487570
Duration: 1268.534 ms
Changes:
Updated by okurz 7 months ago
https://suse.slack.com/archives/C02NJAA1PEC/p1713696437484159
(Oliver Kurz) https://download.suse.de/ibs/SUSE:/Velociraptor/15.5/ only offers x86_64. I thought we should use that repo unconditionally but what about aarch64, s390x, ppc64le? Until we found a better place to install aarch64/ppc64le/s390x Leap 15.5 packages from I will revert to the official Leap repository content. Soon we will upgrade to Leap 15.6 anyway
Updated by okurz 7 months ago
- Due date changed from 2024-05-05 to 2024-05-12
Asked in https://suse.slack.com/archives/C02NJAA1PEC/p1714397276453239 now again
Updated by okurz 8 days ago
This is related to #169546 now.
In
https://suse.slack.com/archives/C02NJAA1PEC/p1731488334523429
I asked
Hi, https://jira.suse.com/browse/SENS-111 is unresolved since about 7 months and now we come to more problems due to the common criteria related network changes. With that machines which are not in a CC-compliant location can not access repositories on download.suse.de anymore. Can we switch to an official repository like Leap update channel again? Or second best an OBS repository