diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2be633c..0dfd9cf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+### 1.20.0 / 2021-01-05
+* Added:
+ * A `enable_epel_on` function that follows the instructions on the EPEL
+ website to properly enable EPEL on hosts. May be disabled using
+ `BEAKER_enable_epel=no`.
+ * An Ubuntu nodeset to make sure our default settings don't destroy other
+ Linux systems.
+ * Added has_crypto_policies method for determining if crypto policies are
+ present on the SUT
+ * Added munge_ssh_crypto_policies to allow vagrant to SSH back into systems
+ with restrictive crypto policies (usually FIPS)
+* Fixed:
+ * Modify all crypto-policy backend files to support ssh-rsa keys
+ * Try harder when doing yum installations
+
 ### 1.19.4 / 2021-01-05
 * Fixed:
 * Only return a default empty string when `pfact_on` finds a `nil` value
diff --git a/lib/simp/beaker_helpers.rb b/lib/simp/beaker_helpers.rb
index 4268b05..fdd216d 100644
--- a/lib/simp/beaker_helpers.rb
+++ b/lib/simp/beaker_helpers.rb
@@ -321,6 +321,19 @@ def copy_fixture_modules_to( suts = hosts, opts = {})
 pluginsync_on(suts) if opts[:pluginsync]
 end
 
+ def has_crypto_policies(sut)
+ file_exists_on(sut, '/etc/crypto-policies/config')
+ end
+
+ def munge_ssh_crypto_policies(sut, key_types=['ssh-rsa'])
+ if has_crypto_policies(sut)
+ on(sut, "yum update -y crypto-policies", :accept_all_exit_codes => true)
+
+ # Since we may be doing this prior to having a box flip into FIPS mode, we
+ # need to find and modify *all* of the affected policies
+ on( sut, %{sed --follow-symlinks -i 's/PubkeyAcceptedKeyTypes\\(.\\)/PubkeyAcceptedKeyTypes\\1#{key_types.join(',')},/' $( grep -L ssh-rsa $( find /etc/crypto-policies /usr/share/crypto-policies -type f -a \\( -name '*.txt' -o -name '*.config' \\) -exec grep -l PubkeyAcceptedKeyTypes {} \\; ) ) })
+ end
+ end
 
 # Configure and reboot SUTs into FIPS mode
 def enable_fips_mode_on( suts = hosts )
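Review bot: The `sed` command added in `munge_ssh_crypto_policies` is fragile when the nested `find ... -exec grep -l` or `grep -L ssh-rsa` produces no file names (a second run on the same host, or a release whose back-ends no longer use `PubkeyAcceptedKeyTypes`): `grep -L` then falls back to stdin and `sed -i` most likely gets no input files or a bogus name and exits non-zero, and unlike the `yum update` line above it this `on()` has no `:accept_all_exit_codes`, so the whole run aborts. Capture the list first and skip the edit when empty, e.g. `files=$( grep -L ssh-rsa $( find ... ) ); [ -z "$files" ] || sed --follow-symlinks -i '...' $files`. `key_types` is also spliced raw into the sed expression, so a value containing `/` or `&` would corrupt the substitution; a guard, or a comment that only plain key-type names are accepted, would help. Finally, a header comment should state plainly that this re-enables the SHA-1-based `ssh-rsa` scheme in every crypto-policy back-end, including the FIPS ones under `/usr/share/crypto-policies`, as a Vagrant workaround for test hosts only, never for production images.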
@@ -374,17 +387,14 @@ def enable_fips_mode_on( suts = hosts )
 on(sut, module_install_cmd)
 end
 
- # Enable FIPS and then reboot to finish.
- on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
-
 # Work around Vagrant and cipher restrictions in EL8+
 #
 # Hopefully, Vagrant will update the used ciphers at some point but who
 # knows when that will be
- opensshserver_config = '/etc/crypto-policies/back-ends/opensshserver.config'
- if file_exists_on(sut, opensshserver_config)
- on(sut, "sed --follow-symlinks -i 's/PubkeyAcceptedKeyTypes=/PubkeyAcceptedKeyTypes=ssh-rsa,/' #{opensshserver_config}")
- end
+ munge_ssh_crypto_policies(sut)
+
+ # Enable FIPS and then reboot to finish.
+ on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
 
 sut.reboot
 end
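Review bot: The surviving comment `# Work around Vagrant and cipher restrictions in EL8+` no longer describes the line now under it: `munge_ssh_crypto_policies(sut)` runs on every host that has `/etc/crypto-policies/config`, before FIPS is switched on, and rewrites all policy back-ends rather than only `opensshserver.config` as the removed code did. Replace it with something like `# Re-permit ssh-rsa in every crypto-policy back-end before flipping FIPS so Vagrant can still SSH in after the reboot (test-harness weakening, not for production)`, and mention that the host keeps the loosened policy even if the following `puppet apply` fails. `enable_fips_mode_on` starts before this hunk and continues past it; its header comment `# Configure and reboot SUTs into FIPS mode` should also name this side effect.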
@@ -477,6 +487,45 @@ def create_yum_resource( repo, metadata )
 repo_manifest = repo_manifest + %(\n#{repo_manifest_opts.join(",\n")}) + "\n}\n"
 end
 
+ # Enable EPEL if appropriate to do so and the system is online
+ #
+ # Can be disabled by setting BEAKER_enable_epel=no
+ def enable_epel_on(sut)
+ if ONLINE && (ENV['BEAKER_stringify_facts'] != 'no')
+ os_info = fact_on(sut, 'os')
+ os_maj_rel = os_info['release']['major']
+
+ # This is based on the official EPEL docs https://fedoraproject.org/wiki/EPEL
+ if ['RedHat', 'CentOS'].include?(os_info['name'])
+ on(
+ sut,
+ %{yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-#{os_maj_rel}.noarch.rpm},
+ :max_retries => 3,
+ :retry_interval => 10
+ )
+
+ if os_info['name'] == 'RedHat'
+ if os_maj_rel == '7'
+ on sut, %{subscription-manager repos --enable "rhel-*-optional-rpms"}
+ on sut, %{subscription-manager repos --enable "rhel-*-extras-rpms"}
+ on sut, %{subscription-manager repos --enable "rhel-ha-for-rhel-*-server-rpms"}
+ end
+
+ if os_maj_rel == '8'
+ on sut, %{subscription-manager repos --enable "codeready-builder-for-rhel-8-#{os_info['architecture']}-rpms"}
+ end
+ end
+
+ if os_info['name'] == 'CentOS'
+ if os_maj_rel == '8'
+ # 8.0 fallback
+ on sut, %{dnf config-manager --set-enabled powertools || dnf config-manager --set-enabled PowerTools}
+ end
+ end
+ end
+ end
+ end
+
 def linux_errata( sut )
 # We need to be able to flip between server and client without issue
 on sut, 'puppet resource group puppet gid=52'
@@ -562,6 +611,7 @@ def linux_errata( sut )
 end
 
 enable_yum_repos_on(sut)
+ enable_epel_on(sut)
 
 # net-tools required for netstat utility being used by be_listening
 if fact_on(sut, 'operatingsystemmajrelease') == '7'
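Review bot: `enable_epel_on` never consults `BEAKER_enable_epel`, although its own header comment (`# Can be disabled by setting BEAKER_enable_epel=no`) and the changelog promise that switch; the guard actually tests `ENV['BEAKER_stringify_facts'] != 'no'`, so the documented opt-out is silently ignored and EPEL is always added on online RedHat/CentOS hosts. Add `return if ENV['BEAKER_enable_epel'] == 'no'` as the first statement; if the stringify-facts condition is intentional (its reason is not visible here), keep it but comment why. A smaller point: `yum install -y https://dl.fedoraproject.org/.../epel-release-latest-#{os_maj_rel}.noarch.rpm` installs a package fetched by URL, and yum/dnf do not GPG-verify URL or local packages unless `localpkg_gpgcheck=1`, so TLS is the only integrity check on that download; acceptable for a test harness, but worth one comment line so the pattern is not copied elsewhere.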
@@ -1246,11 +1296,21 @@ def install_simp_repos(sut, disable = [])
 
 # NOTE: Do *NOT* use puppet in this method since it may not be available yet
 if on(sut, 'rpm -q yum-utils', :accept_all_exit_codes => true).exit_code != 0
- on(sut, 'yum -y install yum-utils')
+ on(
+ sut,
+ 'yum -y install yum-utils',
+ :max_retries => 3,
+ :retry_interval => 10
+ )
 end
 
 if on(sut, 'rpm -q simp-release-community', :accept_all_exit_codes => true).exit_code != 0
- on(sut, 'yum -y install "https://download.simp-project.com/simp-release-community.rpm"')
+ on(
+ sut,
+ 'yum -y install "https://download.simp-project.com/simp-release-community.rpm"',
+ :max_retries => 3,
+ :retry_interval => 10
+ )
 end
 
 to_disable = disable.dup
diff --git a/lib/simp/beaker_helpers/constants.rb b/lib/simp/beaker_helpers/constants.rb
index 04a3dc3..43b818c 100644
--- a/lib/simp/beaker_helpers/constants.rb
+++ b/lib/simp/beaker_helpers/constants.rb
@@ -17,7 +17,11 @@ module Simp::BeakerHelpers
 require 'open-uri'
 
 begin
- ONLINE = true if open('http://google.com')
+ if URI.respond_to?(:open)
+ ONLINE = true if URI.open('http://google.com')
+ else
+ ONLINE = true if open('http://google.com')
+ end
 rescue
 ONLINE = false
 end
diff --git a/lib/simp/beaker_helpers/version.rb b/lib/simp/beaker_helpers/version.rb
index a9bdea3..a5665c9 100644
--- a/lib/simp/beaker_helpers/version.rb
+++ b/lib/simp/beaker_helpers/version.rb
@@ -1,5 +1,5 @@
 module Simp; end
 
 module Simp::BeakerHelpers
- VERSION = '1.19.4'
+ VERSION = '1.20.0'
 end
diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml
index 496ad59..174cc29 100644
--- a/spec/acceptance/nodesets/default.yml
+++ b/spec/acceptance/nodesets/default.yml
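Review bot: In the `constants.rb` hunk, `URI.open('http://google.com')` and the legacy `open(...)` fallback return an IO or Tempfile that is never closed, because the result is only used for its truthiness. The block form releases the handle and still yields the value the modifier `if` needs, e.g. `ONLINE = true if URI.open('http://google.com') { true }`, and the same form works for the `open` branch. Note also that this probe runs at require time against a plain `http://` URL, so any proxy or captive portal answering 200 marks the harness online; presumably fine for a reachability check, but a one-line comment saying so would stop the next reader from "fixing" it.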
@@ -6,21 +6,27 @@
 end
 -%>
 HOSTS:
- server-el7:
+ el7:
 roles:
- - server
- - master
- - default
 - el7
+ - master
 platform: el-7-x86_64
 box: centos/7
 hypervisor: <%= hypervisor %>
 
- server-el8:
+ el8:
+ roles:
+ - el8
+ platform: el-8-x86_64
+ box: centos/8
+ hypervisor: <%= hypervisor %>
+
+ el8-0:
 roles:
 - el8
 platform: el-8-x86_64
 box: centos/8
+ box_version: "1905.1"
 hypervisor: <%= hypervisor %>
 
 CONFIG:
@@ -30,3 +36,14 @@ CONFIG:
 <% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
 puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
 <% end -%>
+ ssh:
+ keepalive: true
+ keepalive_interval: 10
+ host_key:
+ - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:host_key].join("\n#{' '*6}- ") %>
+ kex:
+ - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:kex].join("\n#{' '*6}- ") %>
+ encryption:
+ - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:encryption].join("\n#{' '*6}- ") %>
+ hmac:
+ - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:hmac].join("\n#{' '*6}- ") %>
diff --git a/spec/acceptance/nodesets/ubuntu.yml b/spec/acceptance/nodesets/ubuntu.yml
new file mode 100644
index 0000000..f0fdf50
--- /dev/null
+++ b/spec/acceptance/nodesets/ubuntu.yml
@@ -0,0 +1,20 @@
+<%
+ if ENV['BEAKER_HYPERVISOR']
+ hypervisor = ENV['BEAKER_HYPERVISOR']
+ else
+ hypervisor = 'vagrant'
+ end
+-%>
+HOSTS:
+ focal:
+ platform: ubuntu-20.04-x86_64
+ box: ubuntu/focal64
+ hypervisor: <%= hypervisor %>
+
+CONFIG:
+ log_level: verbose
+ type: aio
+ vagrant_memsize: 256
+<% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
+ puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
+<% end -%>
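Review bot: The new `ssh:` block in `default.yml` hands Beaker the entire `Net::SSH::Transport::Algorithms::ALGORITHMS` list for `host_key`, `kex`, `encryption` and `hmac`, which in the net-ssh versions I know is the full supported set rather than the default-enabled one: it includes legacy entries net-ssh keeps off by default such as `ssh-dss`, `diffie-hellman-group1-sha1`, the arcfour/3des-cbc ciphers, `hmac-md5`, and in some versions `none` for encryption and hmac. The changelog explains this is meant to reach FIPS-restricted SUTs, but the same lists let any server negotiate the harness down to those weak or null algorithms, so prefer enumerating only the FIPS-approved entries you actually need instead of the whole array. Whatever list stays, add a comment above `ssh:` such as `# Deliberately widens the client algorithm lists so Vagrant/Beaker can reach SUTs with restrictive (FIPS) crypto policies; test fixture only, do not copy into production tooling`. The ERB also presumes `Net::SSH` is already loaded when the nodeset is rendered; that is presumably true under Beaker, but worth confirming since a bare `NameError` here would be confusing.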