Add AlmaLinux 8 support (#308)

* Add AlmaLinux 8 support * Add support for stdlib 9 * Update other Puppet module dependencies * Add support for Puppet 8 * Drop support for Puppet 6 * Add missing Hiera data for AlmaLinux * Simplify repo gpg key logic to support AlmaLinux
simp · Oct 4, 2023 · a9b7953 · a9b7953
1 parent 1e9b410
commit a9b7953
Show file tree

Hide file tree

Showing 9 changed files with 227 additions and 38 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,10 @@
+* Tue Oct 03 2023 Steven Pritchard <steve@sicura.us> - 4.18.0
+- Add AlmaLinux 8 support
+- Add support for stdlib 9
+- Update other Puppet module dependencies
+- Add support for Puppet 8
+- Drop support for Puppet 6
+
 * Mon Jul 31 2023 Chris Tessmer <chris.tessmer@onyxpoint.com> - 4.17.0
 - Add RockyLinux 8 support
 

diff --git a/data/os/AlmaLinux-8.yaml b/data/os/AlmaLinux-8.yaml
@@ -0,0 +1,33 @@
+---
+simp::scenario::data::el8:
+  - rkhunter
+  - chrony
+simp::scenario_map:
+  one_shot: "%{alias('simp::scenario::data::el8')}"
+  simp: "%{alias('simp::scenario::data::el8')}"
+  simp_lite: "%{alias('simp::scenario::data::el8')}"
+simp::server::scenario_map:
+  poss: "%{alias('simp::scenario::data::el8')}"
+  simp: "%{alias('simp::scenario::data::el8')}"
+  simp_lite: "%{alias('simp::scenario::data::el8')}"
+
+simp::puppetdb::cipher_suites:
+  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+  - TLS_EMPTY_RENEGOTIATION_INFO_SCSV
diff --git a/data/os/AlmaLinux.yaml b/data/os/AlmaLinux.yaml
@@ -0,0 +1,150 @@
+#
+---
+simp::scenario_map:
+  none: []
+  poss:
+    - deferred_resources
+    - pupmod
+    - simp::scenario::poss
+
+  remote_access:
+    - deferred_resources
+    - pam::access
+    - pam::wheel
+    - pupmod
+    - resolv
+    - simp::admin
+    - simp::nsswitch
+    - simp::scenario::poss
+    - simp::sssd::client
+    - ssh
+
+  simp_lite:
+    # Shared with 'poss'
+    - pupmod
+    # Shared with 'simp'
+    - aide
+    - at
+    - auditd
+    - cron
+    - deferred_resources
+    - incron
+    - issue
+    - pam::access
+    - resolv
+    - simp::admin
+    - simp::base_apps
+    - simp::base_services
+    - simp::kmod_blacklist
+    - simp::mountpoints
+    - simp::nsswitch
+    - simp::prelink
+    - simp::scenario::base
+    - simp::sysctl
+    - simp::yum::schedule
+    - simp_rsyslog
+    - ssh
+    - swap
+    - timezone
+    - tuned
+    - useradd
+
+  simp:
+    # Shared with 'poss'
+    - pupmod
+    # Shared with 'simp_lite'
+    - aide
+    - at
+    - auditd
+    - cron
+    - deferred_resources
+    - incron
+    - issue
+    - pam::access
+    - resolv
+    - simp::admin
+    - simp::base_apps
+    - simp::base_services
+    - simp::kmod_blacklist
+    - simp::mountpoints
+    - simp::nsswitch
+    - simp::prelink
+    - simp::scenario::base
+    - simp::sysctl
+    - simp::yum::schedule
+    - simp_rsyslog
+    - ssh
+    - swap
+    - timezone
+    - tuned
+    - useradd
+    # These classes are only in 'simp'
+    - fips
+    - pam::wheel
+    - selinux
+    - svckill
+
+  one_shot:
+    # Shared with 'simp'
+    - aide
+    - at
+    - auditd
+    - cron
+    - deferred_resources
+    - incron
+    - issue
+    - pam::access
+    - pupmod
+    - resolv
+    - simp::admin
+    - simp::base_apps
+    - simp::base_services
