Fix the CI on CentOS 9

* Prefer modern SSH key algorithms * Generate an ECDSA key if Cirros is used * Always resolve symlinks when copying logs Remove all previous work-arounds. Change-Id: Ie9248584c71f7d326d5839710d6b9bdf6d779749
2022-03-03 14:00:09 +01:00 · 2022-03-03 14:00:09 +01:00 · 2fe879dd0d
commit 2fe879dd0d
parent 6e4dc0badf
6 changed files with 16 additions and 22 deletions
--- a/playbooks/roles/bifrost-configdrives-dynamic/tasks/ssh_public_key_path.yaml
+++ b/playbooks/roles/bifrost-configdrives-dynamic/tasks/ssh_public_key_path.yaml
@ -17,8 +17,9 @@
      set_fact:
        ssh_public_key_path: "{{ item }}"
      with_first_found:
-        - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
        - "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519.pub"
+        - "{{ lookup('env', 'HOME') }}/.ssh/id_ecdsa.pub"
+        - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
      when: ssh_public_key_path is undefined
      ignore_errors: yes

--- a/playbooks/roles/bifrost-ironic-install/ssh_public_key_path.yaml
+++ b/playbooks/roles/bifrost-ironic-install/ssh_public_key_path.yaml
@ -17,8 +17,9 @@
      set_fact:
        ssh_public_key_path: "{{ item }}"
      with_first_found:
-        - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
        - "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519.pub"
+        - "{{ lookup('env', 'HOME') }}/.ssh/id_ecdsa.pub"
+        - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
      when: ssh_public_key_path is undefined
      ignore_errors: yes

--- a/playbooks/roles/bifrost-prepare-for-test-dynamic/tasks/main.yml
+++ b/playbooks/roles/bifrost-prepare-for-test-dynamic/tasks/main.yml
@ -54,12 +54,3 @@
 - name: "Add testvm hosts from SSH known_hosts file."
  shell: ssh-keyscan "{{ ipv4_address }}" >> "{{ ansible_env.HOME }}/.ssh/known_hosts"
  when: ipv4_address is defined
- name: "Allow ssh-rsa algorithm for CentOS Stream 9"
-  lineinfile:
-    path: ~/.ssh/config
-    line: PubkeyAcceptedKeyTypes +ssh-rsa
-    create: yes
-    mode: '0600'
-  when:
-    - ansible_distribution == "CentOS"
-    - ansible_distribution_version|int >= 9
--- a/releasenotes/notes/ecdsa-4bf0cd160426922c.yaml
+++ b/releasenotes/notes/ecdsa-4bf0cd160426922c.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    When several SSH public keys are available, prefers modern algorithms
+    rather than RSA. This fixes logging in Cirros on CentOS 9.
--- a/scripts/collect-test-info.sh
+++ b/scripts/collect-test-info.sh
@ -68,7 +68,7 @@ if $(ip link &>/dev/null); then
 fi

 mkdir -p ${LOG_LOCATION}/all
-sudo cp -a /var/log/* ${LOG_LOCATION}/all/.
+sudo cp -aL /var/log/* ${LOG_LOCATION}/all/.
 sudo chown -R $USER ${LOG_LOCATION}/all

 sudo systemctl > ${LOG_LOCATION}/all-services.txt
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@ -72,6 +72,12 @@ if which setenforce &> /dev/null; then
    sudo setenforce Enforcing
 fi

+if [ ${USE_CIRROS} = "true" ] && [ ! -f "$HOME/.ssh/id_ecdsa.pub" ]; then
+    # CentOS/RHEL 8 and 9, as well as Fedora, do not work with the RSA key
+    # that the Cirros' SSH server uses. Generate an ECDSA key pair instead.
+    ssh-keygen -t ECDSA -f "$HOME/.ssh/id_ecdsa" -N ""
+fi
+
 # Note(cinerama): activate is not compatible with "set -u";
 # disable it just for this line.
 set +u
@ -114,17 +120,7 @@ if [ ${USE_VMEDIA} = "true" ]; then
    CLOUD_CONFIG+=" -e enabled_hardware_types=redfish"
 fi

-CURRENT_CRYPTO_POLICY=
-if [ ${USE_CIRROS} = "true" ] && which update-crypto-policies 2>&1 > /dev/null; then
-    # Crypto policies in newer Fedora prevent SSH into Cirros
-    CURRENT_CRYPTO_POLICY=$(sudo update-crypto-policies --show)
-    sudo update-crypto-policies --set LEGACY
-fi
-
 on_exit() {
-    if [ -n "$CURRENT_CRYPTO_POLICY}" ]; then
-        sudo update-crypto-policies --set $CURRENT_CRYPTO_POLICY || true
-    fi
    $SCRIPT_HOME/collect-test-info.sh
 }
 trap on_exit EXIT