Project

General

Profile

action #73483

ipmitool from openSUSE Leap 15.2 and TW to our openQA workers fails with "no matching cipher suite", works on login.suse.de (SLES15SP1)

Added by okurz 9 months ago. Updated 9 months ago.

Status:
Resolved
Priority:
High
Assignee:
Target version:
Start date:
2020-10-18
Due date:
2020-10-30
% Done:

0%

Estimated time:

Description

Observation

When calling ipmitool to administrate our o3/osd workers this commonly fails with errors like

Error in open session response message : no matching cipher suite

Steps to reproduce

podman run --rm -it registry.opensuse.org/home/okurz/container/containers/tumbleweed:ipmitool ipmitool -I lanplus -H openqaworker1-ipmi.suse.de -U $user -P $pass power status

Problem

This seems to happen for all openSUSE Leap 15.2 and openSUSE Tumbleweed installations, but not openSUSE Leap 15.1 or SLES15SP1 however the version of ipmitool itself seems to be the same. ipmitool -V returns 1.8.18 for me. But the build differs, e.g.

$ zypper --no-refresh info ipmitool
…
Version        : 1.8.18+git20200204.7ccea28-lp152.1.3

$ ssh login "zypper --no-refresh info ipmitool"
…
Version        : 1.8.18-7.3.1

Workaround

Use older versions of the ipmitool chain from either other machines or container


Related issues

Related to openQA Infrastructure - action #73234: ipmi management interface of openqaworker7 is inaccessible ("no matching cipher suite") and not pingableResolved2020-10-12

History

#1 Updated by okurz 9 months ago

  • Description updated (diff)
  • Due date set to 2020-10-23
  • Assignee set to nicksinger
  • Priority changed from Normal to High
  • Target version set to Ready

nicksinger you already looked into this. Can you please say what's the current status, what do you think is the underlying problem and any ideas about the proper solution? Might this be a bug in Leap+Tumbleweed or rather in our infrastructure?

#2 Updated by nicksinger 9 months ago

  • Assignee changed from nicksinger to okurz

I think they're trying to make a point: https://github.com/ipmitool/ipmitool/issues/29#issue-347347023
So according to this and my own experiments adding -C 3 seems to be the "proper" way to resolve this.

#3 Updated by mkittler 9 months ago

  • Subject changed from ipmitool from openSUSE Leap 15.2 to our openQA workers fails with "no matching cipher suite", works on login.suse.de (SLES15SP1) to ipmitool from openSUSE Leap 15.2 and TW to our openQA workers fails with "no matching cipher suite", works on login.suse.de (SLES15SP1)

nicksinger Good to know. -C 3 also does the trick under TW.

#4 Updated by okurz 9 months ago

  • Due date changed from 2020-10-23 to 2020-10-30
  • Status changed from New to Feedback

#5 Updated by okurz 9 months ago

  • Status changed from Feedback to Resolved

all merged and done. Everyone can call the command in https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/README.md to have helpful IPMI aliases. I also mentioned that in https://confluence.suse.com/display/openqa/openQA .

#6 Updated by okurz 9 months ago

  • Related to action #73234: ipmi management interface of openqaworker7 is inaccessible ("no matching cipher suite") and not pingable added

Also available in: Atom PDF