
yahoo-eng-team team mailing list archive

[Bug 1621536] [NEW] Remove paramiko dependency


Public bug reported:

In Liberty, key pair creation (previously done via ssh-keygen) was
replaced with paramiko library calls. While paramiko was listed as a
dependency in Liberty, it wasn't actually used until that commit.

  Replace ssh exec calls with paramiko lib
  https://review.openstack.org/#/c/157931/

The above commit was unintentionally backwards incompatible.
Specifically, it changed the SSH key ASN.1 encoding from DER to BER.
Apparently golang doesn't support BER, meaning tools like Terraform no
longer work with OpenStack.

  ssh-keygen-to-Paramiko change breaks third-party tools
  https://bugs.launchpad.net/nova/+bug/1483132

This has since been fixed in paramiko 2.0, but that major version bump
doesn't make it into Nova until Newton, meaning these third-party tools
are unusable for Liberty & Mitaka in the meantime.

   stable/liberty: paramiko>=1.13.0
   upper-constraints: paramiko===1.16.0

   stable/mitaka: paramiko>=1.16.0
   upper-constraints: paramiko===1.16.0

   master (newton): paramiko>=2.0
   upper-constraints: paramiko===2.0.2

The bump to paramiko 2.0 was a big change, complete with a huge red
warning in the changelog (which I suspect makes a backport that bumps
the paramiko version to 2.0+ unrealistic for Liberty & Mitaka).

  http://www.paramiko.org/changelog.html
  http://bitprophet.org/blog/2016/04/23/paramiko-2.0-is-coming/

The switch to paramiko also introduced a number of Nova regressions
along the way.

  Tolerate installation of pycryptodome
  https://review.openstack.org/#/c/279909/

  crypto: Add support for Paramiko 2.x
  https://review.openstack.org/#/c/314592/

  Drop paramiko < 2 compat code
  https://review.openstack.org/#/c/314639/

All this, coupled with the known security implications of using the
older paramiko versions, makes me think that perhaps we should just go
back to using ssh-keygen.

Ideally, I'd like to backport this change all the way down to
stable/liberty.

** Affects: nova
     Importance: Undecided
     Assignee: Diana Clarke (diana-clarke)
         Status: In Progress

** Changed in: nova
     Assignee: (unassigned) => Diana Clarke (diana-clarke)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1621536

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1621536/+subscriptions
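The DER-versus-BER distinction behind the Terraform breakage, as an added example that is not nova or paramiko code: a small strict-DER checker that walks an ASN.1 TLV tree and reports the BER-only forms (indefinite lengths, non-minimal lengths, padded INTEGERs) that a DER-only parser rejects, plus a `check_pem` helper for a PEM-armoured private key. The function names and the sample byte strings are constructed for this example.

```python
import base64

def check_der(data):
    """Return a list of (offset, problem) for BER-only constructs; [] means strict DER."""
    problems = []
    try:
        _walk(data, 0, problems)
    except IndexError:
        problems.append((len(data), "truncated TLV"))
    return problems

def _walk(buf, base, problems):
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]      # IndexError if the TLV is cut short
        pos += 2
        if first == 0x80:                        # indefinite length: never valid in DER
            problems.append((base + pos - 1, "indefinite length"))
            return
        if first & 0x80:                         # long form: low bits = count of length bytes
            n = first & 0x7F
            lbytes = buf[pos:pos + n]
            if len(lbytes) < n:
                raise IndexError
            length = int.from_bytes(lbytes, "big")
            pos += n
            if length < 0x80 or lbytes[0] == 0:  # DER requires the shortest length form
                problems.append((base + pos - n - 1, "non-minimal length"))
        else:
            length = first
        val = buf[pos:pos + length]
        if len(val) < length:
            raise IndexError
        if tag & 0x20:                           # constructed: check the children too
            _walk(val, base + pos, problems)
        elif tag == 0x02 and length > 1 and (    # INTEGER: no redundant leading byte
                (val[0] == 0x00 and val[1] < 0x80) or (val[0] == 0xFF and val[1] >= 0x80)):
            problems.append((base + pos, "non-minimal INTEGER"))
        pos += length

def check_pem(pem_text):
    """Strip PEM armour (e.g. '-----BEGIN RSA PRIVATE KEY-----' lines) and check the bytes."""
    body = "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))
    return check_der(base64.b64decode(body))

# Constructed samples: SEQUENCE { INTEGER 0, INTEGER 65537 } as strict DER, then in BER-only forms.
DER_OK = bytes.fromhex("30080201000203010001")
BER_LONG_LEN = bytes.fromhex("308108" "0201000203010001")       # length 8 written as 81 08
BER_INDEFINITE = bytes.fromhex("3080" "0201000203010001" "0000")
BER_PADDED_INT = bytes.fromhex("3009" "02020000" "0203010001")  # INTEGER 0 written as 00 00
```

Running `check_pem` over a freshly generated private key file is a cheap pre-flight check before handing the key to a consumer with a DER-only ASN.1 parser.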
