)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"91189bf65e62b907c2d79e95acd8ab2e5c668ba3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"7ea05947_188e2665","updated":"2023-05-02 09:40:52.000000000","message":"I feel it\u0027s nice but we need to be cautious with the fact that if we default to ED25519, we may hit guests that don\u0027t support it. Not saying to not do anything, but specifying the requirement in a command doc helper or somewhere else could be nice.","commit_id":"0f51232f55d2f81265d0e751c5af72fa5f3f718d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bd038f940131e7841298f826240051df0aad9ef5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"960dc5fd_a4649e2d","in_reply_to":"7ea05947_188e2665","updated":"2023-05-02 11:19:41.000000000","message":"Let me know if my clarifications do the trick","commit_id":"0f51232f55d2f81265d0e751c5af72fa5f3f718d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"f991d017a1081adb721565db4a1eb9ae3fe9e90e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a230e1be_9bec9e51","updated":"2023-05-04 11:36:09.000000000","message":"Two +1s from nova cores and +2 from gtema. 
I think this is good to go.","commit_id":"2454636386d443473dedff1f07f8623108e87298"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"5a33615082fe8f716638c9a7d3ffb98d2b90ca50","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f3f00f58_9953f61e","updated":"2023-05-02 14:13:06.000000000","message":"i chatted to stephen about this too on irc\nso im ok with proceeding in this direction and always doing the generation client side","commit_id":"2454636386d443473dedff1f07f8623108e87298"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"253f904c75bd6300af9bc9f9f13ca9c67d5f0679","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9c26d6b8_08d3b0a3","updated":"2023-05-02 12:37:22.000000000","message":"in general i can see why you might want to do this.\n\nim conflicted if this should be done always as in this patch or only based on the microversion\n\ni.e. 
leaving nova do it for old microversion and osc for new.\n\nboth have pros and cons.\n\nthe pros of the current approach is you get consistent behavior and you can document that ssh key generation is always done client side.\n\nthe con is that you break compatibility with operating systems that dont support ed25519\n\nso if we are going to take this approach i would add a new parameter to allow specifying the key type and continue to default to ed25519 but allow them to select rsa or ecdsa if they need a fips compatible type.\n\nwith that said ed25519 is currently undergoing certification by NIST to be included in the next revision of the FIPS standard as a replacement for ecdsa so eventually we will converge on ed25519 anyway\n\n-1 is to discuss this briefly but i generally agree that ed25519 is the correct default i just wonder if you are open to allowing other algorithms if we are going to add client side generation instead of just suggesting you use ssh-keygen or similar instead.","commit_id":"2454636386d443473dedff1f07f8623108e87298"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"48d13aadf5ddf8975a86b9d91995e999a64b625c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"de75c4f3_318cc07c","in_reply_to":"9c26d6b8_08d3b0a3","updated":"2023-05-02 13:11:05.000000000","message":"I specifically didn\u0027t expose a knob to change the format since I didn\u0027t want to effectively reinvent ssh-keygen. I _could_ opt to wrap \u0027ssh-keygen\u0027 and pass arguments through (like we do for \u0027openstack server ssh\u0027 and the \u0027ssh\u0027 command) but that seems far more complicated. I think the guidance in the help text to use \u0027ssh-keygen\u0027 directly if you want more control is adequate. 
