cirros-dev / cirros

Cirros does not support rsa-sha2 #77

Closed lpiwowar closed 2 years ago

lpiwowar commented 2 years ago

Hi :), thanks for maintaining the Cirros image.

We currently have an issue with using Cirros for OpenStack testing with the tempest library [1]. Tempest uses paramiko (an ssh library) to connect to Cirros VMs. Recently a new paramiko version was released and with it the support of rsa-sha1 changed. The paramiko library no longer uses rsa-sha1 as the default algorithm for ssh and switched to rsa-sha2 [6]. This is a problem for us because Cirros does not support rsa-sha2, which prevents us from connecting to it.

I did a little investigation and this is what I found:

Is there a plan to move to a newer version of buildroot? What I understand from line [2] is that changing the version of buildroot is not an easy task (this would probably fix the issue as a newer version of buildroot supports a newer version of dropbear).

Or would it be possible to patch the current version of buildroot so it uses the newer version of dropbear? (I have tried to do so myself but I have encountered some problems - buildroot was failing to apply patches it uses for dropbear [5].)

[1] https://bugs.launchpad.net/tempest/+bug/1960692
[2] https://github.com/cirros-dev/cirros/blob/77a944c1e65f57ec145e8502eec1a02bd7e99a84/bin/build-release#L31
[3] https://github.com/buildroot/buildroot/blob/5a6d31c87e1573bc83986471c194b944d7a365b7/package/dropbear/dropbear.mk#L7
[4] https://mirror.dropbear.nl/mirror/CHANGES
[5] https://github.com/buildroot/buildroot/blob/2019.02.x/package/dropbear/0001-only-advertise-single-server-ecdsa-key-when-R-is-used.patch
[6] https://www.paramiko.org/changelog.html#2.9.0
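Added example, not part of the original thread and not Cirros, dropbear or paramiko code: one way to check whether an SSH server advertises rsa-sha2 host-key algorithms is to parse the `server_host_key_algorithms` name-list of its SSH_MSG_KEXINIT payload (RFC 4253, section 7.1). The function names and both sample payloads are constructed for illustration, and the check covers only the host-key list, not what the server accepts for public-key authentication.

```python
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
)
RSA_SHA2 = {"rsa-sha2-256", "rsa-sha2-512"}


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, fields = 17, {}  # skip the message type byte and 16-byte cookie
    for name in NAME_LISTS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"{name} overruns payload")
        raw = payload[offset:offset + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        offset += length
    return fields


def rsa_hostkey_support(payload: bytes) -> dict:
    """Report which RSA host-key signature algorithms the server advertises."""
    offered = parse_kexinit(payload)["server_host_key_algorithms"]
    return {
        "sha1_only": "ssh-rsa" in offered and not RSA_SHA2 & set(offered),
        "rsa_sha2": sorted(RSA_SHA2 & set(offered)),
    }


def build_kexinit(host_key_algs: list) -> bytes:
    """Build a constructed sample payload; every list except host keys is fixed."""
    lists = ["curve25519-sha256", ",".join(host_key_algs), "aes128-ctr",
             "aes128-ctr", "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(s)) + s.encode("ascii") for s in lists)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)


# Constructed samples, not captures from a real Cirros image.
OLD_SERVER = build_kexinit(["ssh-rsa", "ssh-dss"])
NEW_SERVER = build_kexinit(["rsa-sha2-256", "ssh-rsa", "ssh-ed25519"])
```

A server that reports `sha1_only` as true offers RSA host keys with SHA-1 signatures only, which is the situation the issue describes for a client that has moved to rsa-sha2.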

osfrickler commented 2 years ago

Thanks for your interest in cirros. I have already prepared a setup with a newer buildroot, I just need to find some time to finalize it. See https://github.com/osfrickler/cirros/tree/updates for my current state of things; if you want to build an image from that and test it, that would be helpful.

lpiwowar commented 2 years ago

@osfrickler thanks, having a cirros image built with a newer version of buildroot would probably help us.

I checked your updates branch. I have successfully built the image. But I have some problems with running the built image. So far it seems to be an issue on my side. I will let you know how it went.

lpiwowar commented 2 years ago

@osfrickler I have successfully run the image and tested it with a newer version of paramiko and it worked! I am not sure if everything is ok with the image. I did not test it that thoroughly but I was able to connect to it using rsa-sha2.

rh-jelabarre commented 2 years ago

When the Cirros image gets updated to support rsa-sha2, will that require dropping rsa-sha1 support? Since I will still have to be testing/validating for older OpenStack versions, I'd need to see if we have to pull a particular Cirros version rather than defaulting to the latest. Not so much of a problem as long as I know what my configuration will need to be.

lpiwowar commented 2 years ago

@rh-jelabarre I think that both rsa-sha2 and rsa-sha1 should be supported but I am not 100% sure. Maybe someone else should answer this.

hrw commented 2 years ago

0.6 release will have dropbear v2020.81 - should be enough.

hrw commented 2 years ago

0.6.0 is released