+    - simp::kmod_blacklist
+    - simp::mountpoints
+    - simp::nsswitch
+    - simp::prelink
+    - simp::scenario::base
+    - simp::sysctl
+    - simp::yum::schedule
+    - simp_rsyslog
+    - ssh
+    - swap
+    - timezone
+    - tuned
+    - useradd
+    # These classes are only in 'one_shot'
+    - simp::one_shot
+
+simp::server::data:
+  - simp::server::rsync_shares
+  # Shared with 'poss'
+  - pupmod
+  # Shared with 'simp_lite'
+  - aide
+  - at
+  - cron
+  - deferred_resources
+  - incron
+  - issue
+  - pam::access
+  - resolv
+  - simp::admin
+  - simp::base_apps
+  - simp::base_services
+  - simp::kmod_blacklist
+  - simp::mountpoints
+  - simp::nsswitch
+  - simp::prelink
+  - simp::sysctl
+  - ssh
+  - swap
+  - timezone
+  - tuned
+  - useradd
+  - '--simp::scenario::base'
+  - '--auditd'
+  # These classes are only in 'simp'
+  - fips
+  - pam::wheel
+  - selinux
+  - svckill
diff --git a/functions/yum/repo/gpgkeys/simp.pp b/functions/yum/repo/gpgkeys/simp.pp
@@ -3,31 +3,18 @@
 # @return [Array<String>]
 #
 function simp::yum::repo::gpgkeys::simp() {
-  # Common keys, distributed in simp-gpgkeys
-  $_simp_gpgkeys = [
+  if $facts['os']['family'] != 'RedHat' or ($facts['os']['name'] in ['Fedora','Amazon']) {
+    fail("There are no Yumrepo GPG keys for OS '${facts['os']['name']}'")
+  }
+
+  [
+    # Common keys, distributed in simp-gpgkeys
     'RPM-GPG-KEY-puppet-20250406',
     'RPM-GPG-KEY-puppet',
     'RPM-GPG-KEY-puppetlabs',
     'RPM-GPG-KEY-SIMP-6',
     'RPM-GPG-KEY-PGDG-94',
-  ]
-
-  # keys needed by specific OSes
-  if $facts['os']['name'] in ['RedHat','CentOS','OracleLinux','Rocky'] {
-    case $facts['os']['release']['major'] {
-      '7':     { $_os_rel_gpgkeys = ['RPM-GPG-KEY-EPEL-7'] }
-      '8':     { $_os_rel_gpgkeys = ['RPM-GPG-KEY-EPEL-8'] }
-      default: { $_os_rel_gpgkeys = [] }
-    }
-
-    $_full_os_gpgkeys = case $facts['os']['name'] {
-      'RedHat':      { concat( $_os_rel_gpgkeys, 'RPM-GPG-KEY-redhat-release' ) }
-      'OracleLinux': { concat( $_os_rel_gpgkeys, 'RPM-GPG-KEY-oracle' ) }
-      'Rocky':       { concat( $_os_rel_gpgkeys, 'RPM-GPG-KEY-rockyofficial' ) }
-      default:       { $_os_rel_gpgkeys }
-    }
-  }
-  else { fail("There are no Yumrepo GPG keys for OS '${facts['os']['name']}'") }
-
-  concat( $_simp_gpgkeys, $_full_os_gpgkeys )
+    # keys needed by specific OSes
+    "RPM-GPG-KEY-EPEL-${facts['os']['release']['major']}",
+  ] + simp::yum::repo::gpgkeys::os_updates()
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -198,7 +198,7 @@
   #
   # in order to permit-non-SIMP OSes to use the `poss` scenario
 
-  if $scenario_map.has_key($scenario) {
+  if $scenario in $scenario_map {
     $_classlist = simp::knockout(union($scenario_map[$scenario], $classes))
     if ($_classlist.empty) {
       if ($classification_warning) {

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -44,7 +44,7 @@
 ) {
   simplib::module_metadata::assert($module_name, { 'blacklist' => ['Windows'] })
 
-  if $scenario_map.has_key($scenario) {
+  if $scenario in $scenario_map {
     $_included_classes = $simp_options::authselect ? {
       # In environments using authselect, we want to manage nsswitch.conf
       # with the authselect class instead of the nsswitch class 

