From: Anil Belur <abelur@linuxfoundation.org>
Date: Tue, 4 Jul 2023 07:38:19 +0000 (+1000)
Subject: Fix: Remove unwanted extra args
X-Git-Tag: v0.14.1^0
X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=09cb3bcf48185afdc5af0a548be904491ae215de;p=releng%2Fcommon-packer.git

Fix: Remove unwanted extra args

RSA/SHA-1 was deprecated since the OpenSSH release 8.8.
This causes builds with latest version of packer to fail with the
below error:

Error:

Data could not be sent to remote host "127.0.0.1". Make sure this
host can be reached over ssh: command-line: line 0: Bad
configuration option: pubkeyacceptedalgorithms.

Add workaroud and pass required HostKeyAlgorithms through ssh extra
argumements. Testing with cloud builds and since we are using multiple
flavors the only options required are "IdentitiesOnly=yes"
and "HostKeyAlgorithms=+ssh-rsa".

Issue: RELENG-4764
Ref: https://github.com/hashicorp/packer-plugin-ansible/issues/69
Change-Id: I80ff152d5153d739d6586c217fbc392e8be80f2a
Signed-off-by: Anil Belur <abelur@linuxfoundation.org>
---

diff --git a/releasenotes/notes/fix-templates-ssh-hostkeyalgos-3b1088d7187e0ec9.yaml b/releasenotes/notes/fix-templates-ssh-hostkeyalgos-3b1088d7187e0ec9.yaml
new file mode 100644
index 0000000..d7aa198
--- /dev/null
+++ b/releasenotes/notes/fix-templates-ssh-hostkeyalgos-3b1088d7187e0ec9.yaml
@@ -0,0 +1,13 @@
+---
+issues:
+  - |
+    RSA/SHA-1 was deprecated in the latest OpenSSH release 8.8
+    causing builds fail with the following error:
+
+    Data could not be sent to remote host "127.0.0.1". Make sure this host
+    can be reached over ssh: command-line: line 0: Bad configuration
+    option: pubkeyacceptedalgorithms
+fixes:
+  - |
+    Add workaroud and pass required HostKeyAlgorithms through ssh extra
+    argumements.
diff --git a/templates/builder-aws.pkr.hcl b/templates/builder-aws.pkr.hcl
index 0878e63..448331e 100644
--- a/templates/builder-aws.pkr.hcl
+++ b/templates/builder-aws.pkr.hcl
@@ -181,8 +181,7 @@ build {
     ]
     command            = "./common-packer/ansible-playbook.sh"
     extra_arguments    = [
-        "--scp-extra-args", "'-O'",
-        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"
+        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa"
     ]
     playbook_file      = "provision/local-builder.yaml"
     skip_version_check = true
diff --git a/templates/builder.pkr.hcl b/templates/builder.pkr.hcl
index 25e7c7b..ab331b0 100644
--- a/templates/builder.pkr.hcl
+++ b/templates/builder.pkr.hcl
@@ -143,9 +143,18 @@ build {
   }
 
   provisioner "ansible" {
-    ansible_env_vars   = ["ANSIBLE_NOCOWS=1", "ANSIBLE_PIPELINING=True", "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}", "ANSIBLE_CALLBACK_WHITELIST=profile_tasks", "ANSIBLE_STDOUT_CALLBACK=debug"]
+    ansible_env_vars   = [
+        "ANSIBLE_NOCOWS=1",
+        "ANSIBLE_PIPELINING=False",
+        "ANSIBLE_HOST_KEY_CHECKING=False",
+        "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
+        "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
+        "ANSIBLE_STDOUT_CALLBACK=debug"
+    ]
     command            = "./common-packer/ansible-playbook.sh"
-    extra_arguments    = ["--scp-extra-args", "'-O'", "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"]
+    extra_arguments    = [
+        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa"
+    ]
     playbook_file      = "provision/local-builder.yaml"
     skip_version_check = true
   }
diff --git a/templates/devstack-pre-pip-yoga.pkr.hcl b/templates/devstack-pre-pip-yoga.pkr.hcl
index 3453914..da3c366 100644
--- a/templates/devstack-pre-pip-yoga.pkr.hcl
+++ b/templates/devstack-pre-pip-yoga.pkr.hcl
@@ -146,9 +146,19 @@ build {
   }
 
   provisioner "ansible" {
-    ansible_env_vars   = ["ANSIBLE_DEBUG=False", "ANSIBLE_NOCOWS=1", "ANSIBLE_PIPELINING=True", "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}", "ANSIBLE_CALLBACK_WHITELIST=profile_tasks", "ANSIBLE_STDOUT_CALLBACK=debug"]
+    ansible_env_vars   = [
+        "ANSIBLE_NOCOWS=1",
+        "ANSIBLE_PIPELINING=False",
+        "ANSIBLE_HOST_KEY_CHECKING=False",
+        "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
+        "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
+        "ANSIBLE_STDOUT_CALLBACK=debug"
+    ]
     command            = "./common-packer/ansible-playbook.sh"
-    extra_arguments    = ["--extra-vars", "os_branch=stable/yoga rdo_branch=yoga", "--scp-extra-args", "'-O'", "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"]
+    extra_arguments    = [
+        "--extra-vars", "os_branch=stable/yoga rdo_branch=yoga",
+        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa"
+    ]
     playbook_file      = "provision/devstack-pre-pip-centos.yaml"
     skip_version_check = true
   }
diff --git a/templates/devstack.pkr.hcl b/templates/devstack.pkr.hcl
index 9a815e5..13b613b 100644
--- a/templates/devstack.pkr.hcl
+++ b/templates/devstack.pkr.hcl
@@ -148,9 +148,19 @@ build {
   }
 
