[puppet] Gate blocker: CentOS 9 integration jobs are broken

Clark Boylan cboylan at sapwetik.org
Wed Mar 9 15:26:55 UTC 2022

On Tue, Mar 8, 2022, at 10:01 PM, Takashi Kajinami wrote:
> Both of the two issues have been resolved and c9s integration jobs are 
> voting again.
> As a side note, it seems the second issue within tempest tests was 
> caused by a recent
> change in openssl in the CentOS9 Stream repo and rsa keys are no longer 
> allowed for ssh.

To clarify, is this RSA no longer allowed with SSH, or is it just RSA + SHA1? The RSA + SHA1 problem has been known for a bit due to Fedora making that update a while back. But RSA + SHA2 does work on Fedora. The issue there is some servers like the dropbear server in Cirros and the MINA SSHD used by Gerrit either don't support RSA + SHA2 or lack the required negotiation bits to allow RSA + SHA2.

Gerrit 3.6 should fix this, and I believe there is some effort to update Cirros to a newer version of dropbear which will support RSA + SHA2.

Separately, it might be a good idea to try and push back on these systems to stop defaulting to RSA + SHA1 if that combination is not allowed. They should default to RSA + SHA2 if that is the only version of RSA that will function on their platform. Then if the server supports it but cannot negotiate it properly (this is the case with Gerrit) it should continue to function.

> We worked around the issue using the feature in tempest to use a different 
> format, but
> I've submitted feedback to learn about current usage of rsa keys[1].
>  [1] https://bugs.launchpad.net/nova/+bug/1962726
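The negotiation problem Clark describes (a server that never advertises rsa-sha2-* in SSH_MSG_EXT_INFO, so the client falls back to ssh-rsa with SHA-1, which the CentOS 9 Stream crypto policy rejects) can be checked from an `ssh -vv` transcript. The script below is an added example, not code from the thread, tempest or OpenSSH. It assumes OpenSSH's debug line format for the EXT_INFO advertisement (`kex_input_ext_info: server-sig-algs=<...>`), and the two transcripts in it are constructed, not captures from the CentOS, Cirros or Gerrit hosts discussed above.

```python
import re

# RFC 8332 names for RSA signatures with SHA-2, and the legacy RSA + SHA-1 name.
RSA_SHA2 = ("rsa-sha2-256", "rsa-sha2-512")
RSA_SHA1 = "ssh-rsa"

# OpenSSH logs the server's SSH_MSG_EXT_INFO advertisement at -vv as
#   debug1: kex_input_ext_info: server-sig-algs=<alg1,alg2,...>
SERVER_SIG_ALGS = re.compile(r"server-sig-algs=<([^>]*)>")

# Constructed `ssh -vv` excerpts (illustrative, not real captures).
# A server that implements EXT_INFO and offers RSA + SHA-2:
MODERN_SERVER = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: host key algorithm: ssh-ed25519
debug1: SSH2_MSG_NEWKEYS sent
debug1: SSH2_MSG_NEWKEYS received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256>
debug1: SSH2_MSG_SERVICE_ACCEPT received
"""
# A server with no EXT_INFO at all (the dropbear / MINA SSHD situation):
LEGACY_SERVER = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: host key algorithm: ssh-rsa
debug1: SSH2_MSG_NEWKEYS sent
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
"""


def parse_server_sig_algs(transcript: str):
    """Return the advertised signature algorithms, or None if no EXT_INFO line is present."""
    for line in transcript.splitlines():
        m = SERVER_SIG_ALGS.search(line)
        if m:
            return [alg for alg in m.group(1).split(",") if alg]
    return None


def _verdict(status: str, reason: str) -> dict:
    # The action mirrors the two fixes in the thread: upgrade the server, or switch
    # the user key away from RSA where the server cannot be changed.
    action = None
    if status == "fail":
        action = ("use an ed25519 or ecdsa user key (ssh-keygen -t ed25519), "
                  "or upgrade the server to one that advertises rsa-sha2-*")
    return {"status": status, "reason": reason, "action": action}


def assess_rsa_key(transcript: str, sha1_allowed: bool) -> dict:
    """Decide whether an RSA user key can authenticate against this server.

    sha1_allowed: whether the client platform still permits ssh-rsa (RSA + SHA-1)
    signatures. It is False under the CentOS 9 Stream / Fedora policy the thread
    describes and True on older distributions.
    """
    algs = parse_server_sig_algs(transcript)
    if algs is None:
        # No server-sig-algs: the client gets no signal that rsa-sha2-* would be
        # accepted, so an RSA key is used with ssh-rsa (SHA-1). That only works
        # while the client platform still allows SHA-1 signatures.
        if sha1_allowed:
            return _verdict("ok", "no EXT_INFO; RSA key falls back to ssh-rsa (SHA-1)")
        return _verdict("fail", "no EXT_INFO and ssh-rsa is disabled on the client")
    if any(alg in algs for alg in RSA_SHA2):
        return _verdict("ok", "server advertises rsa-sha2-*; RSA key is signed with SHA-2")
    if RSA_SHA1 in algs and sha1_allowed:
        return _verdict("ok", "server only advertises ssh-rsa and the client still allows it")
    return _verdict("fail", "server offers no RSA signature algorithm the client may use")


if __name__ == "__main__":
    for name, transcript in (("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER)):
        for sha1 in (True, False):
            v = assess_rsa_key(transcript, sha1_allowed=sha1)
            print(f"{name:6} sha1_allowed={sha1!s:5} -> {v['status']}: {v['reason']}")
            if v["action"]:
                print(f"       action: {v['action']}")
```

To run it against a real host, capture the handshake with `ssh -vv -o BatchMode=yes user@host true 2>&1` and feed that text to `assess_rsa_key`; the legacy/no-EXT_INFO branch with `sha1_allowed=False` is the combination that produced the tempest failures on c9s.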

More information about the openstack-discuss mailing list