[CI] Searchable snapshots tests fail to start secureHdfsFixture on Java 17 #78423
Comments
mark-vieira
added
>test-failure
elasticmachine
added
Team:Distributed (Obsolete)
|
Pinging @elastic/es-distributed (Team:Distributed) |
|
Pinging @elastic/es-security (Team:Security) |
mark-vieira
changed the title
|
This looks suspiciously like what I was seeing on my machine. The root cause was that the keytab was using the deprecated des3-cbc-sha1-kd encryption type. I fixed it locally by switching the keytab to use aes256-cts-hmac-sha1-96 instead. But since CI wasn't failing I didn't commit this (since I wasn't sure what the FIPS implications would be). Sounds like it's time to make this change though. |
Yeah, we don't run the full Java support matrix for every pull request. We generally just run with the minimum runtime Java version (which for |
|
I created #78703 with the changes I had made locally. This is outside of my area of expertise though, so glad to close that one if there's a better solution. |
|
Another one: https://gradle-enterprise.elastic.co/s/64cq7tjqhnaay |
|
I've merged the PR that ought to fix this. |
|
@masseyke looks like the error still persists: https://gradle-enterprise.elastic.co/s/orcgb5gttvgss |
|
OK I can reproduce this on java 17. It works fine on Java 16. Here's what I used to reproduce it: |
|
Looking at the keytab from that failure with ksutil, it's still using the des3-cbc-sha1-kd encryption type. There are a couple of files that still reference that. I'll have a PR up in a few minutes to fix that. |
…bc-sha1-kd (elastic#78703) The des3-cbc-sha1-kd encryption type is deprecated and no longer supported by newer jvm, causing tests that use the krb5kdc-fixture to fail. This commit changes the encryption type of the test keytab to aes256-cts-hmac-sha1-96. Relates elastic#78423
|
Oh actually it's just that I hadn't backported this to the 7.x line because I hadn't realized that it was going to be built with Java 17. I've just created the PR to backport the fix from master to 7.16. |
|
I don't see any failure since the last backport was merged so I'm closing this issue. Thanks @masseyke ! |
…bc-sha1-kd (elastic#78703) The des3-cbc-sha1-kd encryption type is deprecated and no longer supported by newer jvm, causing tests that use the krb5kdc-fixture to fail. This commit changes the encryption type of the test keytab to aes256-cts-hmac-sha1-96. Relates elastic#78423
…bc-sha1-kd (#78703) (#80537) The des3-cbc-sha1-kd encryption type is deprecated and no longer supported by newer jvm, causing tests that use the krb5kdc-fixture to fail. This commit changes the encryption type of the test keytab to aes256-cts-hmac-sha1-96. Relates #78423 Co-authored-by: Keith Massey <[email protected]>
Looks like this just started happening on Sep 26th. I suspect this is auto security related in some way, but don't quote me on that. Looks ot be specific to running on Java 17.
Build scan:
https://gradle-enterprise.elastic.co/s/us3iizodx5g3k/console-log?task=:x-pack:plugin:searchable-snapshots:qa:hdfs:secureHdfsFixture
Repro line:
./gradlew :x-pack:plugin:searchable-snapshots:qa:hdfs:integTestSecure -Druntime.java=17Reproduces locally?:
Yes
Applicable branches:
masterFailure history:
https://gradle-enterprise.elastic.co/scans/failures?failures.failureClassification=all_failures&failures.failureMessage=Execution%20failed%20for%20task%20*%0A%3E%20Failed%20to%20start%20secureHdfsFixture&search.relativeStartTime=P7D&search.timeZoneId=America/Los_Angeles
Failure excerpt:
The text was updated successfully, but these errors were encountered: