Closed hswong3i closed 3 years ago
@ladar The current implementation (https://github.com/lavabit/robox/pull/173/files#diff-f910de6f4744660a002d304cbe816512bf93f5c5c848581bf062adf2e47c6063R40-R42) should be logically correct:
diff --git a/scripts/fedora33/vagrant.sh b/scripts/fedora33/vagrant.sh
index d320b35..67cd67f 100644
--- a/scripts/fedora33/vagrant.sh
+++ b/scripts/fedora33/vagrant.sh
@@ -36,3 +36,7 @@ chown -R vagrant:vagrant /home/vagrant/.ssh
# Mark the vagrant box build time.
date --utc > /etc/vagrant_box_build_time
+
+# Ensures maximum compatibility with legacy systems (64-bit security).
+# https://github.com/hashicorp/vagrant/issues/11783#issuecomment-702100872
+update-crypto-policies --set LEGACY
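Review bot: the added update-crypto-policies --set LEGACY lowers the crypto policy for every consumer on the box (OpenSSL, GnuTLS, Kerberos, sshd and anything else wired into crypto-policies), which is far wider than what is needed to accept one ssh-rsa Vagrant key, and the comment itself notes the drop to 64-bit security. Consider scoping the change to sshd instead, e.g. a drop-in under /etc/ssh/sshd_config.d with PubkeyAcceptedKeyTypes=+ssh-rsa, and add a verification step after packaging (update-crypto-policies --show or sshd -T) so the build fails loudly when the setting does not persist into the final box.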
Throughout the entire packer provisioners stage, I could confirm that update-crypto-policies --show is LEGACY.
BTW, after the post-processors stage completed and I manually vagrant box add the result image, vagrant up still gets stuck. If I manually log in through the virt console and execute update-crypto-policies --show, it resumed as DEFAULT (!!).
Now if I execute update-crypto-policies --set LEGACY again, the stuck vagrant up now continues and completes without error (!?). Moreover, vagrant ssh is now working fine, too.
As I am using vagrant-libvirt with virt-sysprep available (i.e. libguestfs-tools installed under Ubuntu 20.04), I guess that maybe it is resumed by virt-sysprep during vagrant package being called by the vagrant post-processors?
UPDATE: no, it shouldn't be related to virt-sysprep nor libguestfs-tools; the issue is still happening even with the binary/package already removed. Somehow it should be re-initialized during first startup...
Even downgrading packer from 1.6.2 to 1.4.5, the update-crypto-policies --set LEGACY still couldn't persist after the vagrant package stage, and always rolls back to DEFAULT during vagrant up... Sorry I have no more idea about how to fix this :-(
@ladar Oh you already merged this PR ^_^||
BTW, from https://github.com/hashicorp/vagrant/issues/11783#issuecomment-720822960 which goes to https://pagure.io/fedora-kickstarts/pull-request/669#request_diff from official Fedora Vagrant image, the change should be something like:
cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
@hswong3i I like this new method a lot more. I updated the vagrant.sh module accordingly. The 3.1.2 release is almost finished, but this change should be reflected in the 3.1.4 build.
@ladar OMG!!! So these two lines (https://github.com/lavabit/robox/commit/1526688695510cfec850c0b44861f9a6a8e24723#diff-f910de6f4744660a002d304cbe816512bf93f5c5c848581bf062adf2e47c6063R46-R47) are the trick for keeping the file in existence after provisioning!? I had been trying for more than 2 days but was just missing these two lines O_o!?
chcon system_u:object_r:etc_t:s0 /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf
chmod 600 /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf
EDIT: Oh I get it!! So it's SELinux getting me into trouble, AGAIN!! But why isn't the official Fedora Vagrant box (https://pagure.io/fedora-kickstarts/blob/master/f/fedora-cloud-base.ks#_29) affected!?
selinux --enforcing
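Putting the sshd drop-in from the earlier comment together with the chcon/chmod lines above, as an added example (not a robox or Fedora script): it writes the file with mode 600, labels it etc_t only when SELinux is actually active, and checks an sshd -T dump for ssh-rsa. The target directory and dump-file parameters are assumptions for testing; on a real box the defaults apply.

```shell
#!/bin/sh
# Added example, not the robox project's own provisioning script.
set -eu

DROPIN_NAME=10-vagrant-insecure-rsa-key.conf

# Write the drop-in into "$1" (default /etc/ssh/sshd_config.d) with mode 600
# and, when SELinux is enabled, the etc_t label so sshd is allowed to read it.
install_vagrant_rsa_dropin() {
    dir="${1:-/etc/ssh/sshd_config.d}"
    f="$dir/$DROPIN_NAME"
    mkdir -p "$dir"
    umask 077   # file is created 0600 from the start, no wider-mode window
    cat > "$f" <<'EOF'
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
    chmod 600 "$f"
    # Label only on SELinux hosts; on hosts without it, chcon would just fail.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        chcon system_u:object_r:etc_t:s0 "$f"
    fi
    printf '%s\n' "$f"
}

# Inspect an `sshd -T` dump saved in "$1" and return 0 when ssh-rsa is among the
# accepted public-key algorithms, 1 otherwise. sshd -T prints lowercase keywords;
# newer OpenSSH releases call the keyword pubkeyacceptedalgorithms.
sshd_dump_accepts_rsa() {
    awk 'tolower($1) ~ /^pubkeyaccepted(keytypes|algorithms)$/ {
             n = split($2, a, ",")
             for (i = 1; i <= n; i++) if (a[i] == "ssh-rsa") found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# On a booted box, as root:
#   install_vagrant_rsa_dropin
#   sshd -T > /tmp/sshd.dump && sshd_dump_accepts_rsa /tmp/sshd.dump && echo ok
```

If the check fails right after vagrant up even though the file is present, compare ls -Z on the file with the etc_t label, which is the mismatch this thread ran into.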
@hswong3i SELinux is enabled in our version as well. You can confirm by running sestatus...
@ladar just tried vagrant init generic/fedora33 --box-version 3.1.0 then vagrant up --provider libvirt but it still failed due to the https://github.com/lavabit/robox/commit/8f0d1f50a7e61e7dd2b6fe63bed9c13706175699 implementation.
Most likely we need your updated version with https://github.com/lavabit/robox/commit/1526688695510cfec850c0b44861f9a6a8e24723 in order to get rid of the SELinux related issue ;-)
@hswong3i yes, the issue wasn't fixed in 3.1.0... I think the update-crypto-policies fix made it into 3.1.2, which just started uploading... so it should release in the next couple of days (uploads take a while because of cloud limits).
Either way, I'm starting the 3.1.4 build now, which will include the SSH config fix. That version should be done building by Monday, and should release next week, assuming there aren't too many box build failures.
Upstream SSH has been claiming for a few releases now that:
Also see: