From 73e5eb3486d47e29f74ab40aa14a4ff7964d993d Mon Sep 17 00:00:00 2001
From: Patrik Holmqvist
Date: Thu, 19 Dec 2024 15:40:27 +0100
Subject: [PATCH] Do not run bastion for now on ubuntu24, SC-2522
---
 .../etc/puppet/manifests/cosmos-site.pp | 32 +++++++++----------
 1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 670b655f..9dd23c16 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -838,23 +838,21 @@ class sunetops {
 config => safe_hiera('sunetops_ssh_keys', {})
 }
- # OS hardening
- if $facts['networking']['hostname'] =~ /kvm/ {
- class {'bastion':
- fstab_fix_shm => false,
- sysctl_net_hardening => false,
- }
- } elsif $facts['networking']['hostname'] =~ /random/ { # pollen requires exec on /tmp
- class {'bastion':
- fixperms_enable => false,
- fixperms_paranoia => false,
- }
- } else {
- class {'bastion':
- fstab_fix_shm => false,
- fixperms_paranoia => true,
- }
- }
+
+ # OS hardening
+ # For now we skip this on ubuntu24, SC-2522
+ if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){
+ if $facts['networking']['hostname'] =~ /kvm/ {
+ class {'bastion':
+ fstab_fix_shm => false,
+ sysctl_net_hardening => false,
+ }
+ } else {
+ class {'bastion':
+ fstab_fix_shm => false,
+ fixperms_paranoia => true,
+ }
+ }
 }
 class konsulter {
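Review bot: The new outer `if ($facts['os']['name'] == 'Ubuntu' and versioncmp(...) <= 0 ){` does not appear to be closed inside the hunk: the added lines end with the `}` of the inner `else`, so the unchanged `}` that used to close `class sunetops` now closes the `if`, and `class konsulter {` would start inside an unterminated class. The guard is also written as an allow-list, so any non-Ubuntu node that includes `sunetops` stops receiving the `bastion` hardening class, which is wider than the "ubuntu24" exemption named in the subject. Keeping hardening as the default and exempting only the affected release would read `unless ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '24.04') >= 0) {`, with a matching `}` after the inner `else` block. The `/random/` branch is dropped as well, so those hosts now fall through to `fixperms_paranoia => true` although the removed comment says pollen requires exec on /tmp; if that is intended, the commit message should say so. Because the hardening is now silently absent on the exempted nodes, the comment should state the condition for removing the exemption, not just the ticket id.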