Thursday, 2022-05-12

*** dviroel|afk is now known as dviroel [00:00]
*** dviroel is now known as dviroel|out [00:24]
*** dviroel|out is now known as dviroel [00:59]
*** rlandy|bbl is now known as rlandy|out [01:09]
*** ysandeep|rover|out is now known as ysandeep|rover [01:19]
*** dviroel is now known as dviroel|out [01:24]
*** ysandeep|rover is now known as ysandeep|afk [02:26]
*** diablo_rojo_phone is now known as Guest458 [02:44]
*** ysandeep|afk is now known as ysandeep|rover [04:44]
*** soniya is now known as soniya|ruck [05:04]
<opendevreview> Ian Wienand proposed openstack/project-config master: Set context for unbound.log on selinux systems  https://review.opendev.org/c/openstack/project-config/+/841546 [05:17]
*** ysandeep|rover is now known as ysandeep|rover|brb [05:57]
*** ysandeep|rover|brb is now known as ysandeep|rover [06:15]
<opendevreview> Pranali Deore proposed openstack/openstack-zuul-jobs master: Update python testing as per zed cycle testing runtime  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/841368 [06:53]
*** ysandeep|rover is now known as ysandeep|rover|brb [07:50]
*** ysandeep|rover|brb is now known as ysandeep|rover [08:03]
*** Guest458 is now known as diablo_rojo_phone [08:03]
*** jpena|off is now known as jpena [09:44]
*** ysandeep|rover is now known as ysandeep|rover|lunch [10:03]
*** rlandy|out is now known as rlandy [10:20]
*** ysandeep|rover|lunch is now known as ysandeep|rover [10:34]
*** soniya29 is now known as soniya29|ruck [11:08]
*** soniya29|ruck is now known as soniya29|ruck|brb [11:10]
<opendevreview> Kendall Nelson proposed openstack/ptgbot master: Update Bot to Show Room Descriptions  https://review.opendev.org/c/openstack/ptgbot/+/841575 [11:15]
*** dviroel_ is now known as dviroel [11:33]
<opendevreview> Kendall Nelson proposed openstack/ptgbot master: Update Bot to Show Room Descriptions  https://review.opendev.org/c/openstack/ptgbot/+/841575 [11:44]
<opendevreview> Bar hochman proposed openstack/pbr master: fix: check for the installed version of importlib_metadata. use it only if pbr supports it. bug-report: https://bugs.launchpad.net/pbr/+bug/1972975 Change-Id: If67caac8d7ee7d5f22d0c6d262582b432d3370d1  https://review.opendev.org/c/openstack/pbr/+/841222 [11:52]
*** ysandeep|rover is now known as ysandeep|rover|brb [12:01]
*** soniya is now known as soniya|ruck [12:21]
*** ysandeep|rover|brb is now known as ysandeep|rover [12:28]
*** dasm|off is now known as dasm [13:15]
<opendevreview> Merged openstack/project-config master: Add SRIOV FEC Operator app to StarlingX  https://review.opendev.org/c/openstack/project-config/+/840263 [13:43]
<dansmith> clarkb: fungi: so, uh, I just upgraded my dev machine and I seem unable to push/pull from gerrit over ssh [13:51]
<dansmith> I get an auth error like my key is not accepted, but ssh -v shows it trying it [13:51]
<fungi> dansmith: your openssh probably decided to stop accepting ssh-rsa host keys with sha-1 signatures, but doesn't fall back to trying to fetch sha-2 [13:52]
<dansmith> fungi: it seems to be accepting the host key [13:52]
<fungi> what error are you getting? [13:52]
<dansmith> debug1: Found key in /home/dan/.ssh/known_hosts:49 [13:53]
<dansmith> danms@review.opendev.org: Permission denied (publickey). [13:53]
<fungi> i'll check gerrit's ssh log [13:53]
<fungi> the debug info shows it connecting to port 29418 not 22, right? [13:54]
<dansmith> oh, my git is (still failing) but I was trying 22, let me debug with the right port :D [13:55]
<fungi> yeah, completely different sshd with different host key [13:55]
<dansmith> yeah same error, which is why I didn't notice the difference I guess [13:55]
<dansmith> debug1: Host '[review.opendev.org]:29418' is known and matches the RSA host key. [13:55]
<dansmith> same complaint [13:56]
<fungi> can you /msg me the ip address you're connecting from? it doesn't seem to be getting far enough to log an entry with your username in it [13:57]
*** ysandeep|rover is now known as ysandeep|rover|mtg [14:00]
<fungi> interesting, i can see the failed login attempts you made to the system sshd from that address, but not seeing a connection to the port 29418 sshd logged from there [14:01]
<dansmith> I'm trying to think if I submitted patches yesterday before or after the upgrade, but .. nothing else has changed, so seems like it has to be that [14:02]
<fungi> i do see that ip address in the logs from 2022-05-10 20:26:25 utc [14:02]
<dansmith> oh, yes, definitely pushed patches before the upgrade not after [14:03]
<dansmith> so yeah [14:03]
<fungi> that was the last connection it logged from there [14:03]
<dansmith> but, I'm clearly hitting it [14:03]
<fungi> yeah, nothing from your account or that ip address logged yesterday. i'll fire up a packet sniffer to make sure i see the connection inbound [14:05]
<dansmith> I wonder if I should force ipv4 [14:06]
<dansmith> same deal on ipv4 [14:06]
<fungi> can you try connecting with your ipv6 address again? [14:07]
<fungi> i've got tcpdump looking for it now [14:07]
<dansmith> done [14:07]
<fungi> yeah, it definitely showed up at the network interface, but gerrit's not logging it [14:08]
<dansmith> well that's a relief :) [14:08]
<dansmith> fungi: this did it: https://www.reddit.com/r/Fedora/comments/jhxbdh/no_ssh_public_key_auth_after_upgrade_to_fedora_33/ [14:09]
