Wednesday, 2023-03-01

« Tuesday, 2023-02-28 Index Thursday, 2023-03-02 »
*** promethe- is now known as prometheanfire02:47
*** ralonsoh_ is now known as ralonsoh07:36
bauzasmorning folkks08:45
opendevreviewSylvain Bauza proposed openstack/nova master: Add the 2023.1 Antelope prelude section  https://review.opendev.org/c/openstack/nova/+/87538009:27
sean-k-mooneybauzas: https://review.opendev.org/c/openstack/nova/+/875380/2..3/releasenotes/notes/antelope-prelude-4a99907b00e739f8.yaml is still tecnilaly not correct09:35
sean-k-mooney2024.1 is the first SLURP release offically for all project09:36
bauzasno09:36
sean-k-mooneyyes09:36
bauzassee the TC resolution09:36
bauzas2023.1 is the first 'SLURP release' but upgrade from yoga is considered a test09:37
bauzaswe indeed need to guarantee 2023.1 to 2024.1 upgrades09:37
bauzasbut both are 'officially' SLURP releases09:37
sean-k-mooneycalling it a SLURP release imples its supproted by all project form yoga 09:38
sean-k-mooneywhich was never a requirement09:38
bauzasthe resolution is clear about the requirements09:38
bauzasbut there is a TC meeting today, we can clarify the resolution there09:38
sean-k-mooneythe requirement is to support upgrades form A->C09:38
sean-k-mooneybut that means C is the first SLURP release09:39
sean-k-mooneyits the release you are upgrading too that has to support it09:39
bauzas"Communication: We will use “SLURP” word to designate a SLURP release in release page, release notes page or any other place we want to communicate it. We can also use its full form “Skip Level Upgrade Release Process” if needed. A “not-SLURP” release will not be designated with anything and not having “SLURP” word is enough to communicate that this is not “SLURP” release. Also, the number schema in the releas09:39
bauzase naming process will help all of us to relate which release is “SLURP”."09:39
bauzas"  Testing: Just as we test and guarantee that upgrades are supported between adjacent releases today, we will also test and guarantee that upgrades between two “SLURP” releases are supported. Upgrades are tested for most projects today with grenade. A skip-level job will be maintained in the grenade repository that tests a normal configuration between the last two “SLURP” releases. The job will be updated on every new 09:40
bauzas“SLURP” release, and there will always be a regular single-release grenade job testing between the previous release and current one, as we have today."09:40
sean-k-mooneythat why i made the disticiton wiht A being the first __base__ release you upgrade form to the first SLURP release09:40
bauzasso we need to guarantee between *two* SLURP releases09:40
bauzasYoga being *not* a SLURP release, we don't need to guarantee it, despite 2023.1 *is* a SLURP release09:40
bauzas" Our letter-based release naming scheme is about to wrap back around to A, so the proposal is that the “new A” release be the first one where we enforce this scheme. Y->A should be a “dress rehearsal” where we have the jobs enabled to help smoke out any issues, but where hard guarantees are not yet made."09:41
sean-k-mooneyagain i disagre not on the funtionalty but that the resolution is clear an the terminology is defiend properly09:41
sean-k-mooneyyes i read that and that does not make A a SLURP release09:41
bauzasAs a reminder, OpenStack 2023.1 is our first `Skip-Level-Upgrade Release`__    (starting from now, we name it a `SLURP release`) where you can    rolling-upgrade your compute services from OpenStack Yoga as an experimental    feature. Next SLURP release will be 2024.1.09:42
bauzasI just said two informations :09:42
bauzas1/ 2023.1 *is* a SLURP release09:42
bauzas2/ upgrade from Yoga is not guaranteed09:42
bauzasIIUC, you disagree on #109:43
bauzasbut IMHO the resolution is quite clear09:43
bauzashttps://governance.openstack.org/tc/resolutions/20220210-release-cadence-adjustment.html#example-sequence even shows it09:43
sean-k-mooneycorrect with the caveat that 2024.1 is a slurp relase and upgrade will be guarenteed form 2023.109:43
bauzasI don't disagree on your last sentence09:44
bauzasboth are SLURP releases, but the only guaranteed skip-level upgrade is from 2023.1 to 2024.109:44
