Page MenuHomePhabricator
Create Task
Maniphest T254013

all network devices must run OpenSSH >= 7.2p1 but != 7.4p1
Closed, ResolvedPublic
Actions

Description

Should happen before whenever OpenSSH upstream deprecates ssh-rsa (see parent T253824)

Currently-running versions:

Routers:

nameOpenSSH versionstatus
cr1-codfwOpenSSH_7.5
cr1-eqiadOpenSSH_7.5
cr1-eqsinSSH-2.0-OpenSSH_7.3
cr2-codfwOpenSSH_7.5
cr2-eqdfwSSH-2.0-OpenSSH_7.5
cr2-eqiadOpenSSH_7.5
cr2-eqordSSH-2.0-OpenSSH_7.5
cr2-eqsinSSH-2.0-OpenSSH_7.5
cr2-esamsOpenSSH_7.5
cr3-esamsOpenSSH_7.5
cr3-knamsSSH-2.0-OpenSSH_7.5
cr3-ulsfoSSH-2.0-OpenSSH_7.5
cr4-ulsfoSSH-2.0-OpenSSH_7.5
mr1-codfwSSH-2.0-OpenSSH_7.5
mr1-eqiadOpenSSH_7.5
mr1-eqsinOpenSSH_7.5
mr1-esamsSSH-2.0-OpenSSH_7.4
mr1-ulsfoOpenSSH_7.5

Switches:

fasw-c-codfwOpenSSH_7.5
fasw-c-eqiadOpenSSH_7.5
msw1-codfwSSH-2.0-OpenSSH_7.2
msw1-eqiadSSH-2.0-OpenSSH_7.3
asw1-eqsinOpenSSH_7.5
asw2-a-eqiadOpenSSH_7.5
asw2-b-eqiadOpenSSH_7.5
asw2-c-eqiadOpenSSH_7.5
asw2-d-eqiadOpenSSH_7.5
asw2-esamsSSH-2.0-OpenSSH_7.3
asw2-ulsfoOpenSSH_7.5
asw-a-codfwOpenSSH_7.5
asw-b-codfwOpenSSH_7.5
asw-c-codfwOpenSSH_7.5
asw-d-codfwSSH-2.0-OpenSSH_6.4

all drmrs is recent too.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedMoritzMuehlenhoffT253824 planned upstream deprecation of the ssh-rsa signing algorithm (RSA with SHA-1)
 ResolvedayounsiT254013 all network devices must run OpenSSH >= 7.2p1 but != 7.4p1
 ResolvedayounsiT316539 Upgrade network devices to Junos 20+
 ResolvedayounsiT316532 Upgrade POPs asw to Junos 21
 ResolvedayounsiT323094 asw1-eqsin: VC mastership change
 ResolvedNoneT295690 Upgrade core routers to Junos 21+
 ResolvedPapaulT316529 Upgrade management routers and switches to Junos 21
 ResolvedPapaulT295691 Upgrade pfw to Junos 20+
 ResolvedPapaulT316542 Upgrade fasw to Junos 21
 ResolvedcmooneyT316544 Upgrade cloudsw1-c8-eqiad and cloudsw1-d5-eqiad to Junos 20+
 ResolveddcaroT297083 [ceph] Getting rack level HA
 ResolvedRequest CmjohnsonT303058 hw troubleshooting: move cloudcephmon1003.eqiad.wmnet from rack B2 to rack C8
 Resolved CmjohnsonT304096 move cloudcephmon1002.eqiad.wmnet from rack B4 to rack D5
 Resolved nskaggsT329498 [ceph] Move cloudcephosd1001 (b7) and cloudcephosd1002 (b4) to rack e4
ResolvedBUG REPORTdcaroT329535 Cloud Ceph outage 2023-02-13
 ResolveddcaroT329709 [cookbooks.ceph] Add a cookbook to drain a ceph osd in a safe manner
 ResolveddcaroT329711 [ceph] Add monitoring for inter-osd/mon/cloudvirt connectivity
 OpenNoneT329778 [ceph] Investigate if there's a way to degrade instead of failing when jumbo frames are being dropped in the network
 ResolvedcmooneyT329799 Add network-layer protections to avoid inadvertently lowering IRB MTU
 Resolved nskaggsT329502 [ceph] Move cloudcephosd1003 (b2) to rack e4 and cloudcephosd1004 (c8) to rack f4
Resolved nskaggsT329504 [ceph] Move cloudcephosd1005 (c8) and cloudcephosd1010 (d5) to rack f4
ResolveddcaroT329507 [ceph] Test crush tree with rack level HA on codfw
 ResolvedRequestPapaulT330754 hw troubleshooting: Link hard down (probably cable) for cloudcephosd2002-dev.codfw.wmnet
 ResolveddcaroT331141 Change crushmap in eqiad to have rack HA
 ResolveddcaroT331145 [cookbooks] adapt to having an extra level of buckets in the crushmap
 ResolveddcaroT330733 Move coludcephmon1001 from B7 to rack F4
 OpenNoneT331636 [cookbooks.ceph] create a script to get the list of rbd images affected by stuck/inactive PGs
 ResolvedfgiunchediT336845 puppet: profile::auto_restarts::service: have a way to don't deploy the systemd timers
 ResolvedAndrewT371878 [network,D5] reboot cloudsw-d5
 ResolveddcaroT372528 [ceph] Metrics started not responding during the drain
 ResolveddcaroT374043 Drain C8 rack
 ResolvedayounsiT327248 eqiad/codfw virtual-chassis upgrades
 ResolvedayounsiT327925 codfw row A switches upgrade
 ResolvedMarosteguiT327997 Switchover s1 master (db2103 -> db2112)
 ResolvedMarosteguiT327998 Switchover s2 master (db2104 -> db2107)
 ResolvedMarosteguiT327999 Switchover s3 master (db2105 -> db2127)
 ResolvedMarosteguiT328000 Switchover s7 master (db2121 -> db2118)
 ResolvedMarosteguiT328001 Switchover x2 master (db2142 -> db2144)
 ResolvedayounsiT327991 codfw row B switches upgrade
 ResolvedMarosteguiT328022 Switchover s4 master (db2110 -> db2140)
 ResolvedMarosteguiT328023 Switchover s5 master (db2123 -> db2113)
 ResolvedMarosteguiT328024 Switchover s8 master (db2161 -> db2165)
 ResolvedcmooneyT329073 eqiad row A switches upgrade
 ResolvedMarosteguiT329141 Switchover m3 master db1164 -> db1159
 ResolvedMarosteguiT329143 Move db1164 to m1
 ResolvedMarosteguiT329259 Switchover m1 master (db1176 -> db1164)
 ResolvedMarosteguiT331382 Move db1101 to m3 and make it master
 ResolvedMarosteguiT331384 Switchover m3 master db1159 -> db1101
 ResolvedMarosteguiT331387 Switchover m3 master db1101 -> db1159
 ResolvedMarosteguiT331626 Mailman hasn't delivered emails since 2023-03-07 14 UTC (was: reviewer-bot is not working)
 ResolvedayounsiT330165 eqiad row B switches upgrade
 InvalidMarosteguiT330977 Move db1183 to m1
 ResolvedMarosteguiT331510 Switchover m1 master (db1164 -> db1101)
 ResolvedMarosteguiT331511 Move db1101 to m1
 ResolvedMarosteguiT330847 Switchover m5 master (db1183 -> db1176)
 ResolvedayounsiT331882 eqiad row C switches upgrade
 ResolvedLadsgroupT333123 Switchover m1 master (db1101 -> db1164)
 Resolved herronT333478 failover alert1001 to alert2001
 Resolved herronT333837 failover alert2001 to alert1001
 Declined herronT333838 alerting_host: Reduced availability for job icinga-am after failover event
 Resolved herronT333855 vopsbot needed manual restart after alerting hosts failover
 ResolvedcmooneyT333377 eqiad row D switches upgrade
 ResolvedayounsiT334049 codfw row C switches upgrade
 ResolvedayounsiT335042 codfw row D switches upgrade

