Bump paramiko version

Most tobiko tests are failing on RHEL9 environments due to ssh auth issues. It was found that with newer paramiko version the issues do not occur. There is an open issue[1] in Paramiko starting from 2.9.2 (which allows to connect to new servers like the one of RHEL 9) but in the while it brakes the support for the old CirrOS image server (image version 5.2). To keep support for old version we now uses disable_algorithms[1] option when creating an SSH connection to CirrOS images. The workaround has been documented in the Paramiko project page [2] [1] https://github.com/paramiko/paramiko/issues/1961 [2] https://github.com/rhevm-qe-automation/python-rrmngmnt/pull/149/files#diff-7b3ed02bc73dc06b7db906cf97aa91dec2b2eb21f2d92bc5caa761df5bbc168f Change-Id: I301c18a832a05ddfd331bddd7ad2bc839205ad2d
2022-04-28 09:49:36 +02:00 · 2022-04-28 09:49:36 +02:00 · c1d30b3cac
commit c1d30b3cac
parent f4984ca548
12 changed files with 41 additions and 16 deletions
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -10,7 +10,7 @@ netaddr==0.8.0
 neutron-lib==2.7.0
 oslo.config==8.4.0
 oslo.log==4.4.0
-paramiko==2.7.2
+paramiko==2.9.2
 pbr==5.5.1
 psutil==5.8.0
 pytest===6.2.5
--- a/requirements.txt
+++ b/requirements.txt
@ -10,7 +10,7 @@ netaddr>=0.8.0                  # BSD
 neutron-lib>=2.7.0              # Apache-2.0
 oslo.config>=8.4.0              # Apache-2.0
 oslo.log>=4.4.0                 # Apache-2.0
-paramiko>=2.7.2                 # LGPLv2.1
+paramiko>=2.9.2                # LGPLv2.1
 pbr>=5.5.1                      # Apache-2.0
 psutil>=5.8.0                   # BSD
 python-dateutil>=2.8.0          # Apache-2.0
--- a/tobiko/openstack/glance/_image.py
+++ b/tobiko/openstack/glance/_image.py
@ -87,6 +87,7 @@ class GlanceImageFixture(_client.HasGlanceClientMixin, tobiko.SharedFixture):
    image_name: typing.Optional[str] = None
    username: typing.Optional[str] = None
    password: typing.Optional[str] = None
+    disabled_algorithms: typing.Optional[typing.Dict[str, typing.Any]] = None
    image = None
    wait_interval = 5.

--- a/tobiko/openstack/glance/config.py
+++ b/tobiko/openstack/glance/config.py
@ -65,7 +65,13 @@ def get_images_options():
             cfg.FloatOpt('connection_timeout',
                          default=None,
                          help=("Default " + name +
-                                " SSH connection timeout (seconds)")), ]
+                                " SSH connection timeout (seconds)")),
+             cfg.DictOpt('disabled_algorithms',
+                         default=None,
+                         help=("Allow to disable SSH auth algorithms"
+                               "in order to SSH to old servers like"
+                               "CirrOS ones")),
+             ]
        )]

    return options
--- a/tobiko/openstack/stacks/_centos.py
+++ b/tobiko/openstack/stacks/_centos.py
@ -35,6 +35,7 @@ class CentosImageFixture(glance.URLGlanceImageFixture):
    username = CONF.tobiko.centos.username or 'centos'
    password = CONF.tobiko.centos.password
    connection_timeout = CONF.tobiko.centos.connection_timeout or 800.
+    disabled_algorithms = CONF.tobiko.centos.disabled_algorithms


 CENTOS7_IMAGE_URL = (
--- a/tobiko/openstack/stacks/_cirros.py
+++ b/tobiko/openstack/stacks/_cirros.py
@ -49,6 +49,10 @@ class CirrosImageFixture(glance.URLGlanceImageFixture):
    username = CONF.tobiko.cirros.username or 'cirros'
    password = CONF.tobiko.cirros.password or 'gocubsgo'
    connection_timeout = CONF.tobiko.cirros.connection_timeout or 200.
+    disabled_algorithms = CONF.tobiko.cirros.disabled_algorithms or {
+        #: disabled_algorithms is required to connect to CirrOS servers
+        # when using recent Paramiko versions (>= 2.9.2)
+        'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']}


 class CirrosFlavorStackFixture(_nova.FlavorStackFixture):
--- a/tobiko/openstack/stacks/_fedora.py
+++ b/tobiko/openstack/stacks/_fedora.py
@ -38,6 +38,7 @@ class FedoraBaseImageFixture(glance.URLGlanceImageFixture):
    username = CONF.tobiko.fedora.username or 'fedora'
    password = CONF.tobiko.fedora.password
    connection_timeout = CONF.tobiko.fedora.connection_timeout or 800.
+    disabled_algorithms = CONF.tobiko.fedora.disabled_algorithms


 class FedoraImageFixture(FedoraBaseImageFixture,
--- a/tobiko/openstack/stacks/_nova.py
+++ b/tobiko/openstack/stacks/_nova.py
@ -130,6 +130,10 @@ class ServerStackFixture(heat.HeatStackFixture, abc.ABC):
    def connection_timeout(self) -> tobiko.Seconds:
        return self.image_fixture.connection_timeout

