Bug 1772475 - Connecting through ssh is not possible during system upgrade
Summary: Connecting through ssh is not possible during system upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: crypto-policies
Version: 8.1
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 8.2
Assignee: Tomas Mraz
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Duplicates: 1774233
Depends On:
Blocks:
Reported: 2019-11-14 12:47 UTC by Renaud Métrich
Modified: 2023-09-07 20:59 UTC (History)

Fixed In Version: crypto-policies-20191128-1.git23e1bf1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:46:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-31266 | 0 | None | None | None | 2023-02-12 22:22:03 UTC
Red Hat Knowledge Base (Solution) | 4587501 | 0 | None | None | None | 2019-11-14 15:22:48 UTC
Red Hat Product Errata | RHBA-2020:1811 | 0 | None | None | None | 2020-04-28 16:47:00 UTC

Description Renaud Métrich 2019-11-14 12:47:22 UTC
Description of problem:

While performing a system upgrade from 8.0 to 8.1, sshd.service dies repeatedly until yum post scriptlets run.
During outage, we can see the following in the journal:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Nov 14 13:35:49 vm-uefi8 systemd[1]: Starting OpenSSH server daemon...
Nov 14 13:35:49 vm-uefi8 sshd[5926]: command-line: line 0: Bad configuration option: CASignatureAlgorithms
Nov 14 13:35:49 vm-uefi8 systemd[1]: sshd.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 13:35:49 vm-uefi8 systemd[1]: sshd.service: Failed with result 'exit-code'.
Nov 14 13:35:49 vm-uefi8 systemd[1]: Failed to start OpenSSH server daemon.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

An attempt is made every 42 seconds, so this resolves after some time (depends on how many packages are to be upgraded), but it's problematic for the end user anyway.


Version-Release number of selected component (if applicable):

openssh-server-8.0p1-3.el8.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Upgrade a RHEL8.0 system to 8.1 (had openssh-server-7.8p1-4.el8.x86_64 on RHEL8.0)

Actual results:

See above


Expected results:

No outage
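
As an added example that is not part of the original bug report: a Python parser that scans journal text like the excerpt above for sshd start failures, extracts the rejected option and where sshd read it from, and measures how long the outage lasted. The retry and recovery lines in the sample are constructed, and the function name `summarize_sshd_outage` and its default `year` are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the first failed start is taken from the journal excerpt
# above; the retry 42 s later and the final successful start are made up.
SAMPLE_JOURNAL = """\
Nov 14 13:35:49 vm-uefi8 systemd[1]: Starting OpenSSH server daemon...
Nov 14 13:35:49 vm-uefi8 sshd[5926]: command-line: line 0: Bad configuration option: CASignatureAlgorithms
Nov 14 13:35:49 vm-uefi8 systemd[1]: sshd.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 13:35:49 vm-uefi8 systemd[1]: Failed to start OpenSSH server daemon.
Nov 14 13:36:31 vm-uefi8 systemd[1]: Starting OpenSSH server daemon...
Nov 14 13:36:31 vm-uefi8 sshd[6011]: command-line: line 0: Bad configuration option: CASignatureAlgorithms
Nov 14 13:36:31 vm-uefi8 systemd[1]: Failed to start OpenSSH server daemon.
Nov 14 13:37:13 vm-uefi8 systemd[1]: Started OpenSSH server daemon.
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$")
BAD_OPT = re.compile(r"^(.+?): line (\d+): Bad configuration option: (\S+)$")


def summarize_sshd_outage(journal_text, year=2019):
    """Return rejected options, failed-start count and outage length in seconds."""
    rejected, failures, recovered = {}, [], None
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip scissors lines, blanks, multi-line continuations
        stamp, _host, unit, _pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        bad = BAD_OPT.match(msg) if unit == "sshd" else None
        if bad:
            source, lineno, option = bad.groups()
            # "command-line" means the option was passed with -o, not read from a file
            rejected.setdefault(option, set()).add((source, int(lineno)))
        elif unit == "systemd" and msg == "Failed to start OpenSSH server daemon.":
            failures.append(when)
        elif unit == "systemd" and msg == "Started OpenSSH server daemon." and failures:
            recovered = recovered or when
    end = recovered or (failures[-1] if failures else None)
    return {
        "rejected": {opt: sorted(src) for opt, src in rejected.items()},
        "failed_starts": len(failures),
        "outage_seconds": int((end - failures[0]).total_seconds()) if failures else 0,
    }


if __name__ == "__main__":
    print(summarize_sshd_outage(SAMPLE_JOURNAL))
```

A source of `command-line` with line 0 shows the rejected option was handed to sshd as an argument rather than read from a configuration file, which is why the reporter found no change in the configuration files.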

Comment 1 Tomas Mraz 2019-11-14 13:05:08 UTC
I do not think there is any reasonable way to solve this. It might be something to note for future updates of openssh and crypto-policies, i.e. do not do any updates of a similar kind where a new configuration value is added to openssh and simultaneously used in a new crypto-policies version.

Comment 2 Jakub Jelen 2019-11-14 13:19:21 UTC
I agree with Tomas. There is no simple way to make the system work during the updates by making sure these packages are updated close to each other. We do not plan any z-stream updates (and this will probably not qualify for one) which could fix this. I think the updates from 8.0 are not a very common use case among our customers as many things were stabilizing up to 8.1. The good thing is that the systemd service autorestart solves this problem eventually.

We certainly do not plan any big changes like this in the future of RHEL8. I will keep this bug open as a landing page in case some other people manage to hit this issue, but I do not think there is anything we could do about that now.

Comment 3 Renaud Métrich 2019-11-14 13:27:16 UTC
Hi guys,

Thanks for looking into this. Could you give the exact reasons why it fails (until scriptlet runs apparently)?
I didn't find any obvious change in the configuration. I'll then document this.

Renaud.

Comment 6 Tomas Mraz 2019-11-20 08:15:17 UTC
*** Bug 1774233 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2020-04-28 16:46:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1811

