Bug 1772475

Summary: Connecting through ssh is not possible during system upgrade
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: crypto-policies
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: high
Priority: medium
Version: 8.1
CC: fperalta, jjelen, nmavrogi, omoris, pdwyer, ravpatil, tmraz
Target Milestone: rc
Keywords: Triaged
Target Release: 8.2
Hardware: All
OS: Linux
Fixed In Version: crypto-policies-20191128-1.git23e1bf1.el8
Doc Type: If docs needed, set a value
Last Closed: 2020-04-28 16:46:50 UTC
Type: Bug

Description Renaud Métrich 2019-11-14 12:47:22 UTC
Description of problem:

While performing a system upgrade from 8.0 to 8.1, sshd.service dies repeatedly until yum post scriptlets run.
During the outage, we can see the following in the journal:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Nov 14 13:35:49 vm-uefi8 systemd[1]: Starting OpenSSH server daemon...
Nov 14 13:35:49 vm-uefi8 sshd[5926]: command-line: line 0: Bad configuration option: CASignatureAlgorithms
Nov 14 13:35:49 vm-uefi8 systemd[1]: sshd.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 13:35:49 vm-uefi8 systemd[1]: sshd.service: Failed with result 'exit-code'.
Nov 14 13:35:49 vm-uefi8 systemd[1]: Failed to start OpenSSH server daemon.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

An attempt is made every 42 seconds, so this resolves after some time (depending on how many packages are to be upgraded), but it is still problematic for the end user.


Version-Release number of selected component (if applicable):

openssh-server-8.0p1-3.el8.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Upgrade a RHEL8.0 system to 8.1 (had openssh-server-7.8p1-4.el8.x86_64 on RHEL8.0)

Actual results:

See above


Expected results:

No outage
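
Added example, not part of the original report or of any Red Hat tooling: a Python function that scans journal text for the failure signature shown above and reports each sshd outage with the rejected option, the number of failed starts and the time until recovery. The name `sshd_outages`, the default year and the use of "Started OpenSSH server daemon." as the recovery marker are assumptions; the first five sample lines come from the report, the remaining five are constructed.

```python
import re
from datetime import datetime

# The first five lines are the journal excerpt from the report; the last five
# are constructed to show one 42-second retry and the eventual recovery.
SAMPLE_JOURNAL = """\
Nov 14 13:35:49 vm-uefi8 systemd[1]: Starting OpenSSH server daemon...
Nov 14 13:35:49 vm-uefi8 sshd[5926]: command-line: line 0: Bad configuration option: CASignatureAlgorithms
Nov 14 13:35:49 vm-uefi8 systemd[1]: sshd.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 13:35:49 vm-uefi8 systemd[1]: sshd.service: Failed with result 'exit-code'.
Nov 14 13:35:49 vm-uefi8 systemd[1]: Failed to start OpenSSH server daemon.
Nov 14 13:36:31 vm-uefi8 systemd[1]: Starting OpenSSH server daemon...
Nov 14 13:36:31 vm-uefi8 sshd[6011]: command-line: line 0: Bad configuration option: CASignatureAlgorithms
Nov 14 13:36:31 vm-uefi8 systemd[1]: Failed to start OpenSSH server daemon.
Nov 14 13:37:13 vm-uefi8 systemd[1]: Starting OpenSSH server daemon...
Nov 14 13:37:13 vm-uefi8 systemd[1]: Started OpenSSH server daemon.
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w[\w.-]*)\[\d+\]: (.*)$")
BAD_OPT = re.compile(r"Bad configuration option: (\S+)")

def sshd_outages(journal_text, year=2019):
    """Return one dict per outage; syslog stamps carry no year, so it is assumed."""
    outages, current = [], None
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, unit, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        bad = BAD_OPT.search(msg) if unit == "sshd" else None
        if bad:
            if current is None:  # first rejected option opens a new outage
                current = {"start": when, "end": None, "seconds": None,
                           "options": set(), "failed_starts": 0}
                outages.append(current)
            current["options"].add(bad.group(1))
        elif unit == "systemd" and current is not None:
            if msg == "Failed to start OpenSSH server daemon.":
                current["failed_starts"] += 1
            elif msg == "Started OpenSSH server daemon.":  # recovery closes it
                current["end"] = when
                current["seconds"] = int((when - current["start"]).total_seconds())
                current = None
    return outages
```

An outage whose `end` is still `None` means sshd had not recovered by the end of the supplied journal text.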

Comment 1 Tomas Mraz 2019-11-14 13:05:08 UTC
I do not think there is any reasonable way to solve this. It might be something to note for future updates of openssh and crypto-policies, i.e. do not do any updates of a similar kind where a new configuration value is added to openssh and simultaneously used in a new crypto-policies version.

Comment 2 Jakub Jelen 2019-11-14 13:19:21 UTC
I agree with Tomas. There is no simple way to keep the system working during the updates by making sure these packages are updated close to each other. We do not plan any z-stream updates (and this will probably not qualify for one) which could fix this. I think the updates from 8.0 are not a very common use case among our customers as many things were stabilizing up to 8.1. The good thing is that the systemd service autorestart solves this problem eventually.

We certainly do not plan any big changes like this in the future of RHEL8. I will keep this bug open as a landing page in case some other people manage to hit this issue, but I do not think there is anything we could do about that now.

Comment 3 Renaud Métrich 2019-11-14 13:27:16 UTC
Hi guys,

Thanks for looking into this. Could you give the exact reasons why it fails (until scriptlet runs apparently)?
I didn't find any obvious change in the configuration. I'll then document this.

Renaud.

Comment 6 Tomas Mraz 2019-11-20 08:15:17 UTC
*** Bug 1774233 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2020-04-28 16:46:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1811