Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1484404

Summary: fence_drac5 requires specifying custom SSH options to work properly
Product: [oVirt] ovirt-engine
Reporter: Petr Matyáš <pmatyas>
Component: BLL.Infra
Assignee: Eli Mesika <emesika>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Matyáš <pmatyas>
Severity: high
Docs Contact:
Priority: high
Version: 4.1.5.2
CC: bugs, cluster-maint, cluster-qe, lveyde, mgoldboi, mperina, oalbrigt, pmatyas, trichard
Target Milestone: ovirt-4.1.9
Flags: rule-engine: ovirt-4.1+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.1.8.1
Doc Type: Enhancement
Doc Text:
You can now use the key=key=value format (where the value of a fence option key is itself in key=value format) when setting fence agent options. This supports old drac5 devices that require "ssh_options=-oCiphers=+3des-cbc" in the Options field to enable insecure ciphers that are no longer enabled for the SSH connection.
Story Points: ---
Clone Of: 1481280
Environment:
Last Closed: 2018-01-24 10:40:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1481280, 1523304
Bug Blocks:

Comment 1 Martin Perina 2017-08-24 06:26:21 UTC
Reducing severity to high as we need to wait if/how underlying RHEL issue is handled. But at the moment we cannot do anything about it

Comment 2 Yaniv Kaul 2017-10-18 17:24:44 UTC
(In reply to Martin Perina from comment #1)
> Reducing severity to high as we need to wait if/how underlying RHEL issue is
> handled. But at the moment we cannot do anything about it

Any updates?

Comment 3 Martin Perina 2017-10-19 08:31:13 UTC
(In reply to Yaniv Kaul from comment #2)
> (In reply to Martin Perina from comment #1)
> > Reducing severity to high as we need to wait if/how underlying RHEL issue is
> > handled. But at the moment we cannot do anything about it
> 
> Any updates?

We can't do anything, platform needs to provide a fix for that (more info in BZ1481280).

Comment 4 Martin Perina 2017-10-27 12:38:24 UTC
So according to platform bug BZ1481280, they will not re-enable the no longer secure cipher 3des-cbc, so the only way to use the cipher is to specify it in an additional parameter for the fence_drac5 agent using the Options field in webadmin:

  ssh_options="-oCiphers=+3des-cbc"

Unfortunately we are not able to enter such a value into the Options field as it somehow breaks our current validation.

Comment 5 Petr Matyáš 2017-11-27 13:47:31 UTC
Using ovirt-engine-4.1.8.1-0.1.el7.noarch and adding ssh_options="-oCiphers=+3des-cbc" still gives me an unable to login error.

Comment 13 Martin Perina 2018-01-08 15:51:37 UTC
Moving back to modified, because we have already provided the infra to be able to set key=key=value in the Options field of the Fence Agent.

If platform doesn't change the defaults, then users will need to set login_timeout=30 along with ssh_options="-oCiphers=+3des-cbc" in the Options field. Otherwise specifying ssh_options is enough.

Comment 14 Petr Matyáš 2018-01-16 11:47:13 UTC
Verified on ovirt-engine-4.1.9-0.2.el7.noarch

Using these values in the Options field: ssh_options="-oCiphers=+3des-cbc",login_timeout=30
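
An added example (not oVirt's validation code, and not written by anyone in this bug): one way to parse an Options string in the key=key=value format discussed above by splitting each item on its first "=" only, together with an audit check that reports when ssh_options turns a legacy cipher such as 3des-cbc back on. The function names and the WEAK_CIPHERS set are assumptions made for this example.

```python
# Added example: parse a fence agent Options string and audit its SSH ciphers.
# Assumption: ciphers this audit treats as weak; 3des-cbc is the one on this page.
WEAK_CIPHERS = {"3des-cbc"}

def split_items(raw):
    """Split on commas that are outside double quotes; drop the quotes."""
    items, buf, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in options string")
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]

def parse_fence_options(raw):
    """Return {key: value}; only the first '=' of an item separates key and value."""
    opts = {}
    for item in split_items(raw):
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not in key=value form: {item!r}")
        opts[key.strip()] = value.strip()
    return opts

def weak_ciphers_enabled(opts):
    """List weak ciphers that ssh_options adds through -oCiphers=... (fused form only)."""
    found = []
    for token in opts.get("ssh_options", "").split():
        name, _, spec = token[2:].partition("=")
        if not token.startswith("-o") or name.lower() != "ciphers":
            continue
        if spec.startswith("-"):      # OpenSSH: a leading '-' removes ciphers
            continue
        found += [c for c in spec.lstrip("+^").split(",") if c in WEAK_CIPHERS]
    return found

if __name__ == "__main__":
    # Constructed sample using the option values quoted in this bug.
    sample = 'ssh_options="-oCiphers=+3des-cbc",login_timeout=30'
    parsed = parse_fence_options(sample)
    print(parsed, weak_ciphers_enabled(parsed))
```

Run over the stored Options value of each power management agent, this gives an inventory of hosts whose fencing still depends on a cipher the platform has disabled.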

Comment 15 Sandro Bonazzola 2018-01-24 10:40:10 UTC
This bugzilla is included in oVirt 4.1.9 release, published on Jan 24th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.1.9 release, published on Jan 24th 2018, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.