Add user data to downgrade the system-wide crypto policy

See #69 for details. Also add a command to the final provisioner to undo this change.
cisagov · Oct 15, 2021 · d2f3772 · d2f3772
1 parent e0cda95
commit d2f3772
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/src/packer.json b/src/packer.json
@@ -55,6 +55,7 @@
         "Team": "VM Fusion - Development"
       },
       "type": "amazon-ebs",
+      "user_data_file": "src/user_data.txt",
       "vpc_filter": {
         "filters": {
           "tag:Name": "AMI Build"
@@ -93,6 +94,7 @@
     {
       "execute_command": "chmod +x {{ .Path }}; sudo env {{ .Vars }} {{ .Path }} ; rm -f {{ .Path }}",
       "inline": [
+        "update-crypto-policies --set DEFAULT",
         "sed -i '/^users:/ {N; s/users:.*/users: []/g}' /etc/cloud/cloud.cfg",
         "rm --force /etc/sudoers.d/90-cloud-init-users",
         "rm --force /root/.ssh/authorized_keys",

diff --git a/src/user_data.txt b/src/user_data.txt
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# See https://github.com/cisagov/freeipa-server-packer/issues/69 and
+# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2#Upgrade.2Fcompatibility_impact
+update-crypto-policies --set DEFAULT:FEDORA32