sean-k-mooneyfor me a SLURP release guarnetes upgrade of more then one release 09:44
bauzasthat's what I disagree, based on my reading of the TC resolution :)09:45
sean-k-mooneythat the thing the guarentee is a majory part of the definiton fo a slurp release09:45
sean-k-mooneyif we dont have that in my book its wrong to call it one09:45
sean-k-mooneywhich is why i dont think we should call 2023.1 a SLURP release09:45
bauzasthe 'P' is important09:45
bauzas2023.1 is in the process of a skip-level-upgrade09:45
sean-k-mooneyit is the base releae for a skiplevel upgrade09:46
bauzasyes09:46
sean-k-mooneybut it is not a skip level upgrade release its self09:46
bauzasit's a 'SLURP release' as per the TC charter :)09:46
sean-k-mooneyi think there is ambiguity in the wrodign and the curent statement is controditory09:46
bauzashence me saying that the rollingupgrade feature is officially experimental09:47
bauzasit clarifies the expectations09:47
bauzasthis is just a demo showcase 09:47
sean-k-mooneyif A cant guarentee a skip level upgrade form a previos release i dont think it can be considerd  a slurp release so i think "Deployments wishing to move to a one year upgrade cycle will synchronize on a “SLURP” release, and then skip the following “not-SLURP” release, upgrading when the subsequent “SLURP” is released" is not sufficent09:48
bauzassince Yoga *isn't* a SLURP release09:48
bauzaswell,09:48
bauzas"we will also test and guarantee that upgrades between two “SLURP” releases are supported. " is the key information09:48
sean-k-mooneyi think that sentance should be changed and we should add 2 new deffintion to the details section09:48
bauzasthat's a TC amendment, feel free to drop a patch09:49
bauzasI don't disagree this can be confusing, but I think I avoided it by the prelude09:49
sean-k-mooneyi can but as it stand i dont think the prelude is correct. i wont block it but i think its a little misleading09:49
bauzassean-k-mooney: and honestly, we have an internal meeting conflicting at the same time of the TC meeting, but I'd like to attend this TC call then to clarify the wordings09:50
bauzaslemme ask the TC folks in their chan what they think about the namings09:50
bauzassean-k-mooney: feel free to drop again a comment on my prelude patch09:53
bauzasI'll show it to the TC folks09:53
bauzassean-k-mooney: anyway, pointed it out in the TC chan09:57
sean-k-mooneyi am going to push a patch to the governace repo for review10:01
bauzascool thanks10:01
bauzassean-k-mooney: the odds of reno make me think that we should merge the prelude without waiting for the TC clarification 10:02
bauzasbut if the TC agrees on saying 'A isn't a SLURP release' then we could later modify the prelude10:03
bauzasgiven the first commit will be included in the 2023.1 branch, we won't miss it 10:03
sean-k-mooneyhttps://review.opendev.org/c/openstack/governance/+/87585310:06
sean-k-mooneyyes we can backport a change to the prelude10:06
bauzassean-k-mooney: fwiw, said +1 to placement rc1 https://review.opendev.org/c/openstack/releases/+/875452 even if I know that we have a concurrent db cleanup patch10:12
*** ralonsoh__ is now known as ralonsoh10:18
opendevreviewSylvain Bauza proposed openstack/nova master: Add service version for Antelope  https://review.opendev.org/c/openstack/nova/+/87493210:19
opendevreviewSylvain Bauza proposed openstack/nova master: DNM (yet) Update min support for Bobcat  https://review.opendev.org/c/openstack/nova/+/87562110:19
opendevreview周众 proposed openstack/nova master: Instance unexpected shutdown when source node startup  https://review.opendev.org/c/openstack/nova/+/87585910:22
opendevreview周众 proposed openstack/nova master: Instance unexpected shutdown when source node startup  https://review.opendev.org/c/openstack/nova/+/87585910:25
sean-k-mooneybauzas: ah the unique constatit one10:27
sean-k-mooneyya that is an existing issue that was not intoduced in this release so it woudl not be an RC candiate bug anyway10:28
sean-k-mooneyit can be backported after we do the release10:28
sean-k-mooneyso im fine with the  +1 there10:28