I would hazard a guess that the vast majority of guest OS\u0027 are Debian- or RHEL-based, which means they should support Ed25519 without issue.\n\nRegarding client vs. server-side generation, if generating ssh-rsa was still a sensible/viable option then I would agree with you: we could just do client-side generation for newer microversion. However, because the algorithm used now differs, I think we\u0027re obliged to do it client-side for all API versions. Making the algorithm used dependent on the nova microversion sounds silly.","commit_id":"2454636386d443473dedff1f07f8623108e87298"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"5a33615082fe8f716638c9a7d3ffb98d2b90ca50","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"00bb0afa_567d9787","in_reply_to":"de75c4f3_318cc07c","updated":"2023-05-02 14:13:06.000000000","message":"ack i can by that argument (we shoudl do it for all microversion)\n\ni was kind of unhappy with doing it only for new microversion because the api would not actully supprot it so its kind of a lie in that sense.","commit_id":"2454636386d443473dedff1f07f8623108e87298"}],"openstackclient/compute/v2/keypair.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"91189bf65e62b907c2d79e95acd8ab2e5c668ba3","unresolved":true,"context_lines":[{"line_number":41,"context_line":"    :returns: A `Keypair` named tuple with the generated private and public"},{"line_number":42,"context_line":"    keys."},{"line_number":43,"context_line":"    \"\"\""},{"line_number":44,"context_line":"    key \u003d ed25519.Ed25519PrivateKey.generate()"},{"line_number":45,"context_line":"    private_key \u003d key.private_bytes("},{"line_number":46,"context_line":"        serialization.Encoding.PEM,"},{"line_number":47,"context_line":"        
serialization.PrivateFormat.OpenSSH,"}],"source_content_type":"text/x-python","patch_set":1,"id":"f5e26c99_9df4cd79","line":44,"updated":"2023-05-02 09:40:52.000000000","message":"yeah, OK, ED25519 keys continue to be supported in recent OSes, but are also supported starting with OpenSSH 6.5 which is quite old enough (9 years ago)\n\nMaybe clarify that: very very old guests that don\u0027t have openssh-6.5 may not accept the private key.","commit_id":"0f51232f55d2f81265d0e751c5af72fa5f3f718d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"2f99763e1cdfaf52f8d82733c00a257498b908d1","unresolved":false,"context_lines":[{"line_number":41,"context_line":"    :returns: A `Keypair` named tuple with the generated private and public"},{"line_number":42,"context_line":"    keys."},{"line_number":43,"context_line":"    \"\"\""},{"line_number":44,"context_line":"    key \u003d ed25519.Ed25519PrivateKey.generate()"},{"line_number":45,"context_line":"    private_key \u003d key.private_bytes("},{"line_number":46,"context_line":"        serialization.Encoding.PEM,"},{"line_number":47,"context_line":"        serialization.PrivateFormat.OpenSSH,"}],"source_content_type":"text/x-python","patch_set":1,"id":"763ad2f4_c89adc0c","line":44,"in_reply_to":"f5e26c99_9df4cd79","updated":"2023-05-02 11:19:25.000000000","message":"Ack. 
Added to the release note and extended the help text for the option","commit_id":"0f51232f55d2f81265d0e751c5af72fa5f3f718d"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"253f904c75bd6300af9bc9f9f13ca9c67d5f0679","unresolved":true,"context_lines":[{"line_number":43,"context_line":"    \"\"\""},{"line_number":44,"context_line":"    key \u003d ed25519.Ed25519PrivateKey.generate()"},{"line_number":45,"context_line":"    private_key \u003d key.private_bytes("},{"line_number":46,"context_line":"        serialization.Encoding.PEM,"},{"line_number":47,"context_line":"        serialization.PrivateFormat.OpenSSH,"},{"line_number":48,"context_line":"        serialization.NoEncryption()"},{"line_number":49,"context_line":"    ).decode()"}],"source_content_type":"text/x-python","patch_set":2,"id":"e588d8ea_0224794f","line":46,"range":{"start_line":46,"start_character":7,"end_line":46,"end_character":35},"updated":"2023-05-02 12:37:22.000000000","message":"ssh-keygen uses https://www.rfc-editor.org/rfc/rfc4716\nas its default format https://man.openbsd.org/ssh-keygen.1#m\n\nthis is how we previously did it in nova\nhttps://github.com/openstack/nova/blob/3d83bb3356e10355437851919e161f258cebf761/nova/crypto.py#L97-L104\n\nwe delegated to paramiko\n\nwhich uses the \"serialization.PrivateFormat.TraditionalOpenSSL\" vs serialization.PrivateFormat.OpenSSH\n\ni think that change is ok as serialization.PrivateFormat.OpenSSH is rfc4716 i believe and serialization.PrivateFormat.TraditionalOpenSSL is the pre RFC standardisation format so adopting the standard is fine.\n\nhttps://github.com/paramiko/paramiko/blob/b77ef44a049c3b99e770a360e7b1312ca6940ce4/paramiko/rsakey.py#L152-L158\n\nparamiko also uses pem encoding as you have set here.\nhttps://github.com/paramiko/paramiko/blob/b77ef44a049c3b99e770a360e7b1312ca6940ce4/paramiko/pkey.py#L573\n\nthis surprises me as i did not think we were using pem format 
