Fixes #38361 - Use the system's SSH instead of net/ssh for provisioning

Open stejskalleos opened this issue 9 months ago • 9 comments

Ruby's net/ssh implementation fails to connect to RHEL8 and RHEL8 with FIPS enabled.

To avoid problems in the future, use the system's SSH instead of Ruby's.

Notes

  • Foreman::Provision::Ssh is used only in core and deprecated plugins; changes should not affect outsiders.
  • If password and key are present in options, key takes precedence over the password.

Related PRs

  • https://github.com/theforeman/foreman-packaging/pull/11946

stejskalleos avatar Apr 10 '25 07:04 stejskalleos

Sample rake task for testing:

namespace :ssh do
  # Loads the Rails environment so Foreman::Provision::Ssh is available.
  task :play => :environment do
    options = {
      # Local script that gets uploaded and executed on the host.
      template: '/path/to/ssh_template.sh',
      # Both methods given on purpose: the key must win over the password.
      password: 'vagrant',
      key_data: File.read('path/to/.ssh/id_rsa'),
    }

    client = Foreman::Provision::Ssh.new('vm-ip-or-hostname', 'root', options)

    # deploy! returns true only when the remote script exited successfully.
    if client.deploy!
      puts "SSH command executed successfully"
    else
      puts "SSH command failed"
    end
  end
end

stejskalleos avatar Apr 10 '25 07:04 stejskalleos

Added

  • Cleanup of the script after the execution
  • Check for authentication methods. If both are available, the key takes precedence over the password.

stejskalleos avatar Apr 17 '25 07:04 stejskalleos

> Have you considered these?

I didn't. So if we cannot use scp, does it mean we have to stick with net-scp, therefore scratching this effort?

stejskalleos avatar Apr 29 '25 12:04 stejskalleos

> So if we cannot use scp, does it mean we have to stick with net-scp, therefore scratching this effort?

Not really. IIRC scp was deprecated in favor of sftp, so you could either use that or roll your own. In rex we essentially do echo 'contents' | ssh user@host tee /path/on/the/remote

adamruzicka avatar Apr 29 '25 12:04 adamruzicka

> Not really. IIRC scp was deprecated in favor of sftp, so you could either use that or roll your own. In rex we essentially do echo 'contents' | ssh user@host tee /path/on/the/remote

I think it is confusing. My interpretation is that the scp protocol is deprecated but in EL9 the scp utility now uses the sftp protocol under the hood.

https://devcoops.com/sftp-transfer-files-through-cli-non-interactive/ has some examples of non-interactive sftp utility usage which can also be considered.

ekohl avatar Apr 29 '25 13:04 ekohl

@ekohl If the scp utility uses the sftp protocol, this PR will work as intended, right?

With sftp, I couldn't find a way to upload a local file to a specific remote file, which is problematic with the whole remote_script naming. So, can we keep it as it is?

stejskalleos avatar May 02 '25 10:05 stejskalleos

@ekohl @adamruzicka rebased and updated, replaced scp with sftp.

stejskalleos avatar May 06 '25 11:05 stejskalleos
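The thread above settles three design points: the key wins over the password when both are given, the script is uploaded with sftp under a chosen remote name, and the file is removed after execution. The class below is an added illustration of that flow written for this page; it is not Foreman's Foreman::Provision::Ssh, and every name in it (SystemSshProvisioner, auth_method, sftp_batch, connection_args, remote_command, the PROVISION_PASSWORD variable) is an assumption. It drives the system ssh and sftp binaries through Open3, keeps the private key in a 0600 temp file that is unlinked afterwards, and, because OpenSSH has no command-line flag for a password, feeds one through an SSH_ASKPASS program with SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4 and newer).

```ruby
require 'open3'
require 'shellwords'
require 'tempfile'

# Added example, not Foreman's code: a provisioning helper that shells out to
# the system's ssh/sftp binaries instead of the net/ssh and net/scp gems.
class SystemSshProvisioner
  attr_reader :host, :user, :options

  # options: :template (local script path), :key_data (private key text),
  #          :password. When both are present the key takes precedence.
  def initialize(host, user, options = {})
    @host, @user, @options = host, user, options
  end

  def auth_method
    return :key if present?(options[:key_data])
    return :password if present?(options[:password])
    raise ArgumentError, 'no authentication method given (key_data or password)'
  end

  # The script lands under an explicit remote name and is removed afterwards.
  def remote_script
    @remote_script ||= "/tmp/provision-#{Process.pid}.sh"
  end

  # sftp batch input: `put local remote` chooses the remote file name.
  def sftp_batch(local_path)
    "put #{local_path} #{remote_script}\n"
  end

  # Shared ssh/sftp options. With a key, BatchMode=yes disables every prompt so
  # a rejected key fails fast; host key checking is left at its default.
  def connection_args(key_file = nil)
    args = ['-o', 'ConnectTimeout=10']
    args += ['-o', 'BatchMode=yes', '-i', key_file] if auth_method == :key
    args
  end

  # Run the script, remember its exit status, and always delete it.
  def remote_command
    r = Shellwords.escape(remote_script)
    "chmod 0700 #{r} && #{r}; rc=$?; rm -f #{r}; exit $rc"
  end

  def deploy!
    key_file = write_key_file
    env = askpass_env
    target = "#{user}@#{host}"
    args = connection_args(key_file&.path)

    # Upload: sftp reads the batch commands from stdin (-b -).
    _out, _err, status = Open3.capture3(env, 'sftp', '-b', '-', *args, target,
                                        stdin_data: sftp_batch(options[:template]))
    return false unless status.success?

    # Execute and clean up; success means the script itself exited 0.
    _out, _err, status = Open3.capture3(env, 'ssh', *args, target, remote_command)
    status.success?
  ensure
    key_file&.close!   # unlink the private key from disk
    @askpass&.close!   # unlink the askpass helper
  end

  private

  def present?(value)
    value.is_a?(String) && !value.strip.empty?
  end

  # Private key material goes into a 0600 temp file, unlinked in `ensure`.
  def write_key_file
    return nil unless auth_method == :key
    f = Tempfile.new('provision-key')
    f.chmod(0o600)
    f.write(options[:key_data])
    f.flush
    f
  end

  # The askpass program reads the password from the environment, so the
  # secret itself is never written to disk.
  def askpass_env
    return {} unless auth_method == :password
    @askpass = Tempfile.new('provision-askpass')
    @askpass.write("#!/bin/sh\nprintf '%s\\n' \"$PROVISION_PASSWORD\"\n")
    @askpass.chmod(0o700)
    @askpass.flush
    { 'SSH_ASKPASS' => @askpass.path, 'SSH_ASKPASS_REQUIRE' => 'force',
      'PROVISION_PASSWORD' => options[:password] }
  end
end
```

The `remote_command` string is the part worth copying: chaining `rm -f` after the script while preserving the script's own exit code in `rc` gives the caller a truthful `deploy!` result and never leaves the rendered template on the host, even when the script fails.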

@adamruzicka @ekohl CI is green and all the comments have been addressed. IMO the PR is ready for QE, WDYT?

stejskalleos avatar May 09 '25 05:05 stejskalleos

@ShimShtein can you take a look please?

stejskalleos avatar May 22 '25 11:05 stejskalleos

@adamruzicka I think it's OK. If you're also OK with it, please push the green button :)

ShimShtein avatar Jun 22 '25 14:06 ShimShtein

Thank you @stejskalleos !

adamruzicka avatar Jun 23 '25 07:06 adamruzicka

Late to the party, but should this have dropped the gem dependencies: https://github.com/theforeman/foreman/blob/f4246cdaca1d0039d93de65cda9e52862c02f81b/Gemfile#L30-L31

ekohl avatar Jul 01 '25 10:07 ekohl

Created a PR for it https://github.com/theforeman/foreman/pull/10588; once it's green I'll update foreman-packaging as well.

stejskalleos avatar Jul 01 '25 11:07 stejskalleos