(SIMP-7822) Add EPEL installer (#138)

* Added:
  * A `enable_epel_on` function that follows the instructions on the EPEL
    website to properly enable EPEL on hosts. May be disabled using
    `BEAKER_enable_epel=no`.
  * An `enable_epel_on` function that follows the instructions on the EPEL
    website to properly enable EPEL on hosts. May be disabled using
    `BEAKER_enable_epel=no`.
  * An Ubuntu nodeset to make sure our default settings don't destroy other
    Linux systems.
  * Ensure that crypto policies get updated across the board so that the
    order of FIPS enforcement is irrelevant.
* Fixed:
  * Workaround URI.open change in Ruby 3

SIMP-7822 #comment added EPEL installer for consistency.

Author: trevor-vaughan

CHANGELOG.md

@@ -1,3 +1,18 @@
+### 1.20.0 / 2021-01-05
+* Added:
+  * A `enable_epel_on` function that follows the instructions on the EPEL
+    website to properly enable EPEL on hosts. May be disabled using
+    `BEAKER_enable_epel=no`.
+  * An Ubuntu nodeset to make sure our default settings don't destroy other
+    Linux systems.
+  * Added has_crypto_policies method for determining if crypto policies are
+    present on the SUT
+  * Added munge_ssh_crypto_policies to allow vagrant to SSH back into systems
+    with restrictive crypto policies (usually FIPS)
+* Fixed:
+  * Modify all crypto-policy backend files to support ssh-rsa keys
+  * Try harder when doing yum installations
+
 ### 1.19.4 / 2021-01-05
 * Fixed:
   * Only return a default empty string when `pfact_on` finds a `nil` value

lib/simp/beaker_helpers.rb

@@ -321,6 +321,19 @@ def copy_fixture_modules_to( suts = hosts, opts = {})
     pluginsync_on(suts) if opts[:pluginsync]
   end
 
+  def has_crypto_policies(sut)
+    file_exists_on(sut, '/etc/crypto-policies/config')
+  end
+
+  def munge_ssh_crypto_policies(sut, key_types=['ssh-rsa'])
+    if has_crypto_policies(sut)
+      on(sut, "yum update -y crypto-policies", :accept_all_exit_codes => true)
+
+      # Since we may be doing this prior to having a box flip into FIPS mode, we
+      # need to find and modify *all* of the affected policies
+      on( sut, %{sed --follow-symlinks -i 's/PubkeyAcceptedKeyTypes\\(.\\)/PubkeyAcceptedKeyTypes\\1#{key_types.join(',')},/' $( grep -L ssh-rsa $( find /etc/crypto-policies /usr/share/crypto-policies -type f -a \\( -name '*.txt' -o -name '*.config' \\) -exec grep -l PubkeyAcceptedKeyTypes {} \\; ) ) })
+    end
+  end
 
   # Configure and reboot SUTs into FIPS mode
   def enable_fips_mode_on( suts = hosts )
@@ -374,17 +387,14 @@ def enable_fips_mode_on( suts = hosts )
         on(sut, module_install_cmd)
       end
 
-      # Enable FIPS and then reboot to finish.
-      on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
-
       # Work around Vagrant and cipher restrictions in EL8+
       #
       # Hopefully, Vagrant will update the used ciphers at some point but who
       # knows when that will be
-      opensshserver_config = '/etc/crypto-policies/back-ends/opensshserver.config'
-      if file_exists_on(sut, opensshserver_config)
-        on(sut, "sed --follow-symlinks -i 's/PubkeyAcceptedKeyTypes=/PubkeyAcceptedKeyTypes=ssh-rsa,/' #{opensshserver_config}")
-      end
+      munge_ssh_crypto_policies(sut)
+
+      # Enable FIPS and then reboot to finish.
+      on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
 
       sut.reboot
     end
@@ -477,6 +487,45 @@ def create_yum_resource( repo, metadata )
       repo_manifest = repo_manifest + %(\n#{repo_manifest_opts.join(",\n")}) + "\n}\n"
   end
 
