I will apply a workaround for now to unblock us; but we have troubles with generated ed25519 host ssh keys. When generated, Batcave fails to trust them - and every run of playbook tries to modify known_hosts file:
Wednesday 23 November 2022 11:54:09 +0000 (0:00:00.085) 0:00:00.889 *
Wednesday 23 November 2022 11:54:09 +0000 (0:00:00.085) 0:00:00.888 *
The authenticity of host 'copr-be-dev.aws.fedoraproject.org (18.208.10.131)' can't be established.
RSA key fingerprint is SHA256:ETl7I7zT9Hnb0hASlPFZXI5x2pe99dNKP2XXjfe4AlA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C
The workaround is here: https://pagure.io/fedora-infra/ansible/c/50a7bd5e58291c239e8aaf41cb06df7583a9d45b
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, low-trouble, ops
I think you can remove your workaround and it should work again.
We were having troubles with this role when we upgraded to newer ansible, but we fixed those, so I think this will work.
Perhaps we can try reverting it and test?
Thank you @kevin.
CC @frostyx, @nikromen, for possible testing (I'm OOO now).
If fixed - I believe we can revert the patch, close this bug, and test (perhaps even later).
ok. I reverted and tested, it seems to work to me. :)
Please let us know if it fails anywhere.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
FTR, I installed this patch: https://pagure.io/fedora-infra/ansible/c/eccbf58b3fd7325f31f552d9376be1fe06ef44fa
One of the additional problems was that we are first signing the certificate against copr-be-temp hostname, and later against "just" copr-be (dropping the -temp suffix).
The basessh role doesn't detect this situation, so if we don't remove the certificates during the second playbook run, the hostkeys are not re-signed.
I'm not sure if any other action is needed, let me know if it is.
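The rename case described in the comment above (a host certificate signed for copr-be-temp and then reused on copr-be) can be detected by comparing the certificate's principals with the host's current name. The following is an added example, not part of the original ticket and not the basessh role's code; it assumes OpenSSH host certificates inspected with `ssh-keygen -L`, and the certificate path and `example.org` names are constructed.

```shell
#!/bin/sh
# Added example: flag a host certificate whose principals no longer include
# the host's current name (the copr-be-temp -> copr-be rename case).

# Print the principals found in `ssh-keygen -L` output read from stdin.
cert_principals() {
    awk '
        /^[ \t]*Principals:/ { in_p = 1; next }
        # The principal list ends at the next certificate field.
        in_p && /^[ \t]*(Critical Options|Extensions):/ { in_p = 0 }
        in_p && NF { print $1 }
    '
}

# Return 0 (stale, re-sign needed) when hostname $1 is not a principal.
# Whole-line fixed-string matching keeps "copr-be" from matching
# "copr-be-temp". A certificate listing no principals is reported too,
# because it is not bound to this name.
cert_is_stale() {
    wanted=$1
    if cert_principals | grep -qxF -- "$wanted"; then
        return 1
    fi
    return 0
}

# Constructed sample of `ssh-keygen -L -f <cert>` output; the path,
# hostnames and fingerprints are placeholders, not values from the ticket.
sample_cert() {
    cat <<'EOF'
/etc/ssh/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: RSA SHA256:PLACEHOLDER (using rsa-sha2-512)
        Key ID: "copr-be-temp.example.org"
        Serial: 0
        Valid: forever
        Principals: 
                copr-be-temp.example.org
        Critical Options: (none)
        Extensions: (none)
EOF
}

# On a real host (assumed path) the input would come from:
#   ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub
if sample_cert | cert_is_stale "copr-be.example.org"; then
    echo "certificate does not cover copr-be.example.org: remove and re-sign"
fi
```

Running a check like this before the signing step lets a playbook decide to drop the old certificate itself instead of relying on manual removal.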