<fungi> i definitely see it logging successful logins from other clients [14:09]
<dansmith> weird that it says it's trying the key [14:09]
<fungi> yeah, the client side logging from that is definitely confusing [14:10]
<dansmith> just pushed with git-review and it worked [14:10]
<dansmith> wtf [14:10]
<fungi> we updated our manual to recommend ecdsa keys so that new users hopefully don't run into it [14:10]
<dansmith> sorry for the noise, I thought I ruled out that ssh key type thing by seeing it try it very plainly in debug [14:11]
<fungi> gerrit 3.15 (or is it 3.16?) should have host key signature negotiation support in its sshd, but it will be a while before we're on that version [14:11]
<dansmith> but this is a client-side setting about my key, not the host one right? [14:12]
<fungi> and we can't easily patch it in because it's entangled with a bunch of other changes to their sshd apparently [14:12]
<dansmith> that r/fedora post says the guy spent "a couple days" so I don't feel so bad :) [14:12]
<fungi> it's a client-side setting telling your sshd to be willing to accept ssh-rsa (sha-1) key signatures [14:13]
<dansmith> my ssh, not sshd right? [14:13]
<fungi> yes [14:14]
<fungi> it's about the server's key signatures your client is evaluating in order to decide whether to connect to it [14:14]
<fungi> which have been deprecated for a while in favor of sha-2 based key signatures, but even after dropping ssh-rsa support openssh continues to assume rsa keys use ssh-rsa unless the negotiation extension to the protocol is supported by the server [14:14]
<dansmith> yeah, but the confusing bit is the "trying this key..." log when it clearly isn't [14:15]
<fungi> rather than just trying sha-2 (which would work with gerrit) [14:15]
<fungi> sad that openssh falls back to something it knows it doesn't support [14:15]
<dansmith> what's sad is that it says "offering $key" even though it apparently isn't [14:16]
<dansmith> this is the "key" I guess: debug1: send_pubkey_test: no mutual signature algorithm [14:17]
<dansmith> I glazed right over that [14:17]
<fungi> yeah, that's the one [14:19]
<dansmith> I first had this problem during macos upgrades, which surely seemed to behave differently, [14:20]
<dansmith> so I thought from the ssh -v that it was not the same issue [14:20]
<fungi> understandable [14:25]
<dpawlik> fungi, clarkb: Hey, about parsing performance.json and pushing the data to a separate index - instead of creating a new tool that pulls performance.json results from Opensearch, parses them and pushes them into a separate index, I add new fields into the same doc - opensearch will display only performance.json fields for those documents that are related to it. [15:11]
<dpawlik> don't want to make offtop on tc meeting [15:11]
<clarkb> fungi: dansmith yes the real issue there is that openssh and fedora won't update their broken clients to fallback to sha2 when they know sha1 (their current fallback) will never work for them [15:17]
<clarkb> and ya gerrit 3.6 (not 3.16) should fix this by updating the smarts on the server side to explicitly negotiate sha2 [15:18]
<fungi> d'oh, yes i've been down a python version rabbit hole all morning with 3.11 deprecations for removals in 3.13 [15:18]
<fungi> so my brain just inserted a 1 for no good reason [15:19]
<clarkb> dpawlik: there were a couple of reasons I was suggesting a separate index. The first is you can store small performance data for long periods of time if stored separately from the logs which are rotated quickly. The other is you potentially get better performance since the performance data has a stable schema when the logs do not. Neither are the end of the world and starting [15:19]
<clarkb> somewhere and switching later is probably fine [15:19]
<dpawlik> clarkb: ah, that makes sense [15:20]
<dpawlik> let's talk on that after tc/tomorrow [15:21]
<dpawlik> clarkb: need to go. Let's talk tomorrow [15:45]
<clarkb> ok [15:46]
<opendevreview> Merged openstack/project-config master: Set context for unbound.log on selinux systems  https://review.opendev.org/c/openstack/project-config/+/841546 [15:51]
*** ysandeep|rover|mtg is now known as ysandeep|rover [15:56]
*** soniya|ruck is now known as soniya|out [16:11]
*** ysandeep|rover is now known as ysandeep|rover|out [16:28]
<fungi> gagehugo: can you abandon project:openstack/openstack-helm-docs is:open before i approve 839427? [16:33]
<fungi> https://review.opendev.org/q/project:openstack/openstack-helm-docs+is:open [16:33]
*** jpena is now known as jpena|off [17:21]
<opendevreview> Michael Johnson proposed openstack/project-config master: Fix selinux context for unbound.log  https://review.opendev.org/c/openstack/project-config/+/841629 [19:25]
<opendevreview> Merged openstack/project-config master: Retire openstack-helm-docs repo, step 3.3  https://review.opendev.org/c/openstack/project-config/+/839427 [20:05]
*** dviroel is now known as dviroel|afk [21:09]
*** dasm is now known as dasm|off [21:11]
<opendevreview> Merged openstack/project-config master: Fix selinux context for unbound.log  https://review.opendev.org/c/openstack/project-config/+/841629 [21:56]
*** prometheanfire is now known as Guest0 [22:26]
*** rlandy is now known as rlandy|bbl [23:02]
