#11006 Help with the basessh role
Closed: Fixed a year ago by kevin. Opened a year ago by praiskup.

I will apply a workaround for now to unblock us, but we have trouble with generated ed25519 host ssh keys. When generated, Batcave fails to trust them - and every run of the playbook tries to modify the known_hosts file:

Wednesday 23 November 2022 11:54:09 +0000 (0:00:00.085) 0:00:00.889 *
Wednesday 23 November 2022 11:54:09 +0000 (0:00:00.085) 0:00:00.888
*
The authenticity of host 'copr-be-dev.aws.fedoraproject.org (18.208.10.131)' can't be established.
RSA key fingerprint is SHA256:ETl7I7zT9Hnb0hASlPFZXI5x2pe99dNKP2XXjfe4AlA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C


Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

a year ago

I think you can remove your workaround and it should work again.

We were having troubles with this role when we upgraded to newer ansible, but we fixed those, so I think this will work.

Perhaps we can try reverting it and test?

Thank you @kevin.

CC @frostyx, @nikromen, for possible testing (I'm OOO now).

If fixed - I believe we can revert the patch, close this bug, and test (perhaps even later).

OK. I reverted and tested, it seems to work for me. :)

Please let us know if it fails anywhere.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago

FTR, I installed this patch: https://pagure.io/fedora-infra/ansible/c/eccbf58b3fd7325f31f552d9376be1fe06ef44fa

One of the additional problems was that we are first signing the
certificate against copr-be-temp hostname, and later against "just"
copr-be (dropping the -temp suffix).

The basessh role doesn't detect this situation, so if we don't remove
the certificates during the second playbook run, the hostkeys are not
resigned.

I'm not sure if any other action is needed, let me know if it is.
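
The hostname-change situation described in the commit message above can be detected by comparing the current host name with the principals listed in the existing host certificate. The following is an added example, not code from this ticket or from the basessh role; it assumes the certificate is inspected with `ssh-keygen -L`, the function names are hypothetical, and the sample certificate listing is constructed with placeholder fingerprints.

```shell
#!/bin/sh
# Added example: decide whether an SSH host certificate has to be re-signed
# because the current host name is not one of its principals.

# cert_principals: read `ssh-keygen -L` output on stdin and print one
# principal per line. Prints nothing for "Principals: (none)".
cert_principals() {
    awk '
        /^[ \t]*Principals:/ { in_p = 1; next }
        # The next "Field:" line ends the principal list.
        in_p && /^[ \t]*[A-Za-z][A-Za-z ]*:/ { in_p = 0 }
        in_p { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "") print }
    '
}

# needs_resign HOSTNAME: succeed (exit 0) when HOSTNAME is NOT a principal of
# the certificate listing on stdin. grep -Fx matches whole lines only, so
# "copr-be" is not satisfied by a certificate issued for "copr-be-temp".
needs_resign() {
    ! cert_principals | grep -Fxq -- "$1"
}

# check_cert CERT_FILE HOSTNAME: the same check against a certificate on disk.
check_cert() {
    ssh-keygen -L -f "$1" | needs_resign "$2"
}

# Constructed sample of `ssh-keygen -L` output (not taken from a real host).
SAMPLE_CERT='ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:<placeholder>
        Signing CA: RSA SHA256:<placeholder>
        Key ID: "copr-be-temp"
        Serial: 0
        Valid: forever
        Principals:
                copr-be-temp
        Critical Options: (none)
        Extensions: (none)'

for host in copr-be-temp copr-be; do
    if printf '%s\n' "$SAMPLE_CERT" | needs_resign "$host"; then
        echo "$host: not a principal, remove the certificate and sign again"
    else
        echo "$host: certificate already covers this name"
    fi
done
```
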

Metadata
Boards 1
ops Status: Backlog