Hello,
About a year ago Fedora 33 was released and gave us a preview of OpenSSH's sha1 + RSA key deprecation fallout. Fedora 33 users noticed they could no longer use SSH RSA keys to connect to our Gerrit at review.opendev.org. This happens because Fedora 33's OpenSSH packaging has deprecated sha1 hashes for RSA, and despite both the client and server supporting rsa-sha2-* variants they couldn't negotiate their use between them. OpenSSH 8.8 released recently and did the same in the upstream software, which means users with up to date OpenSSH installations are noticing similar problems (Arch Linux for example).
There are a couple of workarounds that you can use. Probably the best option is to use an ed25519 or ecdsa key with our Gerrit. Modern clients and our Gerrit SSHD negotiate these keys without issue. Less optimal is to manually re-enable the use of the ssh-rsa hash, but we recommend against this as your software providers have decided this is no longer secure enough.
On our end we've brought this up with the MINA SSHD devs [0] with the hope that the SSH implementation that Gerrit uses can be updated to negotiate the sha2 hashes properly. Also, the rsa-sha2 RFC indicates [1] clients may fall back to a sha2 variant instead of the sha1 variant, which would work around MINA's lack of support for negotiation in the protocol. If you are an OpenSSH>=8.8 or Fedora>=33 user you might consider filing bugs against your ssh clients to change the default fallback to a sha2 variant on your platforms.
[0] https://issues.apache.org/jira/browse/SSHD-1141
[1] https://datatracker.ietf.org/doc/html/rfc8332#section-3.3
Hopefully I've put enough keywords in this email that the various search engines will index it, and the next time someone runs into these problems they'll find this explanation.
Clark
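To make the negotiation failure above concrete, here is an added, simplified model of RFC 8332 signature algorithm selection (my own illustration, not OpenSSH or Apache MINA SSHD code); the client policy lists are assumed, approximating an older client default and the Fedora 33 / OpenSSH 8.8 default that dropped ssh-rsa.

```python
# Simplified model of how an SSH client picks the signature algorithm for public key
# authentication under RFC 8332. Added illustration, not OpenSSH or Apache MINA code;
# the algorithm lists below are constructed to mirror the situation in the email.

SIG_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")  # strongest first

# Assumed client policies: an older client still allows sha1 RSA signatures, while
# Fedora 33 / OpenSSH 8.8 defaults dropped "ssh-rsa" from the accepted list.
OLD_CLIENT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
NEW_CLIENT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]


def choose_sig_alg(key_type, client_allowed, server_sig_algs=None, rsa_fallback="ssh-rsa"):
    """Return the signature algorithm the client will use, or None if it cannot sign.

    key_type        -- the user's key type, e.g. "ssh-rsa" or "ssh-ed25519"
    client_allowed  -- the client's accepted public key algorithms (its local policy)
    server_sig_algs -- the server's "server-sig-algs" extension (RFC 8332 section 3.1),
                       or None when the server never sends it (the MINA SSHD case)
    rsa_fallback    -- what the client uses for an RSA key when no server-sig-algs
                       arrived; RFC 8332 section 3.3 permits ssh-rsa or an rsa-sha2-*
    """
    if key_type != "ssh-rsa":
        # Non-RSA keys have exactly one signature algorithm, named like the key type.
        return key_type if key_type in client_allowed else None
    candidates = [alg for alg in SIG_PREFERENCE if alg in client_allowed]
    if server_sig_algs is not None:
        # Proper negotiation: first mutually supported algorithm in preference order.
        return next((alg for alg in candidates if alg in server_sig_algs), None)
    # No extension received: the client has to guess, and a guess its own policy
    # forbids means there is no mutual signature algorithm at all.
    return rsa_fallback if rsa_fallback in candidates else None


def scenarios():
    """The cases discussed in the email, keyed by description."""
    return {
        "old client, RSA key, Gerrit": choose_sig_alg("ssh-rsa", OLD_CLIENT),
        "new client, RSA key, Gerrit": choose_sig_alg("ssh-rsa", NEW_CLIENT),
        "new client, ed25519 key, Gerrit": choose_sig_alg("ssh-ed25519", NEW_CLIENT),
        "new client, RSA key, ssh-rsa re-enabled": choose_sig_alg("ssh-rsa", NEW_CLIENT + ["ssh-rsa"]),
        "new client, RSA key, sha2 fallback default": choose_sig_alg("ssh-rsa", NEW_CLIENT, rsa_fallback="rsa-sha2-256"),
        "new client, RSA key, server advertises sha2": choose_sig_alg(
            "ssh-rsa", NEW_CLIENT, server_sig_algs=["ssh-ed25519", "rsa-sha2-256", "rsa-sha2-512"]),
    }


if __name__ == "__main__":
    for name, alg in scenarios().items():
        print(f"{name}: {alg or 'FAILS (no mutual signature algorithm)'}")
```

The second scenario is the Fedora 33 / OpenSSH 8.8 failure; the ed25519 case is the recommended fix, and the last two show why either a sha2 client fallback or a server that sends server-sig-algs would also resolve it.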
Hello Fellow OpenStack and OpenDev Folks!
TL;DR click on [3] and enjoy.
I am starting this thread to not hijack the discussion happening on [1].
First of all, I would like to thank gibi (Balazs Gibizer) for hacking
a way to get the place to render the table in the first place (pun
intended).
I have been a long-time-now user of [2].
I have improved and customised it for myself but never really got to
share back the changes I made.
The new Gerrit obviously broke the whole script so it was of no use to
share at that particular state.
However, inspired by gibi's work, I decided to finally sit down and
fix it to work with Gerrit 3 and here it comes: [3].
Works well on Chrome with Tampermonkey. Not tested others.
I hope you will enjoy this little helper (I do).
I know the script looks super fugly but it generally boils down to a
mix of styles of 3 people and Gerrit having funky UI rendering.
Finally, I'd also like to thank hrw (Marcin Juszkiewicz) for linking
me to Michel's original script in 2019.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-November/019051…
[2] https://opendev.org/x/coats/src/commit/444c95738677593dcfed0cfd9667d4c4f0d5…
[3] https://gist.github.com/yoctozepto/7ea1271c299d143388b7c1b1802ee75e
Kind regards,
-yoctozepto
Hello,
We will meet with this agenda on January 25, 2022 at 19:00 UTC in #opendev-meeting:
== Agenda for next meeting ==
* Announcements
** OpenInfra Summit CFP and programming committee need your input: https://openinfra.dev/summit/
** Service Coordinator nomination time has begun.
* Actions from last meeting
* Specs Review
* Topics
** Improving OpenDev's CD throughput (clarkb 20220125)
*** Bootstrapping bridge via Zuul is now a complicated subject. Can use zuul secrets to make it happen. Are we comfortable with this?
*** https://review.opendev.org/c/opendev/infra-specs/+/821645 -- spec outlining some of the issues with secrets
*** https://review.opendev.org/c/opendev/system-config/+/821155 -- sample of secret writing; more info in changelog
** Container maintenance (clarkb 20220125)
*** https://etherpad.opendev.org/p/opendev-container-maintenance
*** Buster to Bullseye updates are complete.
*** Running containers with dedicated users. Next up all the ircbots.
*** Upgrading Zookeeper
*** Upgrading MariaDB
*** Eventually convert MariaDB containers from uid 999 to something that makes more sense on the system.
** Spring cleaning our Nodepool images (clarkb 20220125)
*** http://lists.opendev.org/pipermail/service-announce/2021-December/000029.ht… cleanup announcement
*** Plan to remove CentOS 8 from Nodepool and Zuul first thing next week.
** Spring cleaning for old reviews? (frickler 20220125)
*** system-config has >300 open reviews, most of them in merge-conflict and >1y old
*** Do we see value in keeping those or could we run some script to auto-abandon those with a helpful comment?
*** Neutron has a script that could be easily adopted for this task
**** https://opendev.org/openstack/neutron/src/branch/master/tools/abandon_old_r…
*** (clarkb) Considering that we had a big shift in approach to config management about 2 years ago I would say abandoning anything prior to that is probably fine. I have a change or two since then that might be good to keep around. Maybe we start at 2 years and see what that looks like? We can always restore changes too.
** Updating Grafana (clarkb 20220125)
*** https://review.opendev.org/c/opendev/grafyaml/+/825990 needed to fix api use against newer grafana
*** https://review.opendev.org/c/opendev/system-config/+/825410 update to latest grafana
* Open discussion
We will meet January 18, 2022 at 19:00 UTC in #opendev-meeting with this agenda:
* Announcements
** OpenInfra Summit CFP and programming committee need your input: https://openinfra.dev/summit/
* Actions from last meeting
* Specs Review
* Topics
** Improving OpenDev's CD throughput (clarkb 20220118)
*** Bootstrapping bridge via Zuul is now a complicated subject. Can use zuul secrets to make it happen. Are we comfortable with this?
*** https://review.opendev.org/c/opendev/infra-specs/+/821645 -- spec outlining some of the issues with secrets
*** https://review.opendev.org/c/opendev/system-config/+/821155 -- sample of secret writing; more info in changelog
** Container maintenance (clarkb 20220118)
*** https://etherpad.opendev.org/p/opendev-container-maintenance
*** Buster to Bullseye updates are complete.
*** Running containers with dedicated users. Next up all the ircbots.
*** Upgrading Zookeeper
*** Upgrading MariaDB
*** Eventually convert MariaDB containers from uid 999 to something that makes more sense on the system.
** Spring cleaning our Nodepool images (clarkb 20220118)
*** http://lists.opendev.org/pipermail/service-announce/2021-December/000029.ht… cleanup announcement
*** Tumbleweed has been removed
*** CentOS 8 removal process has begun. Gave projects until the end of the month before we remove the nodeset and nodepool configs.
** Scheduling Gerrit Project Renames (clarkb 20220118)
*** Target January 24 around 22:00 UTC?
** Spring cleaning for old reviews? (frickler 20220113)
*** system-config has >300 open reviews, most of them in merge-conflict and >1y old
*** Do we see value in keeping those or could we run some script to auto-abandon those with a helpful comment?
*** Neutron has a script that could be easily adopted for this task
**** https://opendev.org/openstack/neutron/src/branch/master/tools/abandon_old_r…
* Open discussion
On Tue, Dec 7, 2021, at 8:38 AM, Clark Boylan wrote:
> Hello,
>
> CentOS 8 reaches end of life on December 31, 2021. This means now is
> the time for you to convert jobs to CentOS 8|9 Stream or some other
> appropriate platform. The OpenDev team will plan to remove CentOS 8
> images and mirrors from our infrastructure in early January, hopefully
> by January 14, 2022. Again, please update your jobs now so that you are
> prepared. These changes are necessary as the distro will no longer be
> supported, and there is no way for us to ensure that the images will be
> secure or that we'll even be able to build them.
>
> We've also got Fedora 35 lined up to replace Fedora 34. Due to Fedora's
> short support window we typically swap out one Fedora release with the
> next when the next is ready. If you are using the fedora-34 label
> please update it to fedora-35. If you are using fedora-latest we'll be
> updating that to use fedora-35 and the swap will happen automatically
> for you. We expect to have Fedora 34 cleaned up by the end of the year.
>
> Additionally both OpenSUSE 15 and Tumbleweed could use some help. For
> OpenSUSE 15 we need to update it to 15.3 as well as updating the
> associated mirrors if we plan to keep it around. I'm happy to keep this
> image around if we can get volunteers in the community that can help
> with that. If there isn't interest in modernizing the OpenSUSE 15
> images I'd like to propose we clean them up in January along with the
> CentOS 8 images. For Tumbleweed, the images haven't received much use
> or attention. I'd like to propose that we simply retire this image and
> clean it up. We had thought it might be a good platform for monitoring
> upcoming changes in the Linux world, but the reality is that only works
> if you've got people active caring for it and adjusting to those
> changes. The Tumbleweed cleanup will likely begin before the end of the
> year.
>
> Finally, our Gentoo images bounce between being buildable and broken
> with more time spent being broken than not. I'd like to propose that
> this image also get cleaned up in the near future. Again, if there is
> interest in the community for keeping this alive I think we can make
> that happen. But as is this image is not in a sustainable place and it
> would be better for us to stop running jobs on it.
>
> Let us know if you have any questions or comments,
To follow up on this, we have found volunteers for Gentoo and OpenSUSE Leap 15 maintenance. This means those images are not immediately up for removal. However, if those volunteers find they aren't sustainable for one reason or another they may still be removed.
OpenSUSE Tumbleweed has been removed and as far as we could tell nothing was using it when we removed it. Shouldn't create any problems.
CentOS 8 removal has begun with a number of changes [0] to start removing some of the infrastructure bits (like wheel mirrors and openafs packages) that supported it. I will be reaching out to OpenStack as well as they seem to be the primary users of the centos-8 label. Hopefully we'll be able to remove all of the existing centos-8 jobs cleanly, but if not then we'll wait until a reasonable amount of time and cleanup has passed (a couple of weeks?) before force merging the removal of the nodeset and label from our zuul configs.
Fedora 34 cleanup is still in progress, but should pick up again as people return from holiday.
[0] https://review.opendev.org/q/topic:%22remove-centos-8%22+status:open
Our first meeting of the year will be held January 11, 2022 at 19:00 UTC in #opendev-meeting. I expect it will still be pretty quiet due to holidays so we might get through it quickly. This is our agenda:
== Agenda for next meeting ==
* Announcements
** OpenInfra Foundation Board Election happening this week. Don't forget to vote.
* Actions from last meeting
* Specs Review
* Topics
** ansible-lint failures (clarkb 20220111)
*** An unpinned dep (rich) in old ansible-lint has updated and broken ansible-lint. Need to pin rich or update ansible-lint.
*** clarkb has a number of these changes up for review now. topic:ansible-lint
** Improving OpenDev's CD throughput (clarkb 20220111)
*** Bootstrapping bridge via Zuul is now a complicated subject. Can use zuul secrets to make it happen. Are we comfortable with this?
*** https://review.opendev.org/c/opendev/infra-specs/+/821645 -- spec outlining some of the issues with secrets
*** https://review.opendev.org/c/opendev/system-config/+/821155 -- sample of secret writing; more info in changelog
** Container maintenance (clarkb 20220111)
*** https://etherpad.opendev.org/p/opendev-container-maintenance
*** Updating Buster images to Bullseye
**** https://review.opendev.org/q/hashtag:%22bullseye-image-update%22+status:open The uwsgi image update in particular could use review.
*** Running containers with dedicated users. Next up all the ircbots.
*** Upgrading Zookeeper
*** Upgrading MariaDB
*** Eventually convert MariaDB containers from uid 999 to something that makes more sense on the system.
** Spring cleaning our Nodepool images (clarkb 20220111)
*** http://lists.opendev.org/pipermail/service-announce/2021-December/000029.ht… cleanup announcement
*** CentOS 8 and OpenSUSE Tumbleweed need cleanup this month.
** Scheduling Gerrit Project Renames (clarkb 20220111)
* Open discussion