#9760 release blocker: release process bug closed fixed (fixed)

azure pipelines builds are failing on Windows due to OpenSSH integration tests

Reported by: Glyph Owned by: Glyph
Priority: highest Milestone:
Component: conch Keywords:
Cc: Branch: 9760-windows-build-failures
branch-diff, diff-cov, branch-cov, buildbot

Change History (11)

comment:1 Changed 23 months ago by Glyph

I set up a local Windows development environment and can't reproduce these.

comment:2 Changed 23 months ago by Glyph

After tweaking the tests to be just the tiniest bit verbose, I see this:

Failure: twisted.conch.error.ConchError: ('exit code was not 0: 255 (b\'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
nPermissions for
\' are too open.
nIt is required that your private key files are NOT accessible by others.
nThis private key will be ignored.
nLoad key "dsa_test": bad permissions
ntestuser@ Permission denied (publickey).
n\')', None)

which clearly suggests the problem is that something about the permissions we're explicitly setting in the tests is getting ignored in this configuration.

This Stack Overflow question https://superuser.com/questions/1296024/windows-ssh-permissions-for-private-key-are-too-open indicates that this might be happening because our tmpdir now inherits undesirable permissions.

comment:3 Changed 23 months ago by Colin Watson

If it helps, I think this is the implementation of the relevant security check on Windows:


comment:4 Changed 22 months ago by Glyph

Branch: 9760-windows-build-failures

comment:5 Changed 22 months ago by Glyph

Further investigation has yielded that the problem user is S-1-5-32-545, which is BUILTIN_USERS according to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

comment:6 Changed 22 months ago by Glyph

Component: coreconch
Keywords: review added

OK, I think this gets across the desired semantics for the test skip; hopefully CI will be happy with the result.

comment:8 Changed 22 months ago by Colin Dunklau

Owner: set to Colin Dunklau

comment:9 Changed 22 months ago by Colin Dunklau

Keywords: review removed
Owner: changed from Colin Dunklau to Glyph

I'm vaguely dissatisfied with the conditional skip in ConchServerSetupMixin._createFiles, but not enough to dig in my feet. I suggest a new ticket asking for help verifying that the tests that wind up calling that method on various platforms and versions.

LGTM, please merge

comment:10 Changed 22 months ago by Glyph

That's the idea with the "for real" followup I already filed / linked in the skip :). I am also not happy with this, but also; I really want to unblock the 20 other things that are backed up behind this.

Thanks for the review!

comment:11 Changed 22 months ago by Glyph <glyph@…>

Resolution: fixed
Status: newclosed

In b719119:

Error: Processor CommitTicketReference failed
 does not appear to be a Git repository. See the log for more information.
Note: See TracTickets for help on using tickets.