opendevreviewzhouzhong proposed openstack/nova master: Instance unexpected shutdown when source node startup  https://review.opendev.org/c/openstack/nova/+/87585910:30
opendevreviewzhouzhong proposed openstack/nova master: Instance unexpected shutdown when source node startup  https://review.opendev.org/c/openstack/nova/+/87585910:32
opendevreviewzhouzhong proposed openstack/nova master: Instance unexpected shutdown when source node startup  https://review.opendev.org/c/openstack/nova/+/87585910:33
opendevreviewOpenStack Release Bot proposed openstack/placement stable/2023.1: Update .gitreview for stable/2023.1  https://review.opendev.org/c/openstack/placement/+/87587310:50
opendevreviewOpenStack Release Bot proposed openstack/placement stable/2023.1: Update TOX_CONSTRAINTS_FILE for stable/2023.1  https://review.opendev.org/c/openstack/placement/+/87587410:50
opendevreviewOpenStack Release Bot proposed openstack/placement master: Update master for stable/2023.1  https://review.opendev.org/c/openstack/placement/+/87587510:50
opendevreviewJorge San Emeterio proposed openstack/nova master: WIP: Have schema for 'lock' action be applied to all microversions.  https://review.opendev.org/c/openstack/nova/+/87565310:58
bauzasfolks, placement-rc1 tag is done, master is now on Bobcat and Antelope is branched for Placement, I repeat, Antelope is branched for Placement11:05
gibibauzas: \0/11:55
sean-k-mooneya day ahead of schdule and all :P12:00
sean-k-mooneybut cool12:00
sean-k-mooneythe non client libs like os-vif and os-traits are also already branched12:01
sean-k-mooneywell at least os-vif is but i assume the same is true for the rest12:01
bauzassean-k-mooney: indeed, I approved https://review.opendev.org/c/openstack/releases/+/87445013:00
*** lowercase is now known as Guest629814:48
*** lowercase_ is now known as lowercase14:48
dansmithbauzas: so my skip-level job failed because we can't ssh to the guest15:07
dansmithit's clearly working (reachable) but rejecting maybe the key or something15:07
dansmithcan you think of what about running on jammy would affect that?15:08
sean-k-mooneycould it be related to sha1/rsa keys15:12
sean-k-mooneyi think tempest is using ec keys now15:12
sean-k-mooneybut thats a guess15:12
dansmiththat's what I was thinking too, but we're generating the keys with osc15:12
dansmithoh, but maybe jammy as the host refuses to use them?15:13
dansmithI would think that if we needed a change, that'd be wrapped up in grenade already though...15:13
sean-k-mooneyfedora reject rsa keys. osc will only generate rsa keys because that all nova does15:13
sean-k-mooneyso unless its gnereated in tempest itself it would fail if jammy rejects them15:13
sean-k-mooneywith that said im expecting that job to still use tempest master right15:14
dansmiththis is pre-tempest, this is grenade resource creation15:14
sean-k-mooneywe dont pin it or anything strange for grenade15:14
bauzasdansmith: lemme look at your change15:14
dansmithsean-k-mooney: https://github.com/openstack/grenade/blob/master/projects/70_cinder/resources.sh#L18615:15
dansmithsean-k-mooney: https://github.com/openstack/grenade/blob/master/projects/70_cinder/resources.sh#L12115:15
dansmithand when we try to ssh:15:15
dansmith2023-02-28 20:55:58.894 | debug1: Will attempt key: /opt/stack/save/cinder_key.pem  explicit15:15
dansmith2023-02-28 20:55:58.897 | debug1: SSH2_MSG_SERVICE_ACCEPT received15:15
dansmithahh15:15
dansmith2023-02-28 20:55:58.902 | sign_and_send_pubkey: no mutual signature supported15:16
dansmiththere ^15:16
dansmithbut surely grenade is running on jammy nodes already, so I'm not sure why it wouldn't have been configured to support the old keys15:16
sean-k-mooneydansmith: proably not15:18
sean-k-mooneyfor antelop i think it used focal15:18
dansmithlooks like not yeah15:18
dansmithokay, well, I can fix that then I guess15:19
sean-k-mooneyso likely we jsut need to call ssh-keygen directly15:19
sean-k-mooneyinstead of osc15:19
bauzaswait15:19
dansmithwell, I was going to configure the host to allow that key type15:19
bauzashttps://github.com/openstack/grenade/blob/master/projects/70_cinder/resources.sh#L12115:19
bauzaswe no longer support this by Zed15:19
bauzasoh no, sorry15:20
