action #160739
openSupport ssh keys with special characters like `@` in the name in our infrastructure size:S
0%
Description
Observation¶
In https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/815 and with the following deployment job, we had to realize that currently we're affected by https://github.com/saltstack/salt/issues/61299 :
ada.qe.prg2.suse.org:
----------
ID: ph03nix
Function: ssh_auth.present
Name: sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDF+5kEasMGxX9q6WERpGPOeQGB0j681GMMkRRWo/fg2AAAABHNzaDo= phoenix@racetrack-7290-nitrokey
Result: False
Comment: Invalid public ssh key, most likely has spaces or invalid syntax
Started: 14:36:03.312924
Duration: 1.374 ms
Changes:
----------
ID: ph03nix
Function: ssh_auth.present
Name: sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDeAIjDQ36FJux7JK3vygkWJ5K5/FHUuvPDxRsOnmEC5AAAABHNzaDo= phoenix@racetrack-7290-yk5
Result: False
Comment: Invalid public ssh key, most likely has spaces or invalid syntax
Started: 14:36:03.315261
Duration: 1.349 ms
Changes:
Summary for ada.qe.prg2.suse.org
--------------
Succeeded: 257
Failed: 2
--------------
Total states run: 259
Total run time: 11.519 s
ada.qe.prg2.suse.org:
Error: ssh_auth.present
We had to revert this for now: https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/816
Acceptance criteria¶
- AC1: No more invalid key errors despite keys called like
sk-ssh-ed25519@openssh.com
Suggestions¶
- I think the best we can currently do is either provide an upstream fix or workaround it in our states. For a workaround I would try to simply append each value of
pub_ssh_keyper user (similar to how we do it with other files).- Or provide the workaround and just propese an upstream fix - don't worry about packaging etc here
- Tell the team what this is and why you might want it
Updated by mkittler about 1 month ago
- Tags set to infra
- Category set to Feature requests
- Target version set to Ready
Updated by livdywan about 1 month ago
- Subject changed from Implement workaround for https://github.com/saltstack/salt/issues/61299 / Support for modern ssh keys in our infrastructure to Support ssh keys with special characters like `@` in the name in our infrastructure size:S
- Description updated (diff)
- Status changed from New to Workable
Updated by ybonatakis about 1 month ago
- Status changed from Workable to In Progress
- Assignee set to ybonatakis
Updated by ybonatakis about 1 month ago
Updated by openqa_review about 1 month ago
- Due date set to 2024-06-11
Setting due date based on mean cycle time of SUSE QE Tools
Updated by ybonatakis about 1 month ago
- Due date deleted (
2024-06-11)
I tried to reproduce the problem from https://github.com/saltstack/salt/issues/61299. I didnt encounter any problem. The branch shows salt version 3007.1+208.gaaad0d2ecf while OSD shows 3006.0 for all hosts.
Updated by ybonatakis about 1 month ago
- Status changed from In Progress to Feedback
There is https://build.opensuse.org/request/show/1177117, created 27/05 but it doesnt update to 3007.1 (latest upstream version) and doesnt look like to include any fix for that particular problem. Maybe we could patch the package or update it once this update is released?!
Updated by nicksinger about 1 month ago
- Status changed from Feedback to Workable
My main point here was not to wait for upstream to fix it but rather do it our self. We have two options for this:
- Implement the fix upstream as the still open ticket doesn't look like this got ever solved
- Implement a workaround (as described in the initial ticket)
Updated by ybonatakis about 1 month ago
nicksinger wrote in #note-8:
My main point here was not to wait for upstream to fix it but rather do it our self. We have two options for this:
- Implement the fix upstream as the still open ticket doesn't look like this got ever solved
the ticket is still open, but I couldnt reproduce the problem from their main branch. Thats why I said to a possibility could be to update the package to 3007.1
- Implement a workaround (as described in the initial ticket) This is something I am not sure how to do. I went through the documentation but I am still not sure where this should be applied and how everything(pillars, salt etc) comes together
Updated by livdywan 25 days ago
- https://github.com/saltstack/salt/issues/61299#issuecomment-2133497949
- https://build.opensuse.org/projects/openSUSE:Factory/packages/salt/files/salt.spec?expand=1
Suggested plan of action:
- Try and submit a new package to factory
- Otherwise we can still implement the work-around
Updated by okurz 25 days ago
- Assignee deleted (
ybonatakis) - Target version changed from Ready to future
Suggested plan of action:
- Try and submit a new package to factory
That's not so easy because there is no new package yet in the development project https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt and likely with 100+ patches updating to the new upstream 3007 is far from easy so outside the scope of this ticket.
- Otherwise we can still implement the work-around
Yes, we can try to replace ssh_auth.present with line.managed or something if it's really not more than that. But I see too little RoI for now. Removing the ticket from the backlog.