ansible: update Fedora 30 hosts to Fedora 34

[richardlau]

Update the two DigitalOcean Fedora 30 host to Fedora 34.

Refs: #2527 (comment)

Reimaging was fairly painless but I ran into https://www.digitalocean.com/community/questions/fedora-33-how-to-persist-dns-settings-via-etc-resolv-conf (with Fedora 34) meaning our playbooks failed until I went onto the machine and fixed the DNS settings (as per https://www.digitalocean.com/community/questions/fedora-33-how-to-persist-dns-settings-via-etc-resolv-conf?answer=66950).

Deployed. Labels have been swapped so the existing Fedora 32 hosts are now fedora-last-latest-x64 while the reimaged Fedora 34 hosts are now fedora-latest-x64.

[richardlau]

Just in case https://www.digitalocean.com/community/questions/fedora-33-how-to-persist-dns-settings-via-etc-resolv-conf?answer=66950 disappears, the solution to fix the DNS servers is:

1. Edit /etc/systemd/resolved.conf to set the DNS servers to DigitalOcean's, e.g.

DNS=67.207.67.2 67.207.67.3

2. Restart systemd-resolved (or reboot):

$ sudo systemctl restart systemd-resolved.service

[richardlau]

Test builds (master):

• https://ci.nodejs.org/job/node-test-commit-linux/42843/nodes=fedora-latest-x64/console
• https://ci.nodejs.org/job/node-test-commit-linux/42845/nodes=fedora-latest-x64/console

[richardlau]

hmm test builds have lots of "key too small" errors from tests. We saw something similar on Debian 10 (#2612 (comment)) -- I'll check if we picking up a similar OpenSSL config. from the distro.

[richardlau]

Yep we're picking up a stricter OpenSSL security level via Fedora 34's config. Node.js is built with OPENSSLDIR set to /etc/ssl. This means that OpenSSL looks for openssl.cnf there... and on Fedora 34 this exists and contains

[ crypto_policy ]

.include = /etc/crypto-policies/back-ends/opensslcnf.config

and /etc/crypto-policies/back-ends/opensslcnf.config sets SECLEVEL=2:

CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224

which tightens security requirements on minimum key sizes. nodejs/node#27862 tracks tests failures when run with a higher OpenSSL seclevel.

[richardlau]

Added running update-crypto-policies --set LEGACY as we do for UBI:

build/ansible/roles/docker/templates/ubi81.Dockerfile.j2

Lines 35 to 36 in a655f1a

	# Relax crypto policies to allow Node.js tests to pass
	RUN update-crypto-policies --set LEGACY

New test build: https://ci.nodejs.org/job/node-test-commit-linux/42848/nodes=fedora-latest-x64/console ✔️

[mhdawson]

LGTM. Note that these new hosts caused failures on the node-addon-api tests as the compiler reported possible use of initialized variables that were not reported before.

[mhdawson]

LGTM