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "simp-simp",
-  "version": "4.17.0",
+  "version": "4.18.0",
   "author": "SIMP Team",
   "summary": "default profiles for core SIMP installations",
   "license": "Apache-2.0",
@@ -17,27 +17,27 @@
   "dependencies": [
     {
       "name": "puppet/kmod",
-      "version_requirement": ">= 2.1.0 < 4.0.0"
+      "version_requirement": ">= 2.1.0 < 5.0.0"
     },
     {
-      "name": "herculesteam/augeasproviders_sysctl",
-      "version_requirement": ">= 2.2.0 < 3.0.0"
+      "name": "puppet/augeasproviders_sysctl",
+      "version_requirement": ">= 2.2.0 < 4.0.0"
     },
     {
       "name": "puppet/chrony",
-      "version_requirement": ">= 1.0.0 < 3.0.0"
+      "version_requirement": ">= 1.0.0 < 4.0.0"
     },
     {
       "name": "puppetlabs/concat",
-      "version_requirement": ">= 6.4.0 < 8.0.0"
+      "version_requirement": ">= 6.4.0 < 10.0.0"
     },
     {
       "name": "puppetlabs/puppetdb",
       "version_requirement": ">= 7.1.0 < 8.0.0"
     },
     {
       "name": "puppetlabs/stdlib",
-      "version_requirement": ">= 8.0.0 < 9.0.0"
+      "version_requirement": ">= 8.0.0 < 10.0.0"
     },
     {
       "name": "saz/timezone",
@@ -195,7 +195,7 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 6.22.1 < 8.0.0"
+      "version_requirement": ">= 7.0.0 < 9.0.0"
     }
   ],
   "operatingsystem_support": [
@@ -239,6 +239,12 @@
       "operatingsystemrelease": [
         "8"
       ]
+    },
+    {
+      "operatingsystem": "AlmaLinux",
+      "operatingsystemrelease": [
+        "8"
+      ]
     }
   ]
 }
diff --git a/spec/classes/00_classes/yum/repo/local_os_updates_spec.rb b/spec/classes/00_classes/yum/repo/local_os_updates_spec.rb
@@ -30,8 +30,10 @@
             gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-oracle"
           elsif os_name  == 'Rocky'
             gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-rockyofficial"
-          else
+          elsif os_name  == 'CentOS'
             gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}"
+          else
+            gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}"
           end
 
           if os_maj_rel <= '7'
@@ -64,9 +66,10 @@
               gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-oracle"
             elsif os_name  == 'Rocky'
               gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-rockyofficial"
-            else
-              #it should be CentOS.
+            elsif os_name  == 'CentOS'
               gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}"
+            else
+              gpgkey = "https://puppet.example.simp/yum/#{gpgkey_path}/RPM-GPG-KEY-#{os_name}"
             end
 
             if os_maj_rel <= '7'
@@ -124,8 +127,10 @@
             gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-oracle" }.join("\n    ")
           elsif os_name  == 'Rocky'
             gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-rockyofficial" }.join("\n    ")
-          else
+          elsif os_name  == 'CentOS'
             gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}" }.join("\n    ")
+          else
+            gpgkey = gpg_prefixes.map{|x| "#{x}/RPM-GPG-KEY-#{os_name}" }.join("\n    ")
           end
           gpgkey += "\n    #{arbitrary_url}/RPM-GPG-KEY-#{os_name}-#{os_maj_rel}"
 

diff --git a/spec/classes/00_classes/yum/repo/local_simp_spec.rb b/spec/classes/00_classes/yum/repo/local_simp_spec.rb
@@ -27,11 +27,12 @@
         {
            'RedHat-7'      => ['RPM-GPG-KEY-EPEL-7','RPM-GPG-KEY-redhat-release'],
            'OracleLinux-7' => ['RPM-GPG-KEY-EPEL-7','RPM-GPG-KEY-oracle'],
-           'CentOS-7'      => ['RPM-GPG-KEY-EPEL-7'],
+           'CentOS-7'      => ['RPM-GPG-KEY-EPEL-7','RPM-GPG-KEY-CentOS-7'],
            'RedHat-8'      => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-redhat-release'],
            'OracleLinux-8' => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-oracle'],
-           'CentOS-8'      => ['RPM-GPG-KEY-EPEL-8'],
+           'CentOS-8'      => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-CentOS-8'],
            'Rocky-8'       => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-rockyofficial'],
+           'AlmaLinux-8'   => ['RPM-GPG-KEY-EPEL-8','RPM-GPG-KEY-AlmaLinux'],
         }
       }