+    @property
+    def disabled_algorithms(self) -> typing.Dict[str, typing.Any]:
+        return self.image_fixture.disabled_algorithms
+
    flavor_stack: tobiko.RequiredFixture[FlavorStackFixture]

    @property
@ -165,14 +169,19 @@ class ServerStackFixture(heat.HeatStackFixture, abc.ABC):
        return bool(self.floating_network)

    @property
-    def ssh_client(self) -> ssh.SSHClientFixture:
-        return ssh.ssh_client(host=self.ip_address,
-                              username=self.username,
-                              password=self.password,
-                              connection_timeout=self.connection_timeout)
+    def ssh_client_parameters(self) -> typing.Dict[str, typing.Any]:
+        return dict(host=self.ip_address,
+                    username=self.username,
+                    password=self.password,
+                    connection_timeout=self.connection_timeout,
+                    disabled_algorithms=self.disabled_algorithms)

    @property
-    def peer_ssh_client(self) -> typing.Optional[ssh.SSHClientFixture]:
+    def ssh_client(self) -> ssh.SSHClientFixture:
+        return ssh.ssh_client(**self.ssh_client_parameters)
+
+    @property
+    def peer_ssh_client(self) -> ssh.SSHClientType:
        """Nearest SSH client to an host that can see server fixed IPs ports

        """
@ -473,12 +482,10 @@ class PeerServerStackFixture(ServerStackFixture, abc.ABC):
    peer_stack: tobiko.RequiredFixture[ServerStackFixture]

    @property
-    def ssh_client(self) -> ssh.SSHClientFixture:
-        return ssh.ssh_client(host=self.ip_address,
-                              username=self.username,
-                              password=self.password,
-                              connection_timeout=self.connection_timeout,
-                              proxy_jump=self.peer_ssh_client)
+    def ssh_client_parameters(self) -> typing.Dict[str, typing.Any]:
+        parameters = super().ssh_client_parameters
+        parameters.update(proxy_jump=self.peer_ssh_client)
+        return parameters

    @property
    def peer_ssh_client(self) -> ssh.SSHClientFixture:
--- a/tobiko/openstack/stacks/_redhat.py
+++ b/tobiko/openstack/stacks/_redhat.py
@ -71,6 +71,7 @@ class RhelImageFixture(glance.URLGlanceImageFixture):
    username = CONF.tobiko.rhel.username or 'cloud-user'
    password = CONF.tobiko.rhel.password
    connection_timeout = CONF.tobiko.rhel.connection_timeout
+    disabled_algorithms = CONF.tobiko.rhel.disabled_algorithms


 class RedHatFlavorStackFixture(_centos.CentosFlavorStackFixture):
--- a/tobiko/openstack/stacks/_ubuntu.py
+++ b/tobiko/openstack/stacks/_ubuntu.py
@ -44,6 +44,7 @@ class UbuntuMinimalImageFixture(glance.URLGlanceImageFixture):
    username = CONF.tobiko.ubuntu.username or 'ubuntu'
    password = CONF.tobiko.ubuntu.password or 'ununtu'
    connection_timeout = CONF.tobiko.ubuntu.connection_timeout or 600.
+    disabled_algorithms = CONF.tobiko.ubuntu.disabled_algorithms


 IPERF3_SERVICE_FILE = """
--- a/tobiko/shell/ssh/_client.py
+++ b/tobiko/shell/ssh/_client.py
@ -151,6 +151,9 @@ SSH_CONNECT_PARAMETERS = {

    #: Command to be executed to open proxy sock
    'proxy_command': str,
+
+    #: Allow to disable some algorithms for old servers
+    'disabled_algorithms': dict
 }


--- a/upper-constraints.txt
+++ b/upper-constraints.txt
@ -281,7 +281,7 @@ ovs===2.16.0
 ovsdbapp===1.13.0
 packaging===21.3
 pact===1.12.0
-paramiko===2.8.1
+paramiko===2.10.4
 passlib===1.7.4
 Paste===3.5.0
 PasteDeploy===2.1.1