Event Timeline

CDanis created this task.May 29 2020, 2:26 PM
ayounsi updated the task description. (Show Details)May 29 2020, 4:51 PM
ayounsi updated the task description. (Show Details)May 29 2020, 4:53 PM
ayounsi subscribed.May 29 2020, 4:56 PM
  • Junos recommended version for the MX480s have OpenSSH_6.9
  • The SRXs will need new models (SRX300) to support junos >12.1
  • Switches upgrades (when possible) are very impactful
ayounsi changed the task status from Open to Stalled.May 29 2020, 4:56 PM
ayounsi triaged this task as Low priority.
ayounsi updated the task description. (Show Details)Oct 28 2020, 3:10 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 9:00 PM
ayounsi mentioned this in T299482: Paramiko > 2.8.1 incompatibility with some Juniper devices.Jan 19 2022, 8:40 AM
ayounsi added a comment.Jan 19 2022, 10:50 AM

Juniper bumped their recommended version to at least Junos 20 on a lot of platforms.

ayounsi added a comment.EditedMar 3 2022, 9:35 AM

Slightly related, as of today those devices don't support ssh-ed25519:

(11)
asw2-b-eqiad.mgmt.eqiad.wmnet
asw2-c-eqiad.mgmt.eqiad.wmnet
asw2-d-eqiad.mgmt.eqiad.wmnet
asw1-eqsin.mgmt.eqsin.wmnet
asw2-ulsfo.mgmt.ulsfo.wmnet
asw-a-codfw.mgmt.codfw.wmnet
asw-b-codfw.mgmt.codfw.wmnet
asw-c-codfw.mgmt.codfw.wmnet
asw-d-codfw.mgmt.codfw.wmnet
fasw-c-codfw.mgmt.codfw.wmnet
fasw-c-eqiad.mgmt.eqiad.wmnet

(thanks @Volans for the cumin run!)

ayounsi added a subscriber: Volans.Mar 3 2022, 9:36 AM
ayounsi added a subtask: T316539: Upgrade network devices to Junos 20+.Aug 29 2022, 1:45 PM
ayounsi moved this task from Backlog to Watching on the netops board.Feb 20 2023, 4:26 PM
ayounsi updated the task description. (Show Details)May 2 2023, 2:01 PM
ayounsi closed this task as Resolved.May 16 2023, 1:28 PM
ayounsi claimed this task.

Done with all the sub-tasks upgrades.

ayounsi closed subtask T316539: Upgrade network devices to Junos 20+ as Resolved.Feb 19 2025, 10:57 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits