From a9b7953c534e252b0ab99c78f70ebe476b5aa21c Mon Sep 17 00:00:00 2001
From: Steven Pritchard
Date: Wed, 4 Oct 2023 15:58:28 +0200
Subject: [PATCH] Add AlmaLinux 8 support (#308)
* Add AlmaLinux 8 support
* Add support for stdlib 9
* Update other Puppet module dependencies
* Add support for Puppet 8
* Drop support for Puppet 6
* Add missing Hiera data for AlmaLinux
* Simplify repo gpg key logic to support AlmaLinux
---
CHANGELOG | 7 +
data/os/AlmaLinux-8.yaml | 33 ++++
data/os/AlmaLinux.yaml | 150 ++++++++++++++++++
functions/yum/repo/gpgkeys/simp.pp | 31 ++--
manifests/init.pp | 2 +-
manifests/server.pp | 2 +-
metadata.json | 22 ++-
.../yum/repo/local_os_updates_spec.rb | 13 +-
.../00_classes/yum/repo/local_simp_spec.rb | 5 +-
9 files changed, 227 insertions(+), 38 deletions(-)
create mode 100644 data/os/AlmaLinux-8.yaml
create mode 100644 data/os/AlmaLinux.yaml
diff --git a/CHANGELOG b/CHANGELOG
index 7aba9a50..88ff03fb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,10 @@
+* Tue Oct 03 2023 Steven Pritchard - 4.18.0
+- Add AlmaLinux 8 support
+- Add support for stdlib 9
+- Update other Puppet module dependencies
+- Add support for Puppet 8
+- Drop support for Puppet 6
+
 * Mon Jul 31 2023 Chris Tessmer - 4.17.0
 - Add RockyLinux 8 support
diff --git a/data/os/AlmaLinux-8.yaml b/data/os/AlmaLinux-8.yaml
new file mode 100644
index 00000000..f8968bf3
--- /dev/null
+++ b/data/os/AlmaLinux-8.yaml
@@ -0,0 +1,33 @@
+---
+simp::scenario::data::el8:
+ - rkhunter
+ - chrony
+simp::scenario_map:
+ one_shot: "%{alias('simp::scenario::data::el8')}"
+ simp: "%{alias('simp::scenario::data::el8')}"
+ simp_lite: "%{alias('simp::scenario::data::el8')}"
+simp::server::scenario_map:
+ poss: "%{alias('simp::scenario::data::el8')}"
+ simp: "%{alias('simp::scenario::data::el8')}"
+ simp_lite: "%{alias('simp::scenario::data::el8')}"
+
+simp::puppetdb::cipher_suites:
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ - TLS_EMPTY_RENEGOTIATION_INFO_SCSV
diff --git a/data/os/AlmaLinux.yaml b/data/os/AlmaLinux.yaml
new file mode 100644
index 00000000..98af1323
--- /dev/null
+++ b/data/os/AlmaLinux.yaml
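Review bot: The new `simp::puppetdb::cipher_suites` list for AlmaLinux 8 keeps every CBC-mode suite (`TLS_*_CBC_SHA`, `_CBC_SHA256`, `_CBC_SHA384`) next to the AEAD GCM ones, so a PuppetDB client can still negotiate a SHA-1-MAC, non-AEAD suite; if this is a verbatim copy of the other EL8 data files that is consistent, but a freshly created file is the cheapest point at which to avoid carrying the legacy set forward. At minimum record the intent above the key, e.g. `# Kept in step with the other EL8 data files; CBC suites retained for client parity — revisit before trimming to the GCM set`. If the list is meant to be identical across EL8 variants it could also be aliased from a shared value, the way `simp::scenario_map` here reuses `simp::scenario::data::el8`, so a future trim happens in one place.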
@@ -0,0 +1,150 @@
+#
+---
+simp::scenario_map:
+ none: []
+ poss:
+ - deferred_resources
+ - pupmod
+ - simp::scenario::poss
+
+ remote_access:
+ - deferred_resources
+ - pam::access
+ - pam::wheel
+ - pupmod
+ - resolv
+ - simp::admin
+ - simp::nsswitch
+ - simp::scenario::poss
+ - simp::sssd::client
+ - ssh
+
+ simp_lite:
+ # Shared with 'poss'
+ - pupmod
+ # Shared with 'simp'
+ - aide
+ - at
+ - auditd
+ - cron
+ - deferred_resources
+ - incron
+ - issue
+ - pam::access
+ - resolv
+ - simp::admin
+ - simp::base_apps
+ - simp::base_services
+ - simp::kmod_blacklist
+ - simp::mountpoints
+ - simp::nsswitch
+ - simp::prelink
+ - simp::scenario::base
+ - simp::sysctl
+ - simp::yum::schedule
+ - simp_rsyslog
+ - ssh
+ - swap
+ - timezone
+ - tuned
+ - useradd
+
+ simp:
+ # Shared with 'poss'
+ - pupmod
+ # Shared with 'simp_lite'
+ - aide
+ - at
+ - auditd
+ - cron
+ - deferred_resources
+ - incron
+ - issue
+ - pam::access
+ - resolv
+ - simp::admin
+ - simp::base_apps
+ - simp::base_services
+ - simp::kmod_blacklist
+ - simp::mountpoints
+ - simp::nsswitch
+ - simp::prelink
+ - simp::scenario::base
+ - simp::sysctl
+ - simp::yum::schedule
+ - simp_rsyslog
+ - ssh
+ - swap
+ - timezone
+ - tuned
+ - useradd
+ # These classes are only in 'simp'
+ - fips
+ - pam::wheel
+ - selinux
+ - svckill
+
+ one_shot:
+ # Shared with 'simp'
+ - aide
+ - at
+ - auditd
+ - cron
+ - deferred_resources
+ - incron
+ - issue
+ - pam::access
+ - pupmod
+ - resolv
+ - simp::admin
+ - simp::base_apps
+ - simp::base_services
+ - simp::kmod_blacklist
+ - simp::mountpoints
+ - simp::nsswitch
+ - simp::prelink
+ - simp::scenario::base
+ - simp::sysctl
+ - simp::yum::schedule
+ - simp_rsyslog
+ - ssh
+ - swap
+ - timezone
+ - tuned
+ - useradd
+ # These classes are only in 'one_shot'
+ - simp::one_shot
+
+simp::server::data:
+ - simp::server::rsync_shares
+ # Shared with 'poss'
+ - pupmod
+ # Shared with 'simp_lite'
+ - aide
+ - at
+ - cron
+ - deferred_resources
+ - incron
+ - issue
+ - 
pam::access
+ - resolv
+ - simp::admin
+ - simp::base_apps
+ - simp::base_services
+ - simp::kmod_blacklist
+ - simp::mountpoints
+ - simp::nsswitch
+ - simp::prelink
+ - simp::sysctl
+ - ssh
+ - swap
+ - timezone
+ - tuned
+ - useradd
+ - '--simp::scenario::base'
+ - '--auditd'
+ # These classes are only in 'simp'
+ - fips
+ - pam::wheel
+ - selinux
+ - svckill
diff --git a/functions/yum/repo/gpgkeys/simp.pp b/functions/yum/repo/gpgkeys/simp.pp
index 099cdcc8..dbfad9b1 100644
--- a/functions/yum/repo/gpgkeys/simp.pp
+++ b/functions/yum/repo/gpgkeys/simp.pp
@@ -3,31 +3,18 @@
 # @return [Array]
 #
 function simp::yum::repo::gpgkeys::simp() {
- # Common keys, distributed in simp-gpgkeys
- $_simp_gpgkeys = [
+ if $facts['os']['family'] != 'RedHat' or ($facts['os']['name'] in ['Fedora','Amazon']) {
+ fail("There are no Yumrepo GPG keys for OS '${facts['os']['name']}'")
+ }
+
+ [
+ # Common keys, distributed in simp-gpgkeys
 'RPM-GPG-KEY-puppet-20250406',
 'RPM-GPG-KEY-puppet',
 'RPM-GPG-KEY-puppetlabs',
 'RPM-GPG-KEY-SIMP-6',
 'RPM-GPG-KEY-PGDG-94',
- ]
-
- # keys needed by specific OSes
- if $facts['os']['name'] in ['RedHat','CentOS','OracleLinux','Rocky'] {
- case $facts['os']['release']['major'] {
- '7': { $_os_rel_gpgkeys = ['RPM-GPG-KEY-EPEL-7'] }
- '8': { $_os_rel_gpgkeys = ['RPM-GPG-KEY-EPEL-8'] }
- default: { $_os_rel_gpgkeys = [] }
- }
-
- $_full_os_gpgkeys = case $facts['os']['name'] {
- 'RedHat': { concat( $_os_rel_gpgkeys, 'RPM-GPG-KEY-redhat-release' ) }
- 'OracleLinux': { concat( $_os_rel_gpgkeys, 'RPM-GPG-KEY-oracle' ) }
- 'Rocky': { concat( $_os_rel_gpgkeys, 'RPM-GPG-KEY-rockyofficial' ) }
- default: { $_os_rel_gpgkeys }
- }
- }
- else { fail("There are no Yumrepo GPG keys for OS '${facts['os']['name']}'") }
-
- concat( $_simp_gpgkeys, $_full_os_gpgkeys )
+ # keys needed by specific OSes
+ "RPM-GPG-KEY-EPEL-${facts['os']['release']['major']}",
+ ] + simp::yum::repo::gpgkeys::os_updates()
 }
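Review bot: The file opens with a bare `#` line before `---` that documents nothing; replace it with a one-line statement of what the file holds, e.g. `# Per-scenario class lists and server class data for AlmaLinux (all releases)`. The `simp_lite` and `simp` lists are identical apart from the four entries under `# These classes are only in 'simp'`, and `one_shot` repeats the same set again, so adding or removing a class now means editing three lists by hand; a shared list referenced through a Hiera alias, as `data/os/AlmaLinux-8.yaml` in this same commit does with `simp::scenario::data::el8`, would keep them from drifting. Whether this file is a verbatim copy of an existing EL data file is not visible in the diff, so I have not compared it.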
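Review bot: The rewritten `simp::yum::repo::gpgkeys::simp` now returns `RPM-GPG-KEY-EPEL-${facts['os']['release']['major']}` for every major release, whereas the removed `case` only produced an EPEL key for '7' and '8' and an empty list otherwise; on any other major a yumrepo will be pointed at a key file that may not exist in the served key directory, which is likely to surface as a GPG key-import failure rather than a skipped key. The OS guard has also flipped from an allow-list (`RedHat`, `CentOS`, `OracleLinux`, `Rocky`) to a deny-list (`family == 'RedHat'` minus `Fedora`/`Amazon`), so any other RedHat-family name now passes and its handling depends entirely on `simp::yum::repo::gpgkeys::os_updates()`, whose behaviour for an unrecognised OS is not visible here. If the wider range is intentional, state it in the doc comment — e.g. `# @return [Array] SIMP/Puppet keys, RPM-GPG-KEY-EPEL-<major> (assumed to exist for every supported major) and the OS release keys from os_updates()` — and add a spec case beyond majors 7 and 8; otherwise keep the old bound by concatenating a selector such as `$facts['os']['release']['major'] ? { /^(7|8)$/ => ["RPM-GPG-KEY-EPEL-${facts['os']['release']['major']}"], default => [] }` in place of the EPEL literal. The function's doc comment begins before the hunk.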
diff --git a/manifests/init.pp b/manifests/init.pp
index b6c46d18..cfb2869b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -198,7 +198,7 @@
 #
 # in order to permit-non-SIMP OSes to use the `poss` scenario
- if $scenario_map.has_key($scenario) {
+ if $scenario in $scenario_map {
 $_classlist = simp::knockout(union($scenario_map[$scenario], $classes))
 if ($_classlist.empty) {
 if ($classification_warning) {
diff --git a/manifests/server.pp b/manifests/server.pp
index 327240cb..fa6ef26d 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -44,7 +44,7 @@
 ) {
 simplib::module_metadata::assert($module_name, { 'blacklist' => ['Windows'] })
- if $scenario_map.has_key($scenario) {
+ if $scenario in $scenario_map {
 $_included_classes = $simp_options::authselect ? {
 # In environments using authselect, we want to manage nsswitch.conf
 # with the authselect class instead of the nsswitch class
diff --git a/metadata.json b/metadata.json
index 4643cee8..04f03817 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "simp-simp",
- "version": "4.17.0",
+ "version": "4.18.0",
 "author": "SIMP Team",
 "summary": "default profiles for core SIMP installations",
 "license": "Apache-2.0",
@@ -17,19 +17,19 @@
 "dependencies": [
 {
 "name": "puppet/kmod",
- "version_requirement": ">= 2.1.0 < 4.0.0"
+ "version_requirement": ">= 2.1.0 < 5.0.0"
 },
 {
- "name": "herculesteam/augeasproviders_sysctl",
- "version_requirement": ">= 2.2.0 < 3.0.0"
+ "name": "puppet/augeasproviders_sysctl",
+ "version_requirement": ">= 2.2.0 < 4.0.0"
 },
 {
 "name": "puppet/chrony",
- "version_requirement": ">= 1.0.0 < 3.0.0"
+ "version_requirement": ">= 1.0.0 < 4.0.0"
 },
 {
 "name": "puppetlabs/concat",
- "version_requirement": ">= 6.4.0 < 8.0.0"
+ "version_requirement": ">= 6.4.0 < 10.0.0"
 },
 {
 "name": "puppetlabs/puppetdb",
@@ -37,7 +37,7 @@
 },
 {
 "name": "puppetlabs/stdlib",
- "version_requirement": ">= 8.0.0 < 9.0.0"
+ "version_requirement": ">= 8.0.0 < 10.0.0"
 },
 {
 "name": "saz/timezone",
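Review bot: `if $scenario in $scenario_map {` is not a like-for-like replacement for `has_key`: with a String on the left, Puppet's `in` matches Hash keys using `==`, which is case-insensitive for strings, while the `$scenario_map[$scenario]` lookup on the next line is case-sensitive — this is from memory of the language semantics, so please confirm against the Puppet version you target. If it holds, a value such as `'SIMP'` passes the guard and `union` is handed `undef` for the first argument. An exact-match test that needs no stdlib function is `if $scenario_map[$scenario] =~ NotUndef {` (the `none: []` entry still matches, since an empty array is not undef), or constrain the `$scenario` parameter's type to the known keys. The same substitution is made in the `manifests/server.pp` hunk below; the enclosing class bodies start and end outside both hunks.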
@@ -195,7 +195,7 @@
 "requirements": [
 {
 "name": "puppet",
- "version_requirement": ">= 6.22.1 < 8.0.0"
+ "version_requirement": ">= 7.0.0 < 9.0.0"
 }
 ],
 "operatingsystem_support": [
@@ -239,6 +239,12 @@
 "operatingsystemrelease": [
 "8"
 ]
+ },
+ {
+ "operatingsystem": "AlmaLinux",
+ "operatingsystemrelease": [
+ "8"
+ ]
 }
 ]
 }
diff --git a/spec/classes/00_classes/yum/repo/local_os_updates_spec.rb b/spec/classes/00_classes/yum/repo/local_os_updates_spec.rb
index d2116450..3f13080b 100644
--- a/spec/classes/00_classes/yum/repo/local_os_updates_spec.rb
+++ b/spec/classes/00_classes/yum/repo/local_os_updates_spec.rb
@@ -30,8 +30,10 @@
 gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-oracle"
 elsif os_name == 'Rocky'
 gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-rockyofficial"
- else
+ elsif os_name == 'CentOS'
 gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}"
+ else
+ gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}"
 end
 if os_maj_rel <= '7'
@@ -64,9 +66,10 @@
 gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-oracle"
 elsif os_name == 'Rocky'
 gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-rockyofficial"
- else
- #it should be CentOS.
+ elsif os_name == 'CentOS'
 gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}"
+ else
+ gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}"
 end
 if os_maj_rel <= '7'
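Review bot: The new `elsif os_name == 'CentOS'` / `else` pair is repeated in all three hunks of this spec (`@@ -30`, `@@ -64` and `@@ -124`), so the expected release-key basename is now derived in three places and the next OS will need three edits; a tiny helper at the top of the file, `def os_release_key(os_name, os_maj_rel)` / `os_name == 'CentOS' ? "RPM-GPG-KEY-#{os_name}-#{os_maj_rel}" : "RPM-GPG-KEY-#{os_name}"` / `end`, would collapse each chain's tail to a single interpolation. In the third hunk the unchanged `gpgkey += "\n #{arbitrary_url}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}"` still appends the `-<major>` form for every OS, including AlmaLinux, which the new `else` branch no longer uses; that may well mirror what the manifest emits for an arbitrary URL, but it reads as an inconsistency and deserves either a comment saying so or a matching branch. The enclosing `context`/`it` blocks start and end outside each hunk.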
@@ -124,8 +127,10 @@
 gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-oracle" }.join("\n ")
 elsif os_name == 'Rocky'
 gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-rockyofficial" }.join("\n ")
- else
+ elsif os_name == 'CentOS'
 gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}" }.join("\n ")
+ else
+ gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-#{os_name}" }.join("\n ")
 end
 gpgkey += "\n #{arbitrary_url}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}"
diff --git a/spec/classes/00_classes/yum/repo/local_simp_spec.rb b/spec/classes/00_classes/yum/repo/local_simp_spec.rb
index 04e945ac..2fc70298 100644
--- a/spec/classes/00_classes/yum/repo/local_simp_spec.rb
+++ b/spec/classes/00_classes/yum/repo/local_simp_spec.rb
@@ -27,11 +27,12 @@
 {
 'RedHat-7' => ['RPM-GPG-KEY-EPEL-7','RPM-GPG-KEY-redhat-release'],
 'OracleLinux-7' => ['RPM-GPG-KEY-EPEL-7','RPM-GPG-KEY-oracle'],
- 'CentOS-7' => ['RPM-GPG-KEY-EPEL-7'],
+ 'CentOS-7' => ['RPM-GPG-KEY-EPEL-7','RPM-GPG-KEY-CentOS-7'],
 'RedHat-8' => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-redhat-release'],
 'OracleLinux-8' => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-oracle'],
- 'CentOS-8' => ['RPM-GPG-KEY-EPEL-8'],
+ 'CentOS-8' => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-CentOS-8'],
 'Rocky-8' => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-rockyofficial'],
+ 'AlmaLinux-8' => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-AlmaLinux'],
 }
 }
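Review bot: The updated expectations for `'CentOS-7'` and `'CentOS-8'` now include `RPM-GPG-KEY-CentOS-7` / `RPM-GPG-KEY-CentOS-8`, which the old table did not, so existing CentOS hosts will start importing an additional key from the local SIMP repo after this release; that is a behaviour change rather than the "simplify" the commit message describes, and the CHANGELOG entry in this commit does not mention it — a line such as `- CentOS hosts now also receive the CentOS release GPG key from the SIMP repo` would make it discoverable. The table also remains limited to majors 7 and 8 even though the rewritten `simp::yum::repo::gpgkeys::simp` no longer bounds the EPEL key to those releases, so nothing here exercises what the function returns for any other major. The enclosing `let`/`context` block starts and ends outside the hunk.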