   provisioner "ansible" {
-    ansible_env_vars   = ["ANSIBLE_NOCOWS=1", "ANSIBLE_PIPELINING=True", "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}", "ANSIBLE_CALLBACK_WHITELIST=profile_tasks", "ANSIBLE_STDOUT_CALLBACK=debug"]
+    ansible_env_vars   = [
+        "ANSIBLE_NOCOWS=1",
+        "ANSIBLE_PIPELINING=False",
+        "ANSIBLE_HOST_KEY_CHECKING=False",
+        "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
+        "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
+        "ANSIBLE_STDOUT_CALLBACK=debug"
+    ]
     command            = "./common-packer/ansible-playbook.sh"
-    extra_arguments    = ["--scp-extra-args", "'-O'", "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"]
+    extra_arguments    = [
+        "--extra-vars", "os_branch=stable/yoga rdo_branch=yoga",
+        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa"
+    ]
     playbook_file      = "provision/devstack-centos.yaml"
     skip_version_check = true
   }
diff --git a/templates/docker-aws.pkr.hcl b/templates/docker-aws.pkr.hcl
index 63f0f50..38fb09f 100644
--- a/templates/docker-aws.pkr.hcl
+++ b/templates/docker-aws.pkr.hcl
@@ -171,9 +171,18 @@ build {
   }
 
   provisioner "ansible" {
-    ansible_env_vars   = ["ANSIBLE_NOCOWS=1", "ANSIBLE_PIPELINING=False", "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}", "ANSIBLE_CALLBACK_WHITELIST=profile_tasks", "ANSIBLE_STDOUT_CALLBACK=debug"]
+    ansible_env_vars   = [
+        "ANSIBLE_NOCOWS=1",
+        "ANSIBLE_PIPELINING=False",
+        "ANSIBLE_HOST_KEY_CHECKING=False",
+        "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
+        "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
+        "ANSIBLE_STDOUT_CALLBACK=debug"
+    ]
     command            = "./common-packer/ansible-playbook.sh"
-    extra_arguments    = ["--scp-extra-args", "'-O'", "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"]
+    extra_arguments    = [
+        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa"
+    ]
     playbook_file      = "provision/local-docker.yaml"
     skip_version_check = true
     user               = "${var.ssh_user}"
diff --git a/templates/docker.pkr.hcl b/templates/docker.pkr.hcl
index c4ebe54..2282cd2 100644
--- a/templates/docker.pkr.hcl
+++ b/templates/docker.pkr.hcl
@@ -150,16 +150,16 @@ build {
 
   provisioner "ansible" {
     ansible_env_vars   = [
-      "ANSIBLE_NOCOWS=1",
-      "ANSIBLE_PIPELINING=True",
-      "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
-      "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
-      "ANSIBLE_STDOUT_CALLBACK=debug"
+        "ANSIBLE_NOCOWS=1",
+        "ANSIBLE_PIPELINING=False",
+        "ANSIBLE_HOST_KEY_CHECKING=False",
+        "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
+        "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
+        "ANSIBLE_STDOUT_CALLBACK=debug"
     ]
     command            = "./common-packer/ansible-playbook.sh"
     extra_arguments    = [
-      "--scp-extra-args", "'-O'",
-      "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"
+        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa"
     ]
     playbook_file      = "provision/local-docker.yaml"
     skip_version_check = true
diff --git a/templates/windows-builder.pkr.hcl b/templates/windows-builder.pkr.hcl
index 94065fe..e6759b3 100644
--- a/templates/windows-builder.pkr.hcl
+++ b/templates/windows-builder.pkr.hcl
@@ -148,18 +148,18 @@ build {
 
   provisioner "ansible" {
     ansible_env_vars   = [
-      "ANSIBLE_NOCOWS=1",
-      "ANSIBLE_PIPELINING=True",
-      "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
-      "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
-      "ANSIBLE_STDOUT_CALLBACK=debug"
+        "ANSIBLE_NOCOWS=1",
+        "ANSIBLE_PIPELINING=False",
+        "ANSIBLE_HOST_KEY_CHECKING=False",
+        "ANSIBLE_ROLES_PATH=${var.ansible_roles_path}",
+        "ANSIBLE_CALLBACK_WHITELIST=profile_tasks",
+        "ANSIBLE_STDOUT_CALLBACK=debug"
     ]
     command            = "./common-packer/ansible-playbook.sh"
-    extra_arguments = [
-      "--extra-vars", "ansible_shell_type=powershell",
-      "--extra-vars", "ansible_shell_executable=None",
-      "--scp-extra-args", "'-O'",
-      "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"
+    extra_arguments    = [
+        "--extra-vars", "ansible_shell_type=powershell",
+        "--extra-vars", "ansible_shell_executable=None",
+        "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa"
     ]
     playbook_file   = "provision/local-windows-builder.yaml"
     skip_version_check = true