+  # Enable EPEL if appropriate to do so and the system is online
+  #
+  # Can be disabled by setting BEAKER_enable_epel=no
+  def enable_epel_on(sut)
+    if ONLINE && (ENV['BEAKER_stringify_facts'] != 'no')
+      os_info = fact_on(sut, 'os')
+      os_maj_rel = os_info['release']['major']
+
+      # This is based on the official EPEL docs https://fedoraproject.org/wiki/EPEL
+      if ['RedHat', 'CentOS'].include?(os_info['name'])
+        on(
+          sut,
+          %{yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-#{os_maj_rel}.noarch.rpm},
+          :max_retries => 3,
+          :retry_interval => 10
+        )
+
+        if os_info['name'] == 'RedHat'
+          if os_maj_rel == '7'
+            on sut, %{subscription-manager repos --enable "rhel-*-optional-rpms"}
+            on sut, %{subscription-manager repos --enable "rhel-*-extras-rpms"}
+            on sut, %{subscription-manager repos --enable "rhel-ha-for-rhel-*-server-rpms"}
+          end
+
+          if os_maj_rel == '8'
+            on sut, %{subscription-manager repos --enable "codeready-builder-for-rhel-8-#{os_info['architecture']}-rpms"}
+          end
+        end
+
+        if os_info['name'] == 'CentOS'
+          if os_maj_rel == '8'
+            # 8.0 fallback
+            on sut, %{dnf config-manager --set-enabled powertools || dnf config-manager --set-enabled PowerTools}
+          end
+        end
+      end
+    end
+  end
+
   def linux_errata( sut )
     # We need to be able to flip between server and client without issue
     on sut, 'puppet resource group puppet gid=52'
@@ -562,6 +611,7 @@ def linux_errata( sut )
       end
 
       enable_yum_repos_on(sut)
+      enable_epel_on(sut)
 
       # net-tools required for netstat utility being used by be_listening
       if fact_on(sut, 'operatingsystemmajrelease') == '7'
@@ -1246,11 +1296,21 @@ def install_simp_repos(sut, disable = [])
     # NOTE: Do *NOT* use puppet in this method since it may not be available yet
 
     if on(sut, 'rpm -q yum-utils', :accept_all_exit_codes => true).exit_code != 0
-      on(sut, 'yum -y install yum-utils')
+      on(
+        sut,
+        'yum -y install yum-utils',
+        :max_retries => 3,
+        :retry_interval => 10
+      )
     end
 
     if on(sut, 'rpm -q simp-release-community', :accept_all_exit_codes => true).exit_code != 0
-      on(sut, 'yum -y install "https://download.simp-project.com/simp-release-community.rpm"')
+      on(
+        sut,
+        'yum -y install "https://download.simp-project.com/simp-release-community.rpm"',
+        :max_retries => 3,
+        :retry_interval => 10
+      )
     end
 
     to_disable = disable.dup

lib/simp/beaker_helpers/constants.rb

@@ -17,7 +17,11 @@ module Simp::BeakerHelpers
     require 'open-uri'
 
     begin
-      ONLINE = true if open('http://google.com')
+      if URI.respond_to?(:open)
+        ONLINE = true if URI.open('http://google.com')
+      else
+        ONLINE = true if open('http://google.com')
+      end
     rescue
       ONLINE = false
     end

lib/simp/beaker_helpers/version.rb

@@ -1,5 +1,5 @@
 module Simp; end
 
 module Simp::BeakerHelpers
-  VERSION = '1.19.4'
+  VERSION = '1.20.0'
 end

spec/acceptance/nodesets/default.yml

@@ -6,21 +6,27 @@
   end
 -%>
 HOSTS:
-  server-el7:
+  el7:
     roles:
-      - server
-      - master
-      - default
       - el7
+      - master
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
 
-  server-el8:
+  el8:
+    roles:
+      - el8
+    platform: el-8-x86_64
+    box: centos/8
+    hypervisor: <%= hypervisor %>
+
+  el8-0:
     roles:
       - el8
     platform: el-8-x86_64
     box: centos/8
+    box_version: "1905.1"
     hypervisor: <%= hypervisor %>
 
 CONFIG:
@@ -30,3 +36,14 @@ CONFIG:
 <% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
   puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
 <% end -%>
+  ssh:
+    keepalive: true
+    keepalive_interval: 10
+    host_key:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:host_key].join("\n#{' '*6}- ") %>
+    kex:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:kex].join("\n#{' '*6}- ") %>
+    encryption:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:encryption].join("\n#{' '*6}- ") %>
+    hmac:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:hmac].join("\n#{' '*6}- ") %>

spec/acceptance/nodesets/ubuntu.yml

@@ -0,0 +1,20 @@
+<%
+  if ENV['BEAKER_HYPERVISOR']
+    hypervisor = ENV['BEAKER_HYPERVISOR']
+  else
+    hypervisor = 'vagrant'
+  end
+-%>
+HOSTS:
+  focal:
+    platform: ubuntu-20.04-x86_64
+    box: ubuntu/focal64
+    hypervisor: <%= hypervisor %>
+
+CONFIG:
+  log_level: verbose
+  type: aio
+  vagrant_memsize: 256
+<% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
+  puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
+<% end -%>