2166951 – Allow SSH connection callers to not permit agent usage

Bug 2166951 - Allow SSH connection callers to not permit agent usage

Summary: Allow SSH connection callers to not permit agent usage

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tempest
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ga
Target Release:	17.1
Assignee:	Lukas Piwowarski
QA Contact:	Martin Kopec
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2175821
TreeView+	depends on / blocked

Reported:	2023-02-03 16:08 UTC by Jason Paroly
Modified:	2023-08-16 01:14 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openstack-tempest-33.0.0-1.20230308130919.1580f6f.el9ost
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-08-16 01:13:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	872566	None	MERGED	Allow SSH connection callers to not permit agent usage	2023-02-16 14:40:16 UTC
Red Hat Issue Tracker	OSP-22044	None	None	None	2023-02-03 16:10:06 UTC
Red Hat Product Errata	RHEA-2023:4577	None	None	None	2023-08-16 01:14:03 UTC

Description Jason Paroly 2023-02-03 16:08:50 UTC

Description of problem:

Ironic tempest plugin rescue scenario test fails when trying to ssh to the ironic node.

While debugging the ``rescue`` test functionality with ironic's
tempest plugin, we discovered that if the environment suggests the
agent is available, then we may enter a situation where the test
can fail because paramiko prefers ssh over password authentication.

This is important, because for rescue functionality in particular,
it is password authentication based without the use of SSH keys,
as a temporary password is generated by the services and provided
to the user requesting to rescue the instance/node.

Instead of trying to make an assumption that password being present
means we should just disable the agent, explicitly allow the caller
to specify it.

Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. run ironic tempest rescue test via jenkins
2.
3.

Actual results:
ssh with new user and password fails

Expected results:
ssh succeeds and test passes

Additional info:
using a workaround with "unset SSH_AUTH_SOCK" just before the test run does solve the issue, but it is unfeasible to use this for just this test, it would impact all tempest tests for all teams.

test case code, use rescue mode: https://github.com/openstack/ironic-tempest-plugin/blob/cda96d5ca3f84a5b883fee521bbabbe1c283c2a0/ironic_tempest_plugin/tests/scenario/test_baremetal_basic_ops.py#L258

upstream fixes:

https://review.opendev.org/c/openstack/tempest/+/872566

https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/872567

Comment 5 Martin Kopec 2023-03-20 10:08:54 UTC

The Fixed in version package contains the desired feature and it's available in the latest compose.

Comment 13 errata-xmlrpc 2023-08-16 01:13:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

Note You need to log in before you can comment on or make changes to this bug.