dansmithbauzas: but it works if you use the old microversion, which osc is doing right?15:20
bauzasyou're passing the key15:20
bauzasdansmith: ah right too15:20
dansmithalso that :)15:20
bauzasbut I wonder, that's probably why we have a problem with rsa15:20
bauzascould we maybe try to create ed keys ?15:21
dansmithI mean, I guess, but it seems more upgrade-y to allow the use of the older key type during the upgrade15:22
dansmithhmm, that keypair create *is* generating the key in nova right?15:23
dansmith$CINDER_KEY is just the key name15:23
bauzasyeah15:24
bauzasand by default it creates a ssh-rsa key15:24
dansmithlooks like that's the only place we run keypair create, so maybe it's best to just generate it properly15:24
bauzasbut you're creating it in Yoga, right?15:24
bauzasor in Zed ?15:24
dansmithit's master grenade15:25
bauzasagainst a master devstack then ?15:25
bauzasoh15:25
bauzasit defaults to the previous release before upgrading15:26
bauzasright?15:26
dansmithnot a master devstack15:26
bauzasI mean the grenade base15:26
dansmithat this point in the phase, we've run devstack from yoga, we're running grenade from master to do some things against it, then upgrade to devstack master15:27
bauzashttps://github.com/openstack/grenade/blob/master/grenaderc#L3615:27
bauzasok15:28
bauzasso15:28
bauzaswe created a yoga devstack, we're running grenade against it15:28
bauzaswhich will create a key15:28
bauzasand after this, we would upgrade to devstack master15:28
bauzasso the environment that OSC calls is a Yoga nova-API service15:28
bauzasamirite ?15:29
dansmithyes15:29
* bauzas looks at https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_f59/875773/3/check/grenade-skip-level-continuous/f597bdf/job-output.txt15:30
dansmithhttps://review.opendev.org/c/openstack/grenade/+/87594015:31
dansmiththat ^ is what I'm thinking15:31
bauzashttps://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_f59/875773/3/check/grenade-skip-level-continuous/f597bdf/controller/logs/grenade.sh_log.txt15:32
bauzasI see the problem15:32
bauzasbut this is using jammy15:32
opendevreviewDan Smith proposed openstack/nova master: Add continuous skip-level job for nova  https://review.opendev.org/c/openstack/nova/+/87577315:33
bauzasso I guess ssh-rsa keys are no longer accepted15:33
bauzassince you created them with yoga, it was accepted by Nova15:33
bauzasand the guest was accordingly created15:33
dansmithI don't think it has anything to do with yoga,15:34
dansmithbecause even if we were running on jammy, we'd still be able to generate because of the old microversion right>?15:34
bauzasyou're true15:34
bauzasnothing related15:34
bauzaswe continue to accept to blindly create ssh-rsa keys by default15:35
bauzasif you don't opt(in15:35
bauzasbut, jammy guests should no longer accept it15:35
bauzaslemme verify this15:35
dansmithit's not jammy guests, it's hosts15:35
bauzasoooh, then I understand15:35
dansmiththe host won't even use the ssh key to try to ssh to a remote if it's not one of the allowed key types15:35
dansmiththe error messaging for this has been terrible15:36
* bauzas was wondering why grenade by hit, compared to the ssh connections we make in tempest15:36
dansmithbecause it shows that it's trying the key, but it's not15:36
dansmithI struggled with this when I upgraded myself15:36
dansmithyeah15:36
bauzasdansmith: -1 on https://review.opendev.org/c/openstack/grenade/+/87594015:42
bauzasIMHO, you need to specify another keytype to be safe15:43
bauzasI mean another algorithm15:43
dansmiththat's been the default for years now right?15:43
bauzashttps://transang.me/ssh-handshake-is-rejected-with-no-mutual-signature-algorithm-error/15:43
dansmithoh, maybe not:15:44
dansmith"If invoked without any arguments, ssh-keygen will gen‐15:44
bauzasno, I think we continue defaulting to ssh-rsa15:44
dansmith     erate an RSA key."15:44
dansmithhow stupid, when ssh will reject the default15:44
dansmithffs :)15:44
bauzasanother option on the client side is to invoke to accept the key15:44
bauzas+o PubkeyAcceptedKeyTypes +ssh-rsa15:45
bauzaswhen you ssh15:45
dansmithright I mentioned that above as another option15:45
bauzasor add it in your ssh config15:45
