Hi Adam,

Thanks for looking into this.

On 10:55 Sat 15 Jul , Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Fri, 2017-06-30 at 17:15 +0300, Apollon Oikonomopoulos wrote:
> > I would like to update ganeti in Stretch to fix some outstanding issues 
> > and to introduce non-DSA SSH key support (see also #863320).
> > 
> > Regarding SSH key support, Ganeti by default manages node SSH keys at 
> > the cluster level. The latest stable releases still rely on DSA keys, 
> > which however are deemed weak and are not supported by our OpenSSH 
> > server version by default. Upstream has already introduced RSA & ECDSA 
> > key support, although it has not been released as part of a stable 
> > release in over a year, due to upstream development slowing down. I have 
> > thoroughly tested these changes on a couple production clusters I 
> > operate myself, as have others and found them to be working in order.
> 
> That's a non-trivial patch, as I'm sure you're aware. :-(

Yes, I am :-(. I realise you only have my word that it's working 
properly, so feel free to reject this part if you feel it's too risky 
for a stable update. OTOH, it's the only way for Ganeti's key management 
to work out-of-the box without having people re-enable DSA key support 
in their OpenSSH setup.

> > Apart from non-DSA key support, the proposed package fixes a number 
> > of issues encountered late in the Stretch freeze phase:
> > 
> >  - gnt-instance move does not work with stretch's socat version, as the 
> >    option specifying the TLS method socat uses has changed format. This 
> >    is fixed by removing the argument and letting socat pick the best TLS 
> >    method available (which is better than hardcoding the outdated TLS 
> >    1.0 anyway).
> >  - Instances using external storage cannot be failed over from dead 
> >    nodes (#864756). This has been fixed upstream, so we are simply 
> >    backporting the relevant commit.
> 
> This doesn't look like it's fixed in unstable yet?

Yes, you're right, I somehow missed that :(. I'll upload the fix to 
unstable ASAP.

Regards,
Apollon
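The thread above turns on Ganeti-managed node keys still being DSA, which current OpenSSH servers refuse by default. The following is an added example (not part of the bug report, and not Ganeti's own code) that audits an OpenSSH key listing in either authorized_keys or known_hosts layout and reports any remaining `ssh-dss` entries. The key lines are constructed placeholders, not real key material, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or Ganeti): audit an OpenSSH
# key listing for DSA ("ssh-dss") entries, which current OpenSSH servers
# reject by default, so a cluster still relying on them silently breaks.

# Constructed sample: authorized_keys style lines (type, blob, comment)
# plus one known_hosts style line (host, type, blob). Blobs are placeholders.
SAMPLE_KEYS='ssh-rsa AAAAB3NzaC1yc2E... root@node1
ssh-dss AAAAB3NzaC1kc3M... root@node2
ecdsa-sha2-nistp256 AAAAE2VjZHNh... root@node3
node4.example.com ssh-dss AAAAB3NzaC1kc3M...'

# count_dsa_keys: read key lines on stdin, print how many are ssh-dss.
# Field 1 is the type in authorized_keys, field 2 in known_hosts.
count_dsa_keys() {
    awk '$1 == "ssh-dss" || $2 == "ssh-dss" { n++ } END { print n+0 }'
}

# list_dsa_keys: read key lines on stdin, print an identifier for each
# ssh-dss entry: the comment (user@host) for authorized_keys lines,
# the host field for known_hosts lines.
list_dsa_keys() {
    awk '$1 == "ssh-dss" { print $3 } $2 == "ssh-dss" { print $1 }'
}

# audit_keys KEY_TEXT: return 0 if no DSA keys remain, 1 otherwise,
# printing a short report either way.
audit_keys() {
    n=$(printf '%s\n' "$1" | count_dsa_keys)
    if [ "$n" -eq 0 ]; then
        echo "OK: no DSA keys found"
        return 0
    fi
    echo "WARN: $n DSA key(s) found:"
    printf '%s\n' "$1" | list_dsa_keys
    return 1
}

# Usage: audit_keys "$SAMPLE_KEYS"
# or, against a real file: audit_keys "$(cat /root/.ssh/authorized_keys)"
```

The awk filters match on the key-type field rather than on a substring so that a comment containing the word "dss" does not produce a false positive; a non-zero return from `audit_keys` is meant to be used as a check in a node-provisioning or monitoring script.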
