Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Packer incompatible with Fedora 33 or Fedora 34 #69

Closed
jsf9k opened this issue Oct 15, 2021 · 0 comments · Fixed by #65
Closed

Packer incompatible with Fedora 33 or Fedora 34 #69

jsf9k opened this issue Oct 15, 2021 · 0 comments · Fixed by #65
Assignees
@jsf9k
Labels
bug This issue or pull request addresses broken functionality

Comments

@jsf9k
Copy link
Member

jsf9k commented Oct 15, 2021
edited
Loading

🐛 Summary

Fedora 33 updated the system-wide crypto policy to disallow SHA-1 hashes in signatures. This is a good thing, especially since OpenSSH follows suit as of version 8.8.

Unfortunately, Packer cannot support this change because of an inflexibility in go (see also golang/go#36261 and golang/go#37278). This is blocking us from upgrading our FreeIPA AMI to Fedora 33+, since Packer is unable to ssh to the instance launched from the base AMI after it is spun up.

It should be possible for us to workaround this limitation by switching to a different system-wide crypto policy via the userdata fed to the base AMI when it is spun up. This change can then be undone via an additional of a Packer provisioner in the packer.json configuration file.
@jsf9k jsf9k added the bug This issue or pull request addresses broken functionality label Oct 15, 2021
@jsf9k jsf9k self-assigned this Oct 15, 2021
@jsf9k jsf9k mentioned this issue Oct 15, 2021
Merged
11 tasks
jsf9k added a commit that referenced this issue Oct 15, 2021
@jsf9k
Add user data to downgrade the system-wide crypto policy
e76b25e 
See #69 for details.
jsf9k added a commit that referenced this issue Oct 15, 2021
@jsf9k
Add user data to downgrade the system-wide crypto policy
d2f3772 
See #69 for details.

Also add a command to the final provisioner to undo this change.
@jsf9k jsf9k closed this as completed in #65 Oct 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsf9k jsf9k

Labels
bug This issue or pull request addresses broken functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrade to Fedora 34 cisagov/freeipa-server-packer
1 participant
@jsf9k