bauzasbut I'd prefer to switch to the latest ed25519 if not edcsa15:45
dansmithbut since we're already using a deprecated thing, it seems better to just move to what people should be doing, and since this wasn't generated by the old devstack,15:45
bauzasyeah15:45
dansmithit's not an upgrade-y thing like I mentioned15:45
bauzasagreed15:45
opendevreviewJorge San Emeterio proposed openstack/nova master: WIP: Have schema for 'lock' action be applied to all microversions.  https://review.opendev.org/c/openstack/nova/+/87565315:48
opendevreviewJorge San Emeterio proposed openstack/nova master: WIP: Have schema for 'lock' action be applied to all microversions.  https://review.opendev.org/c/openstack/nova/+/87565315:55
opendevreviewJorge San Emeterio proposed openstack/nova master: WIP: Have schema for 'lock' action be applied to all microversions.  https://review.opendev.org/c/openstack/nova/+/87565315:58
bauzasgmann: fwiw, I added the new RBAC policies mention in the prelude https://review.opendev.org/c/openstack/nova/+/875380/3/releasenotes/notes/antelope-prelude-4a99907b00e739f8.yaml#4915:59
bauzasfeel free to vote on it15:59
bauzasgmann: also, I forgot about it because the original change wasn't correctly tracked on the nova side : no blueprint at least15:59
bauzashence my miss15:59
clarkbbauzas: dansmith: RSA is fine with openssh. THe issue is openssh + rsa + sha116:10
bauzasI see16:10
bauzasssh-rsa 16:10
dansmithclarkb: oh, so rsa with ssh-keygen that uses sha256 would be fine/16:10
bauzasby default ssh-rsa uses sha1 yes16:11
clarkbdansmith: at keygen time the sha version isn't a concern. It is negotiated at connection time16:11
clarkbbut ya ssh-rsa is ssh + sha1. rsa-sha-256 or whatever the name is is the sha2 variant16:11
dansmithokay I'm confused then16:12
bauzasclarkb: I -1 on https://review.opendev.org/c/openstack/grenade/+/875940/1/projects/70_cinder/resources.sh#12116:12
clarkbfor a concrete example gerri's sshd didn't know how to negotiate rsa + sha2 with clients until recently (we opendev addressed that and now it works). This broke fedora who deprecated rsa + sha1 before everyone else16:12
bauzasclarkb: do you think it would be better to rather use rsa with sha256 ?16:12
clarkbtoday fedora users can use those same exact rsa keys to talk to gerrit because the gerrit sshd will now negotiate with the fedora ssh client to use sha216:12
clarkbbauzas: if ou want to use rsa then ya that is he non deprecated option16:13
clarkbone consideration here is fips testing. fips doesn't allow ed25519 keys. Which means you're stuck using ecdsa or rsa16:13
clarkbPersonally when all this started becoming a problem I switched my personal things to ed25519 as I don't care about fips at home16:14
bauzasclarkb: ok, then your preference would be  "-t rsa -E sha256 " correct ?16:14
bauzasfor ssh-keygen16:14
clarkbbauzas: the sha version shouldn't matter at keygen time its all dynamic protocol negoatiation16:14
clarkbbauzas: is this talking to cirros?16:15
clarkbif so cirros' dropbear server may not support sha2 negotiation which would be a similar problem to what we addressed in Gerrit16:16
bauzasclarkb: context https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_f59/875773/3/check/grenade-skip-level-continuous/f597bdf/controller/logs/grenade.sh_log.txt16:17
bauzasclarkb: coming from https://github.com/openstack/grenade/blob/master/projects/70_cinder/resources.sh#L186 failing16:17
clarkbya thats cirros. And the test node must be jammy?16:18
bauzaswe generate ssh-rsa keys by default with jammy16:18
bauzasyup16:18
clarkbI think your options are: use newer cirros with newer dropbear, use ecdsa/ed25519 key if dropbear supports these, explicitly override configs to allow rsa + sha1 on the jammy side to talk to dropbear that only knows this combo16:18
clarkbPart of the problem here is that when everyone deprecated sha1 they kept the fallback default in protocol negotiation as rsa + sha1 despite knowing it will not work. It would've been better if they updated the fallback default to be rsa + sha2 which would have worked with gerrit its only problem was understanding how to negotiate things, not lack of sha2 support16:19
