circleci: add a job using libssh#8444
Closed
bagder wants to merge 3 commits into
Closed
Conversation
Member
Author
|
I spotted that we have no CI build using libssh |
Member
Author
|
This makes test 1459 fail, using On my local machine I have |
... and make test 1459 check for the different return code then.
bagder
added a commit
that referenced
this pull request
Feb 14, 2022
pghmcfc
added a commit
to pghmcfc/curl
that referenced
this pull request
Mar 6, 2022
The 'oldlibssh' feature indicates that the error code returned by libssh for a broken known_hosts file should be 67 rather than 60 (test1459). This feature was added as part of curl#8444 with 'oldlibssh' mapping to libssh versions prior to 0.9.6, and then refined as part of curl#8511 to map to versions prior to 0.9.5. In Red Hat Enterprise Linux 8.5 there is a patched version of libssh version 0.9.4 (https://git.centos.org/rpms/libssh/blob/c8/f/SOURCES) in which test1459 fails because it returns the "new" value rather than the "old" one. It's plausible that one of the patches is responsible for this rather than the underlying code but I don't think so. This change therefore drops the 'oldlibssh' version check to map to libssh versions older than 0.9.4, which fixes builds on RHEL-8.
bagder
pushed a commit
that referenced
this pull request
Mar 7, 2022
The 'oldlibssh' feature indicates that the error code returned by libssh for a broken known_hosts file should be 67 rather than 60 (test1459). This feature was added as part of #8444 with 'oldlibssh' mapping to libssh versions prior to 0.9.6, and then refined as part of #8511 to map to versions prior to 0.9.5. In Red Hat Enterprise Linux 8.5 there is a patched version of libssh version 0.9.4 (https://git.centos.org/rpms/libssh/blob/c8/f/SOURCES) in which test1459 fails because it returns the "new" value rather than the "old" one. It's plausible that one of the patches is responsible for this rather than the underlying code but I don't think so. This change therefore drops the 'oldlibssh' version check to map to libssh versions older than 0.9.4, which fixes builds on RHEL-8. Closes #8548
This was referenced Nov 16, 2025
vszakats
added a commit
that referenced
this pull request
Nov 16, 2025
…I libssh job) test 1459 "SFTP with corrupted known_hosts" was seen failing in the past. To fix it, the test was automatically disabled when detecting libssh 0.9.3 or older, as in the curl CircleCI job, running on Ubuntu 20.04. This work for a long time, until bumping the CircleCI runner to Ubuntu 22.04 (to have OpenSSL 3), where the test was running again, and failing with the isssue seen in the past. - Test skipped with Ubuntu 20.04 (libssh 0.9.3): https://app.circleci.com/pipelines/github/curl/curl/16445/workflows/7f198763-e0b0-4037-9245-4c4b40ab8726/jobs/155164 - Failure seen with Ubuntu 22.04 (libssh 0.9.6): https://app.circleci.com/pipelines/github/curl/curl/16452/workflows/b817a808-0fd4-40b0-8eb0-d064926efe12/jobs/155206?invite=true#step-107-211709_45 - Failure seen with Ubuntu 24.04 (libssh 0.10.6): https://app.circleci.com/pipelines/github/curl/curl/16455/workflows/86c631f1-3c5f-4438-b398-3df2bdab5d20/jobs/155218 Turns out the issue issue isn't libssh 0.9.3 itself, but a CircleCI-specific default configuration in `/etc/ssh/ssh_config`: ``` # BEGIN ANSIBLE MANAGED BLOCK Host * StrictHostKeyChecking no <------ this particular line HashKnownHosts no SendEnv LANG LC_* # END ANSIBLE MANAGED BLOCK ``` libssh will consult configuration files on hard-coded default system locations and alter its behavior based on settings found in them. This libssh behavior is present in all supported versions: https://gitlab.com/libssh/libssh-mirror/-/commit/5a2abd34ce9ad97c69906c5fb7b07e26e96fceaa https://gitlab.com/libssh/libssh-mirror/-/tags/libssh-0.9.0 It means the existing disable logic based on libssh version worked by coincidence, and what needs to be checked is these configurations to decide if it's safe to run the test. Another, simpler option is to also accept the result code 67, though in that case the test wouldn't actually test what we want, but would pass anyway. With the old `oldlibssh` workaround deleted, and the problematic setting manually overridden (`StrictHostKeyChecking yes`): - CircleCI Ubuntu 20.04 passes with 1459 enabled: https://app.circleci.com/pipelines/github/curl/curl/16483/workflows/87a9f389-76a2-4a32-acde-c0b411a4c842/jobs/155302 - CircleCI Ubuntu 22.04 does too: https://app.circleci.com/pipelines/github/curl/curl/16483/workflows/87a9f389-76a2-4a32-acde-c0b411a4c842/jobs/155303 To fix, replace the `runtests` `oldlibssh` detection logic to parse libssh config files (instead of checking for libssh version) and disable test 1459 based on that. Notice the detection is making a light attempt to parse these files, and does not implement most config file features (such as includes, quoted values and `=` operator.) The new runtests workaround tests OK with the: - default CircleCI configuration, disabling 1459 automatically. - a sudoless configuration fix, with 1459 run successfully. Also keep setting this option in CircleCI jobs. - a sudo configuration fix, with 1459 run successfully. Ref: https://app.circleci.com/pipelines/github/curl/curl/16492/workflows/56f39335-97ba-412c-9a9b-3d662694375a GHA jobs are not affected and they work fine, with 1459 running successfully before and after this patch. It's possible the libssh API offers ways to control config file use and/or set the strict host checking option programatically. Maybe to enable in debug mode (albeit CircleCI job are not debug-enabled), or offer an option for them. It may be something for a future patch. Follow-up to 2354092 #8622 Follow-up to 4b01a57 #8548 Follow-up to bdc664a #8490 Follow-up to 7c140f6 #8444 Ref: 6d9c5c9 #19549 Closes #19557
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.