Public bug reported:

In Liberty, key pair creation (previously done via ssh-keygen) was replaced with paramiko library calls. While paramiko was listed as a dependency in Liberty, it wasn't actually used until that commit.

  Replace ssh exec calls with paramiko lib
  https://review.openstack.org/#/c/157931/

The above commit was unintentionally backwards incompatible. Specifically, it changed the SSH key ASN.1 encoding from DER to BER. Apparently golang doesn't support BER, meaning tools like Terraform no longer work with OpenStack.

  ssh-keygen-to-Paramiko change breaks third-party tools
  https://bugs.launchpad.net/nova/+bug/1483132

This has since been fixed in paramiko 2.0, but that major version bump doesn't make it into Nova until Newton, meaning these third-party tools are unusable for Liberty & Mitaka in the meantime.

  stable/liberty:   paramiko>=1.13.0
                    upper-constraints: paramiko===1.16.0
  stable/mitaka:    paramiko>=1.16.0
                    upper-constraints: paramiko===1.16.0
  master (newton):  paramiko>=2.0
                    upper-constraints: paramiko===2.0.2

The bump to paramiko 2.0 was a big change, complete with a huge red warning in the changelog (which I suspect makes a backport that bumps the paramiko version to 2.0+ unrealistic for Liberty & Mitaka).

  http://www.paramiko.org/changelog.html
  http://bitprophet.org/blog/2016/04/23/paramiko-2.0-is-coming/

The switch to paramiko also introduced a number of Nova regressions along the way.

  Tolerate installation of pycryptodome
  https://review.openstack.org/#/c/279909/

  crypto: Add support for Paramiko 2.x
  https://review.openstack.org/#/c/314592/

  Drop paramiko < 2 compat code
  https://review.openstack.org/#/c/314639/

All this, coupled with the known security implications of using the older paramiko versions, makes me think that perhaps we should just go back to using ssh-keygen.

Ideally, I'd like to backport this change all the way down to stable/liberty.

** Affects: nova
     Importance: Undecided
       Assignee: Diana Clarke (diana-clarke)
         Status: In Progress

** Changed in: nova
       Assignee: (unassigned) => Diana Clarke (diana-clarke)
https://bugs.launchpad.net/bugs/1621536

Title:
  Remove paramiko dependency

Status in OpenStack Compute (nova):
  In Progress
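The report above turns on one detail: a key that is valid BER but not strict DER is rejected by consumers such as Go's encoding/asn1 (indefinite lengths, non-minimal length octets and non-minimal INTEGER contents are all BER-only). The checker below is an added example, not code from the bug report, Nova or paramiko; it takes a PEM-wrapped blob, decodes it and reports every place where the encoding departs from strict DER, which is the kind of regression test that would have flagged the Liberty change before Terraform users hit it. The ASN.1 byte strings and the PEM wrapper are constructed toy structures (SEQUENCE of two INTEGERs), not real key material.

```python
"""Tell strict DER apart from looser BER in a PEM-wrapped ASN.1 blob.

Added example; not Nova or paramiko code. Handles the constructs found in
RSA/DSA private keys (low tag numbers, SEQUENCE, INTEGER) and reports the
BER-only encodings that strict DER parsers such as Go's encoding/asn1 reject.
"""
import base64
import re
from typing import List

PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(1).split()))


def _read_tlv(data: bytes, pos: int, problems: List[str], path: str) -> int:
    """Walk one tag-length-value element starting at pos; return end offset."""
    if pos + 1 >= len(data):
        raise ValueError("truncated element at offset %d" % pos)
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled (not used in keys)")
    first = data[pos]
    pos += 1

    if first == 0x80:
        # Indefinite length: content runs until an end-of-contents (00 00).
        problems.append("%s: indefinite-length encoding (BER only)" % path)
        child = 0
        while not (pos + 1 < len(data) and data[pos] == 0 and data[pos + 1] == 0):
            pos = _read_tlv(data, pos, problems, "%s/%d" % (path, child))
            child += 1
        return pos + 2

    if first < 0x80:
        length = first                      # short form, always minimal
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad long-form length at offset %d" % (pos - 1))
        lbytes = data[pos:pos + nbytes]
        pos += nbytes
        length = int.from_bytes(lbytes, "big")
        if lbytes[0] == 0:
            problems.append("%s: length has leading zero bytes (non-minimal)" % path)
        elif length < 0x80:
            problems.append("%s: long-form length used for value < 128 (non-minimal)" % path)

    end = pos + length
    if end > len(data):
        raise ValueError("length exceeds data at offset %d" % pos)
    content = data[pos:end]

    if tag & 0x20:                          # constructed: recurse into children
        child_pos, child = pos, 0
        while child_pos < end:
            child_pos = _read_tlv(data, child_pos, problems, "%s/%d" % (path, child))
            child += 1
        if child_pos != end:
            problems.append("%s: child elements overrun the enclosing length" % path)
    elif tag == 0x02:                       # INTEGER: contents must be minimal
        if not content:
            problems.append("%s: empty INTEGER" % path)
        elif len(content) > 1 and (
            (content[0] == 0x00 and content[1] < 0x80)
            or (content[0] == 0xFF and content[1] >= 0x80)
        ):
            problems.append("%s: INTEGER not minimally encoded" % path)
    return end


def der_problems(data: bytes) -> List[str]:
    """Return a list of strict-DER violations; empty means the blob is DER."""
    problems: List[str] = []
    end = _read_tlv(data, 0, problems, "top")
    if end != len(data):
        problems.append("%d trailing bytes after top-level element" % (len(data) - end))
    return problems


def is_strict_der(data: bytes) -> bool:
    return not der_problems(data)


# Constructed samples: SEQUENCE { INTEGER 0, INTEGER 5 } in four encodings.
STRICT = bytes.fromhex("3006 020100 020105")               # valid DER
LONG_FORM_LENGTH = bytes.fromhex("308106 020100 020105")   # 0x81 0x06 for length 6
INDEFINITE_LENGTH = bytes.fromhex("3080 020100 020105 0000")
NON_MINIMAL_INTEGER = bytes.fromhex("3007 02020005 020105")  # INTEGER 00 05

# Constructed PEM wrapper around the strict sample (not a real key).
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.b64encode(STRICT).decode()
    + "\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, blob in [("strict", STRICT), ("long-form length", LONG_FORM_LENGTH),
                       ("indefinite length", INDEFINITE_LENGTH),
                       ("non-minimal INTEGER", NON_MINIMAL_INTEGER)]:
        print(name, "->", der_problems(blob) or "strict DER")
    print("PEM sample ->", der_problems(pem_to_der(SAMPLE_PEM)) or "strict DER")
```

Running `der_problems(pem_to_der(open("key.pem").read()))` against the output of a key-generation path (ssh-keygen or a library) gives a concrete, library-independent gate for a CI job: an empty list means any strict DER consumer can parse the key; anything else is the Go-side failure described in bug 1483132, surfaced before release.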