From 2fe879dd0d11b7c89845a51f6c88cdac4427059e Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Thu, 3 Mar 2022 14:00:09 +0100
Subject: [PATCH] Fix the CI on CentOS 9

* Prefer modern SSH key algorithms
* Generate an ECDSA key if Cirros is used
* Always resolve symlinks when copying logs

Remove all previous work-arounds.

Change-Id: Ie9248584c71f7d326d5839710d6b9bdf6d779749
---
 .../tasks/ssh_public_key_path.yaml | 3 ++-
 .../ssh_public_key_path.yaml | 3 ++-
 .../tasks/main.yml | 9 ---------
 releasenotes/notes/ecdsa-4bf0cd160426922c.yaml | 5 +++++
 scripts/collect-test-info.sh | 2 +-
 scripts/test-bifrost.sh | 16 ++++++----------
 6 files changed, 16 insertions(+), 22 deletions(-)
 create mode 100644 releasenotes/notes/ecdsa-4bf0cd160426922c.yaml

diff --git a/playbooks/roles/bifrost-configdrives-dynamic/tasks/ssh_public_key_path.yaml b/playbooks/roles/bifrost-configdrives-dynamic/tasks/ssh_public_key_path.yaml
index 0e4470142..b96879267 100644
--- a/playbooks/roles/bifrost-configdrives-dynamic/tasks/ssh_public_key_path.yaml
+++ b/playbooks/roles/bifrost-configdrives-dynamic/tasks/ssh_public_key_path.yaml
@@ -17,8 +17,9 @@
   set_fact:
     ssh_public_key_path: "{{ item }}"
   with_first_found:
-    - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
     - "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519.pub"
+    - "{{ lookup('env', 'HOME') }}/.ssh/id_ecdsa.pub"
+    - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
   when: ssh_public_key_path is undefined
   ignore_errors: yes
diff --git a/playbooks/roles/bifrost-ironic-install/ssh_public_key_path.yaml b/playbooks/roles/bifrost-ironic-install/ssh_public_key_path.yaml
index d12702b59..16db56004 100644
--- a/playbooks/roles/bifrost-ironic-install/ssh_public_key_path.yaml
+++ b/playbooks/roles/bifrost-ironic-install/ssh_public_key_path.yaml
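Review bot: The new lookup order (id_ed25519, id_ecdsa, id_rsa) is not explained in the task, and the identical list is duplicated in playbooks/roles/bifrost-ironic-install/ssh_public_key_path.yaml in the next hunk, so a reader of either file cannot tell why id_rsa.pub was demoted or that the two roles must stay in sync. Suggest a comment above `with_first_found:` in both files: `# Order matters: ssh-rsa is not accepted by default on CentOS Stream 9 (see the removed work-around in bifrost-prepare-for-test-dynamic), so modern key types are tried first.` Longer term, a single shared default list would keep the two roles from drifting apart. The pre-existing `ignore_errors: yes` means a host with none of the three keys leaves ssh_public_key_path undefined without any failure, which is worth a second sentence in that comment. The task's `- name:` line lies above the hunk.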
@@ -17,8 +17,9 @@
   set_fact:
     ssh_public_key_path: "{{ item }}"
   with_first_found:
-    - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
     - "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519.pub"
+    - "{{ lookup('env', 'HOME') }}/.ssh/id_ecdsa.pub"
+    - "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
   when: ssh_public_key_path is undefined
   ignore_errors: yes
diff --git a/playbooks/roles/bifrost-prepare-for-test-dynamic/tasks/main.yml b/playbooks/roles/bifrost-prepare-for-test-dynamic/tasks/main.yml
index 322dc2a42..82a4342b0 100644
--- a/playbooks/roles/bifrost-prepare-for-test-dynamic/tasks/main.yml
+++ b/playbooks/roles/bifrost-prepare-for-test-dynamic/tasks/main.yml
@@ -54,12 +54,3 @@
 - name: "Add testvm hosts from SSH known_hosts file."
   shell: ssh-keyscan "{{ ipv4_address }}" >> "{{ ansible_env.HOME }}/.ssh/known_hosts"
   when: ipv4_address is defined
-- name: "Allow ssh-rsa algorithm for CentOS Stream 9"
-  lineinfile:
-    path: ~/.ssh/config
-    line: PubkeyAcceptedKeyTypes +ssh-rsa
-    create: yes
-    mode: '0600'
-  when:
-    - ansible_distribution == "CentOS"
-    - ansible_distribution_version|int >= 9
\ No newline at end of file
diff --git a/releasenotes/notes/ecdsa-4bf0cd160426922c.yaml b/releasenotes/notes/ecdsa-4bf0cd160426922c.yaml
new file mode 100644
index 000000000..14789d154
--- /dev/null
+++ b/releasenotes/notes/ecdsa-4bf0cd160426922c.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    When several SSH public keys are available, prefers modern algorithms
+    rather than RSA. This fixes logging in Cirros on CentOS 9.
diff --git a/scripts/collect-test-info.sh b/scripts/collect-test-info.sh
index 810120db2..4ff434e3c 100755
--- a/scripts/collect-test-info.sh
+++ b/scripts/collect-test-info.sh
@@ -68,7 +68,7 @@ if $(ip link &>/dev/null); then
 fi
 mkdir -p ${LOG_LOCATION}/all
-sudo cp -a /var/log/* ${LOG_LOCATION}/all/.
+sudo cp -aL /var/log/* ${LOG_LOCATION}/all/.
 sudo chown -R $USER ${LOG_LOCATION}/all
 sudo systemctl > ${LOG_LOCATION}/all-services.txt
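Review bot: `cp -aL` fails on a dangling symlink under /var/log (`cp: cannot stat …`), and because `-L` follows links wherever they point, a link inside /var/log that targets a file outside it is copied into the bundle and made readable to the CI user by the `chown -R $USER` on the next line, which matters if the bundle is later published as an artifact. Whether the cp failure aborts the script depends on a `set -e` that is not visible in this hunk; if collection is meant to be best-effort, `sudo cp -aL /var/log/* ${LOG_LOCATION}/all/. || true` keeps the chown and the systemctl listing running. A comment such as `# -L: copy the targets of symlinked logs rather than the links themselves` would record why the flag was added.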
diff --git a/scripts/test-bifrost.sh b/scripts/test-bifrost.sh
index a8f455c91..d6a6daa72 100755
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@@ -72,6 +72,12 @@ if which setenforce &> /dev/null; then
     sudo setenforce Enforcing
 fi
+if [ ${USE_CIRROS} = "true" ] && [ ! -f "$HOME/.ssh/id_ecdsa.pub" ]; then
+    # CentOS/RHEL 8 and 9, as well as Fedora, do not work with the RSA key
+    # that the Cirros' SSH server uses. Generate an ECDSA key pair instead.
+    ssh-keygen -t ECDSA -f "$HOME/.ssh/id_ecdsa" -N ""
+fi
 # Note(cinerama): activate is not compatible with "set -u";
 # disable it just for this line.
 set +u
@@ -114,17 +120,7 @@ if [ ${USE_VMEDIA} = "true" ]; then
     CLOUD_CONFIG+=" -e enabled_hardware_types=redfish"
 fi
-CURRENT_CRYPTO_POLICY=
-if [ ${USE_CIRROS} = "true" ] && which update-crypto-policies 2>&1 > /dev/null; then
-    # Crypto policies in newer Fedora prevent SSH into Cirros
-    CURRENT_CRYPTO_POLICY=$(sudo update-crypto-policies --show)
-    sudo update-crypto-policies --set LEGACY
-fi
 on_exit() {
-    if [ -n "$CURRENT_CRYPTO_POLICY}" ]; then
-        sudo update-crypto-policies --set $CURRENT_CRYPTO_POLICY || true
-    fi
     $SCRIPT_HOME/collect-test-info.sh
 }
 trap on_exit EXIT
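Review bot: `ssh-keygen -f "$HOME/.ssh/id_ecdsa"` does not create the parent directory, so on a fresh CI user without `~/.ssh` the new block in the first hunk fails before any key exists; unless an earlier part of the script (outside this hunk) creates it, add `mkdir -p -m 700 "$HOME/.ssh"` before the ssh-keygen call. The key type is conventionally written in lowercase, `ssh-keygen -t ecdsa -f "$HOME/.ssh/id_ecdsa" -N ""`; ssh-keygen appears to accept the name case-insensitively, but `ecdsa` is the documented spelling. `[ ${USE_CIRROS} = "true" ]` is unquoted and becomes a test syntax error when USE_CIRROS is empty; it mirrors the existing `[ ${USE_VMEDIA} = "true" ]` style, but `"${USE_CIRROS}"` is safer. Note also that the Ansible lookup changed in the same commit tries id_ed25519.pub before id_ecdsa.pub, so on a host that already has an ed25519 key the generated ECDSA key is never the one selected — fine if ed25519 works against Cirros, but worth stating in the comment above the ssh-keygen line.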