From d14359563bf36296c547d2ce8cff21765d8ef8ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Camu=C3=B1as?=
Date: Wed, 3 Apr 2024 14:36:10 +0200
Subject: [PATCH 1/5] Support Debian 12
---
README.md | 1 +
data/os/Debian/12.yaml | 31 +++++++++++++++++++
manifests/init.pp | 4 +--
metadata.json | 3 +-
spec/acceptance/nodesets/debian-12.yml | 27 ++++++++++++++++
.../debian-12-x86_64-pam_common_account | 5 +++
.../fixtures/debian-12-x86_64-pam_common_auth | 5 +++
.../debian-12-x86_64-pam_common_password | 5 +++
.../debian-12-x86_64-pam_common_session | 7 +++++
...2-x86_64-pam_common_session_noninteractive | 7 +++++
spec/fixtures/debian-12-x86_64-pam_d_login | 18 +++++++++++
spec/fixtures/debian-12-x86_64-pam_d_sshd | 16 ++++++++++
templates/login.debian10.erb | 19 ++++++++++++
templates/login.debian12.erb | 18 +++++++++++
templates/sshd.debian10.erb | 18 +++++++++++
templates/sshd.debian12.erb | 18 +++++++++++
16 files changed, 199 insertions(+), 3 deletions(-)
create mode 100644 data/os/Debian/12.yaml
create mode 100644 spec/acceptance/nodesets/debian-12.yml
create mode 100644 spec/fixtures/debian-12-x86_64-pam_common_account
create mode 100644 spec/fixtures/debian-12-x86_64-pam_common_auth
create mode 100644 spec/fixtures/debian-12-x86_64-pam_common_password
create mode 100644 spec/fixtures/debian-12-x86_64-pam_common_session
create mode 100644 spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive
create mode 100644 spec/fixtures/debian-12-x86_64-pam_d_login
create mode 100644 spec/fixtures/debian-12-x86_64-pam_d_sshd
create mode 100644 templates/login.debian10.erb
create mode 100644 templates/login.debian12.erb
create mode 100644 templates/sshd.debian10.erb
create mode 100644 templates/sshd.debian12.erb
diff --git a/README.md b/README.md
index 87a8fbab..493217ba 100644
--- a/README.md
+++ b/README.md
@@ -277,6 +277,7 @@ module aims to support the current and previous major Puppet versions.
 * Amazon Linux 2
 * Debian 10
 * Debian 11
+ * Debian 12
 * Ubuntu 20.04 LTS
 * Ubuntu 22.04 LTS
diff --git a/data/os/Debian/12.yaml b/data/os/Debian/12.yaml
new file mode 100644
index 00000000..b7191b33
--- /dev/null
+++ b/data/os/Debian/12.yaml
@@ -0,0 +1,31 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix: ~
+pam::common_files:
+ - common_account
+ - common_auth
+ - common_password
+ - common_session
+ - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian12.erb
+pam::pam_d_sshd_template: pam/sshd.debian12.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+ - 'auth [success=1 default=ignore] pam_unix.so nullok'
+ - 'auth requisite pam_deny.so'
+ - 'auth required pam_permit.so'
+pam::pam_account_lines:
+ - 'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so'
+ - 'account requisite pam_deny.so'
+ - 'account required pam_permit.so'
+pam::pam_password_lines:
+ - 'password [success=1 default=ignore] pam_unix.so obscure yescrypt'
+ - 'password requisite pam_deny.so'
+ - 'password required pam_permit.so'
+pam::pam_session_lines:
+ - 'session [default=1] pam_permit.so'
+ - 'session requisite pam_deny.so'
+ - 'session required pam_permit.so'
+ - 'session required pam_unix.so'
+ - 'session optional pam_systemd.so'
diff --git a/manifests/init.pp b/manifests/init.pp
index fc5f78b1..1bc059ad 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
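Review bot: The `pam::pam_auth_lines` entry in data/os/Debian/12.yaml carries `nullok` on pam_unix.so, which lets an account whose password field is empty authenticate without a password; that mirrors Debian 12's stock common-auth, but a module that manages authentication policy should record the reason where the value is set, because users hardening a host will otherwise read it as an oversight. Consider a YAML comment directly above the key, `# nullok follows Debian 12's stock common-auth; override pam::pam_auth_lines in site data to drop it`, and a similar one on `pam::pam_password_lines` noting that `yescrypt` is the Debian 12 default hash. The README entry added in the hunk above could carry the same sentence so it is visible without opening the data file.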
@@ -266,8 +266,8 @@
 fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 9, 10, 11, 12, 13 or 15")
 }
- if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10', '11']) {
- fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10 or 11")
+ if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10','11','12']) {
+ fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10, 11 or 12")
 }
 if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {
diff --git a/metadata.json b/metadata.json
index 496a34fa..1c09d711 100644
--- a/metadata.json
+++ b/metadata.json
@@ -27,7 +27,8 @@
 {
 "operatingsystem": "Debian",
 "operatingsystemrelease": [
- "11"
+ "11",
+ "12"
 ]
 },
 {
diff --git a/spec/acceptance/nodesets/debian-12.yml b/spec/acceptance/nodesets/debian-12.yml
new file mode 100644
index 00000000..958971be
--- /dev/null
+++ b/spec/acceptance/nodesets/debian-12.yml
@@ -0,0 +1,27 @@
+HOSTS:
+ debian12:
+ roles:
+ - agent
+ platform: debian-12-amd64
+ hypervisor: docker
+ image: debian:12
+ docker_preserve_image: true
+ docker_cmd:
+ - '/sbin/init'
+ docker_image_commands:
+ - 'apt-get install -y wget net-tools systemd-sysv locales apt-transport-https ca-certificates'
+ - 'echo "LC_ALL=en_US.UTF-8" >> /etc/environment'
+ - 'echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen'
+ - 'echo "LANG=en_US.UTF-8" > /etc/locale.conf'
+ - 'locale-gen en_US.UTF-8'
+ docker_env:
+ - LANG=en_US.UTF-8
+ - LANGUAGE=en_US.UTF-8
+ - LC_ALL=en_US.UTF-8
+ docker_container_name: 'pam-debian12'
+CONFIG:
+ log_level: debug
+ type: foss
+ssh:
+ password: root
+ auth_methods: ["password"]
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_account b/spec/fixtures/debian-12-x86_64-pam_common_account
new file mode 100644
index 00000000..9d331866
--- /dev/null
+++ b/spec/fixtures/debian-12-x86_64-pam_common_account
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_auth b/spec/fixtures/debian-12-x86_64-pam_common_auth
new file mode 100644
index 00000000..164cc8a7
--- /dev/null
+++ b/spec/fixtures/debian-12-x86_64-pam_common_auth
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth [success=1 default=ignore] pam_unix.so nullok
+auth requisite pam_deny.so
+auth required pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_password b/spec/fixtures/debian-12-x86_64-pam_common_password
new file mode 100644
index 00000000..79ee972b
--- /dev/null
+++ b/spec/fixtures/debian-12-x86_64-pam_common_password
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password [success=1 default=ignore] pam_unix.so obscure yescrypt
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_session b/spec/fixtures/debian-12-x86_64-pam_common_session
new file mode 100644
index 00000000..891ecdc4
--- /dev/null
+++ b/spec/fixtures/debian-12-x86_64-pam_common_session
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session required pam_unix.so
+session optional pam_systemd.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive b/spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive
new file mode 100644
index 00000000..891ecdc4
--- /dev/null
+++ b/spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session required pam_unix.so
+session optional pam_systemd.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_d_login b/spec/fixtures/debian-12-x86_64-pam_d_login
new file mode 100644
index 00000000..6a09e6a1
--- /dev/null
+++ b/spec/fixtures/debian-12-x86_64-pam_d_login
@@ -0,0 +1,18 @@
+auth optional pam_faildelay.so delay=3000000
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/spec/fixtures/debian-12-x86_64-pam_d_sshd b/spec/fixtures/debian-12-x86_64-pam_d_sshd
new file mode 100644
index 00000000..f587e208
--- /dev/null
+++ b/spec/fixtures/debian-12-x86_64-pam_d_sshd
@@ -0,0 +1,16 @@
+@include common-auth
+account required pam_nologin.so
+account required pam_access.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so # [1]
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password
diff --git a/templates/login.debian10.erb b/templates/login.debian10.erb
new file mode 100644
index 00000000..3681d2d8
--- /dev/null
+++ b/templates/login.debian10.erb
@@ -0,0 +1,19 @@
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
\ No newline at end of file
diff --git a/templates/login.debian12.erb b/templates/login.debian12.erb
new file mode 100644
index 00000000..6a09e6a1
--- /dev/null
+++ b/templates/login.debian12.erb
@@ -0,0 +1,18 @@
+auth optional pam_faildelay.so delay=3000000
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/templates/sshd.debian10.erb b/templates/sshd.debian10.erb
new file mode 100644
index 00000000..4cce9a26
--- /dev/null
+++ b/templates/sshd.debian10.erb
@@ -0,0 +1,18 @@
+@include common-auth
+account required pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account <%= @sshd_pam_access %> pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so # [1]
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password
diff --git a/templates/sshd.debian12.erb b/templates/sshd.debian12.erb
new file mode 100644
index 00000000..4cce9a26
--- /dev/null
+++ b/templates/sshd.debian12.erb
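Review bot: templates/login.debian12.erb omits the `pam_securetty.so` auth line that templates/login.debian10.erb, added just before it in this patch, still carries, and nothing in the patch records why; a reader diffing the two templates will take it for an accidental omission that drops the root console-tty restriction. As far as I know this matches what Debian 12 ships in /etc/pam.d/login (the bookworm login package no longer consults /etc/securetty), but that should be stated where it is decided. Add an ERB comment at the top of the template, `<%# Debian 12's login package dropped pam_securetty from /etc/pam.d/login; this follows the distro default -%>`, which renders to nothing so the spec fixture stays valid, or put the sentence in the README's Debian 12 entry.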
@@ -0,0 +1,18 @@
+@include common-auth
+account required pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account <%= @sshd_pam_access %> pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so # [1]
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password
From eb67aa39b8d6247c0880f741a45513bcb3a8fc8d Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt
Date: Mon, 30 Dec 2024 17:08:57 -0500
Subject: [PATCH 2/5] Remove trailing whitespace
---
.devcontainer/README.md | 4 ++--
manifests/faillock.pp | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.devcontainer/README.md b/.devcontainer/README.md
index a7193616..9839fb0a 100644
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -1,11 +1,11 @@
 # devcontainer
-For format details, see https://aka.ms/devcontainer.json.
+For format details, see https://aka.ms/devcontainer.json.
 For config options, see the README at:
 https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet
-
+
 ``` json
 {
 "name": "Puppet Development Kit (Community)",
diff --git a/manifests/faillock.pp b/manifests/faillock.pp
index 16a99bd2..0aabe587 100644
--- a/manifests/faillock.pp
+++ b/manifests/faillock.pp
@@ -34,7 +34,7 @@
 # The faillock 'root_unlock_time' config option
 # @param admin_group
 # The faillock 'admin_group' config option
-#
+#
 class pam::faillock (
 Stdlib::Absolutepath $config_file = '/etc/security/faillock.conf',
 String[1] $config_file_owner = 'root',
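Review bot: templates/sshd.debian12.erb is byte-for-byte the same file as templates/sshd.debian10.erb — both `index` lines in this patch carry the blob 4cce9a26 — so the module now keeps two copies of one sshd PAM stack that must be edited in step, and a future hardening change applied to one and not the other will go unnoticed by the Debian 12 fixture. Unless a Debian 12-specific difference is planned, point `pam::pam_d_sshd_template` in data/os/Debian/12.yaml at the existing template, or add a one-line ERB comment at the top of each stating which releases it is meant for. The diffstat also shows templates/login.debian10.erb and templates/sshd.debian10.erb as new files while no Debian 10 or 11 data file is touched, so from this patch alone it is not clear what references them; if nothing does, the patch is adding dead templates.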
From e16e4886d7c6dda5262b6502504b2bc815101bd5 Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt
Date: Mon, 30 Dec 2024 17:10:30 -0500
Subject: [PATCH 3/5] Require the latest nsswitch module
The latest is 3.2.0 and 3.1.0 is necessary for Ubuntu 22.04.
---
metadata.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.json b/metadata.json
index 1c09d711..fb5e0210 100644
--- a/metadata.json
+++ b/metadata.json
@@ -10,7 +10,7 @@
 "dependencies": [
 {
 "name": "puppet/nsswitch",
- "version_requirement": ">= 3.0.0 < 4.0.0"
+ "version_requirement": ">= 3.2.0 < 4.0.0"
 },
 {
 "name": "puppetlabs/stdlib",
From 1138f844823833c6c91cf59604cc93c42a03ec34 Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt
Date: Mon, 30 Dec 2024 17:11:38 -0500
Subject: [PATCH 4/5] Perform acceptance testing with Debian 12
---
.github/workflows/ci.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3ad9440a..f5c377a3 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -58,6 +58,7 @@ jobs:
 - "el8"
 - "el9"
 - "debian-11"
+ - "debian-12"
 - "ubuntu-2004"
 - "ubuntu-2204"
 puppet:
@@ -66,7 +67,7 @@ jobs:
 env:
 BUNDLE_WITHOUT: development:release
 BEAKER_debug: true
- name:
+ name:
 steps:
 - name: Enable IPv6 on docker
 run: |
From f78b8da9202cec22f51a1b626a509cdac40e7667 Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt
Date: Mon, 30 Dec 2024 17:15:06 -0500
Subject: [PATCH 5/5] Stop failing on unsupported platforms
This allows for the use of unsupported platforms by simply adding the correct hiera data. Examples can be found under `examples/hiera/`.
---
manifests/init.pp | 20 --------------------
spec/classes/init_spec.rb | 32 --------------------------------
2 files changed, 52 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 1bc059ad..c11e94e5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -253,26 +253,6 @@
 Boolean $common_files_create_links = false,
 Optional[String] $common_files_suffix = undef,
 ) {
- # Fail on unsupported platforms
- if $facts['os']['family'] == 'RedHat' and !($facts['os']['release']['major'] in ['2','5','6','7','8', '9']) {
- fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 2, 5, 6, 7, 8 or 9")
- }
-
- if $facts['os']['family'] == 'Solaris' and !($facts['kernelrelease'] in ['5.9','5.10','5.11']) {
- fail("osfamily Solaris' kernelrelease is <${facts['kernelrelease']}> and must be 5.9, 5.10 or 5.11")
- }
-
- if $facts['os']['family'] == 'Suse' and !($facts['os']['release']['major'] in ['9','10','11','12','13','15']) {
- fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 9, 10, 11, 12, 13 or 15")
- }
-
- if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10','11','12']) {
- fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10, 11 or 12")
- }
-
- if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {
- fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04, 20.04 or 22.04")
- }
 if $pam_d_sshd_template == 'pam/sshd.custom.erb' {
 unless $pam_sshd_auth_lines and
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 177465cd..86160a71 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
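Review bot: Removing the platform guard means a node whose OS has no data under data/os/ now gets `class pam` applied instead of a compile failure, and nothing in the hunk checks that the per-platform keys the rest of the class relies on (`pam::pam_auth_lines`, `pam::pam_account_lines`, `pam::common_files`, the two template names) actually resolved. The parameter defaults are above this hunk (`class pam (` starts outside it) so I cannot see what they are; if they are undef or empty, the class may go on to manage /etc/pam.d files with empty stacks, which on a live host is either a lockout or, depending on the template, a weaker policy than before, and neither surfaces as a clean error. Consider replacing the deleted block with a guard on the data rather than the OS name, e.g. `unless $pam_auth_lines { fail('pam: no hiera data for this platform, see examples/hiera/') }`, and stating in the README that unsupported platforms must supply that data. The companion hunk in spec/classes/init_spec.rb on the next line deletes the 'on unsupported platforms' contexts without adding a case that compiles an unsupported OS with supplied hiera data, so the behaviour the commit message promises is untested.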
@@ -352,36 +352,4 @@
 end
 end
 end
-
- describe 'on unsupported platforms' do
- context 'with defaults params on Debian 6' do
- let(:facts) { { os: { 'name' => 'Debian', 'release' => { 'major' => '6' } } } }
-
- it { is_expected.to compile.and_raise_error(%r{must be}) }
- end
-
- context 'with defaults params on RedHat 4' do
- let(:facts) { { os: { 'family' => 'RedHat', 'release' => { 'major' => '4' } } } }
-
- it { is_expected.to compile.and_raise_error(%r{must be}) }
- end
-
- context 'with defaults params on Solaris 8' do
- let(:facts) { { os: { 'family' => 'Solaris' }, kernelrelease: '5.8' } }
-
- it { is_expected.to compile.and_raise_error(%r{must be}) }
- end
-
- context 'with defaults params on SLES 8' do
- let(:facts) { { os: { 'family' => 'Suse', 'release' => { 'major' => '8' } } } }
-
- it { is_expected.to compile.and_raise_error(%r{must be}) }
- end
-
- context 'with defaults params on Ubuntu 10.04' do
- let(:facts) { { os: { 'name' => 'Ubuntu', 'release' => { 'major' => '10.04' } } } }
-
- it { is_expected.to compile.and_raise_error(%r{must be}) }
- end
- end
 end