Merge pull request #56 from SUNET/pahol-fix-noble-eyaml

patch for broken eyaml in ubuntu24.04.

edit-secrets

@@ -67,6 +67,39 @@ function patch_broken_eyaml {
                next if @@plugins.include? spec
 
                dependency = spec.dependencies.find { |d| d.name == "hiera-eyaml" }
+EOF
+            fi
+        fi
+    fi
+
+    #
+    # Ubuntu 24.04 (noble) has a hiera-eyaml version that is incompatible with ruby 3.2+ (default in ubuntu24).
+    # This is fixed in hiera-eyaml version 3.3.0: https://github.com/voxpupuli/hiera-eyaml/pull/340/files
+    # https://github.com/voxpupuli/hiera-eyaml/blob/master/CHANGELOG.md
+    # But there is no modern version of hiera-eyaml packaged in debian or ubuntu.
+    # https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#filedirexists-removed
+    #
+
+    . /etc/os-release
+    if [ "${VERSION_CODENAME}" == "noble" ]; then
+        plugins_file="/usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb"
+        if [ -f $plugins_file ]; then
+            # We only want to try patching the file if it is the known broken version
+            bad_sum="59c6eb910ab2eb44f8c75aeaa79bff097038feb673b5c6bdccde23d9b2a393e2"
+            sum=$(sha256sum $plugins_file | awk '{print $1}')
+            if [ "$sum" == "$bad_sum" ]; then
+                patch --fuzz=0 --directory=/ --strip=0 <<'EOF'
+--- /usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb.orig	2022-06-11 16:30:10.000000000 +0000
++++ /usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb	2024-09-09 14:13:19.306342025 +0000
+@@ -59,7 +59,7 @@
+             Optimist::die "You must specify an eyaml file" if ARGV.empty?
+             options[:source] = :eyaml
+             options[:eyaml] = ARGV.shift
+-            if File.exists? options[:eyaml]
++            if File.exist? options[:eyaml]
+               begin
+                 options[:input_data] = File.read options[:eyaml]
+               rescue
 EOF
             fi
         fi

global/overlay/etc/puppet/hiera.yaml

@@ -21,7 +21,7 @@ hierarchy:
       pkcs7_public_key:  /etc/hiera/eyaml/public_certkey.pkcs7.pem
 
   - name: "Overrides per distribution"
-    path: "dist_%{::lsbdistcodename}_override.yaml"
+    path: "dist_%{facts.os.distro.codename}_override.yaml"
 
   - name: "Data common to whole environment"
     path: "common.yaml"

global/overlay/usr/local/bin/run-cosmos

@@ -67,14 +67,19 @@ fleetlock_lock() {
         # called.
         fleetlock_enable_unlock_service || return 1
         local fleetlock_group=""
+        local optional_args=()
         # shellcheck source=/dev/null
         . $FLEETLOCK_CONFIG || return 1
         if [ -z "$fleetlock_group" ]; then
             echo "Unable to set fleetlock_group"
             return 1
         fi
+        if [ -n "$fleetlock_lock_timeout" ]; then
+            optional_args+=("--timeout")
+            optional_args+=("$fleetlock_lock_timeout")
+        fi
         echo "Getting fleetlock lock"
-        $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock || return 1
+        $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock "${optional_args[@]}" || return 1
     fi
     return 0
 }
@@ -82,15 +87,20 @@ fleetlock_lock() {
 fleetlock_unlock() {
     if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
         local fleetlock_group=""
+        local optional_args=()
         # shellcheck source=/dev/null
         . $FLEETLOCK_CONFIG || return 1
         if [ -z "$fleetlock_group" ]; then
             echo "Unable to set fleetlock_group"
             return 1
         fi
+        if [ -n "$fleetlock_unlock_timeout" ]; then
+            optional_args+=("--timeout")
+            optional_args+=("$fleetlock_unlock_timeout")
+        fi
         machine_is_healthy || return 1
         echo "Releasing fleetlock lock"
-        $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock || return 1
+        $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock "${optional_args[@]}" || return 1
     fi
     return 0
 }

global/overlay/usr/local/bin/sunet-fleetlock

@@ -97,7 +97,10 @@ def do_fleetlock_request(
                 timeout=args.request_timeout,
                 auth=("", config[args.lock_group]["password"]),
             )
-        except requests.exceptions.ConnectionError as e:
+        except (
+            requests.exceptions.ConnectionError,
+            requests.exceptions.ReadTimeout,
+        ) as e:
             print(f"POST request failed: {e}")
             time.sleep(retry_sleep_delay)
             continue

global/post-tasks.d/010fix-ssh-perms

@@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
     if test `stat -t /root/.ssh/authorized_keys | cut -d\  -f5` != 0; then
 	chown root.root /root/.ssh/authorized_keys
     fi
-    if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
-	chmod 600 /root/.ssh/authorized_keys
+    if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
+	chmod 440 /root/.ssh/authorized_keys
     fi
 fi

global/post-tasks.d/014set-cosmos-permissions

@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+    test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+    exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+    args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"

global/pre-tasks.d/014set-cosmos-permissions

@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+    test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+    exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+    args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"

global/pre-tasks.d/015set-overlay-permissions

@@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
     exit 0
 fi
 
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+    args="-v"
+fi
+
 if [ -d "$MODEL_OVERLAY/root" ]; then
-    args=""
-    if [ "x$COSMOS_VERBOSE" = "xy" ]; then
-        args="-v"
-    fi
+    chown ${args} root:root "$MODEL_OVERLAY"/root
     chmod ${args} 0700 "$MODEL_OVERLAY"/root
 fi
+
+if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
+    chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
+    chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
+fi

global/pre-tasks.d/030puppet

@@ -13,7 +13,7 @@ if ! test -f "${stamp}" -a -f /usr/bin/puppet; then
     . /etc/os-release
 
     # Note: in posix shell, string comparison is done with a single =
-    if [ "${ID}" = "debian" ] && [ "${VERSION_ID}" -ge 12 ]; then
+    if [ "${ID}" = "debian" ] && [ "${VERSION_ID}" -ge 12 ] || ([ "${ID}" = "ubuntu" ] && $(dpkg --compare-versions ${VERSION_ID} ge 24.04)) ; then
       apt-get -y install \
           cron \
           puppet-module-camptocamp-augeas \