Update Fedora to 33 beta #26

Merged
merged 2 commits into from
Oct 8, 2020

@cevich cevich commented Sep 23, 2020

Signed-off-by: Chris Evich cevich@redhat.com

@cevich cevich force-pushed the fedora33 branch 4 times, most recently from 2fa52b4 to d839e80 Compare September 28, 2020 20:43
@cevich cevich force-pushed the fedora33 branch 2 times, most recently from 633d600 to 3c39d80 Compare October 1, 2020 19:41

@lsm5 lsm5 left a comment

LGTM.

@cevich and I noticed weirdness when rsa was used, but things worked fine with ed25519. Worth investigating but at least something works :D

@cevich cevich force-pushed the fedora33 branch 4 times, most recently from 3b872fd to 8a700f0 Compare October 5, 2020 15:19

lsm5 commented Oct 8, 2020

@cevich ok, some progress:

The packer GCP instance doesn't seem to have /etc/ssh/moduli

First, I left make cache_images at the [a]bort, [r]etry step, so I could make changes in the VM and retry ..

In the packer VM, I did:

  1. Reinstalling openssh creates /etc/ssh/moduli

         $ sudo dnf -y reinstall openssh openssh-server

  2. Add ssh-rsa to PubkeyAcceptedTypes in /etc/crypto-policies/back-ends/opensshserver.config

  3. Restart

         $ sudo systemctl restart sshd

  4. Hit retry in the container.

Now, I seem to hit another ssh issue down the road:

    fedora: + common_finalize
    fedora: + cd /
    fedora: + sudo cloud-init clean --logs
    fedora: + sudo rm -rf /tmp/automation_images/cache_images
    fedora: + sudo rm -rf '/var/lib/cloud/instanc*'
    fedora: + sudo rm -rf '/root/.ssh/*'
    fedora: + sudo rm -rf /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
    fedora: + sudo rm -rf /etc/ssh/moduli
    fedora: + sudo rm -rf /home/barfoo /home/baude /home/centos /home/cevich /home/foobar /home/lmandvek /home/lsm5 /home/packer
    fedora: + sudo rm -rf /tmp/automation_images /tmp/script_7582.sh /tmp/ssh-tEii7GoBq1 /tmp/systemd-private-5469808f91de4e94a6f820004019ec9f-chronyd.service-MRVzVf /tmp/systemd-private-5469808f91de4e94a6f820004019ec9f-dbus-broker.service-zy7FRe /tmp/systemd-private-5469808f91de4e94a6f820004019ec9f-systemd-logind.service-7ZglQg /tmp/systemd-private-5469808f91de4e94a6f820004019ec9f-systemd-resolved.service-K3668i
    fedora: + sudo rm -rf /tmp/.font-unix /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix
    fedora: + sudo tee /etc/machine-id
    fedora: + echo -n ''
    fedora: + sudo sync
    fedora: + (( CONTAINER ))
    fedora: + sudo fstrim -av
    fedora: /: 1.9 GiB (2060935168 bytes) trimmed on /dev/sda1
    fedora: + echo 'SUCCESS!'
    fedora: SUCCESS!
==> fedora: Deleting instance...
    fedora: Instance has been deleted!
==> fedora: Creating image...
==> fedora: Deleting disk...
    fedora: Disk has been deleted!
==> fedora: Provisioning step had errors: Running the cleanup provisioner, if present...
Build 'fedora' errored after 10 minutes 3 seconds: Packer experienced an authentication error when trying to connect via SSH. This can happen if your username/password are wrong. You may want to double-check your credentials as part of your debugging process. original error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

==> Wait completed after 10 minutes 3 seconds

==> Some builds didn't complete successfully and had errors:
--> fedora: Packer experienced an authentication error when trying to connect via SSH. This can happen if your username/password are wrong. You may want to double-check your credentials as part of your debugging process. original error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

==> Builds finished but no artifacts were created.
make: *** [Makefile:193: cache_images/manifest.json] Error 1

Signed-off-by: Chris Evich <cevich@redhat.com>
@mergify mergify bot merged commit fa5823b into containers:master Oct 8, 2020

cevich commented Oct 8, 2020

@lsm5 Thanks for the help!


cevich commented Oct 8, 2020

c6058294462644224


lsm5 commented Oct 9, 2020

So, the latest master branch works fine for me for both ubuntu and fedora.

Last evening, you mentioned it could be a packer issue. But I'm not sure I understand. The deletion of /etc/ssh/moduli was done in this repo, was it a prior requirement for packer?


lsm5 commented Oct 9, 2020

Also, does this imply that we can now test with fedora 33 in our CI?


cevich commented Oct 9, 2020

> Last evening, you mentioned it could be a packer issue.

Oh, meaning: Other distros will likely eventually follow suit, banning ssh-rsa. IIRC, it's based on SHA1 which was found to have collisions not too long ago. I think what packer needs is a new option: ssh_keytype, but maybe there are better ideas. That's the issue I'd like to open with them.

> But I'm not sure I understand. The deletion of /etc/ssh/moduli was done in this repo, was it a prior requirement for packer?

Nope, just a guess on my part as to the steps needed to "reset" a VM image. As you saw, prior versions of sshd regenerated the file on startup if it was missing. Apparently not doing that is a new feature? 😄

> Also, does this imply that we can now test with fedora 33 in our CI?

Yes! Plop c6058294462644224 in there and away you go!
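
The two sshd conditions that came up in this thread (a missing /etc/ssh/moduli, and ssh-rsa absent from the accepted public-key types) can be checked against an image root before a key-based provisioner connects. This is an added example, not code from this repository or its authors; the function names, the sample policy line, the `PubkeyAcceptedKeyTypes` spelling and the assumed layout of opensshserver.config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: function names and sample data are hypothetical.

# Print the comma-separated public-key algorithm list from a policy file.
# Assumed layouts: "-oPubkeyAcceptedKeyTypes=a,b" inside CRYPTO_POLICY='...'
# or sshd_config style "PubkeyAcceptedAlgorithms a,b".
pubkey_algos() {
  grep -oE "PubkeyAccepted(KeyTypes|Algorithms)[= ][^ ']+" "$1" 2>/dev/null |
    head -n 1 | sed -E 's/^[A-Za-z]+[= ]//'
}

# Succeed only if ALGO is a whole list entry, so "ssh-rsa" is not satisfied
# by "rsa-sha2-256" or "ssh-rsa-cert-v01@openssh.com".
accepts_algo() {
  local list
  list=$(pubkey_algos "$1")
  case ",$list," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check one image root; prints findings and returns the number of problems.
preflight() {
  local root="$1" algo="$2" problems=0
  if [ ! -s "$root/etc/ssh/moduli" ]; then
    echo "MISSING: /etc/ssh/moduli"
    problems=$((problems + 1))
  fi
  if ! accepts_algo "$root/etc/crypto-policies/back-ends/opensshserver.config" "$algo"; then
    echo "REJECTED: $algo not in accepted public-key algorithms"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed sample image root: no moduli file, policy without ssh-rsa.
make_sample_root() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/etc/ssh" "$root/etc/crypto-policies/back-ends"
  printf '%s\n' "CRYPTO_POLICY='-oCiphers=aes256-ctr -oPubkeyAcceptedKeyTypes=ssh-ed25519,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com'" \
    > "$root/etc/crypto-policies/back-ends/opensshserver.config"
  echo "$root"
}

sample=$(make_sample_root)
preflight "$sample" ssh-rsa || echo "problems found: $?"
rm -rf "$sample"
```

On a live host, the effective values can be read from `sshd -T` instead of parsing the policy file directly.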