clarkbdropbear version 2020.79 added support for both ed25519 keys and rsa sha216:21
clarkbthe easiest thing is probably using ecdsa keys and that would also satisfiy fips16:22
bauzasclarkb: cool, then16:27
opendevreviewAlexey Stupnikov proposed openstack/nova stable/train: reenable greendns in nova.  https://review.opendev.org/c/openstack/nova/+/83343816:33
gmannbauzas: thanks for RBAC things in prelude. I will check17:08
bauzascool17:08
dansmithclarkb: okay, so you're saying the different key type ends up using a different hash algo in the negotiation and that's what sidesteps the problem?17:09
dansmithI thought it was the key type itself17:09
clarkbdansmith: correct17:10
dansmithhrm17:10
clarkball the newer keys use hashes that are secure enough to have not been replaced17:10
clarkbrsa didn't so has extra negotiation requirements when setting up a connection17:10
dansmithbut I thought you said the hash wasn't part of the key?17:10
clarkbits the key exchange extensions bit of the ssh protocol17:10
clarkbsorry correct to the first statement not to the second17:10
clarkbthis is not part of the key itself. It is part of how the key is used at connection time17:11
dansmithbecause I thought even ssh'ing between two newer machines still fails with the old key17:11
clarkbit shouldn't17:11
dansmiththat hasn't been my experience, but perhaps I was just missing what the linkage was17:12
clarkbI think cirros + dropbear and gerrit + mina sshd may have created confusion around that? But new openssh to new opensshd should be fine17:13
dansmithI had to enable two things over the course of the last few years:17:13
dansmithPubkeyAcceptedKeyTypes +ssh-rsa17:13
dansmithand17:13
dansmithKexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha117:13
dansmithseems like the latter must be the part you're talking about17:14
dansmithbut at some point, something (one of my systems, which might have been macos) stopped even considering rsa keys17:14
dansmithalthough some docs make the PubkeyAcceptedTypes sound like maybe it's not the key type? I dunno, it's just confusing (to me) :)17:17
bauzasiiuc, it's a matter of negotiation like clarkb said17:26
bauzasthe current interim solution allows the existing keys to continue to work by asking the server to negociate with them17:26
bauzaslater, "they" could drop support of those keys and then the pubkeyacceptedtypes hint wouldn't work17:27
bauzasthe idea of that option hint is to leave a graceful period to ops to generate new keys and deliver their public ones into the servers17:27
bauzasbut like every other migration helper, people will rather use the workaround instead of migrating their keys17:28
bauzasuntil the full removal arrives17:28
dansmithbauzas: you see that documented somewhere/17:35
dansmithbecause if I read what clarkb is saying, there's nothing wrong with rsa keys themselves...17:35
bauzaswell, I need to remember that situation17:35
dansmithback in the day, I migrated all my keys to dsa because that was "the way" and then dsa was dropped and I had to migrate back17:36
dansmithso forgive me if I'm a bit skeptical :D17:36
clarkbcorrect you should not need to generate new keys to fix this17:37
clarkbits purely a I'm making a connection we need to negotiate details and can't agree on those details problem17:37
bauzashttps://www.rfc-editor.org/rfc/rfc8332#section-5.217:37
bauzas"Nevertheless,    implementations SHOULD start to disable "ssh-rsa" in their default    configurations as soon as the implementers believe that new RSA    signature algorithms have been widely adopted."17:38
dansmithclarkb: so why do I need the PubkeyAcceptedTypes change?17:39
clarkbdansmith: because ssh-rsa means sha117:40
clarkbdansmith: the protocl uses something liks rsa-sha-256 to denote the sha2 varints17:40
dansmithclarkb: so is the option really "PubkeyExchangeNegotiationTypes" ?17:40
clarkband the server doesn't know to negotiate rsa-sha-256 because the default when you don't know how to negotiate is ssh-rsa17:40
dansmithlike, the key is rsa, and ssh-rsa is not the key type *on disk* but the key type "in our negotiation" ?17:41
clarkbdansmith: sort of? I think what goes on is both sides need to agree on the pubkey type they will accept. The server if old like dropbear says ssh-rsa but not rsa-sha-256. Your client is new and only says rsa-sha-256 and there is no overlp and it fails17:41
dansmithI guess the thing that is confusing is that I consider the "type of the key" to be a property or characteristic of the content of my file on disk17:42
dansmithbut it sounds like that's not what "Pubkey .. Type" means both to ssh over the wire and in its config17:42
clarkbcorrect17:42
dansmithall I want is you to hug me and tell me I'm not crazy for finding that confusing :D17:43
clarkbyou are not crzy. When we first ran into this with gerrit and fedora making the change early there was a couple days of major head scratching17:43
sean-k-mooneyfedora used to have a tool to cofniuure thigns https://fedoraproject.org/wiki/Changes/StrongCryptoSettings217:54
*** jamesdenton_ is now known as jamesdenton17:54
sean-k-mooneyand yes you can use rsa-sha2-256 or rsa-sha2-51217:55
bauzasclarkb: you have way more background than me on this one, do you agree with me on the fact that the current pubkey hint will be later dropped, if I read carefully https://www.rfc-editor.org/rfc/rfc8332#section-5.2 ?17:55
sean-k-mooneyso you would add PubkeyAcceptedKeyTypes +rsa-sha2-256 to the sshconfig17:55
sean-k-mooneyafter i had it working and then it broke with gerrit later i jsut gave in and stopped using rsa keys17:56
bauzassean-k-mooney: my thought was that PubkeyAcceptedKeyTypes +ssh-rsa was only a temporary workaround until all OpenSSH clients were supposed new enough to drop this compat natively17:58
sean-k-mooneyyes but you can disable his on the server side too17:58
sean-k-mooneyfor gerrit it did not supprot swaping to sha2 until very recently17:59
clarkbbauzas: what that is saying is that ssh-rsa is going away which means rsa + sha1 is going away. There are no plans to remove rsa + sha2 as far as I know18:00
bauzasanyway, for the grenade need, generating a ecdsa key is OK18:00
sean-k-mooneybauzas: i fyou look at https://fedoraproject.org/wiki/Changes/StrongCryptoSettings218:00
bauzasclarkb: yeah that's what I found18:01
sean-k-mooneyfedor aplanned to drop rsa for key excachange in a future defualt policy that was for f3318:01
sean-k-mooneyi think that came intor affect aroudn f3518:01
bauzasthat's not the RSA keys which are deprecated, that's the SHA1 signature algorithm which is (hence the +o PubkeyAcceptedKeyTypes +ssh-rsa be only a temporary workaround)18:01
clarkbsean-k-mooney: thats only rsa + sha118:02
sean-k-mooney key exchange: ECDHE, DHE18:02
sean-k-mooneyunder FUture18:02
clarkbwut18:02
clarkboh dhe is rsa iirc18:03
sean-k-mooneyanyway it sould liek a this is related to rsa/sha1 and we shoudl be able to fix that by using a ecdsa key which will work for fips too18:03
sean-k-mooneyinstead of hacking in the old key type which wont18:03
clarkband if anyone can grok the openssh code better than I a PR to default to rsa + sha2 as teh fallback might generate interesting conversations18:05
sean-k-mooneyso we should just replace https://github.com/openstack/grenade/blob/master/projects/70_cinder/resources.sh#L12118:05
sean-k-mooneywith a call to ssh-keygen18:05
clarkbthe rfc suggests this happen eventually but as far as I can tell it hasn't happened yet which leads to annoying failures n a lot of cases18:05
bauzassean-k-mooney: patch is up to change grenade https://review.opendev.org/c/openstack/grenade/+/875940/18:06
sean-k-mooneycool18:07
sean-k-mooneyso ye were just discussing why this is needed18:07
bauzasyeah18:07
sean-k-mooneyrahter then trying to find a solution18:07
sean-k-mooneyok18:07
dansmithyeah because I definitely didn't18:07
bauzaswell18:07
bauzaswe are trying to untangle the oddness of ssh negociation18:07
dansmithand I have a bunch of hacks in my own ssh_config that probably need revisiting now that more of my systems are upgraded18:07
bauzasme too18:07
bauzasthis discussion is half-workwise, halp-personalwise18:08
sean-k-mooneyok i got burned by this years ago and have helped other fix it in the past so i mostly just accpet it at this point18:08
bauzasI just shamelessly tuned the signature negociation on the fly with my ssh_config18:08
bauzasas I didn't wanted to generate a new pair of ECDSA or something else keys18:09
sean-k-mooneyya i still have  PubkeyAcceptedKeyTypes +ssh-rsa for one site in my config18:09
sean-k-mooneybut i think thats offline18:09
bauzasbut now if I understand correctly, I could rather continue to use my RSA keys but ask for a different signature 18:09
sean-k-mooneyi also still have18:09
sean-k-mooneyhost review.opendev.org18:10
bauzasusing rsa-sha218:10
sean-k-mooney  HostKeyAlgorithms ssh-rsa18:10
sean-k-mooney  KexAlgorithms +diffie-hellman-group1-sha118:10
sean-k-mooney  Ciphers +aes128-cbc18:10
sean-k-mooneyfor some reason witch i relly dont need18:10
clarkbbauzas: correct. The problem is that some servers don't know how to negotiate that with you like old dropbear and old gerrit18:10
sean-k-mooneythats what i treid when PubkeyAcceptedKeyTypes +ssh-rsa stopped working for gerrit18:10
bauzasclarkb: so the per-host config is still required, gotcha18:11
clarkbthe gerrit we have deployed at review.opendev.org should work fine though. ianw and I worked with gerrit and mina sshd upstream and got that all fixed and eventually got it backported to gerrit 3.5 (it was always on 3.6)18:11
clarkbbauzas: if the servers don't know how to negotiate rsa + sha218:11
clarkbreview.opendev.org should not need this anymore18:11
bauzasyeah got it18:11
bauzasclarkb: how to enable rsa+sha2 globally in the config ?18:12
clarkbbauzas: if your openssh client is new (like on fedora or jammy etc) then thats the only version they will use by default18:12
bauzasbecause I assume my current OS doesn't have its defaults changed 18:12
bauzasoh18:12
clarkbthats why it failed to talk to cirros. jammy will only use rsa + sha2 by default, but cirros dropbear will only do rsa + sha118:12
clarkbthis mismatch leads to a failure to negotiate between them and no ssh connection18:13
sean-k-mooneyi think you would add PubkeyAcceptedKeyTypes rsa-sha2-25618:13
sean-k-mooneyunder "HOST *"18:13
clarkbsean-k-mooney: that shouldn't be necessary its automatic18:13
clarkbsince all the new lcients only do sha218:13
bauzashmmm18:13
sean-k-mooneyya it should not but if you wanted to force it that would be how18:13
bauzasyeah got it18:14
bauzasthis chat is definitely a helper18:14
bauzasclarkb: thanks a lot !18:14
* sean-k-mooney still wishise osc/keystone support using ssh keys for auth18:15
* bauzas got those weird connection issues since Fedora 33 and never took decent time to understand more the problem despite thinking he would eventually need to generate a new pair of keys, which is now I know a wrong assumption18:15
sean-k-mooneyi really would like to just upload a pulic key to keystone and use that to authenticate with osc18:15
sean-k-mooneybauzas: for what its woth its in te seciryt enhancmetns secation fo the 22.04 release notes https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/2466818:23
sean-k-mooneyit was disabled by defult in openssh https://www.openssh.com/txt/release-8.818:25
sean-k-mooneyafter being deprecated in 8.3 https://lwn.net/Articles/821544/18:26
clarkbright but they didn't change the fallback key18:42
clarkbso there are layers of problems here. The first is that you can no longer negotiate ssh-rsa with servers that need it. Second is that when that negotiate fails both sides expect ssh-rsa18:42
clarkbwhich of course fails making the fallback useless18:42
clarkbthey should've changed the fallback to rsa-sha-256 so that clients would attempt that after a failed negotiation. This wold still fail on cirros but would've worked with gerrit18:43
opendevreviewMerged openstack/nova stable/victoria: Fix the wrong exception used to retry detach API calls  https://review.opendev.org/c/openstack/nova/+/86608618:52
opendevreviewDan Smith proposed openstack/nova master: Add grenade-skip-level-always to nova  https://review.opendev.org/c/openstack/nova/+/87577322:39
opendevreviewmelanie witt proposed openstack/nova master: testing: Reset affinity support global variables  https://review.opendev.org/c/openstack/nova/+/87599123:59
« Tuesday, 2023-02-28 Index Thursday, 2023-03-02 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!