From 363ee36566f654c60864e3cee8187e8059f2be7e Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Wed, 26 Jan 2022 21:02:28 +0100 Subject: [PATCH] feat: add test for Rocky Linux 8 (#1) Co-authored-by: Robert Kaussow Co-committed-by: Robert Kaussow --- .drone.jsonnet | 4 +- .drone.yml | 37 +++++++- defaults/main.yml | 39 +++++---- molecule/default | 2 +- molecule/rocky8/converge.yml | 5 ++ molecule/rocky8/create.yml | 120 ++++++++++++++++++++++++++ molecule/rocky8/destroy.yml | 78 +++++++++++++++++ molecule/rocky8/molecule.yml | 24 ++++++ molecule/rocky8/prepare.yml | 15 ++++ molecule/rocky8/tests/test_default.py | 16 ++++ tasks/ssh_default.yml | 21 ++++- tasks/ssh_univention.yml | 38 +++++--- templates/etc/ssh/sshd_config.j2 | 39 ++++----- templates/etc/sysconfig/sshd.j2 | 20 +++++ 14 files changed, 401 insertions(+), 57 deletions(-) create mode 100644 molecule/rocky8/converge.yml create mode 100644 molecule/rocky8/create.yml create mode 100644 molecule/rocky8/destroy.yml create mode 100644 molecule/rocky8/molecule.yml create mode 100644 molecule/rocky8/prepare.yml create mode 100644 molecule/rocky8/tests/test_default.py create mode 100644 templates/etc/sysconfig/sshd.j2 diff --git a/.drone.jsonnet b/.drone.jsonnet index 18fab09..439fb8e 100644 --- a/.drone.jsonnet +++ b/.drone.jsonnet @@ -71,7 +71,7 @@ local PipelineDeployment(scenario='centos7') = { 'linting', ], trigger: { - ref: ['refs/heads/master', 'refs/tags/**'], + ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'], }, }; @@ -116,6 +116,7 @@ local PipelineDocumentation = { }, depends_on: [ 'testing-centos7', + 'testing-rocky8', ], }; @@ -154,6 +155,7 @@ local PipelineNotification = { [ PipelineLinting, PipelineDeployment(scenario='centos7'), + PipelineDeployment(scenario='rocky8'), PipelineDocumentation, PipelineNotification, ] diff --git a/.drone.yml b/.drone.yml index 45cfe9c..2dfd738 100644 --- a/.drone.yml +++ b/.drone.yml @@ -62,6 +62,40 @@ trigger: ref: - refs/heads/master - refs/tags/** + - refs/pull/** + +depends_on: + - linting + +--- +kind: pipeline +name: testing-rocky8 + +platform: + os: linux + arch: amd64 + +concurrency: + limit: 1 + +workspace: + base: /drone/src + path: ${DRONE_REPO_NAME} + +steps: + - name: ansible-molecule + image: thegeeklab/molecule:3 + commands: + - molecule test -s rocky8 + environment: + HCLOUD_TOKEN: + from_secret: hcloud_token + +trigger: + ref: + - refs/heads/master + - refs/tags/** + - refs/pull/** depends_on: - linting @@ -108,6 +142,7 @@ trigger: depends_on: - testing-centos7 + - testing-rocky8 --- kind: pipeline @@ -147,6 +182,6 @@ depends_on: --- kind: signature -hmac: 6fb4bbe578d0a67f6def789d5b7a11d422bca42f07695c24fac97950f02cf51a +hmac: 4e3ffd7002957963c30b32275a59b62e7c19a1ccf7bd40369411bca13d94614e ... diff --git a/defaults/main.yml b/defaults/main.yml index 198f20f..869c58c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,15 +1,16 @@ --- sshd_protocol: 2 -sshd_permit_root_login: 'yes' -sshd_permit_empty_passwords: 'no' -sshd_password_authentication: 'no' -sshd_gssapi_authentication: 'yes' -sshd_strict_modes: 'yes' +sshd_permit_root_login: "yes" +sshd_permit_empty_passwords: "no" +sshd_password_authentication: "no" +sshd_gssapi_authentication: "no" +sshd_strict_modes: "yes" sshd_allow_groups: [] -sshd_ignore_rhosts: 'yes' -sshd_hostbased_authentication: 'no' +sshd_ignore_rhosts: "yes" +sshd_hostbased_authentication: "no" sshd_client_alive_interval: 900 sshd_client_alive_count_max: 0 + sshd_ciphers: - chacha20-poly1305@openssh.com - aes256-gcm@openssh.com @@ -17,33 +18,37 @@ sshd_ciphers: - aes256-ctr - aes192-ctr - aes128-ctr + sshd_kex: - curve25519-sha256@libssh.org - diffie-hellman-group-exchange-sha256 + sshd_moduli_minimum: 2048 + sshd_macs: - hmac-sha2-512-etm@openssh.com - hmac-sha2-256-etm@openssh.com - - hmac-ripemd160-etm@openssh.com - umac-128-etm@openssh.com - hmac-sha2-512 - hmac-sha2-256 - - hmac-ripemd160 -sshd_allow_agent_forwarding: 'no' -sshd_x11_forwarding: 'yes' -sshd_allow_tcp_forwarding: 'yes' + - umac-128@openssh.com + +sshd_allow_agent_forwarding: "no" +sshd_x11_forwarding: "yes" +sshd_allow_tcp_forwarding: "yes" sshd_compression: delayed sshd_log_level: INFO sshd_max_auth_tries: 6 sshd_max_sessions: 10 -sshd_tcp_keep_alive: 'yes' -sshd_use_dns: 'yes' +sshd_tcp_keep_alive: "yes" +sshd_use_dns: "no" + +sshd_disable_crypto_policy: False # @var sshd_challenge_response_authentication:description: > -# If you disable password auth you should disable -# ChallengeResponseAuth also. +# If you disable password auth you should disable ChallengeResponseAuth also. # @end -sshd_challenge_response_authentication: 'no' +sshd_challenge_response_authentication: "no" # @var sshd_google_auth_enabled:description: > # Google Authenticator required ChallengeResponseAuth! diff --git a/molecule/default b/molecule/default index 2fdf3e8..62ea184 120000 --- a/molecule/default +++ b/molecule/default @@ -1 +1 @@ -centos7 \ No newline at end of file +rocky8 \ No newline at end of file diff --git a/molecule/rocky8/converge.yml b/molecule/rocky8/converge.yml new file mode 100644 index 0000000..ae4e544 --- /dev/null +++ b/molecule/rocky8/converge.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: xoxys.sshd diff --git a/molecule/rocky8/create.yml b/molecule/rocky8/create.yml new file mode 100644 index 0000000..8b945cd --- /dev/null +++ b/molecule/rocky8/create.yml @@ -0,0 +1,120 @@ +--- +- name: Create + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + ssh_port: 22 + ssh_user: root + ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key" + tasks: + - name: Create SSH key + user: + name: "{{ lookup('env', 'USER') }}" + generate_ssh_key: true + ssh_key_file: "{{ ssh_path }}" + force: true + register: generated_ssh_key + + - name: Register the SSH key name + set_fact: + ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}" + + - name: Register SSH key for test instance(s) + hcloud_ssh_key: + name: "{{ ssh_key_name }}" + public_key: "{{ generated_ssh_key.ssh_public_key }}" + state: present + + - name: Create molecule instance(s) + hcloud_server: + name: "{{ item.name }}" + server_type: "{{ item.server_type }}" + ssh_keys: + - "{{ ssh_key_name }}" + image: "{{ item.image }}" + location: "{{ item.location | default(omit) }}" + datacenter: "{{ item.datacenter | default(omit) }}" + user_data: "{{ item.user_data | default(omit) }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: present + register: server + loop: "{{ molecule_yml.platforms }}" + async: 7200 + poll: 0 + + - name: Wait for instance(s) creation to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_jobs + until: hetzner_jobs.finished + retries: 300 + loop: "{{ server.results }}" + + - name: Create volume(s) + hcloud_volume: + name: "{{ item.name }}" + server: "{{ item.name }}" + location: "{{ item.location | default(omit) }}" + size: "{{ item.volume_size | default(10) }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: "present" + loop: "{{ molecule_yml.platforms }}" + when: item.volume | default(False) | bool + register: volumes + async: 7200 + poll: 0 + + - name: Wait for volume(s) creation to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_volumes + until: hetzner_volumes.finished + retries: 300 + when: volumes.changed + loop: "{{ volumes.results }}" + + # Mandatory configuration for Molecule to function. + + - name: Populate instance config dict + set_fact: + instance_conf_dict: + { + "instance": "{{ item.hcloud_server.name }}", + "ssh_key_name": "{{ ssh_key_name }}", + "address": "{{ item.hcloud_server.ipv4_address }}", + "user": "{{ ssh_user }}", + "port": "{{ ssh_port }}", + "identity_file": "{{ ssh_path }}", + "volume": "{{ item.item.item.volume | default(False) | bool }}", + } + loop: "{{ hetzner_jobs.results }}" + register: instance_config_dict + when: server.changed | bool + + - name: Convert instance config dict to a list + set_fact: + instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}" + when: server.changed | bool + + - name: Dump instance config + copy: + content: | + # Molecule managed + + {{ instance_conf | to_nice_yaml(indent=2) }} + dest: "{{ molecule_instance_config }}" + when: server.changed | bool + + - name: Wait for SSH + wait_for: + port: "{{ ssh_port }}" + host: "{{ item.address }}" + search_regex: SSH + delay: 10 + loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}" + + - name: Wait for VM to settle down + pause: + seconds: 30 diff --git a/molecule/rocky8/destroy.yml b/molecule/rocky8/destroy.yml new file mode 100644 index 0000000..6454c71 --- /dev/null +++ b/molecule/rocky8/destroy.yml @@ -0,0 +1,78 @@ +--- +- name: Destroy + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + tasks: + - name: Check existing instance config file + stat: + path: "{{ molecule_instance_config }}" + register: cfg + + - name: Populate the instance config + set_fact: + instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}" + + - name: Destroy molecule instance(s) + hcloud_server: + name: "{{ item.instance }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: absent + register: server + loop: "{{ instance_conf }}" + async: 7200 + poll: 0 + + - name: Wait for instance(s) deletion to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_jobs + until: hetzner_jobs.finished + retries: 300 + loop: "{{ server.results }}" + + - pause: + seconds: 5 + + - name: Destroy volume(s) + hcloud_volume: + name: "{{ item.instance }}" + server: "{{ item.instance }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: "absent" + register: volumes + loop: "{{ instance_conf }}" + when: item.volume | default(False) | bool + async: 7200 + poll: 0 + + - name: Wait for volume(s) deletion to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_volumes + until: hetzner_volumes.finished + retries: 300 + when: volumes.changed + loop: "{{ volumes.results }}" + + - name: Remove registered SSH key + hcloud_ssh_key: + name: "{{ instance_conf[0].ssh_key_name }}" + state: absent + when: (instance_conf | default([])) | length > 0 + + # Mandatory configuration for Molecule to function. + + - name: Populate instance config + set_fact: + instance_conf: {} + + - name: Dump instance config + copy: + content: | + # Molecule managed + + {{ instance_conf | to_nice_yaml(indent=2) }} + dest: "{{ molecule_instance_config }}" + when: server.changed | bool diff --git a/molecule/rocky8/molecule.yml b/molecule/rocky8/molecule.yml new file mode 100644 index 0000000..0b47461 --- /dev/null +++ b/molecule/rocky8/molecule.yml @@ -0,0 +1,24 @@ +--- +dependency: + name: galaxy + options: + role-file: molecule/requirements.yml + requirements-file: molecule/requirements.yml + env: + ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false" +driver: + name: delegated +platforms: + - name: rocky8-sshd + image: rocky-8 + server_type: cx11 +lint: | + /usr/local/bin/flake8 +provisioner: + name: ansible + env: + ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter} + ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library} + log: False +verifier: + name: testinfra diff --git a/molecule/rocky8/prepare.yml b/molecule/rocky8/prepare.yml new file mode 100644 index 0000000..183f4d3 --- /dev/null +++ b/molecule/rocky8/prepare.yml @@ -0,0 +1,15 @@ +--- +- name: Prepare + hosts: all + gather_facts: false + tasks: + - name: Bootstrap python for Ansible + raw: | + command -v python3 python || ( + (test -e /usr/bin/dnf && sudo dnf install -y python3) || + (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) || + (test -e /usr/bin/yum && sudo yum -y -qq install python3) || + echo "Warning: Python not boostrapped due to unknown platform." + ) + become: true + changed_when: false diff --git a/molecule/rocky8/tests/test_default.py b/molecule/rocky8/tests/test_default.py new file mode 100644 index 0000000..5460f39 --- /dev/null +++ b/molecule/rocky8/tests/test_default.py @@ -0,0 +1,16 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ["MOLECULE_INVENTORY_FILE"] +).get_hosts("all") + + +def test_sshd_config_file(host): + sshd = host.file("/etc/ssh/sshd_config") + + assert sshd.exists + assert sshd.user == "root" + assert sshd.group == "root" + assert sshd.mode == 0o600 diff --git a/tasks/ssh_default.yml b/tasks/ssh_default.yml index 8265a2a..a900068 100644 --- a/tasks/ssh_default.yml +++ b/tasks/ssh_default.yml @@ -1,4 +1,9 @@ --- +- name: Gather package facts + package_facts: + check_mode: False + when: sshd_disable_crypto_policy | bool + - block: - name: Hardening sshd config template: @@ -16,8 +21,9 @@ check_mode: no - name: Remove all small primes - shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ; - [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true + shell: + awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ; + [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true notify: __sshd_restart when: __sshd_register_moduli.stdout @@ -26,5 +32,16 @@ name: "{{ item }}" state: present loop: "{{ sshd_allow_groups }}" + + - name: Disable SSH server CRYPTO_POLICY + copy: + src: etc/sysconfig/sshd + dest: /etc/sysconfig/sshd + owner: "root" + group: "root" + mode: "0640" + when: + - sshd_disable_crypto_policy | bool + - ('crypto-policies' in ansible_facts.packages) become: True become_user: root diff --git a/tasks/ssh_univention.yml b/tasks/ssh_univention.yml index 7291dd2..a07d12f 100644 --- a/tasks/ssh_univention.yml +++ b/tasks/ssh_univention.yml @@ -5,18 +5,30 @@ path: "{{ item.path }}" value: "{{ item.value }}" loop: - - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" } - - { path: sshd/PermitEmptyPasswords, value: "{{ sshd_permit_empty_passwords | default('') }}" } - - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" } - - { path: sshd/passwordauthentication, value: "{{ sshd_password_authentication | default('') }}" } - - { path: sshd/challengeresponse, value: "{{ sshd_password_authentication | default('') }}" } - - { path: sshd/IgnoreRhosts, value: "{{ sshd_ignore_rhosts | default('') }}" } - - { path: sshd/HostbasedAuthentication, value: "{{ sshd_hostbased_authentication | default('') }}" } - - { path: sshd/ClientAliveInterval, value: "{{ sshd_client_alive_interval | default('') }}" } - - { path: sshd/ClientAliveCountMax, value: "{{ sshd_client_alive_count_max | default('') }}" } - - { path: sshd/Ciphers, value: "{{ sshd_ciphers | default('[]') | join(',') }}" } - - { path: sshd/KexAlgorithms, value: "{{ sshd_kex | default('[]') | join(',') }}" } - - { path: sshd/MACs, value: "{{ sshd_macs | default('[]') | join(',') }}" } + - path: sshd/permitroot + value: "{{ sshd_permit_root_login | default('') }}" + - path: sshd/PermitEmptyPasswords + value: "{{ sshd_permit_empty_passwords | default('') }}" + - path: sshd/permitroot + value: "{{ sshd_permit_root_login | default('') }}" + - path: sshd/passwordauthentication + value: "{{ sshd_password_authentication | default('') }}" + - path: sshd/challengeresponse + value: "{{ sshd_password_authentication | default('') }}" + - path: sshd/IgnoreRhosts + value: "{{ sshd_ignore_rhosts | default('') }}" + - path: sshd/HostbasedAuthentication + value: "{{ sshd_hostbased_authentication | default('') }}" + - path: sshd/ClientAliveInterval + value: "{{ sshd_client_alive_interval | default('') }}" + - path: sshd/ClientAliveCountMax + value: "{{ sshd_client_alive_count_max | default('') }}" + - path: sshd/Ciphers + value: "{{ sshd_ciphers | default('[]') | join(',') }}" + - path: sshd/KexAlgorithms + value: "{{ sshd_kex | default('[]') | join(',') }}" + - path: sshd/MACs + value: "{{ sshd_macs | default('[]') | join(',') }}" loop_control: label: "variable: {{ item.path }}={{ item.value }}" notify: __sshd_restart @@ -30,7 +42,7 @@ - name: Create SSH Usergroup group: name: "{{ item }}" - system: 'yes' + system: "yes" state: present loop: "{{ sshd_allow_groups }}" become: True diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2 index a6b8858..fdd9026 100644 --- a/templates/etc/ssh/sshd_config.j2 +++ b/templates/etc/ssh/sshd_config.j2 @@ -1,9 +1,8 @@ #jinja2: lstrip_blocks: True {{ ansible_managed | comment }} -# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. +# This is the sshd server system-wide configuration file. +# See sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin @@ -20,30 +19,31 @@ #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: +{% if ansible_distribution_major_version is version('8', '<') %} -# The default requires explicit activation of protocol 1 Protocol {{ sshd_protocol }} +{% endif %} -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none + +{% if not sshd_disable_crypto_policy | bool %} +# This system is following system-wide crypto policy. The changes to +# crypto properties (Ciphers, MACs, ...) will not have any effect here. +# They will be overridden by command-line options passed to the server +# on command line. +# Please, check manual pages for update-crypto-policies(8) and sshd_config(5). +{% else %} Ciphers {{ sshd_ciphers | join(',') }} KexAlgorithms {{ sshd_kex | join(',') }} MACs {{ sshd_macs | join(',') }} +{% endif %} # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV LogLevel {{ sshd_log_level }} @@ -59,7 +59,6 @@ AllowGroups {{ sshd_allow_groups|join(',') }} MaxAuthTries {{ sshd_max_auth_tries }} MaxSessions {{ sshd_max_sessions }} -#RSAAuthentication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 @@ -71,12 +70,7 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 HostbasedAuthentication {{ sshd_hostbased_authentication }} -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts {{ sshd_ignore_rhosts }} @@ -116,8 +110,8 @@ GSSAPICleanupCredentials no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several -# problems. +# WARNING: 'UsePAM no' is not supported on RH based systems and may +# cause several problems. UsePAM yes AllowAgentForwarding {{ sshd_allow_agent_forwarding }} @@ -131,12 +125,13 @@ X11Forwarding {{ sshd_x11_forwarding }} #PrintLastLog no TCPKeepAlive {{ sshd_tcp_keep_alive }} #UseLogin no +{% if ansible_distribution_major_version is version('8', '<') %} UsePrivilegeSeparation sandbox +{% endif %} #PermitUserEnvironment no Compression {{ sshd_compression }} ClientAliveInterval {{ sshd_client_alive_interval }} ClientAliveCountMax {{ sshd_client_alive_count_max }} -#ShowPatchLevel no UseDNS {{ sshd_use_dns }} #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 diff --git a/templates/etc/sysconfig/sshd.j2 b/templates/etc/sysconfig/sshd.j2 new file mode 100644 index 0000000..a32ac3a --- /dev/null +++ b/templates/etc/sysconfig/sshd.j2 @@ -0,0 +1,20 @@ +#jinja2: lstrip_blocks: True +{{ ansible_managed | comment }} + +# Configuration file for the sshd service. + +# The server keys are automatically generated if they are missing. +# To change the automatic creation, adjust sshd.service options for +# example using systemctl enable sshd-keygen@dsa.service to allow creation +# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key +# creation. + +# Do not change this option unless you have hardware random +# generator and you REALLY know what you are doing + +SSH_USE_STRONG_RNG=0 +# SSH_USE_STRONG_RNG=1 + +# System-wide crypto policy: +# To opt-out, uncomment the following line +CRYPTO_POLICY=