simp-beaker-helpers 1.19.4 → 1.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a44635bd8cc4cc1a091769b42837b03e7711e280ce4e81a261614ff95ca0241
-  data.tar.gz: afbf39be4623d4abb203efcf4215d931cba9366ee1252658918d382d5e6191fd
+  metadata.gz: 3223751413072f7e62097c273b72fa130bcc083701b418c5927bd97897a9f9c5
+  data.tar.gz: 89c0620294618b21000ff2b79504df5bbe27f199b0bd4eb17ed69ce987d12899
 SHA512:
-  metadata.gz: e2e6e7bf750cb1b75240583efa6ae766981fe82be3fcfa59e498198285c97901569fd4a17857328497b54c55fbc098504883b1be9b5239db2809ba8a3c80ed90
-  data.tar.gz: 20ad194cabcf61d8489efb238ff5d9590c76c3d6e2ea850431d2a51b7295720bf75a8deb48b752c942e0fe0ca8322e5591cf5b2718d69c6a88d923165661c65c
+  metadata.gz: 9179b27932ec80ecfddb09eb4ea2ba778c99513e31d341d7a85606f63ed85e152af7686b90f5e0a46ee11c50dd5aafe300f148069d6d4a87515fdb7e034fa8ed
+  data.tar.gz: a05d10fdcdc609bcc9e2886b19f856304b8b2386d0377ad0680c0d712a1d6fdad2619908267fc196f55dfaa5339452abc1638d428431d4ce4171689b017519d3

data/CHANGELOG.md

@@ -1,3 +1,18 @@
+### 1.20.0 / 2021-01-05
+* Added:
+  * A `enable_epel_on` function that follows the instructions on the EPEL
+    website to properly enable EPEL on hosts. May be disabled using
+    `BEAKER_enable_epel=no`.
+  * An Ubuntu nodeset to make sure our default settings don't destroy other
+    Linux systems.
+  * Added has_crypto_policies method for determining if crypto policies are
+    present on the SUT
+  * Added munge_ssh_crypto_policies to allow vagrant to SSH back into systems
+    with restrictive crypto policies (usually FIPS)
+* Fixed:
+  * Modify all crypto-policy backend files to support ssh-rsa keys
+  * Try harder when doing yum installations
+
 ### 1.19.4 / 2021-01-05
 * Fixed:
   * Only return a default empty string when `pfact_on` finds a `nil` value

data/lib/simp/beaker_helpers.rb

@@ -321,6 +321,19 @@ module Simp::BeakerHelpers
     pluginsync_on(suts) if opts[:pluginsync]
   end
 
+  def has_crypto_policies(sut)
+    file_exists_on(sut, '/etc/crypto-policies/config')
+  end
+
+  def munge_ssh_crypto_policies(sut, key_types=['ssh-rsa'])
+    if has_crypto_policies(sut)
+      on(sut, "yum update -y crypto-policies", :accept_all_exit_codes => true)
+
+      # Since we may be doing this prior to having a box flip into FIPS mode, we
+      # need to find and modify *all* of the affected policies
+      on( sut, %{sed --follow-symlinks -i 's/PubkeyAcceptedKeyTypes\\(.\\)/PubkeyAcceptedKeyTypes\\1#{key_types.join(',')},/' $( grep -L ssh-rsa $( find /etc/crypto-policies /usr/share/crypto-policies -type f -a \\( -name '*.txt' -o -name '*.config' \\) -exec grep -l PubkeyAcceptedKeyTypes {} \\; ) ) })
+    end
+  end
 
   # Configure and reboot SUTs into FIPS mode
   def enable_fips_mode_on( suts = hosts )
@@ -374,17 +387,14 @@ module Simp::BeakerHelpers
         on(sut, module_install_cmd)
       end
 
-      # Enable FIPS and then reboot to finish.
-      on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
-
       # Work around Vagrant and cipher restrictions in EL8+
       #
       # Hopefully, Vagrant will update the used ciphers at some point but who
       # knows when that will be
-      opensshserver_config = '/etc/crypto-policies/back-ends/opensshserver.config'
-      if file_exists_on(sut, opensshserver_config)
-        on(sut, "sed --follow-symlinks -i 's/PubkeyAcceptedKeyTypes=/PubkeyAcceptedKeyTypes=ssh-rsa,/' #{opensshserver_config}")
-      end
+      munge_ssh_crypto_policies(sut)
+
+      # Enable FIPS and then reboot to finish.
+      on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
 
       sut.reboot
     end
@@ -477,6 +487,45 @@ module Simp::BeakerHelpers
       repo_manifest = repo_manifest + %(\n#{repo_manifest_opts.join(",\n")}) + "\n}\n"
   end
 
