Bug 1826410
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Build of rugged doesn't allow for SSH auth | | |
| Product | Red Hat CloudForms Management Engine | Reporter | Nick LaMuro <nlamuro> |
| Component | Build | Assignee | Satoe Imaishi <simaishi> |
| Status | CLOSED ERRATA | QA Contact | Gaurav Talreja <gtalreja> |
| Severity | medium | Docs Contact | Red Hat CloudForms Documentation <cloudforms-docs> |
| Priority | medium | | |
| Version | 5.11.0 | CC | akarol, dmetzger, duhlmann, gmccullo, mkanoor, obarenbo, sigbjorn.lie, simaishi |
| Target Milestone | GA | Keywords | ZStream |
| Target Release | 5.11.7 | Flags | pm-rhel: cfme-5.11.z+ |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | 5.11.7.0 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-08-06 14:32:54 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | Bug |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | CFME Core | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |

Description
Nick LaMuro
2020-04-21 15:46:49 UTC
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

After doing some more testing with an older version of CFME, it turns out that this seems to have been broken since at least `5.11.0.19-`, so my guess is since the change of EmbeddedAnsible's re-write in that release. I think this will warrant reducing the priority of this a bit since it has been broken, but not reported, since the changes to EmbeddedAnsible have been updated. Probably makes sense to step back and figure this out, and there probably is no immediate need to get this fixed as it hasn't been reported previously in the past 5 minor releases.

Deferring to Dennis to set the priority given the info above (just noticed the `needinfo?` I just canceled with my last comment).

5.11.0.26 uses OpenSSH 7.8 which was released on 2018-08-24 and from the release notes, "...write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key [with:]"

```
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
```

(note that this is potentially destructive, it converts to the old format, so it'd be good to make a backup first)

I did try the converted key on a 5.11 and didn't see the error when I did. I'll look more into the exact version tomorrow.

Created attachment 1680698: bz_1826410_replication_script.rb
Thought I should also update and share a script for reproducing on an appliance:
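```ruby
# Paste your SSH private key between the heredoc markers.
private_key = <<-SSH_PRIVATE_KEY_DATA_HERE
SSH_PRIVATE_KEY_DATA_HERE

worktree_params = {
  :clone             => true,
  :url               => 'ssh://git/NickLaMuro/manageiq-playbooks',
  :path              => '/var/www/miq/vmdb/tmp/repo_from_test_script',
  # Accepts any host certificate; used here only to reproduce the SSH auth failure.
  :certificate_check => -> (_valid, _host) { true },
  :username          => 'git',
  :ssh_private_key   => private_key
}

# Cloning over SSH with the key above triggers the failure on affected builds.
GitWorktree.new(worktree_params)
```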
You will have to supply your own SSH private key at the top, and you can use whatever repo you see fit instead of my own.
I put the script in `/var/www/miq/vmdb` and ran with `bin/rails r bz_1826410_replication_script.rb`
I believe this is only broken on 5.11 as the latest 5.10 is using OpenSSH 7.4.

Gaurav, Please test and make sure that the packages are getting updated.

Verified in Version : 5.11.7.0.20200714215453_0da8a4a

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Critical: CloudForms 5.0.7 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3358
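
The comments above tie the failure to OpenSSH 7.8 writing private keys in the OpenSSH format by default, and report that a key converted with `-m PEM` did not produce the error. The following is an added example, not part of the bug report or the ManageIQ code: a Ruby check that classifies key text as OpenSSH-format or PEM before it is passed as `:ssh_private_key`, reading the cipher name from the `openssh-key-v1` container described in PROTOCOL.key. All function and constant names are hypothetical, and the sample keys are constructed placeholders.

```ruby
require 'base64'

OPENSSH_MAGIC = "openssh-key-v1\0".b # container magic from PROTOCOL.key

# Read one SSH wire "string": uint32 big-endian length, then that many bytes.
def read_ssh_string(buf, offset)
  raise ArgumentError, 'truncated key blob' if offset + 4 > buf.bytesize
  len = buf.byteslice(offset, 4).unpack1('N')
  raise ArgumentError, 'truncated key blob' if offset + 4 + len > buf.bytesize
  [buf.byteslice(offset + 4, len), offset + 4 + len]
end

# Classify private key text by its armor header; for the OpenSSH container,
# read the cipher name to tell whether a passphrase protects it.
def classify_private_key(text)
  header = text[/^-----BEGIN ([A-Z0-9 ]+)-----\s*$/, 1]
  case header
  when 'OPENSSH PRIVATE KEY'
    body = text.lines.map(&:strip).reject { |l| l.empty? || l.start_with?('-----') }.join
    blob = Base64.strict_decode64(body)
    raise ArgumentError, 'missing openssh-key-v1 magic' unless blob.start_with?(OPENSSH_MAGIC)
    cipher, = read_ssh_string(blob, OPENSSH_MAGIC.bytesize)
    { format: :openssh, encrypted: cipher != 'none' }
  when /PRIVATE KEY\z/ # RSA/DSA/EC and PKCS#8 PEM headers
    encrypted = header.start_with?('ENCRYPTED') || text.include?('Proc-Type: 4,ENCRYPTED')
    { format: :pem, encrypted: encrypted }
  else
    { format: :unknown, encrypted: nil }
  end
end

# Encode a value as an SSH wire string (helper for building the sample).
def ssh_string(str)
  [str.bytesize].pack('N') + str.b
end

# Constructed sample: a structurally valid container around placeholder bytes,
# not real key material.
def constructed_openssh_key(cipher: 'none', kdf: 'none')
  blob = OPENSSH_MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string('') +
         [1].pack('N') + ssh_string('placeholder-public') + ssh_string('placeholder-private')
  armor = Base64.strict_encode64(blob).scan(/.{1,70}/).join("\n")
  "-----BEGIN OPENSSH PRIVATE KEY-----\n#{armor}\n-----END OPENSSH PRIVATE KEY-----\n"
end

# Constructed sample: PEM armor around placeholder base64, not a real key.
CONSTRUCTED_PEM = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
```

A result of `format: :openssh` marks the key format the comments identify as the one failing on the affected 5.11 builds; `format: :pem` matches the converted key that did not show the error.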