Hello,
About a year ago Fedora 33 released and gave us a preview of OpenSSH's sha1 + RSA key deprecation fallout. Fedora 33 users noticed they could no longer use SSH RSA keys to connect to our Gerrit at review.opendev.org. This happens because Fedora 33's OpenSSH packaging has deprecated sha1 hashes for RSA, and despite both the client and server supporting rsa-sha2-* variants they couldn't negotiate their use between them. OpenSSH 8.8 was released recently and did the same in the upstream software, which means users with up-to-date OpenSSH installations are noticing similar problems (Arch Linux for example).
There are a couple of workarounds that you can use. Probably the best option is to use an ed25519 or ecdsa key with our Gerrit. Modern clients and our Gerrit SSHD negotiate these keys without issue. Less optimal is to manually re-enable the use of the ssh-rsa hash, but we recommend against this as your software providers have decided this is no longer secure enough.
On our end we've brought this up with the MINA SSHD devs [0] with the hope that the SSH implementation that Gerrit uses can be updated to negotiate the sha2 hashes properly. Also, the rsa-sha2 RFC indicates [1] clients may fall back to a sha2 variant instead of the sha1 variant, which would work around MINA's lack of support for negotiation in the protocol. If you are an OpenSSH >= 8.8 or Fedora >= 33 user you might consider filing bugs against your ssh clients to change the default fallback to a sha2 variant on your platforms.
[0] https://issues.apache.org/jira/browse/SSHD-1141
[1] https://datatracker.ietf.org/doc/html/rfc8332#section-3.3
Hopefully I've put enough keywords in this email that the various search engines will index it, and the next time someone runs into these problems they'll find this explanation.
Clark
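As an added illustration (not code from the email above, OpenSSH, Gerrit or MINA SSHD), a small Python model of the client-side choice RFC 8332 section 3.3 describes: which signature algorithm a client uses for a user key when the server does or does not advertise server-sig-algs. The accepted-algorithm lists are abbreviated assumptions, and `fallback` models the client default the email suggests changing.

```python
# Model of the SSH client's signature-algorithm choice for a user key
# (RFC 8332 section 3.3).  Added illustration; not OpenSSH, Gerrit or
# MINA SSHD code.  The accepted-algorithm lists below are abbreviated
# assumptions, not the full OpenSSH defaults.

# OpenSSH >= 8.8 / Fedora 33: the SHA-1 scheme "ssh-rsa" is no longer in
# the default PubkeyAcceptedAlgorithms, but rsa-sha2-* still are.
OPENSSH_88_ACCEPTED = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                       "rsa-sha2-512", "rsa-sha2-256"]
# Older clients also accepted the SHA-1 scheme.
OPENSSH_OLD_ACCEPTED = OPENSSH_88_ACCEPTED + ["ssh-rsa"]
# What a user gets back with "PubkeyAcceptedAlgorithms +ssh-rsa"
# (the workaround the email recommends against).
OPENSSH_88_REENABLED = OPENSSH_88_ACCEPTED + ["ssh-rsa"]

RSA_SIG_ALGS = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")


def choose_sig_alg(key_type, client_accepted, server_sig_algs, fallback="ssh-rsa"):
    """Signature algorithm the client will use for a user key, or None
    when client and server cannot agree (public key auth then fails).

    key_type: public key type, e.g. "ssh-rsa" or "ssh-ed25519".
    client_accepted: client's PubkeyAcceptedAlgorithms, preference order.
    server_sig_algs: list from the server's "server-sig-algs" extension,
        or None when the server never sent it (the MINA SSHD case).
    fallback: what the client assumes for RSA keys when the extension is
        absent; RFC 8332 3.3 allows ssh-rsa or a rsa-sha2-* variant.
    """
    if key_type != "ssh-rsa":
        # Non-RSA keys have a single signature scheme named after the key,
        # which is why ed25519/ecdsa keys negotiate without trouble.
        return key_type if key_type in client_accepted else None
    if server_sig_algs is not None:
        # Negotiated: first client preference the server also supports.
        for alg in client_accepted:
            if alg in RSA_SIG_ALGS and alg in server_sig_algs:
                return alg
        return None
    # No extension: the client can only guess, and the guess must still be
    # something it is itself willing to use.
    return fallback if fallback in client_accepted else None


if __name__ == "__main__":
    # The failure reported above: new client, RSA key, non-advertising server.
    print(choose_sig_alg("ssh-rsa", OPENSSH_88_ACCEPTED, None))
    # The two workarounds, and the client-default change the RFC permits.
    print(choose_sig_alg("ssh-ed25519", OPENSSH_88_ACCEPTED, None))
    print(choose_sig_alg("ssh-rsa", OPENSSH_88_REENABLED, None))
    print(choose_sig_alg("ssh-rsa", OPENSSH_88_ACCEPTED, None, fallback="rsa-sha2-512"))
```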
Hello Fellow OpenStack and OpenDev Folks!
TL;DR click on [3] and enjoy.
I am starting this thread to not hijack the discussion happening on [1].
First of all, I would like to thank gibi (Balazs Gibizer) for hacking
a way to get the place to render the table in the first place (pun
intended).
I have been a user of [2] for a long time now.
I have improved and customised it for myself but never really got to
share back the changes I made.
The new Gerrit obviously broke the whole script so it was of no use to
share at that particular state.
However, inspired by gibi's work, I decided to finally sit down and
fix it to work with Gerrit 3 and here it comes: [3].
Works well on Chrome with Tampermonkey. Not tested others.
I hope you will enjoy this little helper (I do).
I know the script looks super fugly but it generally boils down to a
mix of styles of 3 people and Gerrit having funky UI rendering.
Finally, I'd also like to thank hrw (Marcin Juszkiewicz) for linking
me to Michel's original script in 2019.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-November/019051…
[2] https://opendev.org/x/coats/src/commit/444c95738677593dcfed0cfd9667d4c4f0d5…
[3] https://gist.github.com/yoctozepto/7ea1271c299d143388b7c1b1802ee75e
Kind regards,
-yoctozepto
Hello,
We will meet on May 31, 2022 at 19:00 UTC in #opendev-meeting with this agenda:
* Announcements
** Summit happens June 7-9.
* Actions from last meeting
* Specs Review
* Topics
** Improving OpenDev's CD throughput (clarkb 20220531)
*** Bootstrapping bridge via Zuul is now a complicated subject. Can use zuul secrets to make it happen. Are we comfortable with this?
*** https://review.opendev.org/c/opendev/infra-specs/+/821645 -- spec outlining some of the issues with secrets
*** https://review.opendev.org/c/opendev/system-config/+/821155 -- sample of secret writing; more info in changelog
*** https://opendev.org/opendev/system-config/src/branch/master/playbooks/zuul_… Automated graceful Zuul upgrades and server reboots
**** Hit a bug with zuul merger graceful shutdowns
**** Hit a bug in zuul's model api 8 transition
**** Otherwise seemed to work well.
** Container maintenance (clarkb 20220531)
*** https://etherpad.opendev.org/p/opendev-container-maintenance
*** Continue to update services with dedicated users.
*** Upgrading Zookeeper
*** Upgrading MariaDB
*** Eventually convert MariaDB containers from uid 999 to something that makes more sense on the system.
** Gerrit 3.5 upgrade planning (ianw 20220531)
*** https://etherpad.opendev.org/p/gerrit-upgrade-3.5
*** http://lists.opendev.org/pipermail/service-announce/2022-May/000039.html Scheduled for 20:00 UTC June 19, 2022
*** Need to explicitly enable conflict checking
** Manually triggering periodic jobs (frickler 20220531)
*** What is the correct process for manually triggering periodic jobs?
** Zuul changing default Ansible version to v5 soon (clarkb 20220531)
*** Now that Zuul supports Ansible v5 the next step is to default to v5
*** Need to send an announcement for the default change in OpenDev happening at the end of June.
** Removing Ethercalc (clarkb 20220531)
*** Announced removal date was May 31, 2022
*** Last call before clarkb proceeds with this cleanup
** Do we want to hold a meeting June 7, 2022 (clarkb 20220531)
*** clarkb and fungi are unlikely to be able to attend due to the summit acting as a conflict
* Open discussion
We will meet on May 17, 2022 at 19:00 UTC in #opendev-meeting with this agenda:
* Announcements
** The OpenInfra Summit is about a month away. It's been a while since we had one of those in person.
** ClarkB out May 18
* Actions from last meeting
* Specs Review
* Topics
** Improving OpenDev's CD throughput (clarkb 20220510)
*** Bootstrapping bridge via Zuul is now a complicated subject. Can use zuul secrets to make it happen. Are we comfortable with this?
*** https://review.opendev.org/c/opendev/infra-specs/+/821645 -- spec outlining some of the issues with secrets
*** https://review.opendev.org/c/opendev/system-config/+/821155 -- sample of secret writing; more info in changelog
** Container maintenance (clarkb 20220510)
*** https://etherpad.opendev.org/p/opendev-container-maintenance
*** Continue to update services with dedicated users.
*** Upgrading Zookeeper
*** Upgrading MariaDB
*** Eventually convert MariaDB containers from uid 999 to something that makes more sense on the system.
** Support for Ubuntu 22.04 LTS aka Jammy Jellyfish (frickler 20220510)
*** Last major missing piece is wheel builds and mirroring
** Gerrit 3.5 upgrade planning (ianw 20220517)
*** https://etherpad.opendev.org/p/gerrit-upgrade-3.5
*** Scheduling
* Open discussion
Hello,
We will meet on May 10, 2022 at 19:00 UTC in #opendev-meeting with this agenda:
== Agenda for next meeting ==
* Announcements
** The OpenInfra Summit is about a month away. It's been a while since we had one of those in person.
* Actions from last meeting
* Specs Review
* Topics
** Improving OpenDev's CD throughput (clarkb 20220510)
*** Bootstrapping bridge via Zuul is now a complicated subject. Can use zuul secrets to make it happen. Are we comfortable with this?
*** https://review.opendev.org/c/opendev/infra-specs/+/821645 -- spec outlining some of the issues with secrets
*** https://review.opendev.org/c/opendev/system-config/+/821155 -- sample of secret writing; more info in changelog
** Container maintenance (clarkb 20220510)
*** https://etherpad.opendev.org/p/opendev-container-maintenance
*** Continue to update services with dedicated users.
*** Upgrading Zookeeper
*** Upgrading MariaDB
*** Eventually convert MariaDB containers from uid 999 to something that makes more sense on the system.
** Spring cleaning for old reviews? (frickler 20220510)
*** system-config has >300 open reviews, most of them in merge-conflict and >1y old
**** Some changes have been labeled with topic:system-config-cleanup and are worth landing: https://review.opendev.org/q/project:opendev/system-config+status:open+topi…
*** Please look at your changes and update/rebase as necessary and set topic:system-config-cleanup and we can try to get through this backlog. Or abandon unnecessary changes.
** Automating the build process for our Ubuntu PPA packages (clarkb 20220510)
*** ianw is adding more automation to our vhd-util and openafs package builds. This should make it easier for us to update the packages and add new distro releases.
** Support for Ubuntu 22.04 LTS aka Jammy Jellyfish (frickler 20220510)
*** Last major missing piece is wheel builds and mirroring
** Keycloak container image update (clarkb 20220510)
*** Keycloak stopped publishing to Docker Hub.
*** Keycloak has two versions of the image. The Legacy wildfly image (what we use) and a non wildfly image we should probably convert to.
*** https://review.opendev.org/c/opendev/system-config/+/840529 Pull keycloak from quay.io
* Open discussion
We will meet with this agenda on May 3, 2022 at 19:00 UTC in #opendev-meeting:
== Agenda for next meeting ==
* Announcements
* Actions from last meeting
* Specs Review
* Topics
** Improving OpenDev's CD throughput (clarkb 20220503)
*** Bootstrapping bridge via Zuul is now a complicated subject. Can use zuul secrets to make it happen. Are we comfortable with this?
*** https://review.opendev.org/c/opendev/infra-specs/+/821645 -- spec outlining some of the issues with secrets
*** https://review.opendev.org/c/opendev/system-config/+/821155 -- sample of secret writing; more info in changelog
** Container maintenance (clarkb 20220503)
*** https://etherpad.opendev.org/p/opendev-container-maintenance
*** Continue to update services with dedicated users.
*** Upgrading Zookeeper
*** Upgrading MariaDB
*** Eventually convert MariaDB containers from uid 999 to something that makes more sense on the system.
** Spring cleaning for old reviews? (frickler 20220503)
*** system-config has >300 open reviews, most of them in merge-conflict and >1y old
**** Some changes have been labeled with topic:system-config-cleanup and are worth landing: https://review.opendev.org/q/project:opendev/system-config+status:open+topi…
*** Please look at your changes and update/rebase as necessary and set topic:system-config-cleanup and we can try to get through this backlog. Or abandon unnecessary changes.
** Support for Ubuntu 22.04 LTS aka Jammy Jellyfish (frickler 20220503)
*** Ubuntu-ports mirroring is in progress
*** Do we need to build our openafs package for jammy? (This would be to build wheel mirrors to start, but would potentially be used on zuul executors etc. in the future.)
** Shutting down Ethercalc (clarkb 20220503)
*** The software doesn't seem to be well maintained
*** The software lacks history tracking and rollback like etherpad
*** Is largely used for PTG and other tools could be used for that (like PTGbot)
*** clarkb would like to propose shutting this service down at the end of the month.
* Open discussion