WIP: DO NOT MERGE: RHEL 9 smoke test #538
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
f9637ce to 8cb4fa2
8cb4fa2 to 2dbec98
/test all
/test perfscale-aws-ingress-perf
An additional sample: /test perfscale-aws-ingress-perf
/test e2e-upgrade
/test perfscale-aws-ingress-perf
/test perfscale-aws-ingress-perf
/test e2e-upgrade
/retest
The origin test "when FIPS is disabled the HAProxy router should serve routes when configured with a 1024-bit RSA key" fails because HAProxy 2.6.13 with OpenSSL 3 (on RHEL 9) fails to start. Pulling out the cert data from: https://github.com/openshift/origin/blob/master/test/extended/router/certs.go#L79 we see the following:
which actually doesn't tell us very much. If you run with haproxy-2.8.3 then you see a hint at what's actually at fault:
Notably "ca md too weak". Peeking at the certificate I see that the signature is based on SHA-1:
SHA-1 is now considered a weak hashing algorithm due to its susceptibility to collision attacks. This is likely the reason HAProxy is reporting "ca md too weak". Running:

```
% openssl genrsa -out testkey.pem 1024
% openssl req -new -x509 -sha256 -key testkey.pem -out testcert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:
% cat testcert.pem testkey.pem > testrun/certs/domain.pem
```

and checking again with haproxy's

```
% ocp-haproxy-2.8.3 -c -f ./testrun/haproxy/
Configuration file is valid
% ocp-haproxy-2.6.13 -c -f ./testrun/haproxy/
Configuration file is valid
```

Looking at the signature of the new certs we now have SHA-256:
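An added example, not part of this PR or the router project's code: a standard-library check that reads the signatureAlgorithm of a certificate (DER, or the first certificate in a PEM bundle such as the `domain.pem` built above) and flags MD5 or SHA-1 signatures like the one the comment above identifies. The function names are hypothetical, and `sample_cert` builds constructed certificate-shaped bytes, not a real certificate.

```python
import base64

# DER content bytes of the signatureAlgorithm OID (hex) -> (name, digest).
SIG_ALGS = {
    "2a864886f70d010104": ("md5WithRSAEncryption", "md5"),        # 1.2.840.113549.1.1.4
    "2a864886f70d010105": ("sha1WithRSAEncryption", "sha1"),      # 1.2.840.113549.1.1.5
    "2a864886f70d01010b": ("sha256WithRSAEncryption", "sha256"),  # 1.2.840.113549.1.1.11
}
WEAK_DIGESTS = {"md5", "sha1"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_digest(cert):
    """Return (algorithm, digest, is_weak) for a DER cert or a PEM bundle."""
    if b"-----BEGIN CERTIFICATE-----" in cert:  # first cert only; ignores any key
        body = cert.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
        cert = base64.b64decode(body.split(b"-----END CERTIFICATE-----", 1)[0])
    tag, start, _ = read_tlv(cert, 0)           # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(cert, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = cert[oid_start:oid_end].hex()
    name, digest = SIG_ALGS.get(oid, ("oid:" + oid, "unknown"))
    return name, digest, digest in WEAK_DIGESTS

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(body)
    size = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + size + body

def sample_cert(sig_oid_hex):
    """Constructed skeleton: dummy tbsCertificate, given OID, 128-byte signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, bytes(200)) + alg + tlv(0x03, bytes(129)))
```

Reading a real file is `signature_digest(open(path, "rb").read())`; an OID outside the table comes back as `unknown` rather than as safe.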
The RPM associated with this PR has been untagged. Any further test iterations on this PR will fail because the RPM is no longer available. Slack thread: https://redhat-internal.slack.com/archives/CB95J6R4N/p1701271843429409?thread_ts=1674550176.823119&cid=CB95J6R4N.
Created /test images
/test images
/test images
@frobware: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
WORKDIR /go/src/github.com/openshift/router | ||
COPY . . | ||
RUN make | ||
|
||
FROM registry.ci.openshift.org/ocp/4.15:base | ||
FROM registry.ci.openshift.org/ocp/4.15:base-rhel9 |
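Review bot: the runtime-stage `FROM` is switched to `registry.ci.openshift.org/ocp/4.15:base-rhel9` without any comment in the Dockerfile explaining the base change, while the builder stage shown above it (`COPY . .`, `RUN make`) is untouched in this hunk. Please confirm the binary produced by the builder stage is meant to run on the RHEL 9 base, and add a one-line comment above the new `FROM` noting that this image now ships the RHEL 9 / OpenSSL 3 runtime, since per the discussion on this PR that changes which certificates HAProxy will load. The `4.15` release tag is also hard-coded in the image reference, so it needs to be kept in step with the branch this lands on.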
Needs to be /4.16:...
Ah thanks
/close
PR needs rebase.
@gcs278: Closed this PR. In response to this:
No description provided.