+  # Enable EPEL if appropriate to do so and the system is online
+  #
+  # Can be disabled by setting BEAKER_enable_epel=no
+  def enable_epel_on(sut)
+    if ONLINE && (ENV['BEAKER_stringify_facts'] != 'no')
+      os_info = fact_on(sut, 'os')
+      os_maj_rel = os_info['release']['major']
+
+      # This is based on the official EPEL docs https://fedoraproject.org/wiki/EPEL
+      if ['RedHat', 'CentOS'].include?(os_info['name'])
+        on(
+          sut,
+          %{yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-#{os_maj_rel}.noarch.rpm},
+          :max_retries => 3,
+          :retry_interval => 10
+        )
+
+        if os_info['name'] == 'RedHat'
+          if os_maj_rel == '7'
+            on sut, %{subscription-manager repos --enable "rhel-*-optional-rpms"}
+            on sut, %{subscription-manager repos --enable "rhel-*-extras-rpms"}
+            on sut, %{subscription-manager repos --enable "rhel-ha-for-rhel-*-server-rpms"}
+          end
+
+          if os_maj_rel == '8'
+            on sut, %{subscription-manager repos --enable "codeready-builder-for-rhel-8-#{os_info['architecture']}-rpms"}
+          end
+        end
+
+        if os_info['name'] == 'CentOS'
+          if os_maj_rel == '8'
+            # 8.0 fallback
+            on sut, %{dnf config-manager --set-enabled powertools || dnf config-manager --set-enabled PowerTools}
+          end
+        end
+      end
+    end
+  end
+
   def linux_errata( sut )
     # We need to be able to flip between server and client without issue
     on sut, 'puppet resource group puppet gid=52'
@@ -562,6 +611,7 @@ module Simp::BeakerHelpers
       end
 
       enable_yum_repos_on(sut)
+      enable_epel_on(sut)
 
       # net-tools required for netstat utility being used by be_listening
       if fact_on(sut, 'operatingsystemmajrelease') == '7'
@@ -1246,11 +1296,21 @@ done
     # NOTE: Do *NOT* use puppet in this method since it may not be available yet
 
     if on(sut, 'rpm -q yum-utils', :accept_all_exit_codes => true).exit_code != 0
-      on(sut, 'yum -y install yum-utils')
+      on(
+        sut,
+        'yum -y install yum-utils',
+        :max_retries => 3,
+        :retry_interval => 10
+      )
     end
 
     if on(sut, 'rpm -q simp-release-community', :accept_all_exit_codes => true).exit_code != 0
-      on(sut, 'yum -y install "https://download.simp-project.com/simp-release-community.rpm"')
+      on(
+        sut,
+        'yum -y install "https://download.simp-project.com/simp-release-community.rpm"',
+        :max_retries => 3,
+        :retry_interval => 10
+      )
     end
 
     to_disable = disable.dup

data/lib/simp/beaker_helpers/constants.rb

@@ -17,7 +17,11 @@ module Simp::BeakerHelpers
     require 'open-uri'
 
     begin
-      ONLINE = true if open('http://google.com')
+      if URI.respond_to?(:open)
+        ONLINE = true if URI.open('http://google.com')
+      else
+        ONLINE = true if open('http://google.com')
+      end
     rescue
       ONLINE = false
     end

data/lib/simp/beaker_helpers/version.rb

@@ -1,5 +1,5 @@
 module Simp; end
 
 module Simp::BeakerHelpers
-  VERSION = '1.19.4'
+  VERSION = '1.20.0'
 end

data/spec/acceptance/nodesets/default.yml

@@ -6,21 +6,27 @@
   end
 -%>
 HOSTS:
-  server-el7:
+  el7:
     roles:
-      - server
-      - master
-      - default
       - el7
+      - master
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
 
-  server-el8:
+  el8:
+    roles:
+      - el8
+    platform: el-8-x86_64
+    box: centos/8
+    hypervisor: <%= hypervisor %>
+
+  el8-0:
     roles:
       - el8
     platform: el-8-x86_64
     box: centos/8
+    box_version: "1905.1"
     hypervisor: <%= hypervisor %>
 
 CONFIG:
@@ -30,3 +36,14 @@ CONFIG:
 <% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
   puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
 <% end -%>
+  ssh:
+    keepalive: true
+    keepalive_interval: 10
+    host_key:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:host_key].join("\n#{' '*6}- ") %>
+    kex:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:kex].join("\n#{' '*6}- ") %>
+    encryption:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:encryption].join("\n#{' '*6}- ") %>
+    hmac:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:hmac].join("\n#{' '*6}- ") %>

data/spec/acceptance/nodesets/ubuntu.yml

@@ -0,0 +1,20 @@
+<%
+  if ENV['BEAKER_HYPERVISOR']
+    hypervisor = ENV['BEAKER_HYPERVISOR']
+  else
+    hypervisor = 'vagrant'
+  end
+-%>
+HOSTS:
+  focal:
+    platform: ubuntu-20.04-x86_64
+    box: ubuntu/focal64
+    hypervisor: <%= hypervisor %>
+
+CONFIG:
+  log_level: verbose
+  type: aio
+  vagrant_memsize: 256
+<% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
+  puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
+<% end -%>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-beaker-helpers
 version: !ruby/object:Gem::Version
-  version: 1.19.4
+  version: 1.20.0
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-05 00:00:00.000000000 Z
+date: 2021-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: beaker
@@ -188,6 +188,7 @@ files:
 - lib/simp/rake/beaker.rb
 - simp-beaker-helpers.gemspec
 - spec/acceptance/nodesets/default.yml
+- spec/acceptance/nodesets/ubuntu.yml
 - spec/acceptance/suites/default/check_puppet_version_spec.rb
 - spec/acceptance/suites/default/enable_fips_spec.rb
 - spec/acceptance/suites/default/fixture_modules_spec.rb
@@ -241,6 +242,7 @@ specification_version: 4
 summary: beaker helper methods for SIMP
 test_files:
 - spec/acceptance/nodesets/default.yml
+- spec/acceptance/nodesets/ubuntu.yml
 - spec/acceptance/suites/default/check_puppet_version_spec.rb
 - spec/acceptance/suites/default/enable_fips_spec.rb
 - spec/acceptance/suites/default/fixture_modules_spec.rb