Control: tags -1 + moreinfo

On Fri, 2017-06-30 at 17:15 +0300, Apollon Oikonomopoulos wrote:
> I would like to update ganeti in Stretch to fix some outstanding issues 
> and to introduce non-DSA SSH key support (see also #863320).
> 
> Regarding SSH key support, Ganeti by default manages node SSH keys at 
> the cluster level. The latest stable releases still rely on DSA keys, 
> which however are deemed weak and are not supported by our OpenSSH 
> server version by default. Upstream has already introduced RSA & ECDSA 
> key support, although it has not been released as part of a stable 
> release in over a year, due to upstream development slowing down. I have 
> thoroughly tested these changes on a couple production clusters I 
> operate myself, as have others and found them to be working in order.

That's a non-trivial patch, as I'm sure you're aware. :-(

> Apart from non-DSA key support, the proposed package fixes a number of 
> issues encountered late in the Stretch freeze phase:
> 
>  - gnt-instance move does not work with stretch's socat version, as the 
>    option specifying the TLS method socat uses has changed format. This 
>    is fixed by removing the argument and letting socat pick the best TLS 
>    method available (which is better than hardcoding the outdated TLS 
>    1.0 anyway).
>  - Instances using external storage cannot be failed over from dead 
>    nodes (#864756). This has been fixed upstream, so we are simply 
>    backporting the relevant commit.

This doesn't look like it's fixed in unstable yet?

>  - The pre-migration hypervisor version compatibility check would always 
>    fail when migrating between different KVM versions in a non-intended 
>    way. Again, we are backporting the relevant upstream fix.

Regards,

Adam