files via the nova api.\n\ni was expecting this to be serialization.Encoding.OpenSSH\n\ni think that would be more commonplace as i have only seen pem format used on windows in the past, particularly i associate it with putty.\n\nbut this is at least consistent with the nova api so i guess this is what we should use even if it diverges from the export format used by ssh-keygen https://man.openbsd.org/ssh-keygen.1#e\n\ni would personally prefer not to use pem format but am i correct in assuming ^ is why you chose it?","commit_id":"2454636386d443473dedff1f07f8623108e87298"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"5a33615082fe8f716638c9a7d3ffb98d2b90ca50","unresolved":false,"context_lines":[{"line_number":43,"context_line":"    \"\"\""},{"line_number":44,"context_line":"    key \u003d ed25519.Ed25519PrivateKey.generate()"},{"line_number":45,"context_line":"    private_key \u003d key.private_bytes("},{"line_number":46,"context_line":"        serialization.Encoding.PEM,"},{"line_number":47,"context_line":"        serialization.PrivateFormat.OpenSSH,"},{"line_number":48,"context_line":"        serialization.NoEncryption()"},{"line_number":49,"context_line":"    ).decode()"}],"source_content_type":"text/x-python","patch_set":2,"id":"8b45aebd_56447041","line":46,"range":{"start_line":46,"start_character":7,"end_line":46,"end_character":35},"in_reply_to":"54e40e3d_07568b79","updated":"2023-05-02 14:13:06.000000000","message":"ack ok im fine with keeping this as is for consistency as i said so +1","commit_id":"2454636386d443473dedff1f07f8623108e87298"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"fd65aeb1c254cbfe6a030e98df6cffa9b85444ae","unresolved":false,"context_lines":[{"line_number":43,"context_line":"    \"\"\""},{"line_number":44,"context_line":"    key \u003d 
ed25519.Ed25519PrivateKey.generate()"},{"line_number":45,"context_line":"    private_key \u003d key.private_bytes("},{"line_number":46,"context_line":"        serialization.Encoding.PEM,"},{"line_number":47,"context_line":"        serialization.PrivateFormat.OpenSSH,"},{"line_number":48,"context_line":"        serialization.NoEncryption()"},{"line_number":49,"context_line":"    ).decode()"}],"source_content_type":"text/x-python","patch_set":2,"id":"17505935_53d87dde","line":46,"range":{"start_line":46,"start_character":7,"end_line":46,"end_character":35},"in_reply_to":"8b45aebd_56447041","updated":"2023-05-02 15:45:00.000000000","message":"ditto","commit_id":"2454636386d443473dedff1f07f8623108e87298"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"48d13aadf5ddf8975a86b9d91995e999a64b625c","unresolved":false,"context_lines":[{"line_number":43,"context_line":"    \"\"\""},{"line_number":44,"context_line":"    key \u003d ed25519.Ed25519PrivateKey.generate()"},{"line_number":45,"context_line":"    private_key \u003d key.private_bytes("},{"line_number":46,"context_line":"        serialization.Encoding.PEM,"},{"line_number":47,"context_line":"        serialization.PrivateFormat.OpenSSH,"},{"line_number":48,"context_line":"        serialization.NoEncryption()"},{"line_number":49,"context_line":"    ).decode()"}],"source_content_type":"text/x-python","patch_set":2,"id":"54e40e3d_07568b79","line":46,"range":{"start_line":46,"start_character":7,"end_line":46,"end_character":35},"in_reply_to":"e588d8ea_0224794f","updated":"2023-05-02 13:11:05.000000000","message":"Yup, I mimicked what paramiko was doing. 
I\u0027ve no issues changing things around but quick testing of this shows that OpenSSH version on both Ubuntu 20.04 and RHEL 8.4 are happy with this format so I think it\u0027s a reasonable choice.\n\nAs an aside, I learned a lot about SSH keys by generating this. I had no idea there were so many configurable knobs here, or that what OpenSSH did wasn\u0027t necessarily following a standard (in fact, it seems the standards are often written based on the OpenSSH implementation, after the fact)","commit_id":"2454636386d443473dedff1f07f8623108e87298"}],"releasenotes/notes/keypair-create-client-side-generation-73d8dd36192f70c9.yaml":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"fd65aeb1c254cbfe6a030e98df6cffa9b85444ae","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    disabled by default starting in OpenSSH 8.8, which prevents its use in"},{"line_number":9,"context_line":"    guests using this version of OpenSSH in the default configuration."},{"line_number":10,"context_line":"    ssh-ed25519 support is widespread and is supported by OpenSSH 6.5 or later"},{"line_number":11,"context_line":"    and Dropbear 2020.79 or later."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"2d5a8861_ae701b70","line":11,"updated":"2023-05-02 15:45:00.000000000","message":"++ (good catch on Dropbear)","commit_id":"2454636386d443473dedff1f07f8623108e87298"}]}
