[puppet] Gate blocker: CentOS 9 integration jobs are broken

Takashi Kajinami tkajinam at redhat.com
Thu Mar 10 00:00:53 UTC 2022

Thanks Clark for follow-up.
My explanation was not correct, and I should have said RSA + SHA1 no longer

Our problem was that the key generated by create keypair api in nova uses
thus ssh by tempest with that key no longer works since SHA1 was disabled
in a recent update in CentOS 9 Stream.

On Thu, Mar 10, 2022 at 12:31 AM Clark Boylan <cboylan at sapwetik.org> wrote:

> On Tue, Mar 8, 2022, at 10:01 PM, Takashi Kajinami wrote:
> > Both of the two issues have been resolved and c9s integration jobs are
> > voting again.
> >
> > As a side note, it seems the second issue within tempest tests was
> > caused by a recent change in openssl in the CentOS9 Stream repo and
> > rsa key is no longer allowed for ssh.
> To clarify this is RSA no longer allowed with SSH or is it just RSA +
> SHA1? The RSA + SHA1 problem has been known for a bit due to Fedora making
> that update a while back. But RSA + SHA2 does work on Fedora. The issue
> there is some servers like the dropbear server in Cirros and the MINA SSHD
> used by Gerrit either don't support RSA + SHA2 or lack the required
> negotiation bits to allow RSA + SHA2.
> Gerrit 3.6 should fix this, and I believe there is some effort to update
> Cirros to a newer version of dropbear which will support RSA + SHA2.
> Separately, it might be a good idea to try and push back on these systems
> to stop defaulting to RSA + SHA1 if that combination is not allowed. They
> should default to RSA + SHA2 if that is the only version of RSA that will
> function on their platform. Then if the server supports it but cannot
> negotiate it properly (this is the case with Gerrit) it should continue to
> function.
> > We worked around the issue by the feature in tempest to use a different
> > format but I've submitted a feedback to know about current usage of
> > rsa key[1].
> >
> > [1] https://bugs.launchpad.net/nova/+bug/1962726
> >
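
The RSA + SHA1 versus RSA + SHA2 distinction discussed in this thread is visible in the cleartext SSH_MSG_KEXINIT a server sends (RFC 4253 section 7.1), where `ssh-rsa` is the SHA1 scheme and `rsa-sha2-256` / `rsa-sha2-512` are the SHA2 ones. The following is an added example, not code from this thread or from nova, tempest, Cirros or Gerrit. It inspects only the host key algorithm list (the user-key signature negotiation happens later, under encryption), and its payloads, function names and labels are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
NAME_LIST_FIELDS = (  # order fixed by RFC 4253 section 7.1
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
)

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its ten name-lists, rejecting truncation."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset = 17  # 1 byte message type + 16 byte cookie
    fields = {}
    for name in NAME_LIST_FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"truncated inside {name}")
        raw = payload[offset:offset + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        offset += length
    return fields

def classify_rsa_hostkey(fields: dict) -> str:
    """Label (hypothetical names) for the RSA host key signatures offered."""
    algs = set(fields["server_host_key_algorithms"])
    if algs & {"rsa-sha2-256", "rsa-sha2-512"}:
        return "rsa-sha2"
    return "rsa-sha1-only" if "ssh-rsa" in algs else "no-rsa"

def build_kexinit(host_key_algs: list) -> bytes:
    """Constructed sample payload; only the host key list varies."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    lists = [["curve25519-sha256"], host_key_algs, ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    body = b"".join(name_list(entry) for entry in lists)
    # trailing fields: first_kex_packet_follows (bool) + reserved uint32
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

if __name__ == "__main__":
    samples = (["ssh-rsa"], ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"], ["ssh-ed25519"])
    for algs in samples:  # constructed algorithm lists, not captured traffic
        print(algs, "->", classify_rsa_hostkey(parse_kexinit(build_kexinit(algs))))
```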