Do not run bastion for now on ubuntu24, SC-2522

2024-12-19 15:40:27 +01:00 · 2024-12-19 15:40:27 +01:00 · 73e5eb3486
commit 73e5eb3486
parent b94a601b37
1 changed files with 15 additions and 17 deletions
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@ -838,23 +838,21 @@ class sunetops {
     config => safe_hiera('sunetops_ssh_keys', {})
   }

-   # OS hardening
-  if $facts['networking']['hostname'] =~ /kvm/ {
-    class {'bastion':
-      fstab_fix_shm        => false,
-      sysctl_net_hardening => false,
-    }
-  } elsif $facts['networking']['hostname'] =~ /random/ {  # pollen requires exec on /tmp
-    class {'bastion':
-      fixperms_enable      => false,
-      fixperms_paranoia    => false,
-    }
-  } else {
-    class {'bastion':
-      fstab_fix_shm     => false,
-      fixperms_paranoia => true,
-    }
-  }
+
+  # OS hardening
+  # For now we skip this on ubuntu24, SC-2522
+  if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){
+   if $facts['networking']['hostname'] =~ /kvm/ {
+      class {'bastion':
+         fstab_fix_shm        => false,
+         sysctl_net_hardening => false,
+      }
+   } else {
+      class {'bastion':
+         fstab_fix_shm     => false,
+         fixperms_paranoia => true,
+      }
+   }
 }

 class konsulter {